[pfx] Re: When using LDAP over socket, „smtpd_sender_login_maps“ requires an LDAP socket relative to chroot in contrast to other map configurations (potential bug?)
On Sun, Nov 05, 2023 at 12:13:17PM +, Matthias Nagel via Postfix-users
wrote:
> Viktor, you recommend to use proxymap in combination with LDAP,
Yes.
> especially if all LDAP lookups use the same connection.
Regardless of whether the connection settings are the same across all
tables. But if they are, then multiple tables will share connections,
either per-process, or in the proxymap(8) service (really same thing,
only centralised via an "RPC" indirection).
> Indeed, this is the case for my setup. The LDAP server, the bind DN
> and bind passwd are the same. Only the search base, the query filter
> and the result is different depending on the specific lookup.
In that case the connection would typically be shared. The Postfix
LDAP_README notes:
Multiple LDAP maps share the same LDAP connection if they differ
only in their query related parameters: base, scope, query_filter,
and so on. To take advantage of this, avoid spurious differences in
the definitions of LDAP maps: host selection order, version, bind,
tls parameters, ... should be the same for multiple maps whenever
possible.
> I tried to read the man page for proxymap (8).
There's not much there to read, instead see DATABASE_README, and the
"proxy_read_maps" and "local_recipient_maps" documentation in
postconf(5). Yes, the description is somewhat terse, but there's not
a lot say.
> Do I understand correctly, that I only have to add „proxy:“ in front
> of all my „ldap:“ lookups and that‘s it?
That's all, provided that nobody made the mistake of enabling chroot
also for proxymap in master.cf.
> No further configuration is required?
Magic... :-)
> Does proxymap somehow cleverly detect if two LDAP queries use the the
> same connection options and then re-uses the same connection?
That's built into the Postfix LDAP driver, regardless of whether LDAP
lookups are initiating in each process independently, or delegated to
proxymap.
> I excpected that I had to configure each connection which I would like
> to run through the proxy with proxymap, but this doesn‘t seem to be
> the case.
The supported tables are configured via proxy_read_maps and default to
all the usual tables. Customisation is only needed if you add new
"proxy:" tables not tied to one of the "standard" /mumble_maps/
parameters, for example, in smtpd_recipient_restrictions. Those
tables would need to be added to the definition of proxy_read_maps,
which you'd have to copy and extended (there's not a "+=" syntax
in main.cf for extending default values).
> Wietse, you say that Postfix cannot control when the LDAP client
> library opens a connection to the LDAP server.
Postfix asks the LDAP library to create a logical LDAP connection,
leaving it to the library to actually to the TCP connect and LDAP
"bind" handshake on demand (an actual query) later.
The timing of the LDAP connect is therefore determined by the LDAP
library. The Postfix LDAP driver may at times ask the LDAP library
to disconnect from a non-responsive server and ask it to reconnect
to any of the defined servers (ideally it will choose another that
is responsive, if multiple servers are defined).
Bottom line, be a copycat (do what I always did, when I used LDAP),
define somewhere in main.cf:
ldap = proxy:ldap:${config_directory}/
cidr = cidr:${config_directory}/
pcre = pcre:${config_directory}/
indexed = ${default_database_type}:${config_directory}/
...
and then when defining LDAP tables, write:
# For all /mumble_maps/:
mumble_maps = ${ldap}config.cf
instead of:
mumble_maps = ldap:/etc/postfix/config.cf
and likewise for other tables:
...
header_checks = ${pcre}header-checks.pcre
smtpd_client_restrictions =
...
check_client_access ${cidr}client-access.cidr
check_sender_access ${indexed}sender-access
...
...
--
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: When using LDAP over socket, „smtpd_sender_login_maps“ requires an LDAP socket relative to chroot in contrast to other map configurations (potential bug?)
As Viktor mentions, best practice is to: - Share the LDAP socket handle among the three tables that connect to the same LDAP endpoint (i.e. delay the bind with bind=no in the three *cf files). - Open LDAP tables from outside the chroot, by configuring LDAP tables as proxy:ldap:/path/to/file, and by running the proxymnap service with chroot turned off. The proxymap service shares each LDAP table with multiple Postfix SMTP server processes. As fir you claims about the contents of the three *.cf files, I won't comment on that without having seen concrete evidence. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: When using LDAP over socket, „smtpd_sender_login_maps“ requires an LDAP socket relative to chroot in contrast to other map configurations (potential bug?)
