Debugging Postfix when using LDAP maps

I know that Postfix is not part of the Core system, however, since kopano doesn’t have a MTA of it’s own we need to use something, and this is really the only forum I have to ask these questions in and this seemed like the most logical location.

So long story short I’m trying to implement a system that would prevent normal users from sending mail to restricted addresses. I want to implement this using two groups:

  • Restricted Addresses (A group containing users and groups which are restricted)
  • Restricted Senders (A group containing users who can send to those Restricted Addresses)
    I found a nice little write up here which explains how to do it with hash tables. LDAP maps shouldn’t be too much harder… or so I thought.

So I created a test file ( and I’m using postmap to query the file before I even go live. And what I’m seeing doesn’t make sense.
Here is the file (

~:/etc/postfix# cat
# Directory settings
domain = domain.local
server_host = localhost
search_base = dc=domain,dc=local
version = 3

# User Binding
bind = yes
bind_dn = cn=kopano,ou=corp,dc=domain,dc=local
bind_pw = Password

# Filter
query_filter = (&(zarafaAccount=1)(memberOf=CN=Restricted Senders,OU=Mail,dc=domain,dc=local)(mail=%s))
result_attribute = mail

And here is the output when I test the file. (Fidel Castro is a member of the group.)

~:/etc/postfix# postmap -vq fidel.castro@domain.local
postmap: name_mask: all
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: inet_addr_local: configured 0 IPv6 addresses
postmap: dict_ldap_open: Using LDAP source
postmap: cfg_get_str: server_host = localhost
postmap: cfg_get_int: server_port = 389
postmap: cfg_get_int: version = 3
postmap: dict_ldap_open: server_host URL is ldap://localhost:389
postmap: cfg_get_str: scope = sub
postmap: cfg_get_str: search_base = 
postmap: cfg_get_int: timeout = 10
postmap: cfg_get_str: query_filter = (mailacceptinggeneralid=%s)
postmap: cfg_get_str: result_format = <NULL>
postmap: cfg_get_str: result_filter = %s
postmap: cfg_get_str: domain = 
postmap: cfg_get_str: terminal_result_attribute = 
postmap: cfg_get_str: leaf_result_attribute = 
postmap: cfg_get_str: result_attribute = maildrop
postmap: cfg_get_str: special_result_attribute = 
postmap: cfg_get_str: bind = yes
postmap: cfg_get_str: bind_dn = 
postmap: cfg_get_str: bind_pw = 
postmap: cfg_get_bool: cache = off
postmap: cfg_get_int: cache_expiry = -1
postmap: cfg_get_int: cache_size = -1
postmap: cfg_get_int: recursion_limit = 1000
postmap: cfg_get_int: expansion_limit = 0
postmap: cfg_get_int: size_limit = 0
postmap: cfg_get_int: dereference = 0
postmap: cfg_get_bool: chase_referrals = off
postmap: cfg_get_bool: start_tls = off
postmap: cfg_get_bool: tls_require_cert = off
postmap: cfg_get_str: tls_ca_cert_file = 
postmap: cfg_get_str: tls_ca_cert_dir = 
postmap: cfg_get_str: tls_cert = 
postmap: cfg_get_str: tls_key = 
postmap: cfg_get_str: tls_random_file = 
postmap: cfg_get_str: tls_cipher_suite = 
postmap: cfg_get_int: debuglevel = 0
postmap: dict_open:
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source, reopening
postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
postmap: dict_ldap_connect: Actual Protocol version used is 3.
postmap: dict_ldap_connect: Binding to server ldap://localhost:389 with dn empty or implicit
postmap: dict_ldap_connect: Successful bind to server ldap://localhost:389 with dn empty or implicit
postmap: dict_ldap_connect: Cached connection handle for LDAP source
postmap: dict_ldap_lookup: Searching with filter (mailacceptinggeneralid=fidel.castro@domain.local)
postmap: dict_ldap_get_values[1]: Search found 0 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source

It seems that postmap reads the server_host but then uses default values for every other setting!!

Thinking I did something wrong I tested other LDAP maps we have (we use them for Aliases and Groups) and I see the same problem, even though I know they are working.

I can and did use postmap successfully on hash tables, but the LDAP ones always look the same. I’m I doing something stupid??


I figured it out…

You need to use the full path to the map file, relative filenames don’t work! i.e. insetead of using:

~:/etc/postfix# postmap -vq fidel.castro@domain.local

I should have been using:

~:/etc/postfix# postmap -vq fidel.castro@domain.local ldap:/etc/postfix/