Debugging Postfix when using LDAP maps

I know that Postfix is not part of the Core system, however, since kopano doesn’t have a MTA of it’s own we need to use something, and this is really the only forum I have to ask these questions in and this seemed like the most logical location.

So long story short I’m trying to implement a system that would prevent normal users from sending mail to restricted addresses. I want to implement this using two groups:

  • Restricted Addresses (A group containing users and groups which are restricted)
  • Restricted Senders (A group containing users who can send to those Restricted Addresses)
    I found a nice little write up here which explains how to do it with hash tables. LDAP maps shouldn’t be too much harder… or so I thought.

So I created a test file (restricted-senders.cf) and I’m using postmap to query the file before I even go live. And what I’m seeing doesn’t make sense.
Here is the file (restricted-senders.cf)

~:/etc/postfix# cat restricted-senders.cf
# Directory settings
domain = domain.local
server_host = localhost
search_base = dc=domain,dc=local
version = 3

# User Binding
bind = yes
bind_dn = cn=kopano,ou=corp,dc=domain,dc=local
bind_pw = Password

# Filter
query_filter = (&(zarafaAccount=1)(memberOf=CN=Restricted Senders,OU=Mail,dc=domain,dc=local)(mail=%s))
result_attribute = mail

And here is the output when I test the file. (Fidel Castro is a member of the group.)

~:/etc/postfix# postmap -vq fidel.castro@domain.local ldap:restricted-senders.cf
postmap: name_mask: all
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: inet_addr_local: configured 0 IPv6 addresses
postmap: dict_ldap_open: Using LDAP source restricted-senders.cf
postmap: cfg_get_str: restricted-senders.cf: server_host = localhost
postmap: cfg_get_int: restricted-senders.cf: server_port = 389
postmap: cfg_get_int: restricted-senders.cf: version = 3
postmap: dict_ldap_open: restricted-senders.cf server_host URL is ldap://localhost:389
postmap: cfg_get_str: restricted-senders.cf: scope = sub
postmap: cfg_get_str: restricted-senders.cf: search_base = 
postmap: cfg_get_int: restricted-senders.cf: timeout = 10
postmap: cfg_get_str: restricted-senders.cf: query_filter = (mailacceptinggeneralid=%s)
postmap: cfg_get_str: restricted-senders.cf: result_format = <NULL>
postmap: cfg_get_str: restricted-senders.cf: result_filter = %s
postmap: cfg_get_str: restricted-senders.cf: domain = 
postmap: cfg_get_str: restricted-senders.cf: terminal_result_attribute = 
postmap: cfg_get_str: restricted-senders.cf: leaf_result_attribute = 
postmap: cfg_get_str: restricted-senders.cf: result_attribute = maildrop
postmap: cfg_get_str: restricted-senders.cf: special_result_attribute = 
postmap: cfg_get_str: restricted-senders.cf: bind = yes
postmap: cfg_get_str: restricted-senders.cf: bind_dn = 
postmap: cfg_get_str: restricted-senders.cf: bind_pw = 
postmap: cfg_get_bool: restricted-senders.cf: cache = off
postmap: cfg_get_int: restricted-senders.cf: cache_expiry = -1
postmap: cfg_get_int: restricted-senders.cf: cache_size = -1
postmap: cfg_get_int: restricted-senders.cf: recursion_limit = 1000
postmap: cfg_get_int: restricted-senders.cf: expansion_limit = 0
postmap: cfg_get_int: restricted-senders.cf: size_limit = 0
postmap: cfg_get_int: restricted-senders.cf: dereference = 0
postmap: cfg_get_bool: restricted-senders.cf: chase_referrals = off
postmap: cfg_get_bool: restricted-senders.cf: start_tls = off
postmap: cfg_get_bool: restricted-senders.cf: tls_require_cert = off
postmap: cfg_get_str: restricted-senders.cf: tls_ca_cert_file = 
postmap: cfg_get_str: restricted-senders.cf: tls_ca_cert_dir = 
postmap: cfg_get_str: restricted-senders.cf: tls_cert = 
postmap: cfg_get_str: restricted-senders.cf: tls_key = 
postmap: cfg_get_str: restricted-senders.cf: tls_random_file = 
postmap: cfg_get_str: restricted-senders.cf: tls_cipher_suite = 
postmap: cfg_get_int: restricted-senders.cf: debuglevel = 0
postmap: dict_open: ldap:restricted-senders.cf
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source restricted-senders.cf, reopening
postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
postmap: dict_ldap_connect: Actual Protocol version used is 3.
postmap: dict_ldap_connect: Binding to server ldap://localhost:389 with dn empty or implicit
postmap: dict_ldap_connect: Successful bind to server ldap://localhost:389 with dn empty or implicit
postmap: dict_ldap_connect: Cached connection handle for LDAP source restricted-senders.cf
postmap: dict_ldap_lookup: restricted-senders.cf: Searching with filter (mailacceptinggeneralid=fidel.castro@domain.local)
postmap: dict_ldap_get_values[1]: Search found 0 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source restricted-senders.cf

It seems that postmap reads the server_host but then uses default values for every other setting!!

Thinking I did something wrong I tested other LDAP maps we have (we use them for Aliases and Groups) and I see the same problem, even though I know they are working.

I can and did use postmap successfully on hash tables, but the LDAP ones always look the same. I’m I doing something stupid??

Thanks
Bob

I figured it out…

You need to use the full path to the map file, relative filenames don’t work! i.e. insetead of using:

~:/etc/postfix# postmap -vq fidel.castro@domain.local ldap:restricted-senders.cf

I should have been using:

~:/etc/postfix# postmap -vq fidel.castro@domain.local ldap:/etc/postfix/restricted-senders.cf