Re: local_recipient_maps with LDAP

  • Marco Rebsamen
    Message 1 of 19 , Aug 28, 2010
      Ok... I changed some things now...

      Since this mail system has the FQDN mx-rel.domain1.ch and is therefore set as mydestination, I have to make sure that messages addressed to domain1.ch are found in the local_recipient_maps. Right?

      /etc/postfix/main.cf
      local_recipient_maps = ldap:/etc/postfix/local_recipient_maps.cf unix:passwd.byname

      /etc/postfix/local_recipient_maps.cf
      bind_dn = user@...
      bind_pw = ******
      server_host = 192.168.8.254
      #Global Catalog port
      server_port = 3268
      search_base = DC=domain, DC=local
      query_filter = proxyAddresses=*%u@...*


      The other 2 domains are not local:

      /etc/postfix/main.cf
      virtual_alias_domains = domain2.ch domain3.ch
      virtual_alias_maps = ldap:/etc/postfix/virtual.cf

      /etc/postfix/virtual.cf
      bind_dn = user@...
      bind_pw = ******
      server_host = 192.168.8.254
      #Global Catalog port
      server_port = 3268
      search_base = DC=domain, DC=local
      query_filter = proxyAddresses=*%s*

      Is this right?? Guess not, since it doesn't work :-/

      -----Original Message-----
      From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
      Sent: Saturday, 28 August 2010 18:25
      To: Postfix Users
      Subject: Re: local_recipient_maps with LDAP

      * Marco Rebsamen <mrebsamen@...>:
      > I see....
      > If i got multiple domains, what do i do ?
      > Something like this ?
      > query_filter = (proxyAddresses=%u@%d)

      Only one domain can be your local domain. All other domains are virtual
      domains.

      Create two ldap query files.

      Local domain:
      query_filter = (proxyAddresses=%u@...)

      Virtual domains:
      query_filter = (proxyAddresses=%s)

      >
      > -----Original Message-----
      > From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
      > Sent: Saturday, 28 August 2010 17:56
      > To: postfix-users@...
      > Subject: Re: local_recipient_maps with LDAP
      >
      > * Marco Rebsamen <mrebsamen@...>:
      > > I want to have my local recipients checked against my Active Directory.
      > > So I have created the .cf file with the LDAP parameters:
      > >
      > > bind_dn = user@...
      > > bind_pw = ******
      > > server_host = 192.168.8.254
      > > #Global Catalog port
      > > server_port = 3268
      > > search_base = DC=domain, DC=local
      > > query_filter = proxyAddresses=*%s*
      > >
      > > and changed the main.cf file:
      > >
      > > local_recipient_maps = ldap:/etc/postfix/local_recipient_maps.cf
      > > unix:passwd.byname
      > >
      > > If i do this now:
      > > postmap -v -q 'user@...' ldap:/etc/postfix/local_recipient_maps.cf
      > >
      > > It tells me "Search found 1 match(es)". But If i try to deliver a
      > > message with the same address postfix tells me "User not known in local
      > > recipient maps"
      > >
      > > How can i figure out whats wrong ?
      >
      > %s is replaced by the input key, but you need to search for %u somewhat like
      > this:
      >
      > query_filter = (proxyAddresses=%u@...)
      >
      > Why? In context of local recipient maps the domain part is already known to
      > Postfix and it doesn't search for it. With local_recipient_maps Postfix only
      > looks for the localpart of an email address.
      >
      > p@rick
      >
      >
      > --
      > All technical questions asked privately will be automatically answered on the
      > list and archived for public access unless privacy is explicitly required and
      > justified.
      >
      > saslfinger (debugging SMTP AUTH):
      > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

      --
      state of mind
      Digitale Kommunikation

      http://www.state-of-mind.de

      Franziskanerstraße 15 Telefon +49 89 3090 4664
      81669 München Telefax +49 89 3090 4666

      Amtsgericht München Partnerschaftsregister PR 563
    • Patrick Ben Koetter
      Message 2 of 19 , Aug 29, 2010
        * Marco Rebsamen <mrebsamen@...>:
        > Ok... I changed some things now...
        >
        > Since this Mailsystem has the fqdn mx-rel.domain1.ch and therefore is set as
        > mydestination, I have to make sure that messages to addresses to domain1.ch
        > are found in the local_recipient_maps. Right ?

        No, but it makes things easier from a logical point of view to use the main
        domain as Postfix "local domain", because Postfix already considers itself
        part of that domain if the underlying OS was configured to be part of it.


        > /etc/postfix/main.cf
        > local_recipient_maps = ldap:/etc/postfix/local_recipient_maps.cf unix:passwd.byname
        >
        > /etc/postfix/local_recipient_maps.cf
        > bind_dn = user@...
        > bind_pw = ******
        > server_host = 192.168.8.254
        > #Global Catalog port
        > server_port = 3268
        > search_base = DC=domain, DC=local
        > query_filter = proxyAddresses=*%u@...*

        1. What are the asterisks in *%u@...* for?

        2. You query for something, but you don't tell what the query should return if
        the query turns up a result. Set $result_attribute and check with a postmap
        query if it works.

        > The other 2 domains are not local:
        >
        > /etc/postfix/main.cf
        > virtual_alias_domains = domain2.ch domain3.ch
        > virtual_alias_maps = ldap:/etc/postfix/virtual.cf
        >
        > /etc/postfix/virtual.cf
        > bind_dn = user@...
        > bind_pw = ******
        > server_host = 192.168.8.254
        > #Global Catalog port
        > server_port = 3268
        > search_base = DC=domain, DC=local
        > query_filter = proxyAddresses=*%s*

        Same as above.

        p@rick
        >
        > Is this right?? Guess not, since it doesn't work :-/
        >
        > -----Original Message-----
        > From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
        > Sent: Saturday, 28 August 2010 18:25
        > To: Postfix Users
        > Subject: Re: local_recipient_maps with LDAP
        >
        > * Marco Rebsamen <mrebsamen@...>:
        > > I see....
        > > If i got multiple domains, what do i do ?
        > > Something like this ?
        > > query_filter = (proxyAddresses=%u@%d)
        >
        > Only one domain can be your local domain. All other domains are virtual
        > domains.
        >
        > Create two ldap query files.
        >
        > Local domain:
        > query_filter = (proxyAddresses=%u@...)
        >
        > Virtual domains:
        > query_filter = (proxyAddresses=%s)
        >
        >
        >
        >
        >
        > >
        > > -----Original Message-----
        > > From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
        > > Sent: Saturday, 28 August 2010 17:56
        > > To: postfix-users@...
        > > Subject: Re: local_recipient_maps with LDAP
        > >
        > > * Marco Rebsamen <mrebsamen@...>:
        > > > I want to have my local recipients checked against my Active Directory.
        > > > So I have created the .cf file with the LDAP parameters:
        > > >
        > > > bind_dn = user@...
        > > > bind_pw = ******
        > > > server_host = 192.168.8.254
        > > > #Global Catalog port
        > > > server_port = 3268
        > > > search_base = DC=domain, DC=local
        > > > query_filter = proxyAddresses=*%s*
        > > >
        > > > and changed the main.cf file:
        > > >
        > > > local_recipient_maps = ldap:/etc/postfix/local_recipient_maps.cf
        > > > unix:passwd.byname
        > > >
        > > > If i do this now:
        > > > postmap -v -q 'user@...' ldap:/etc/postfix/local_recipient_maps.cf
        > > >
        > > > It tells me "Search found 1 match(es)". But If i try to deliver a
        > > > message with the same address postfix tells me "User not known in local
        > > > recipient maps"
        > > >
        > > > How can i figure out whats wrong ?
        > >
        > > %s is replaced by the input key, but you need to search for %u somewhat like
        > > this:
        > >
        > > query_filter = (proxyAddresses=%u@...)
        > >
        > > Why? In context of local recipient maps the domain part is already known to
        > > Postfix and it doesn't search for it. With local_recipient_maps Postfix only
        > > looks for the localpart of an email address.
        > >
        > > p@rick
      • Victor Duchovni
        Message 3 of 19 , Aug 30, 2010
          On Sun, Aug 29, 2010 at 01:20:39AM +0200, Marco Rebsamen wrote:

          > query_filter = proxyAddresses=*%u@...*

          DO NOT use wildcard "*" patterns to match recipients. The correct query
          is:

          query_filter = proxyAddresses=smtp:%u@...

          or, more typically:

          query_filter = proxyAddresses=smtp:%s

          Since AD will need to know all the proxyAddresses for a given user,
          there is generally no need to normalize the domain.

          --
          Viktor.
        • Patrick Ben Koetter
          Message 4 of 19 , Aug 30, 2010
            * Victor Duchovni <postfix-users@...>:
            > On Sun, Aug 29, 2010 at 01:20:39AM +0200, Marco Rebsamen wrote:
            >
            > > query_filter = proxyAddresses=*%u@...*
            >
            > DO NOT use wildcard "*" patterns to match recipients. The correct query
            > is:
            >
            > query_filter = proxyAddresses=smtp:%u@...
            >
            > or, more typically:
            >
            > query_filter = proxyAddresses=smtp:%s

            Is "smtp:%s" sufficient? IIRC the main mail address is noted as "SMTP:%s". A
            query that catches those too would be this:

            query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))

            p@rick

          • Patrick Ben Koetter
            Message 5 of 19 , Aug 30, 2010
              * Patrick Ben Koetter <p@...>:
              > Is "smtp:%s" sufficient? IIRC the main mail address is noted as "SMTP:%s". A
              > query that catches those too would be this:
              >
              > query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))

              On second thought...

              A query that matches all aliases goes like this:

              query_filter = proxyAddresses=smtp:%s

              A query filter that matches final recipients:

              query_filter = proxyAddresses=SMTP:%s

              To limit the query to local domain addresses only, add the domain part:

              query_filter = proxyAddresses=smtp:%s@...

              p@rick

            • Victor Duchovni
              Message 6 of 19 , Aug 30, 2010
                On Mon, Aug 30, 2010 at 04:39:46PM +0200, Patrick Ben Koetter wrote:

                > * Victor Duchovni <postfix-users@...>:
                > > On Sun, Aug 29, 2010 at 01:20:39AM +0200, Marco Rebsamen wrote:
                > >
                > > > query_filter = proxyAddresses=*%u@...*
                > >
                > > DO NOT use wildcard "*" patterns to match recipients. The correct query
                > > is:
                > >
                > > query_filter = proxyAddresses=smtp:%u@...
                > >
                > > or, more typically:
                > >
                > > query_filter = proxyAddresses=smtp:%s
                >
                > Is "smtp:%s" sufficient? IIRC the main mail address is noted as "SMTP:%s". A
                > query that catches those too would be this:

                The proxyAddresses field is matched case-insensitively. No fancy gymnastics
                required:

                > query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))

                The first string matches both.

                --
                Viktor.
              • Victor Duchovni
                Message 7 of 19 , Aug 30, 2010
                  On Mon, Aug 30, 2010 at 04:45:39PM +0200, Patrick Ben Koetter wrote:

                  > * Patrick Ben Koetter <p@...>:
                  > > Is "smtp:%s" sufficient? IIRC the main mail address is noted as "SMTP:%s". A
                  > > query that catches those too would be this:
                  > >
                  > > query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))
                  >
                  > On second thought...
                  >
                  > A query that matches all aliases goes like this:
                  >
                  > query_filter = proxyAddresses=smtp:%s
                  >
                  > A query filter that matches final recipients:
                  >
                  > query_filter = proxyAddresses=SMTP:%s

                  This is wrong. Both queries find the same results.

                  --
                  Viktor.
                • Patrick Ben Koetter
                  Message 8 of 19 , Aug 30, 2010
                    * Victor Duchovni <postfix-users@...>:
                    > > Is "smtp:%s" sufficient? IIRC the main mail address is noted as "SMTP:%s". A
                    > > query that catches those too would be this:
                    >
                    > The proxyAddresses field is matched case-insensitively. No fancy gymnastics
                    > required:
                    >
                    > > query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))
                    >
                    > The first string matches both.

                    Case-insensitive because the matching rule for proxyAddresses is
                    case-insensitive?

                    p@rick

                  • Victor Duchovni
                    Message 9 of 19 , Aug 30, 2010
                      On Mon, Aug 30, 2010 at 04:58:48PM +0200, Patrick Ben Koetter wrote:

                      > * Victor Duchovni <postfix-users@...>:
                      > > > Is "smtp:%s" sufficient? IIRC the main mail address is noted as "SMTP:%s". A
                      > > > query that catches those too would be this:
                      > >
                      > > The proxyAddresses field is matched case-insensitively. No fancy gymnastics
                      > > required:
                      > >
                      > > > query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))
                      > >
                      > > The first string matches both.
                      >
                      > Case-insensitive because the matching rule for proxyAddresses is
                      > case-insensitive?

                      Yes, naturally. The case of the "smtp" prefix only matters when it
                      is used as a result value, not when it is a lookup key.

                      --
                      Viktor.
                    • Marco Rebsamen
                      Message 10 of 19 , Aug 30, 2010
                        Ok, I'm really confused about that LDAP lookup stuff :-/
                        What I want to do is to check if an address to which a message is addressed really exists.

                        I'm currently using this script for local recipient checks:

                        bind_dn = jm@...
                        bind_pw = ****
                        server_host = 192.168.8.254

                        #Global Catalog port
                        server_port = 3268

                        search_base = DC=hive, DC=loc
                        query_filter = proxyAddresses=smtp:*%u@...
                        result_attribute = proxyAddresses

                        the result is the complete list of all addresses a user has. But I'm not sure if this is right. I delivered a test message by hand through telnet and somehow it got delivered to any address in the result even in the system. So I guess I really missed something... :-/


                        -----Original Message-----
                        From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Victor Duchovni
                        Sent: Monday, 30 August 2010 17:17
                        To: postfix-users@...
                        Subject: Re: local_recipient_maps with LDAP

                        On Mon, Aug 30, 2010 at 04:58:48PM +0200, Patrick Ben Koetter wrote:

                        > * Victor Duchovni <postfix-users@...>:
                        > > > Is "smtp:%s" sufficient? IIRC the main mail address is noted as "SMTP:%s". A
                        > > > query that catches those too would be this:
                        > >
                        > > The proxyAddresses field is matched case-insensitively. No fancy gymnastics
                        > > required:
                        > >
                        > > > query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))
                        > >
                        > > The first string matches both.
                        >
                        > Case-insensitive because the matching rule for proxyAddresses is
                        > case-insensitive?

                        Yes, naturally. The case of the "smtp" prefix only matters when it
                        is used as a result value, not when it is a lookup key.

                        --
                        Viktor.
                      • Victor Duchovni
                        Message 11 of 19 , Aug 30, 2010
                          On Mon, Aug 30, 2010 at 08:50:33PM +0200, Marco Rebsamen wrote:

                          >
                          > Ok, I'm really confused about that LDAP lookup stuff :-/
                          > What I want to do is to check if an address to which a message is addressed really exists.
                          >
                          > I'm currently using this script for local recipient checks:
                          >
                          > bind_dn = jm@...
                          > bind_pw = ****
                          > server_host = 192.168.8.254
                          >
                          > #Global Catalog port
                          > server_port = 3268
                          >
                          > search_base = DC=hive, DC=loc
                          > query_filter = proxyAddresses=smtp:*%u@...
                          > result_attribute = proxyAddresses

                          What is that pesky "*" doing in your query filter!!!

                          Why is "proxyAddresses" the right result attribute? I would use "mail".

                          Report problems accurately with supporting "postconf -n" output,
                          table definitions AND logs!

                          --
                          Viktor.
                        • Marco Rebsamen
                          Message 12 of 19 , Aug 30, 2010
                            -----Original Message-----
                            From: Victor Duchovni [mailto:Victor.Duchovni@...]
                            Sent: Monday, 30 August 2010 21:18
                            To: Marco Rebsamen
                            Cc: postfix-users@...
                            Subject: Re: local_recipient_maps with LDAP

                            > On Mon, Aug 30, 2010 at 08:50:33PM +0200, Marco Rebsamen wrote:
                            >
                            > >
                            > > Ok, I'm really confused about that LDAP lookup stuff :-/
                            > > What I want to do is to check if an address to which a message is addressed really exists.
                            > >
                            > > I'm currently using this script for local recipient checks:
                            > >
                            > > bind_dn = jm@...
                            > > bind_pw = ****
                            > > server_host = 192.168.8.254
                            > >
                            > > #Global Catalog port
                            > > server_port = 3268
                            > >
                            > > search_base = DC=hive, DC=loc
                            > > query_filter = proxyAddresses=smtp:*%u@...
                            > > result_attribute = proxyAddresses
                            >
                            > What is that pesky "*" doing in your query filter!!!

                            It's a damn wildcard! I thought I would need it because when I tried to find the right parameters for this LDAP request I could not find anything until I used this star!

                            > Why is "proxyAddresses" the right result attribute? I would use "mail".

                            I don't know?! Is it not?! From where should I know that?! Why do I need an email address as return anyway?! I would say the address is already written in the message? It makes no sense to me to return an email address.... Maybe I just don't understand the whole thing and someone should tell me what I should do?!

                            > Report problems accurately with supporting "postconf -n" output,
                            > table definitions AND logs!

                            ...same as above

                            > --
                            > Viktor.
                          • Victor Duchovni
                            Message 13 of 19 , Aug 30, 2010
                              On Mon, Aug 30, 2010 at 09:46:26PM +0200, Marco Rebsamen wrote:

                              > > > search_base = DC=hive, DC=loc
                              > > > query_filter = proxyAddresses=smtp:*%u@...
                              > > > result_attribute = proxyAddresses
                              > >
                              > > What is that pesky "*" doing in your query filter!!!
                              >
                              > It's a damn wildcard! I thought I would need it because when I tried
                              > to find the right parameters for this LDAP request I could not find
                              > anything until I used this star!

                              Get rid of it. With the "smtp:" prefix properly set to match the actual
                              data in Microsoft's AD, you no longer need the "*" and using it lowers
                              performance and creates backscatter when you accept invalid names that
                              are prefixes of valid names.

                              > > Why is "proxyAddresses" the right result attribute? I would use "mail".
                              >
                              > I don't know ?! Is it not ?! from where should I know that ?!

                              By understanding what you are doing... :-(

                              > Why do I need an email address as return anyway ?!

                              You need some non-empty attribute as a result, ideally a single-valued
                              one that keeps the result-set small. Using "mail" makes sense.

                              --
                              Viktor.
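The lookups argued over in messages 1 through 13, as an added example that is not part of the original posts or of Postfix itself: a small Python simulation of how Postfix expands %s, %u and %d in a query_filter (the substitution and quoting rules of ldap_table(5)) and how a directory would then match the resulting filter against proxyAddresses. The DIRECTORY entries are constructed, the filter syntax is deliberately limited to one attr=value assertion, and case-insensitive matching of proxyAddresses is taken from Viktor's answer above rather than verified against a real AD. It reproduces the points made in the thread: a `%u@domain` filter works for a bare local part while `%u@%d` yields nothing for one, a wildcard filter accepts a name like `ice` because it is a substring of `alice` (the backscatter case), a `*` typed into the lookup key is quoted away so it cannot become a wildcard, and `mail` returns one value per match where `proxyAddresses` returns the user's whole address list.

```python
"""Simulation of Postfix ldap_table(5) query_filter expansion and LDAP
matching against a constructed Active Directory sample (not real data)."""
import re

# Constructed stand-in for the AD global catalog. Upper-case "SMTP:" marks
# the primary address, lower-case "smtp:" an alias, as discussed in the thread.
DIRECTORY = [
    {"mail": "alice@domain1.ch",
     "proxyAddresses": ["SMTP:alice@domain1.ch", "smtp:alice@domain2.ch"]},
    {"mail": "bob@domain1.ch",
     "proxyAddresses": ["SMTP:bob@domain1.ch", "smtp:robert@domain3.ch"]},
]


def rfc4515_escape(text):
    """Quote filter metacharacters the way Postfix quotes %s/%u/%d, so a
    lookup key such as 'a*@domain1.ch' cannot turn into a wildcard search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in text)


def expand_filter(template, key):
    """Expand %s, %u, %d and %% as described in ldap_table(5).

    %s: the whole key; %u: the local part, or the whole key if it has no '@';
    %d: the domain part. With no '@' in the key a filter using %d is
    suppressed (returns None here), which is why 'smtp:%u@%d' finds nothing
    when Postfix hands the table a bare local part."""
    if "@" in key:
        user, domain = key.rsplit("@", 1)
    else:
        user, domain = key, None
    if "%d" in template and domain is None:
        return None

    def sub(match):
        code = match.group(1)
        if code == "s":
            return rfc4515_escape(key)
        if code == "u":
            return rfc4515_escape(user)
        if code == "d":
            return rfc4515_escape(domain)
        return "%"

    return re.sub(r"%([sud%])", sub, template)


def _unescape(piece):
    """Turn \\2a-style quoting back into the literal character."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)


def value_matches(pattern, value):
    """Match one assertion value against one attribute value.

    An unquoted '*' is an LDAP substring wildcard; the comparison is
    case-insensitive, as the thread states for proxyAddresses."""
    pieces = [_unescape(p).lower() for p in pattern.split("*")]
    value = value.lower()
    if len(pieces) == 1:          # plain equality, no wildcard
        return value == pieces[0]
    head, tail = pieces[0], pieces[-1]
    if len(value) < len(head) + len(tail):
        return False
    if not value.startswith(head) or not value.endswith(tail):
        return False
    pos, end = len(head), len(value) - len(tail)
    for mid in pieces[1:-1]:      # inner fragments must appear in order
        found = value.find(mid, pos, end)
        if found < 0:
            return False
        pos = found + len(mid)
    return True


def lookup(query_filter, key, result_attribute="mail"):
    """Expand the filter for `key`, run it over DIRECTORY and return the
    result_attribute values, i.e. what Postfix would get back."""
    expanded = expand_filter(query_filter, key)
    if expanded is None:
        return []
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=(.*?)\)?", expanded)
    if not m:
        raise ValueError("only a single attr=value assertion is simulated")
    attr, pattern = m.groups()
    hits = []
    for entry in DIRECTORY:
        values = entry.get(attr, [])
        values = [values] if isinstance(values, str) else values
        if any(value_matches(pattern, v) for v in values):
            result = entry[result_attribute]
            hits.extend(result if isinstance(result, list) else [result])
    return hits


if __name__ == "__main__":
    print(lookup("proxyAddresses=smtp:%u@domain1.ch", "alice"))    # one match
    print(lookup("proxyAddresses=*%u@domain1.ch*", "ice"))        # wildcard false positive
    print(lookup("proxyAddresses=smtp:%s", "ice@domain1.ch"))     # exact filter: none
```

The wildcard case is the one to keep in mind when reviewing such a table: with `*%u@domain1.ch*`, a RCPT TO for a non-existent `ice@domain1.ch` is accepted because the pattern is found inside `smtp:alice@domain1.ch`, and the eventual delivery failure turns into a bounce to the (often forged) sender.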
                            • Marco Rebsamen
                              Message 14 of 19 , Aug 31, 2010
                                Ok, I removed that * now from the request and used "mail" as result_attribute. This works now for the local domain but not for the others.
                                I added all the non-local domains to the parameter virtual_alias_domains and set virtual_alias_maps to ldap:/etc/postfix/virtual.cf
                                I tested it with postmap -q and it worked. But if I send a message to that domain I get the message back: User unknown in virtual alias table

                                As you wished...

                                postconf -n:
                                alias_maps = hash:/etc/aliases
                                biff = no
                                canonical_maps = hash:/etc/postfix/canonical
                                command_directory = /usr/sbin
                                config_directory = /etc/postfix
                                content_filter =
                                daemon_directory = /usr/lib/postfix
                                data_directory = /var/lib/postfix
                                debug_peer_level = 2
                                debug_peer_list = 192.168.8.111
                                defer_transports =
                                delay_warning_time = 1h
                                disable_dns_lookups = no
                                disable_mime_output_conversion = no
                                header_checks = regexp:/etc/postfix/header_checks
                                html_directory = /usr/share/doc/packages/postfix-doc/html
                                inet_protocols = all
                                local_recipient_maps = ldap:/etc/postfix/local_recipient_maps.cf unix:passwd.byname
                                mail_owner = postfix
                                mail_spool_directory = /var/mail
                                mailbox_command =
                                mailbox_size_limit = 0
                                mailbox_transport = cyrus
                                mailq_path = /usr/bin/mailq
                                manpage_directory = /usr/share/man
                                masquerade_classes = envelope_sender, header_sender, header_recipient
                                masquerade_domains =
                                masquerade_exceptions = root
                                message_size_limit = 0
                                message_strip_characters = \0
                                mydestination = $myhostname, localhost, $mydomain
                                myhostname = mx-rel.unimatrix0.ch
                                mynetworks = 192.168.8.0/24, 127.0.0.0/8
                                newaliases_path = /usr/bin/newaliases
                                queue_directory = /var/spool/postfix
                                readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
                                relay_domains = $mydestination, hash:/etc/postfix/relay
                                relayhost = smtp.hispeed.ch
                                relocated_maps = hash:/etc/postfix/relocated
                                sample_directory = /usr/share/doc/packages/postfix-doc/samples
                                sender_canonical_maps = hash:/etc/postfix/sender_canonical
                                sendmail_path = /usr/sbin/sendmail
                                setgid_group = maildrop
                                smtp_enforce_tls = no
                                smtp_sasl_auth_enable = yes
                                smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                                smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
                                smtp_tls_session_cache_timeout = 3600s
                                smtp_use_tls = yes
                                smtpd_client_restrictions =
                                smtpd_helo_required = no
                                smtpd_helo_restrictions =
                                smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
                                smtpd_sasl_auth_enable = no
                                smtpd_sender_restrictions = hash:/etc/postfix/access
                                smtpd_use_tls = no
                                strict_8bitmime = no
                                strict_rfc821_envelopes = no
                                transport_maps = hash:/etc/postfix/transport
                                unknown_local_recipient_reject_code = 550
                                virtual_alias_domains = sinus-elektro.ch spinsch.ch
                                virtual_alias_maps = ldap:/etc/postfix/virtual.cf




                                And the content of virtual.cf

                                bind_dn = jm@...
                                bind_pw = *****
                                server_host = 192.168.8.254

                                #Global Catalog port
                                server_port = 3268

                                search_base = DC=hive, DC=loc
                                query_filter = proxyAddresses=smtp:%s
                                result_attribute = mail



-----Original Message-----
From: owner-postfix-users@... [mailto:owner-postfix-users@...] On behalf of Victor Duchovni
Sent: Monday, 30 August 2010 21:54
To: postfix-users@...
Subject: Re: local_recipient_maps with LDAP

                                On Mon, Aug 30, 2010 at 09:46:26PM +0200, Marco Rebsamen wrote:

                                > > > search_base = DC=hive, DC=loc
                                > > > query_filter = proxyAddresses=smtp:*%u@...
                                > > > result_attribute = proxyAddresses
                                > >
                                > > What is that pesky "*" doing in your query filter!!!
                                >
                                > It's a damn wildcard! I thought I would need it because when I tried
                                > to find the right parameters for this LDAP request I could not find find
                                > anything until I used this star!

                                Get rid of it. With the "smtp:" prefix properly set to match the actual
                                data in Microsoft's AD, you no longer need the "*" and using it lowers
                                performance and creates backscatter when you accept invalid names that
                                are prefixes of valid names.

                                > > Why is "proxyAddresses" the right result attribute. I would use "mail".
                                >
                                > I don't know ?! Is it not ?! from where should I know that ?!

                                By understanding what you are doing... :-(

                                > Why do I need an email address as return anyway ?!

                                You need some non-empty attribute as a result, ideally a single-valued
                                one that keeps the result-set small. Using "mail" makes sense.

                                --
                                Viktor.
                              • Victor Duchovni
                                Message 15 of 19 , Aug 31, 2010
                                  On Tue, Aug 31, 2010 at 04:05:57PM +0200, Marco Rebsamen wrote:

                                  > Ok I removed that * now from the request an used "mail" as
                                  > result_attribute. This works now for the local domain ...

                                  Good.

                                  > I added all the non-local domains to the parameter virtual_alias_domains
                                  > and set virtual_alias_maps to ldap:/etc/postfix/virtual.cf

Do you understand what virtual alias domains are for?

                                  > I tested it with postmap -q and it worked.

                                  What does "worked" mean?

                                  > But if I send a message to that domain I get the message back:
                                  > User unknown in virtual alias table

                                  That means that the recipient address did NOT get rewritten into
                                  a real (not virtual alias) domain.

                                  > message_size_limit = 0

                                  Generally unwise.

                                  > mydestination = $myhostname, localhost, $mydomain
                                  > myhostname = mx-rel.unimatrix0.ch
                                  > relay_domains = $mydestination, hash:/etc/postfix/relay
                                  > relayhost = smtp.hispeed.ch


                                  > sender_canonical_maps = hash:/etc/postfix/sender_canonical

                                  Generally unwise to use sender_canonical_maps. Use smtp_generic_maps
                                  instead to rewrite outbound email.

                                  > smtp_enforce_tls = no

                                  Obsolete.

                                  > smtp_use_tls = yes
                                  > smtpd_use_tls = no

                                  Obsolete, use

                                  smtp_tls_security_level = may
                                  smtpd_tls_security_level = none

                                  > transport_maps = hash:/etc/postfix/transport
                                  > virtual_alias_domains = sinus-elektro.ch spinsch.ch
                                  > virtual_alias_maps = ldap:/etc/postfix/virtual.cf

                                  These domains can't host real recipients, all recipients
                                  must be rewritten to a real domain.

                                  > And the content of virtual.cf
                                  >
                                  > search_base = DC=hive, DC=loc
                                  > query_filter = proxyAddresses=smtp:%s
                                  > result_attribute = mail

                                  Probably "mail" is the original address in most cases. Where is
                                  such mail routed? If to another server, these are "relay" domains,
                                  not virtual alias domains, unless you rewrite the address in transit...

                                  --
                                  Viktor.
                                • Marco Rebsamen
                                  Message 16 of 19 , Aug 31, 2010
>> I added all the non-local domains to the parameter virtual_alias_domains
>> and set virtual_alias_maps to ldap:/etc/postfix/virtual.cf
> Do you understand what virtual alias domains are for?

                                    I thought I would...

                                    >> I tested it with postmap -q and it worked.
                                    > What does "worked" mean?

                                    I got the same address back as I searched for...

                                    >> But if I send a message to that domain I get the message back:
                                    >> User unknown in virtual alias table
                                    >
                                    > That means that the recipient address did NOT get rewritten into
                                    > a real (not virtual alias) domain.
                                    >
                                    >> message_size_limit = 0
                                    > Generally unwise.
                                    >
                                    >> mydestination = $myhostname, localhost, $mydomain
                                    >> myhostname = mx-rel.unimatrix0.ch
                                    >> relay_domains = $mydestination, hash:/etc/postfix/relay
                                    >> relayhost = smtp.hispeed.ch
                                    >
                                    >
                                    >> sender_canonical_maps = hash:/etc/postfix/sender_canonical
                                    > Generally unwise to use sender_canonical_maps. Use smtp_generic_maps
                                    > instead to rewrite outbound email.
                                    >
                                    >> smtp_enforce_tls = no
                                    > Obsolete.
                                    >
                                    >> smtp_use_tls = yes
                                    >> smtpd_use_tls = no
                                    > Obsolete, use
                                    > smtp_tls_security_level = may
                                    > smtpd_tls_security_level = none

                                    Well... I thought that the guys from opensuse did a good job with the
                                    out of the box settings.
                                    Obviously they didn't...

                                    >> transport_maps = hash:/etc/postfix/transport
                                    >> virtual_alias_domains = sinus-elektro.ch spinsch.ch
                                    >> virtual_alias_maps = ldap:/etc/postfix/virtual.cf
                                    >
                                    > These domains can't host real recipients, all recipients
                                    > must be rewritten to a real domain.
                                    >
                                    > And the content of virtual.cf
                                    >
                                    > search_base = DC=hive, DC=loc
                                    > query_filter = proxyAddresses=smtp:%s
                                    > result_attribute = mail
                                    >
                                    > Probably "mail" is the original address in most cases. Where is
                                    > such mail routed? If to another server, these are "relay" domains,
                                    > not virtual alias domains, unless you rewrite the address in
                                    transit...

The messages should be forwarded to the MS Exchange Server from which I
request the LDAP information.
I had this working on an older system. What I did there was adding the
domains "sinus-elektro.ch" and "spinsch.ch" to "relay_domains"
and then I had a perl-script which updated the "local_recipient_maps"
table. If I now add these domains to relay_domains, postfix just delivers
every message to one of these domains to the exchange without checking
if the address really exists...

                                    > --
                                    > Viktor.
                                  • Victor Duchovni
                                    Message 17 of 19 , Aug 31, 2010
                                      On Tue, Aug 31, 2010 at 08:07:52PM +0200, Marco Rebsamen wrote:

                                      > > Probably "mail" is the original address in most cases. Where is
                                      > > such mail routed? If to another server, these are "relay" domains,
                                      > > not virtual alias domains, unless you rewrite the address in transit...
                                      >
                                      > The Messages should be forwarded to the MS Exchange Server from which I
                                      > request the LDAP information.

                                      Then these are relay domains not virtual alias domains, unless you
                                      rewrite the address to an internal domain specific to Exchange in transit.

                                      > I had this working on an older system. What I did there was, adding the
                                      > domains "sinus-elektro.ch" and "spinsch.ch" to "relay_domains"

                                      Which was the right thing to do.

> and then I had a perl-script which updated the "local_recipient_maps"
> table.

                                      Which is the wrong thing to do, since for relay domains, the validation
                                      table is "relay_recipient_maps" not "local_recipient_maps". You can use
                                      LDAP and skip the need to generate flat file tables, unless you want
                                      to protect AD from the query load...

> If I now add these domains to relay_domains, postfix just delivers
> every message to one of these domains to the exchange without checking
> if the address really exists...

                                      Because you are not setting relay_recipient_maps.

                                      http://www.postfix.org/ADDRESS_CLASS_README.html

                                      --
                                      Viktor.
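Two points in this thread are easy to misread without seeing a lookup happen: why the "*" in the query filter (message 14 above) accepts addresses that do not exist, and why relay domains need relay_recipient_maps rather than local_recipient_maps (the message just above). The following is an added example, not code from the thread or from Postfix: a small Python simulator of a Postfix ldap: table as described in ldap_table(5). The table text (server_host, search_base, domain, query_filter, result_attribute) uses real ldap_table(5) parameter names; the directory entries are constructed sample data, not the poster's AD; the LDAP "server" supports only a single attr=value (sub)string filter and matches case-insensitively, which is how AD compares proxyAddresses and is an assumption here. The RFC 4515 escaping of %s/%u/%d expansions mirrors what Postfix does, so a "*" or "(" inside a recipient address cannot alter the filter; only the administrator's own literal wildcard does.

```python
"""Simulate a Postfix ldap: lookup table (ldap_table(5)) resolving recipients.

Added example for the relay_recipient_maps discussion; the directory below is
constructed sample data and the LDAP matcher is a deliberately tiny subset.
"""
import re

# Constructed: a table file as it would be referenced from
#   relay_domains        = sinus-elektro.ch, spinsch.ch
#   relay_recipient_maps = ldap:/etc/postfix/relay_recipient_maps.cf
EXACT_TABLE = """\
server_host = 192.168.8.254
server_port = 3268
search_base = DC=hive, DC=loc
domain = sinus-elektro.ch, spinsch.ch
query_filter = proxyAddresses=smtp:%s
result_attribute = mail
"""

# The same table with the wildcard filter from earlier in the thread.
WILDCARD_TABLE = EXACT_TABLE.replace("smtp:%s", "smtp:*%u@%d")

# Constructed AD-like entries (attribute values are lists, as in LDAP).
DIRECTORY = [
    {"mail": ["jimbob@sinus-elektro.ch"],
     "proxyAddresses": ["SMTP:jimbob@sinus-elektro.ch",
                        "smtp:jb@sinus-elektro.ch"]},
    {"mail": ["anna@spinsch.ch"],
     "proxyAddresses": ["SMTP:anna@spinsch.ch"]},
]


def parse_table(text):
    """Parse the 'key = value' lines of a Postfix ldap table file."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # split on the FIRST '=' only
        params[key.strip()] = value.strip()
    return params


def ldap_escape(value):
    """RFC 4515 escaping Postfix applies to %s/%u/%d: the recipient address
    can never smuggle a wildcard or parenthesis into the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def expand_filter(template, address):
    """Expand %s (whole address), %u (local part) and %d (domain)."""
    user, _, domain = address.partition("@")
    return (template.replace("%s", ldap_escape(address))
                    .replace("%u", ldap_escape(user))
                    .replace("%d", ldap_escape(domain)))


def filter_to_regex(value):
    """Unescaped '*' is a substring wildcard; '\\xx' is a literal byte."""
    pieces = []
    for piece in value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile(".*".join(pieces), re.IGNORECASE)   # AD: case-insensitive


def ldap_search(directory, ldap_filter):
    """Tiny LDAP subset: one 'attr=value' equality/substring filter."""
    attr, _, value = ldap_filter.partition("=")
    rx = filter_to_regex(value)
    return [e for e in directory if any(rx.fullmatch(v) for v in e.get(attr, []))]


def lookup(table_text, directory, address):
    """Return what Postfix would get from this table for 'address', or None."""
    t = parse_table(table_text)
    domains = [d.strip().lower() for d in t.get("domain", "").split(",") if d.strip()]
    if domains and address.rpartition("@")[2].lower() not in domains:
        return None   # ldap_table(5) 'domain': no query at all for other domains
    entries = ldap_search(directory, expand_filter(t["query_filter"], address))
    results = [v for e in entries for v in e.get(t["result_attribute"], [])]
    return ", ".join(results) if results else None


def relay_decision(table_text, address):
    """With the domain in relay_domains: a hit is relayed to Exchange,
    a miss is rejected at SMTP time (unknown_relay_recipient_reject_code)."""
    return "relay" if lookup(table_text, DIRECTORY, address) else "550 reject"


if __name__ == "__main__":
    for addr in ("jimbob@sinus-elektro.ch", "jb@sinus-elektro.ch",
                 "bob@sinus-elektro.ch", "*@sinus-elektro.ch"):
        print(f"{addr:28} exact={relay_decision(EXACT_TABLE, addr):10} "
              f"wildcard={relay_decision(WILDCARD_TABLE, addr)}")
```

Running it shows the difference the thread is about: with the exact `smtp:%s` filter, `bob@sinus-elektro.ch` is rejected at RCPT TO because no entry carries that proxy address, while with `smtp:*%u@%d` the same address matches `jimbob@` and is relayed, and Exchange then generates the bounce (the backscatter Victor mentions). The injected `*@sinus-elektro.ch` is rejected under both tables because the expansion is escaped. Without relay_recipient_maps there is no lookup at all and every address in the relay domain is forwarded.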
                                    • Marco Rebsamen
                                      Message 18 of 19 , Aug 31, 2010
Hm, looks like some things changed since I set up the last system. I mean, why did it work before?
I guess I'll buy the newest version of Peer Heinlein's book :-P
                                        Anyway, it works now the way I wanted it.

                                        Thank you for your patience.

-----Original Message-----
From: owner-postfix-users@... [mailto:owner-postfix-users@...] On behalf of Victor Duchovni
Sent: Tuesday, 31 August 2010 21:29
To: postfix-users@...
Subject: Re: local_recipient_maps with LDAP

                                        On Tue, Aug 31, 2010 at 08:07:52PM +0200, Marco Rebsamen wrote:

                                        > > Probably "mail" is the original address in most cases. Where is
                                        > > such mail routed? If to another server, these are "relay" domains,
                                        > > not virtual alias domains, unless you rewrite the address in transit...
                                        >
                                        > The Messages should be forwarded to the MS Exchange Server from which I
                                        > request the LDAP information.

                                        Then these are relay domains not virtual alias domains, unless you
                                        rewrite the address to an internal domain specific to Exchange in transit.

                                        > I had this working on an older system. What I did there was, adding the
                                        > domains "sinus-elektro.ch" and "spinsch.ch" to "relay_domains"

                                        Which was the right thing to do.

> and then I had a perl-script which updated the "local_recipient_maps"
> table.

                                        Which is the wrong thing to do, since for relay domains, the validation
                                        table is "relay_recipient_maps" not "local_recipient_maps". You can use
                                        LDAP and skip the need to generate flat file tables, unless you want
                                        to protect AD from the query load...

> If I now add these domains to relay_domains, postfix just delivers
> every message to one of these domains to the exchange without checking
> if the address really exists...

                                        Because you are not setting relay_recipient_maps.

                                        http://www.postfix.org/ADDRESS_CLASS_README.html

                                        --
                                        Viktor.
                                      • Victor Duchovni
                                        Message 19 of 19 , Sep 1, 2010
                                          On Tue, Aug 31, 2010 at 10:48:45PM +0200, Marco Rebsamen wrote:

                                          > Hm, looks like some things changed since I set up the last system. I
                                          > mean why did it work before ?

                                          You changed your configuration. The treatment of relay_domains and
                                          virtual_alias_domains has not changed since Postfix 2.0.

                                          --
                                          Viktor.