Debugging Postfix when using LDAP maps

  • I know that Postfix is not part of the Core system; however, since Kopano doesn’t have an MTA of its own we need to use something, and this is really the only forum I have to ask these questions in and this seemed like the most logical location.

    So long story short I’m trying to implement a system that would prevent normal users from sending mail to restricted addresses. I want to implement this using two groups:

    • Restricted Addresses (A group containing users and groups which are restricted)
    • Restricted Senders (A group containing users who can send to those Restricted Addresses)

    I found a nice little write-up here which explains how to do it with hash tables. LDAP maps shouldn’t be too much harder… or so I thought.

    So I created a test file ( and I’m using postmap to query the file before I even go live. And what I’m seeing doesn’t make sense.
    Here is the file (

    ~:/etc/postfix# cat
    # Directory settings
    domain = domain.local
    server_host = localhost
    search_base = dc=domain,dc=local
    version = 3
    # User Binding
    bind = yes
    bind_dn = cn=kopano,ou=corp,dc=domain,dc=local
    bind_pw = Password
    # Filter
    query_filter = (&(zarafaAccount=1)(memberOf=CN=Restricted Senders,OU=Mail,dc=domain,dc=local)(mail=%s))
    result_attribute = mail

    And here is the output when I test the file. (Fidel Castro is a member of the group.)

    ~:/etc/postfix# postmap -vq fidel.castro@domain.local
    postmap: name_mask: all
    postmap: inet_addr_local: configured 3 IPv4 addresses
    postmap: inet_addr_local: configured 0 IPv6 addresses
    postmap: dict_ldap_open: Using LDAP source
    postmap: cfg_get_str: server_host = localhost
    postmap: cfg_get_int: server_port = 389
    postmap: cfg_get_int: version = 3
    postmap: dict_ldap_open: server_host URL is ldap://localhost:389
    postmap: cfg_get_str: scope = sub
    postmap: cfg_get_str: search_base = 
    postmap: cfg_get_int: timeout = 10
    postmap: cfg_get_str: query_filter = (mailacceptinggeneralid=%s)
    postmap: cfg_get_str: result_format = <NULL>
    postmap: cfg_get_str: result_filter = %s
    postmap: cfg_get_str: domain = 
    postmap: cfg_get_str: terminal_result_attribute = 
    postmap: cfg_get_str: leaf_result_attribute = 
    postmap: cfg_get_str: result_attribute = maildrop
    postmap: cfg_get_str: special_result_attribute = 
    postmap: cfg_get_str: bind = yes
    postmap: cfg_get_str: bind_dn = 
    postmap: cfg_get_str: bind_pw = 
    postmap: cfg_get_bool: cache = off
    postmap: cfg_get_int: cache_expiry = -1
    postmap: cfg_get_int: cache_size = -1
    postmap: cfg_get_int: recursion_limit = 1000
    postmap: cfg_get_int: expansion_limit = 0
    postmap: cfg_get_int: size_limit = 0
    postmap: cfg_get_int: dereference = 0
    postmap: cfg_get_bool: chase_referrals = off
    postmap: cfg_get_bool: start_tls = off
    postmap: cfg_get_bool: tls_require_cert = off
    postmap: cfg_get_str: tls_ca_cert_file = 
    postmap: cfg_get_str: tls_ca_cert_dir = 
    postmap: cfg_get_str: tls_cert = 
    postmap: cfg_get_str: tls_key = 
    postmap: cfg_get_str: tls_random_file = 
    postmap: cfg_get_str: tls_cipher_suite = 
    postmap: cfg_get_int: debuglevel = 0
    postmap: dict_open:
    postmap: dict_ldap_lookup: In dict_ldap_lookup
    postmap: dict_ldap_lookup: No existing connection for LDAP source, reopening
    postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
    postmap: dict_ldap_connect: Actual Protocol version used is 3.
    postmap: dict_ldap_connect: Binding to server ldap://localhost:389 with dn empty or implicit
    postmap: dict_ldap_connect: Successful bind to server ldap://localhost:389 with dn empty or implicit
    postmap: dict_ldap_connect: Cached connection handle for LDAP source
    postmap: dict_ldap_lookup: Searching with filter (mailacceptinggeneralid=fidel.castro@domain.local)
    postmap: dict_ldap_get_values[1]: Search found 0 match(es)
    postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
    postmap: dict_ldap_lookup: Search returned nothing
    postmap: dict_ldap_close: Closed connection handle for LDAP source

    It seems that postmap reads the server_host but then uses default values for every other setting!!

    Thinking I did something wrong I tested other LDAP maps we have (we use them for Aliases and Groups) and I see the same problem, even though I know they are working.

    I can and did use postmap successfully on hash tables, but the LDAP ones always look the same. Am I doing something stupid??


  • I figured it out…

    You need to use the full path to the map file; relative filenames don’t work! I.e. instead of using:

    ~:/etc/postfix# postmap -vq fidel.castro@domain.local

    I should have been using:

    ~:/etc/postfix# postmap -vq fidel.castro@domain.local ldap:/etc/postfix/
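
The symptom in this thread (the `cfg_get_*` lines of the verbose trace not matching the map file, and a bind "with dn empty or implicit") can be checked mechanically. The following is an added example, not code from either poster or from Postfix; the sample inputs are constructed from the thread, the function and variable names are assumptions, and the parser does not handle continuation lines in the map file.

```python
import re

# Constructed sample inputs modelled on the thread: the map file's settings
# and a shortened `postmap -vq` trace. MAP_CF and TRACE are assumed names.
MAP_CF = """\
# Directory settings
server_host = localhost
search_base = dc=domain,dc=local
bind_dn = cn=kopano,ou=corp,dc=domain,dc=local
bind_pw = Password
query_filter = (&(zarafaAccount=1)(memberOf=CN=Restricted Senders,OU=Mail,dc=domain,dc=local)(mail=%s))
result_attribute = mail
"""
TRACE = """\
postmap: cfg_get_str: server_host = localhost
postmap: cfg_get_str: search_base =
postmap: cfg_get_str: query_filter = (mailacceptinggeneralid=%s)
postmap: cfg_get_str: result_attribute = maildrop
postmap: cfg_get_str: bind_dn =
postmap: cfg_get_str: bind_pw =
postmap: dict_ldap_connect: Binding to server ldap://localhost:389 with dn empty or implicit
"""
SECRET_KEYS = {"bind_pw"}  # never echo credentials into a report

def parse_map_cf(text):
    """Parse 'name = value' lines; '#' comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_trace(text):
    """Collect the effective settings postmap logged via cfg_get_*."""
    pat = re.compile(r"cfg_get_(?:str|int|bool): (\w+) =\s*(.*)$")
    return {m.group(1): m.group(2).strip()
            for m in map(pat.search, text.splitlines()) if m}

def find_ignored_settings(cf_text, trace_text):
    """Return (key, wanted, effective) for settings the lookup did not apply."""
    wanted, effective = parse_map_cf(cf_text), parse_trace(trace_text)
    hide = lambda k, v: "<redacted>" if k in SECRET_KEYS and v else v
    return [(k, hide(k, v), hide(k, effective[k]))
            for k, v in wanted.items() if k in effective and effective[k] != v]

def bound_anonymously(trace_text):
    """True when the trace shows the LDAP bind was made with no DN."""
    return "with dn empty or implicit" in trace_text
```

An empty list from `find_ignored_settings` together with `bound_anonymously` returning `False` means the trace reflects the file; any entry in the list means the lookup being tested is not the one the file describes.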
