Hello all,

I am using Postfix 3.8.1 on Ubuntu 23.10. Per distribution default, Postfix 
runs chrooted. I have set up LDAP lookups for most maps. OpenLDAP is only 
listening via UNIX socket on ldapi:///var/run/slapd/ldapi.

For all but one LDAP lookup the corresponding Postfix configuration file looks 
like

root@h12345678:~ # cat /etc/postfix/ldap/virtual-mailboxes.cf 
server_host = ldapi:///var/run/slapd/ldapi
bind = yes
bind_dn = ...
bind_pw = ...

The path to the socket is absolute. Absolute socket paths work for 
"virtual_mailbox_maps", "virtual_alias_maps", etc. and all other directives 
except for "smtpd_sender_login_maps".

"smtpd_sender_login_maps" requires a *relative* path to the LDAP socket and the 
LDAP socket must be located within the chrooted environment. With an absolute 
path I get the following error logs

my-host.my-domain.tld postfix/submission/smtpd[341439]: >>> START Sender address RESTRICTIONS <<<
my-host.my-domain.tld postfix/submission/smtpd[341439]: generic_checks: name=reject_authenticated_sender_login_mismatch
my-host.my-domain.tld postfix/submission/smtpd[341439]: ctable_locate: leave existing entry key jane....@receiver.tld?sen...@my-domain.tld
my-host.my-domain.tld postfix/submission/smtpd[341439]: dict_ldap_lookup: In dict_ldap_lookup
my-host.my-domain.tld postfix/submission/smtpd[341439]: dict_ldap_lookup: No existing connection for LDAP source /etc/postfix/ldap/sender-login.cf, reopening
my-host.my-domain.tld postfix/submission/smtpd[341439]: dict_ldap_connect: Connecting to server ldapi:///var/run/slapd/ldapi
my-host.my-domain.tld postfix/submission/smtpd[341439]: dict_ldap_connect: Actual Protocol version used is 3.
my-host.my-domain.tld postfix/submission/smtpd[341439]: dict_ldap_connect: Binding to server ldapi:///var/run/slapd/ldapi with dn ...
my-host.my-domain.tld postfix/submission/smtpd[341439]: warning: dict_ldap_connect: Unable to bind to server ldapi:///var/run/slapd/ldapi with dn ...
my-host.my-domain.tld postfix/submission/smtpd[341439]: warning: ldap:/etc/postfix/ldap/sender-login.cf lookup error for "sen...@my-domain.tld"
my-host.my-domain.tld postfix/submission/smtpd[341439]: maps_find: smtpd_sender_login_maps: sen...@my-domain.tld: search aborted
my-host.my-domain.tld postfix/submission/smtpd[341439]: NOQUEUE: reject: RCPT from dial-up.client.provider.tld[x.y.w.z]: 451 4.3.0 <sen...@my-domain.tld>: Temporary lookup failure

In order to make it work, the configuration file for "smtpd_sender_login_maps" 
must look like

root@h12345678:~ # cat /etc/postfix/ldap/sender-login.cf 
server_host = ldapi://private/ldapi
bind = yes
bind_dn = ...
bind_pw = ...

Note that there is only a double slash (//) after the protocol specifier, not 
a triple slash (///), to form a relative path. I also had to make OpenLDAP 
listen on that additional socket (obviously). With that modified configuration, 
the LDAP lookup for "smtpd_sender_login_maps" does work.

However, and that is annoying, postmap stops working for this particular map, 
i.e.

postmap -q sen...@my-domain.tld ldap:/etc/postfix/ldap/sender-login.cf

returns an error, because postmap does not chroot and therefore does not find 
the LDAP socket.

 - Why does "smtpd_sender_login_maps" behave differently than all other 
configuration options which allow LDAP lookup?
 - Is this an oversight? Is it a "bug" in the Postfix software? All other LDAP 
connections seem to be opened by Postfix before chrooting.
 - Did I miss something in the docs? If this is not a bug, but intended 
behaviour, there should at least be a hint in the docs that 
"smtpd_sender_login_maps" is special with respect to LDAP configuration.

Bests, Matthias
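
An added check (not from Matthias's post and not part of Postfix) that resolves the ldapi:// socket named in a map file the way a chrooted smtpd and a non-chrooted postmap would see it, so the mismatch described above shows up before a 451 does. It assumes Ubuntu's queue directory /var/spool/postfix as the chroot root and models the double/triple-slash rule exactly as the post states it; which daemon actually runs a given lookup, and whether master.cf chroots it, is outside its scope.

```python
import os
import stat
from urllib.parse import unquote

# Assumption: Ubuntu's default queue directory, which is also the chroot root
# of chrooted Postfix daemons (they chdir() there before chroot()ing).
QUEUE_DIRECTORY = "/var/spool/postfix"

# Constructed copies of the two map files from the post (credentials elided).
ABSOLUTE_CF = "server_host = ldapi:///var/run/slapd/ldapi\nbind = yes\n"
RELATIVE_CF = "server_host = ldapi://private/ldapi\nbind = yes\n"


def parse_server_hosts(cf_text):
    """Return the whitespace-separated server_host URLs of an ldap_table(5) file."""
    for line in cf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server_host":
            return value.split()
    return []


def real_socket_path(url, chroot_dir=None, cwd="/"):
    """Kernel-visible path of an ldapi:// socket for a process with the given
    chroot (None = not chrooted) and working directory (as that process sees it).
    Triple slash = absolute path, double slash = path relative to cwd (the rule
    from the post); the percent-encoded form ldapi://%2Fvar%2F... is absolute."""
    if not url.startswith("ldapi://"):
        return None
    rest = unquote(url[len("ldapi://"):])
    path = os.path.normpath(rest if rest.startswith("/") else os.path.join(cwd, rest))
    return os.path.join(chroot_dir, path.lstrip("/")) if chroot_dir else path


def is_unix_socket(path):
    """True only if path exists and is a socket (a plain file is not enough)."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def audit(cf_text, contexts):
    """Map each server_host URL to {context: (real path, reachable)} for
    contexts like {"smtpd (chrooted)": (QUEUE_DIRECTORY, "/"), "postmap": (None, cwd)}."""
    report = {}
    for url in parse_server_hosts(cf_text):
        report[url] = {}
        for name, (root, cwd) in contexts.items():
            path = real_socket_path(url, root, cwd)
            report[url][name] = (path, is_unix_socket(path))
    return report
```

Running `audit(RELATIVE_CF, {"smtpd (chrooted)": (QUEUE_DIRECTORY, "/"), "postmap": (None, os.getcwd())})` on the host shows the relative map resolving to two different kernel paths, which is exactly why postmap fails while smtpd succeeds.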


_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org