Dear Viktor, dear Wietse, Viktor, you recommend to use proxymap in combination with LDAP, especially if all LDAP lookups use the same connection. Indeed, this is the case for my setup. The LDAP server, the bind DN and bind passwd are the same. Only the search base, the query filter and the result is different depending on the specific lookup. I tried to read the man page for proxymap (8). Do I understand correctly, that I only have to add „proxy:“ in front of all my „ldap:“ lookups and that‘s it? No further configuration is required? Does proxymap somehow cleverly detect if two LDAP queries use the the same connection options and then re-uses the same connection? I excpected that I had to configure each connection which I would like to run through the proxy with proxymap, but this doesn‘t seem to be the case. Wietse, you say that Postfix cannot control when the LDAP client library opens a connection to the LDAP server, but at the same time you say that difference in LDAP client behaviour is caused by differences in Postfix main.cf/master.cf settings and differences in Postfix LDAP configuraton files. I can assure you that the only difference is the config file to which „ldap:...“ points, i.e. my config file contains virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual-mailboxes.cf virtual_alias_maps = ldap:/etc/postfix/ldap/virtual-aliases.cf smtpd_sender_login_maps = ldap:/etc/postfix/ldap/sender-login.cf There is not very much else I could do differently in the config file. The three LDAP configuration files are identical in terms of host and binding settings. They only differ in query filter and result attribute (obviously). Nonetheless, Postfix behaves differently with repect to whether it opens the LDAP connection before or after chrooting. While it is technically correct that the LDAP client library opens the connections, it is still Postfix which calls the the client library and obviously it does so for „virtual_mailbox_maps“ and „virtual_alias_maps“ before it chroots, but for „smtpd_sender_login_maps“ after it chroots. This is something which Postfix can control. If this difference in behaviour is not easily fixable or even intended by design, it should at least be mentioned in the docs. It caught me by surprise and it also makes „portmap -q“ less useful. For „smtpd_sender_login_maps“ the LDAP configuration must be written from the chroot perspective which is not handled by „portmap -q“. Here is another rather old thread (https://groups.google.com/g/list.postfix.users/c/JZxZiOMmgKk) which never got an answer. I bet the author encountered the same problem. Bests, Matthias Am Samstag, 4. November 2023, 22:33:48 CET schrieb Wietse Venema via Postfix-users: > Viktor Dukhovni via Postfix-users: > > On Sat, Nov 04, 2023 at 09:48:32AM -0400, Wietse Venema via Postfix-users > > wrote: > > > > > To be precise: Postfix opens your LDAP configuration file and asks > > > the LDAP library to create an LDAP client instance, before entering > > > the chroot jail and before accepting any SMTP client commmands. > > > > > > HOWEVER, Postfix does not connect to LDAP sockets before entering > > > the chroot jail and before accepting any SMTP client commmands. The > > > LDAP library decides when it wants to do that. > > > > IIRC there we were once upon a time requeting immediate connections to > > LDAP, but that was not ideal: > > > > - It complicated connection sharing across multiple tables with > > the same underlying backend server, that differ only in the > > query deails. > > > > - It also (when chrooted) meant automatic reconnect on error > > to an alternative server, ... would not necessarily work. > > > > - ... > > > > IIRC, the is in principle a way to perform an early, rather than delayed > > LDAP bind, but the OP should instead use: > > > > proxy:ldap:... > > > > with "proxyread" not chrooted. This further improves connection sharing > > and is a best practice. > > Confirmed. proxy:ldap improves sharing and can sidestep chroot issues, > as long as the read-only 'proxymap' service is not chrooted in master.cf. > > Wietse > ___ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org > -- Matthias Nagel Dachtlerstr. 2, 40499 Stuttgart Festnetz: +49-711-25295180, Mobil: +49-151-15998774 E-Mail: matthias.h.na...@posteo.de, Skype: nagmat84, Threema: 86VM8KN7 ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: When using LDAP over socket, „smtpd_sender_login_maps“ requires an LDAP socket relative to chroot in contrast to other map configurations (potential bug?)
