From 2bf2e7272ad8f3f49a5e49d7e18aaefc993b9ea4 Mon Sep 17 00:00:00 2001
From: Thomas Kaltenbrunner
Date: Thu, 6 Nov 2025 09:41:09 +0100
Subject: [PATCH] fix(open-xchange): Add support for ldap based transport maps and virtual alias maps
---
 .../open-xchange/values-postfix.yaml.gotmpl | 39 +++++++++++++++++++
 .../environments/default/charts.yaml.gotmpl | 2 +-
 .../environments/default/images.yaml.gotmpl | 2 +-
 .../environments/default/secrets.yaml.gotmpl | 1 +
 4 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
index a7d74f1c..2b546b6e 100644
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -78,6 +78,45 @@ postfix:
 staticAuthDB:
 enabled: false
+ ldapTransportMaps:
+ - host: "ums-ldap-server"
+ scheme: "ldap"
+ port: 389
+ baseDn: "{{ .Values.ldap.baseDn }}"
+ bindDn: "uid=ldapsearch_postfix,cn=users,{{ .Values.ldap.baseDn }}"
+ password:
+ value: {{ .Values.secrets.nubus.ldapSearch.postfix | quote }}
+ queryFilter: "(&(objectClass=person)(isOxUser=Not)(mailPrimaryAddress=%s))"
+ resultAttribute: "mailPrimaryAddress"
+ resultFormat: "smtp:legacySmtpServer1:25"
+ - host: "ums-ldap-server"
+ scheme: "ldap"
+ port: 389
+ baseDn: "{{ .Values.ldap.baseDn }}"
+ bindDn: "uid=ldapsearch_postfix,cn=users,{{ .Values.ldap.baseDn }}"
+ password:
+ value: {{ .Values.secrets.nubus.ldapSearch.postfix | quote }}
+ queryFilter: "(&(objectClass=person)(isOxUser=Not)(mailAlternativeAddress=%s))"
+ resultAttribute: "mailAlternativeAddress"
+ resultFormat: "smtp:legacySmtpServer2:25"
+
+ ldapVirtualAliasMaps:
+ - host: "ums-ldap-server"
+ scheme: "ldap"
+ port: 389
+ baseDn: "{{ .Values.ldap.baseDn }}"
+ bindDn: "uid=ldapsearch_postfix,cn=users,{{ .Values.ldap.baseDn }}"
+ password:
+ value: {{ .Values.secrets.nubus.ldapSearch.postfix | quote }}
+ # ldap filter to find groups with mail address
+ queryFilter: "(&(|(objectClass=univentionMailList)(objectClass=posixGroup))(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)))"
+ # -- use this attribute if the query already returns email addresses of members and no recursive lookup needs to be done
+ resultAttribute: ""
+ # -- do a recursive search on the specified attribute if found, should be a DN
+ specialResultAttribute: "uniqueMember"
+ # -- return the following attribute from all found leaves when a recursive search is done
+ leafResultAttribute: "mailPrimaryAddress"
+
 {{- if .Values.antivirus.milter.host }}
 smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
 {{- else }}
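Review bot: Both `ldapTransportMaps` entries are rendered unconditionally and route mail for every `isOxUser=Not` person to the literal hosts `legacySmtpServer1` and `legacySmtpServer2`, which read like placeholders; in a default deployment that mail would be deferred, or handed to whatever host answers to that name on port 25. Consider guarding the two lists with a values-driven condition like the `{{- if .Values.antivirus.milter.host }}` block just below, and taking the next hop from values in bracketed form so Postfix skips the MX lookup, e.g. `resultFormat: "smtp:[<LEGACY_RELAY_HOST>]:25"`. All three lookups also bind as `ldapsearch_postfix` over `scheme: "ldap"` on port 389, so the password crosses the cluster network in clear text unless the chart negotiates StartTLS, which is not visible here; a comment saying so, or `ldaps` if chart and server support it, would help. The `postfix:` mapping starts above this hunk and the milter `if` block continues below it.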
diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl
index 2953f88d..02e0aeb4 100644
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -437,7 +437,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
 name: "postfix"
- version: "5.0.1"
+ version: "5.0.2"
 verify: true
 postgresql:
 # providerCategory: "Platform"
diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl
index aca98d5f..2800b1bb 100644
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -914,7 +914,7 @@ images:
 # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/images/postfix"
- tag: "3.0.3@sha256:12bcebf57ddb53258c48eaa60e9c25b441f4319ee1b94b363c652ad0a992a875"
+ tag: "3.0.4@sha256:5b17c801283215b13e8305b0be1497d70c232e8ea8414f965cd1010333ae95ab"
 postfixBootstrap:
 # providerCategory: "Community"
 # providerResponsible: "openDesk"
diff --git a/helmfile/environments/default/secrets.yaml.gotmpl b/helmfile/environments/default/secrets.yaml.gotmpl
index 5c55b69d..acf9918e 100644
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -32,6 +32,7 @@ secrets:
 dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_dovecot" | sha1sum | quote }}
 element: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_element" | sha1sum | quote }}
 ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_ox" | sha1sum | quote }}
+ postfix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_postfix" | sha1sum | quote }}
 openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_openproject" | sha1sum | quote }}
 xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_xwiki" | sha1sum | quote }}
 systemAccounts:
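Review bot: The new `postfix` entry reuses `default "sovereign-workplace"`, so when `MASTER_PASSWORD` is unset the bind password for `ldapsearch_postfix` is derived only from values published in this repository. That matches the neighbouring entries, but each added search account widens what the fallback exposes; a comment above these entries such as `# MASTER_PASSWORD must be set outside of test deployments; the fallback value is public` would make the expectation explicit. None of the four files in this patch creates the `uid=ldapsearch_postfix` account, so it is worth confirming that it is provisioned elsewhere with this same derived password, otherwise the new LDAP maps will fail to bind. The `secrets:` mapping starts and ends outside the hunk.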