Debugging Postfix when using LDAP maps



  • I know that Postfix is not part of the Core system, however, since kopano doesn’t have a MTA of it’s own we need to use something, and this is really the only forum I have to ask these questions in and this seemed like the most logical location.

    So long story short I’m trying to implement a system that would prevent normal users from sending mail to restricted addresses. I want to implement this using two groups:

    • Restricted Addresses (A group containing users and groups which are restricted)
    • Restricted Senders (A group containing users who can send to those Restricted Addresses)
      I found a nice little write up here which explains how to do it with hash tables. LDAP maps shouldn’t be too much harder… or so I thought.

    So I created a test file (restricted-senders.cf) and I’m using postmap to query the file before I even go live. And what I’m seeing doesn’t make sense.
    Here is the file (restricted-senders.cf)

    ~:/etc/postfix# cat restricted-senders.cf
    # Directory settings
    domain = domain.local
    server_host = localhost
    search_base = dc=domain,dc=local
    version = 3
    
    # User Binding
    bind = yes
    bind_dn = cn=kopano,ou=corp,dc=domain,dc=local
    bind_pw = Password
    
    # Filter
    query_filter = (&(zarafaAccount=1)(memberOf=CN=Restricted Senders,OU=Mail,dc=domain,dc=local)(mail=%s))
    result_attribute = mail
    

    And here is the output when I test the file. (Fidel Castro is a member of the group.)

    ~:/etc/postfix# postmap -vq fidel.castro@domain.local ldap:restricted-senders.cf
    postmap: name_mask: all
    postmap: inet_addr_local: configured 3 IPv4 addresses
    postmap: inet_addr_local: configured 0 IPv6 addresses
    postmap: dict_ldap_open: Using LDAP source restricted-senders.cf
    postmap: cfg_get_str: restricted-senders.cf: server_host = localhost
    postmap: cfg_get_int: restricted-senders.cf: server_port = 389
    postmap: cfg_get_int: restricted-senders.cf: version = 3
    postmap: dict_ldap_open: restricted-senders.cf server_host URL is ldap://localhost:389
    postmap: cfg_get_str: restricted-senders.cf: scope = sub
    postmap: cfg_get_str: restricted-senders.cf: search_base = 
    postmap: cfg_get_int: restricted-senders.cf: timeout = 10
    postmap: cfg_get_str: restricted-senders.cf: query_filter = (mailacceptinggeneralid=%s)
    postmap: cfg_get_str: restricted-senders.cf: result_format = <NULL>
    postmap: cfg_get_str: restricted-senders.cf: result_filter = %s
    postmap: cfg_get_str: restricted-senders.cf: domain = 
    postmap: cfg_get_str: restricted-senders.cf: terminal_result_attribute = 
    postmap: cfg_get_str: restricted-senders.cf: leaf_result_attribute = 
    postmap: cfg_get_str: restricted-senders.cf: result_attribute = maildrop
    postmap: cfg_get_str: restricted-senders.cf: special_result_attribute = 
    postmap: cfg_get_str: restricted-senders.cf: bind = yes
    postmap: cfg_get_str: restricted-senders.cf: bind_dn = 
    postmap: cfg_get_str: restricted-senders.cf: bind_pw = 
    postmap: cfg_get_bool: restricted-senders.cf: cache = off
    postmap: cfg_get_int: restricted-senders.cf: cache_expiry = -1
    postmap: cfg_get_int: restricted-senders.cf: cache_size = -1
    postmap: cfg_get_int: restricted-senders.cf: recursion_limit = 1000
    postmap: cfg_get_int: restricted-senders.cf: expansion_limit = 0
    postmap: cfg_get_int: restricted-senders.cf: size_limit = 0
    postmap: cfg_get_int: restricted-senders.cf: dereference = 0
    postmap: cfg_get_bool: restricted-senders.cf: chase_referrals = off
    postmap: cfg_get_bool: restricted-senders.cf: start_tls = off
    postmap: cfg_get_bool: restricted-senders.cf: tls_require_cert = off
    postmap: cfg_get_str: restricted-senders.cf: tls_ca_cert_file = 
    postmap: cfg_get_str: restricted-senders.cf: tls_ca_cert_dir = 
    postmap: cfg_get_str: restricted-senders.cf: tls_cert = 
    postmap: cfg_get_str: restricted-senders.cf: tls_key = 
    postmap: cfg_get_str: restricted-senders.cf: tls_random_file = 
    postmap: cfg_get_str: restricted-senders.cf: tls_cipher_suite = 
    postmap: cfg_get_int: restricted-senders.cf: debuglevel = 0
    postmap: dict_open: ldap:restricted-senders.cf
    postmap: dict_ldap_lookup: In dict_ldap_lookup
    postmap: dict_ldap_lookup: No existing connection for LDAP source restricted-senders.cf, reopening
    postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
    postmap: dict_ldap_connect: Actual Protocol version used is 3.
    postmap: dict_ldap_connect: Binding to server ldap://localhost:389 with dn empty or implicit
    postmap: dict_ldap_connect: Successful bind to server ldap://localhost:389 with dn empty or implicit
    postmap: dict_ldap_connect: Cached connection handle for LDAP source restricted-senders.cf
    postmap: dict_ldap_lookup: restricted-senders.cf: Searching with filter (mailacceptinggeneralid=fidel.castro@domain.local)
    postmap: dict_ldap_get_values[1]: Search found 0 match(es)
    postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
    postmap: dict_ldap_lookup: Search returned nothing
    postmap: dict_ldap_close: Closed connection handle for LDAP source restricted-senders.cf
    

    It seems that postmap reads the server_host but then uses default values for every other setting!!

    Thinking I did something wrong I tested other LDAP maps we have (we use them for Aliases and Groups) and I see the same problem, even though I know they are working.

    I can and did use postmap successfully on hash tables, but the LDAP ones always look the same. I’m I doing something stupid??

    Thanks
    Bob



  • I figured it out…

    You need to use the full path to the map file, relative filenames don’t work! i.e. insetead of using:

    ~:/etc/postfix# postmap -vq fidel.castro@domain.local ldap:restricted-senders.cf
    

    I should have been using:

    ~:/etc/postfix# postmap -vq fidel.castro@domain.local ldap:/etc/postfix/restricted-senders.cf
    

Log in to reply
 

Looks like your connection to Kopano Community Forum was lost, please wait while we try to reconnect.