Viktor Dukhovni via Postfix-users: > On Sat, Nov 04, 2023 at 09:48:32AM -0400, Wietse Venema via Postfix-users > wrote: > > > To be precise: Postfix opens your LDAP configuration file and asks > > the LDAP library to create an LDAP client instance, before entering > > the chroot jail and before accepting any SMTP client commmands. > > > > HOWEVER, Postfix does not connect to LDAP sockets before entering > > the chroot jail and before accepting any SMTP client commmands. The > > LDAP library decides when it wants to do that. > > IIRC there we were once upon a time requeting immediate connections to > LDAP, but that was not ideal: > > - It complicated connection sharing across multiple tables with > the same underlying backend server, that differ only in the > query deails. > > - It also (when chrooted) meant automatic reconnect on error > to an alternative server, ... would not necessarily work. > > - ... > > IIRC, the is in principle a way to perform an early, rather than delayed > LDAP bind, but the OP should instead use: > > proxy:ldap:... > > with "proxyread" not chrooted. This further improves connection sharing > and is a best practice. Confirmed. proxy:ldap improves sharing and can sidestep chroot issues, as long as the read-only 'proxymap' service is not chrooted in master.cf. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: When using LDAP over socket, „smtpd_sender_login_maps“ requires an LDAP socket relative to chroot in contrast to other map configurations (potential bug?)
On Sat, Nov 04, 2023 at 09:48:32AM -0400, Wietse Venema via Postfix-users wrote: > To be precise: Postfix opens your LDAP configuration file and asks > the LDAP library to create an LDAP client instance, before entering > the chroot jail and before accepting any SMTP client commmands. > > HOWEVER, Postfix does not connect to LDAP sockets before entering > the chroot jail and before accepting any SMTP client commmands. The > LDAP library decides when it wants to do that. IIRC there we were once upon a time requeting immediate connections to LDAP, but that was not ideal: - It complicated connection sharing across multiple tables with the same underlying backend server, that differ only in the query deails. - It also (when chrooted) meant automatic reconnect on error to an alternative server, ... would not necessarily work. - ... IIRC, the is in principle a way to perform an early, rather than delayed LDAP bind, but the OP should instead use: proxy:ldap:... with "proxyread" not chrooted. This further improves connection sharing and is a best practice. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: When using LDAP over socket, „smtpd_sender_login_maps“ requires an LDAP socket relative to chroot in contrast to other map configurations (potential bug?)
Matthias Nagel via Postfix-users: > Hello all, > > I am using Postfix 3.8.1 on Ubuntu 23.10. Per distribution default, > Postfix runs chrooted. I have setup LDAP lookups for most maps. > OpenLDAP is only listening via UNIX socket on > ldapi:///var/run/slapd/ldapi. > > For all but one LDAP lookup the corresponding Postfix configuration file > looks like > > root@h12345678:~ # cat /etc/postfix/ldap/virtual-mailboxes.cf > server_host = ldapi:///var/run/slapd/ldapi > bind = yes > bind_dn = ... > bind_pw = ... > > The path to the socket is absolute. Absolute socket paths work for > "virtual_mailbox_maps", "virtual_alias_maps", etc. and all other > directive except for ?smtpd_sender_login_maps?. The Postfix SMTP server opens 'tables' before entering the chroot jail and before accepting any SMTP client commmands: smtpd_sender_login_maps, relay_recipient_maps, virtual_mailbox_maps, virtual_alias_maps, canonical_maps, sender_canonical_maps, recipient_canonical_maps, local_recipient_maps, relay_clientcerts, permit_mx_backup_networks, relay_domains, mynetworks, and more. To be precise: Postfix opens your LDAP configuration file and asks the LDAP library to create an LDAP client instance, before entering the chroot jail and before accepting any SMTP client commmands. HOWEVER, Postfix does not connect to LDAP sockets before entering the chroot jail and before accepting any SMTP client commmands. The LDAP library decides when it wants to do that. IN PARTICULAR if the LDAP client decides to open the LDAP socket at the time that Postfix makes a query, then the LDAP client won't have access to pathnames outside the chroot jail. According to your logs, the LDAP library attempts to 'connect' to the LDAP server *after* the Postfix SMTP server has entered the chroot jail and after accepting any SMTP client commmands. That behavior is outside the control of Postfix. For more support please follow instructios at https://www.postfix.org/DEBUG_README.html#mail Any differences in LDAP client behavior would be caused by: - Differences in Postfix main.cf/master.cf settings - Differences in Postfix LDAP configuraton files. - Differences in SeLinux/AppArmor/anvivirus policies for different Postfix processes. - Other differences that cannot be inferred from your report. Note that the Postfix LDAP client does not care what lookup table it is used for; any differences in behavior must necessarily be the result of differences in Postfix configuration, or differences external to Postfix. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
