bastion seems to be seeing non-contributor accounts (i.e., should be ones without a @fedoraproject.org alias) and delivering bounces/whatever to them instead to /var/spool/mail on bastion. ;(
5.9G /var/spool/mail/
I am not sure what change started this happening, but it was last year. Possibly because sssd shows the user, even though they are not a shell user?
In any case we need to fix it. Either in ipa, sssd or postfix.
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
Could it have something to do with the new mailman deployment?
I don't think so... it's pretty unrelated.
Hey @nphilipp could you look at this? You set up the ansible/ipa stuff a while back, perhaps you can see what's going on?
Metadata Update from @kevin: - Issue assigned to kevin
ok, this was bugging me so I looked at it today.
It's actually normal and expected that sssd/ipa enumerate all users. This is in case there are files that are owned by those users even if they don't have access to a particular machine. They cannot log in, they just exist.
Basically postfix default is:

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

so if the user is a local user or an alias, it's valid. However, sssd and ipa show all users (even ones with no access to that host). This means we were accepting and delivering (locally) emails for anyuser@fedoraproject.org.

Setting this to just $alias_maps will just treat aliases as valid and ignore all the local users. This should be fine as we use aliases to send even to root or other system users.
I tested manually on bastion02 and it seems to work fine.
Metadata Update from @kevin: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
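The effect of the two `local_recipient_maps` values discussed in this ticket can be modelled offline. The following is an added example, not code from the ticket or from Fedora infrastructure; the passwd and aliases samples are constructed, and the function names are hypothetical.

```python
# Constructed stand-in for `getent passwd` output on a host where sssd
# also returns directory users (alice, bob) next to local system accounts.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:*:1000001:1000001:Alice:/home/fedora/alice:/sbin/nologin
bob:*:1000002:1000002:Bob:/home/fedora/bob:/sbin/nologin
"""
# Constructed /etc/aliases-style table.
ALIASES = """\
# system aliases
postmaster: root
root: admin@example.org
alice: alice@example.net
"""
POSTFIX_DEFAULT = "proxy:unix:passwd.byname $alias_maps"

def parse_passwd(text):
    """Account names that a passwd.byname lookup (via NSS) would find."""
    return {ln.split(":", 1)[0] for ln in text.splitlines() if ln.strip()}

def parse_aliases(text):
    """Left-hand sides of an aliases table; skips comments and continuations."""
    names = set()
    for ln in text.splitlines():
        if not ln.strip() or ln.startswith("#") or ln[0].isspace():
            continue
        names.add(ln.split(":", 1)[0].strip().lower())
    return names

def accepted_recipients(local_recipient_maps, passwd_names, alias_names):
    """Local parts Postfix would treat as valid under this setting."""
    tables = local_recipient_maps.replace(",", " ").split()
    if not tables:
        raise ValueError("empty value disables recipient validation entirely")
    accepted = set()
    for table in tables:
        if table == "$alias_maps":
            accepted |= alias_names
        elif table.endswith("unix:passwd.byname"):
            accepted |= passwd_names
        else:
            raise ValueError(f"table type not modelled: {table}")
    return accepted

def mailbox_recipients(local_recipient_maps, passwd_names, alias_names):
    """Accepted names with no alias: their mail lands in a local mailbox."""
    ok = accepted_recipients(local_recipient_maps, passwd_names, alias_names)
    return sorted(ok - alias_names)

PASSWD_NAMES = parse_passwd(GETENT_PASSWD)
ALIAS_NAMES = parse_aliases(ALIASES)
```

On a real host the inputs would come from `getent passwd`, the aliases file, and `postconf -h local_recipient_maps`.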