Hi,
First, thanks to everyone for your help so far.
We've got all our customer information in LDAP and we've set up our
Postfix and Dovecot instances to talk to it.
Given the high focus on security at our company, we've determined that
password verification in LDAP is a costly operation. Therefore, we need
to try to limit LDAP lookups, specifically ones that depend on either
verifying a customer's password or logging in (binding) with an account
(which obviously needs to verify a password).
I have two queries that I'll put in separate threads.
I've configured our MX to look up customer domains and addresses in LDAP
before accepting mail. This is, of course, going to be our most common
lookup, as it will be done for every email received from the outside
world.
Right now, Postfix is connecting to LDAP every time it needs to do one of
these lookups, then disconnects again. I thought that specifying "proxy:"
in the entry might deal with this, but it doesn't appear to have done so.
My question is, is it possible to get proxymap to open a persistent
connection for LDAP to do relay_domains and relay_recipient lookups?
Thanks for any advice.
Cheers,
Geoff.
Configuration info follows:
postconf -n output:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv6,ipv4
mailbox_size_limit = 0
mydestination = mx.ourdomain.com, localhost
myhostname = mx.ourdomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    <our IPv6 allocation> <our IPv4 allocation>
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:ldap:/etc/postfix/ldap-domains.cf ourdomain.com
relay_recipient_maps =
    proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf
    proxy:ldap:/etc/postfix/ldap-users.cf
relay_transport = relay:[scanner.ourdomain.com]
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = RC4,MD5
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_pipelining reject_non_fqdn_sender
    reject_invalid_hostname reject_non_fqdn_hostname
    reject_unknown_sender_domain reject_unlisted_recipient
    reject_non_fqdn_recipient reject_unknown_recipient_domain
    reject_unauth_destination reject_multi_recipient_bounce
smtpd_soft_error_limit = 5
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
/etc/postfix/ldap-domains.cf:
version = 3
timeout = 20
size_limit = 1
expansion_limit = 1
start_tls = no
tls_require_cert = no
scope = one
query_filter = o=%s
result_attribute = o
server_host = ldap://ldap-server.ourdomain.com
search_base = ou=mail,dc=ourdomain,dc=com
/etc/postfix/ldap-users.cf:
version = 3
timeout = 20
size_limit = 1
expansion_limit = 1
start_tls = no
tls_require_cert = no
scope = sub
query_filter = mail=%s
result_attribute = mail
server_host = ldap://ldap-server.ourdomain.com
search_base = o=%d,ou=mail,dc=ourdomain,dc=com
# The return value is only used in a transport map (i.e. on our scanner)
result_format = lmtp:[imap.ourdomain.com]:24
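An added example, not part of Geoff's post or of Postfix itself: a small Python audit that parses the main.cf lookup references and the LDAP table files above and reports which tables are not behind proxy: (so every smtpd process opens its own directory connection), which talk to the directory in cleartext or without certificate verification, and which bind anonymously. The sample input is constructed from the configuration above; the second table is deliberately varied from the post so every branch is exercised, and the Postfix defaults it assumes (start_tls = no, tls_require_cert = no, bind = yes with an empty bind_dn meaning anonymous) are stated in the comments.

```python
import re

# Constructed sample input, reduced from the post. Continuation lines are
# indented the way postconf -n prints them. The users table is varied from the
# post (start_tls = yes, bind_dn set, no proxy:) to exercise the other branches.
MAIN_CF = """\
relay_domains = proxy:ldap:/etc/postfix/ldap-domains.cf ourdomain.com
relay_recipient_maps =
    proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf
    ldap:/etc/postfix/ldap-users.cf
"""
TABLES = {
    "/etc/postfix/ldap-domains.cf": "version = 3\nstart_tls = no\ntls_require_cert = no\n"
        "query_filter = o=%s\nserver_host = ldap://ldap-server.ourdomain.com\n",
    "/etc/postfix/ldap-users.cf": "version = 3\nstart_tls = yes\ntls_require_cert = no\n"
        "bind_dn = cn=postfix,ou=mail,dc=ourdomain,dc=com\n"
        "server_host = ldap://ldap-server.ourdomain.com\n",
}

def parse_table(text):
    """Parse a Postfix 'key = value' table file; comments and blank lines are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def ldap_references(main_cf):
    """Map every ldap: table path named in main.cf to whether it sits behind proxy:,
    after joining indented continuation lines onto their parameter line."""
    joined = re.sub(r"\n[ \t]+", " ", main_cf)
    return {m.group(2): m.group(1) is not None
            for m in re.finditer(r"(proxy:)?ldap:(\S+)", joined)}

def audit_table(params, proxied):
    """Security findings for one table, using the assumed Postfix defaults above."""
    findings = []
    uri = params.get("server_host", "")
    tls = uri.startswith("ldaps://") or params.get("start_tls", "no").lower() == "yes"
    if not tls:
        findings.append("cleartext LDAP: ldap:// with start_tls = no")
    elif params.get("tls_require_cert", "no").lower() != "yes":
        findings.append("TLS without server certificate verification (tls_require_cert = no)")
    if params.get("bind", "yes").lower() in ("yes", "simple") and not params.get("bind_dn"):
        findings.append("anonymous bind: no bind_dn configured")
    if not proxied:
        findings.append("not behind proxy:, so every smtpd process opens its own LDAP connection")
    return findings

def audit(main_cf, tables):
    """Audit every table file against how main.cf references it."""
    refs = ldap_references(main_cf)
    return {path: audit_table(parse_table(text), refs.get(path, False))
            for path, text in tables.items()}

if __name__ == "__main__":
    for path, findings in audit(MAIN_CF, TABLES).items():
        print(path, *findings, sep="\n  ")
```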