ldap validate
I have a couple of questions about LDAP verification.

I followed this guide as I am using AD as LDAP source:
http://blog.yenlo.com/nl/using-postfix-ldap-search-against-active-directory

This works perfectly until I am sending mail to the postfix server, then it accepts the mail and passes with no verification.
To clarify, this is the step that works perfectly:

postmap -vq johnpaulvanhelvo...@domain.nl ldap:/etc/postfix/ldap-aliases.cf

But not when I am sending to postfix (appserver > postfixrelay > nextsmtphop)

What needs to be done to validate them during the SMTP transaction?

Also, what if I have multiple SMTP domains within the same AD domain?
Can that be contained on this one line?

# Directory settings
domain = domain.nl,domain2.nl,domain3.nl,etc...

Thanks,
Rich
Re: ldap validate
On 12/30/2015 11:22 AM, Gomes, Rich wrote:
> I have a couple of questions about LDAP verification.
>
> I followed this guide as I am using AD as LDAP source:
>
> http://blog.yenlo.com/nl/using-postfix-ldap-search-against-active-directory
>
> This works perfectly until I am sending mail to the postfix server, then it
> accepts the mail and passes with no verification.
> To clarify, this is the step that works perfectly:
>
> postmap -vq johnpaulvanhelvo...@domain.nl ldap:/etc/postfix/ldap-aliases.cf
>
> But not when I am sending to postfix (appserver > postfixrelay > nextsmtphop)
>
> What needs to be done to validate them during the SMTP transaction?

Make sure your query returns nothing with a non-existent address.

The correct settings for address validation depend on the address class of the recipient domain.
http://www.postfix.org/ADDRESS_CLASS_README.html

users in local domains defined in $mydestination are listed in local_recipient_maps
users in domains defined in $relay_domains are listed in relay_recipient_maps
users in domains defined in $virtual_alias_domains are listed in $virtual_alias_maps
users in domains defined in $virtual_mailbox_domains are listed in $virtual_mailbox_maps

Additionally, wildcard rewrites in virtual_alias_maps or *canonical_maps will disable address validation. Don't use wildcard rewrites.

  -- Noel Jones
RE: ldap validate
Thanks, not using address rewrites.

I am not sure which question you are answering when you listed the following:

users in local domains defined in $mydestination are listed in local_recipient_maps
users in domains defined in $relay_domains are listed in relay_recipient_maps
users in domains defined in $virtual_alias_domains are listed in $virtual_alias_maps
users in domains defined in $virtual_mailbox_domains are listed in $virtual_mailbox_maps
Re: ldap validate
On 12/30/2015 11:56 AM, Gomes, Rich wrote:
> Thanks, not using address rewrites.
>
> I am not sure which question you are answering when you listed the following:
>
> users in local domains defined in $mydestination are listed in local_recipient_maps
> users in domains defined in $relay_domains are listed in relay_recipient_maps
> users in domains defined in $virtual_alias_domains are listed in $virtual_alias_maps
> users in domains defined in $virtual_mailbox_domains are listed in $virtual_mailbox_maps

So what address class is the domain you're trying to validate users in? Where is the domain defined in postfix?

  -- Noel Jones
RE: ldap validate
My postfix install is quite vanilla.
Other than inet_interfaces, and the ldap config, I changed the following:

Mydomain
Myorigin
Relayhost
Re: ldap validate
On 12/30/2015 12:35 PM, Gomes, Rich wrote:
> My postfix install is quite vanilla.
> Other than inet_interfaces, and the ldap config, I changed the following:
>
> Mydomain
> Myorigin
> Relayhost

Carefully study the following, especially the parts about "valid addresses."
http://www.postfix.org/ADDRESS_CLASS_README.html

If you need more help, please see:
http://www.postfix.org/DEBUG_README.html#mail

  -- Noel Jones
RE: ldap validate
I have read over the suggested documentation and I have some questions. But perhaps it would be good to break down my goals here first.
First by the postfix\relaying part, then by the validation.

Years ago I used qmail on the 'nix side but since then I have been using Sendmail, so some of this may be part of the expected learning curve.

I am trying to configure a relay that will accept mail from applications and send the mail either to Exchange or to the Internet.
In Sendmail I would do this by adding internal domains and their Exchange FrontEnd server in the mailertable file, and any domains not listed there would be handled by the SmartHost entry in sendmail.cf.
In Postfix I set up relay_domains and transport maps to handle the internal domains while the relay_host setting handles all other domains.

This is all working as expected.

Now for the LDAP validation part.
The server will not host any mailboxes since it is just a relay.
I don't want to use a local table for validation, I want it to query AD in real-time.
NOTE: If there is a way to cache these entries, great. If not, great.

If I set up the LDAP queries according to this article,
http://blog.yenlo.com/nl/using-postfix-ldap-search-against-active-directory
it works great at the postmap -vq johnpaulvanhelvo...@domain.nl ldap:/etc/postfix/ldap-aliases.cf part but does not validate while relaying mail.

Given my configuration, should I be using the virtual_mailbox_domain address class to enable the real-time validation?
Or can it be done using the relay_domains address class?

Thanks,
Rich
RE: ldap validate
Ok, I have LDAP working in stream although I still have a few bugs.

I found this article:
http://www.experts-exchange.com/questions/28251757/How-to-configure-LDAP-Authentication-for-Incoming-SMTP-Traffic.html

Basically I added these lines

virtual_mailbox_domains = example.com, example.org, example.net
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf

to where I already had

virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

and it worked.

Is there a way to have Postfix DROP the message if the recipient is invalid? As opposed to sending an NDR?

Thanks
Re: ldap validate
On 1/4/2016 12:47 PM, Gomes, Rich wrote:
> I have read over the suggested documentation and I have some questions. But
> perhaps it would be good to break down my goals here first.
> First by the postfix\relaying part, then by the validation.
>
> Years ago I used qmail on the 'nix side but since then I have been using
> Sendmail, so some of this may be part of the expected learning curve.
>
> I am trying to configure a relay that will accept mail from applications and
> send the mail either to Exchange or to the Internet.
> In Sendmail I would do this by adding internal domains and their Exchange
> FrontEnd server in the mailertable file, and any domains not listed there
> would be handled by the SmartHost entry in sendmail.cf.
> In Postfix I set up relay_domains and transport maps to handle the internal
> domains while the relay_host setting handles all other domains.
>
> This is all working as expected.

Yes, that's the correct way to configure relay_domains. And yes, that's the correct use of the relay domain class.
http://www.postfix.org/ADDRESS_CLASS_README.html#relay_domain_class

> Now for the LDAP validation part.
> The server will not host any mailboxes since it is just a relay.
> I don't want to use a local table for validation, I want it to query AD in
> real-time.
> NOTE: If there is a way to cache these entries, great. If not, great.
>
> If I set up the LDAP queries according to this article,
> http://blog.yenlo.com/nl/using-postfix-ldap-search-against-active-directory
> it works great at the postmap -vq johnpaulvanhelvo...@domain.nl
> ldap:/etc/postfix/ldap-aliases.cf part but does not validate while relaying
> mail.

The article you refer to doesn't use relay_domains. Some differences will be needed for your setup.

> Given my configuration, should I be using the virtual_mailbox_domain address
> class to enable the real-time validation?
> Or can it be done using the relay_domains address class?

Valid users for relay_domains are listed in relay_recipient_maps. That's where your ldap: map goes.
http://www.postfix.org/ADDRESS_CLASS_README.html#relay_domain_class

You're not using virtual_mailbox_domains, so it would not be appropriate to add your ldap: lookup there.

  -- Noel Jones
Re: ldap validate
On 1/4/2016 3:11 PM, Gomes, Rich wrote:
> Ok, I have LDAP working in stream although I still have a few bugs.
>
> I found this article:
>
> http://www.experts-exchange.com/questions/28251757/How-to-configure-LDAP-Authentication-for-Incoming-SMTP-Traffic.html
>
> Basically I added these lines
>
> virtual_mailbox_domains = example.com, example.org, example.net
> virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
>
> to where I already had
> virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
>
> and it worked.

That's correct if you're using virtual_mailbox_domains, but not for relay_domains.

> Is there a way to have Postfix DROP the message if the recipient is invalid?
> As opposed to sending an NDR?

Postfix will reject invalid recipients. Discarding invalid recipients is a terrible idea.

  -- Noel Jones
RE: ldap validate
So I should change the config to use relay domains instead of virtual mailbox?

The idea behind dropping invalid users is that this is by attrition: homegrown applications sending reports to people who haven't worked here in years.
Better to drop in those cases.

Again, this is an internal server and not receiving from the Internet, just receiving from applications.

Is dropping an option?
Re: ldap validate
On 1/4/2016 3:37 PM, Gomes, Rich wrote:
> So I should change the config to use relay domains instead of virtual mailbox?

You previously wrote that these domains were defined in relay_domains (which they should be). Don't define domains in more than one address class, i.e. not in more than one *_domains parameter.

List your internal Exchange domains in relay_domains, and list the valid recipients in relay_recipient_maps. Don't list the valid recipients anywhere else.

> The idea behind dropping invalid users is that this is by attrition:
> homegrown applications sending reports to people who haven't worked here in
> years.
> Better to drop in those cases.

You can assign specific bad users to the discard: transport.

# transport table
previousresid...@example.com    discard:

Or maybe better, use virtual_alias_maps to redirect the mail to the appropriate person.

  -- Noel Jones

> Again, this is an internal server and not receiving from the Internet, just
> receiving from applications.
>
> Is dropping an option?
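As an added illustration of Noel's two alternatives for a departed recipient (this is not configuration from the thread or from Postfix's documentation), the example below redirects one address to the person who now owns the job and sends another to the discard: transport. All addresses, host names and file paths are constructed placeholders. Because the ldap: lookup no longer finds these people in AD, the RCPT TO check would reject them before any transport or alias lookup happens, so they are also listed in a small hash: map that is consulted ahead of the LDAP map in relay_recipient_maps.

```ini
# /etc/postfix/main.cf (added example, relevant parameters only)
# Domains handed to Exchange stay in the relay class, nowhere else.
relay_domains = example.com
# The hash: map lists the few departed addresses we deliberately still accept;
# the ldap: map validates everyone who is currently in AD.
relay_recipient_maps = hash:/etc/postfix/relay_recipients, ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/relay_recipients   (run: postmap /etc/postfix/relay_recipients)
# previousresident@example.com    OK
# nightlyreport-old@example.com   OK

# /etc/postfix/virtual            (run: postmap /etc/postfix/virtual)
# Preferred: re-route the report to whoever owns that job now. The message is
# still delivered, just to the right person.
# previousresident@example.com    current.owner@example.com

# /etc/postfix/transport          (run: postmap /etc/postfix/transport)
# Last resort: silently drop mail for one specific address. Postfix looks up the
# full address before the domain, so this entry wins over the domain entry
# regardless of the order in the file. Only the mail log shows it happened.
# nightlyreport-old@example.com   discard:
# example.com                     smtp:[exchange-frontend.example.com]
```

After editing, run `postmap` on each hash file and `postfix reload`. The discard: entry is the part Noel calls a terrible idea in the general case: nothing tells the sending application its report is going nowhere, so keep the list short and review it, and prefer the virtual_alias_maps redirect wherever there is someone to receive the mail.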
RE: ldap validate
Does this imply an actual list\map?

"and list the valid recipients in relay_recipient_maps"

I am looking to do real-time LDAP lookups.

The only time I get it to work is when using virtual mailbox domains and maps.

Not sure what I am missing here.
Relaying is working great via relay domains and maps.
LDAP lookups, not so much with that same config.
Only with virtual mailbox domains.
Re: ldap validate
On 1/5/2016 1:22 PM, Gomes, Rich wrote:
> Does this imply an actual list\map?
>
> "and list the valid recipients in relay_recipient_maps"

relay_recipient_maps = ldap:/path/to/file

> I am looking to do real-time LDAP lookups.
>
> The only time I get it to work is when using virtual mailbox domains and maps.
>
> Not sure what I am missing here.
> Relaying is working great via relay domains and maps.
> LDAP lookups, not so much with that same config.
> Only with virtual mailbox domains.

You're using relay_domains and relay_recipient_maps. Don't use any of the virtual_mailbox_* parameters.

  -- Noel Jones
RE: ldap validate
Ok, my bad, that does work in fact.
I had shut off smtpd -v in master.cf so I was not seeing the full LDAP queries.

However it will only validate the default domain even though I have more than one domain listed in relay_domains.
Is it picking this from the mydomain setting in main.cf perhaps?
Or somewhere else?
Re: ldap validate
On 1/5/2016 1:50 PM, Gomes, Rich wrote:
> Ok, my bad, that does work in fact.
> I had shut off smtpd -v in master.cf so I was not seeing the full LDAP
> queries.
>
> However it will only validate the default domain even though I have more than
> one domain listed in relay_domains.
> Is it picking this from the mydomain setting in main.cf perhaps?
> Or somewhere else?

This is in your lookup map definition.

  -- Noel Jones
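Pulling Noel's answers together (internal domains in relay_domains, the ldap: map in relay_recipient_maps, and the list of validated domains living in the lookup map definition rather than in mydomain), here is an added example configuration. It is not from the thread, from the linked blog posts, or from Postfix's documentation. The host names, bind DN, search base and domain names are placeholders, and the filter on the AD proxyAddresses attribute is my assumption about how the directory is laid out.

```ini
# /etc/postfix/main.cf (added example, relevant parameters only)
# Internal Exchange domains belong to the relay class: list them here and nowhere else.
relay_domains = domain.nl, domain2.nl
# Anything not in relay_domains goes out to the Internet via the smarthost.
relayhost = [smarthost.example.net]
# Per-domain next hop for the relay domains (build with: postmap /etc/postfix/transport).
transport_maps = hash:/etc/postfix/transport
# Valid recipients for relay_domains are looked up in AD at RCPT TO time.
# An address the map does not return is rejected with
# "User unknown in relay recipient table"; smtpd_reject_unlisted_recipient
# defaults to yes, so no extra restriction is needed.
relay_recipient_maps = ldap:/etc/postfix/ldap-users.cf
# Do NOT also list the domains in virtual_mailbox_domains or the users in
# virtual_mailbox_maps: one address class per domain.

# /etc/postfix/transport
# domain.nl    smtp:[exchange-frontend.domain.nl]
# domain2.nl   smtp:[exchange-frontend.domain.nl]

# /etc/postfix/ldap-users.cf (placeholder servers, DN and password)
server_host = ldap://dc1.domain.nl ldap://dc2.domain.nl
version = 3
bind = yes
bind_dn = CN=postfix-lookup,OU=Service Accounts,DC=domain,DC=nl
bind_pw = PLACEHOLDER_PASSWORD
search_base = DC=domain,DC=nl
scope = sub
# This is the line Rich asked about: every relay domain must appear here.
# A domain missing from this list is never queried, so its recipients all
# look "unknown" even though relay_domains lists the domain.
domain = domain.nl, domain2.nl
# %s expands to the full recipient address. Matching on proxyAddresses accepts
# any of a recipient's addresses, not only the primary one. Deliberately not
# restricted to objectClass=user, so other mail-enabled objects that carry
# proxyAddresses (assumption: this covers mail-enabled public folders) match too.
query_filter = (proxyAddresses=smtp:%s)
result_attribute = mail
```

Before relying on it, check the map from the command line: `postmap -q someone@domain2.nl ldap:/etc/postfix/ldap-users.cf` should print the mail attribute, and the same query for a made-up address should print nothing and exit non-zero. That is Noel's earlier point that the query must return nothing for a non-existent address; a filter that matches too broadly (or a wildcard rewrite elsewhere) silently turns validation off. Keep bind_pw out of world-readable files, since the .cf file holds a directory credential.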
RE: ldap validate
It works! Thanks for all your help!

Just have to see if I can turf certain emails now.

I'll also need to see if I can filter the logs; smtpd -v gives way too much while without the -v gives way too little.
Re: ldap validate
On 1/5/2016 2:32 PM, Gomes, Rich wrote:
> I'll also need to see if I can filter the logs; smtpd -v gives way too much
> while without the -v gives way too little.

I can't remember the last time I needed verbose logging, even to debug a problem. What is missing from the normal logging that you need on a regular basis?

  -- Noel Jones
RE: ldap validate
It's not so much what is missing as that there is no in-between.
smtpd -v just gives so much per transaction. I usually set Sendmail at 18 and it shows less than the -v does.

I would like a way to see a successful map of email address to what is found during the LDAP query without all the additional info.
Somewhere between smtpd and smtpd -v would be about right.
RE: ldap validate
Is there additional configuration that needs to be done for mail-enabled Public Folders?
They all come back with:

Recipient address rejected: User unknown in relay recipient table

I haven't had any luck in googling this additional config.
Re: ldap validate
On Thu, Jan 07, 2016 at 10:31:49PM +, Gomes, Rich wrote:
> Is there additional configuration that needs to be done for mail-enabled
> Public Folders?
> They all come back with:
>
> Recipient address rejected: User unknown in relay recipient table

What does the LDAP data for a mail-enabled public folder look like? Does it have a "ProxyAddresses" attribute? What are the values of this or other email-related attributes?

  -- Viktor.