Re: Problem with relay_domains lookups

  • Noel Jones
    Message 1 of 6 , Feb 20, 2013
      On 2/20/2013 11:36 AM, Geoff Shang wrote:
      > Hi,
      >
      > Sorry for having to obscure stuff in the below, but I have to.
      >
      > I'm setting up an MX for our new customer mail setup. I'm having a
      > problem where relay_domains are not being looked up in LDAP as they
      > should.
      >
      > We have a bunch of test users in LDAP under the domain example.com,
      > for testing.
      >
      > The relay parameters are as follows:
      >
      > relay_domains = proxy:ldap:/etc/postfix/ldap-domains.cf <ourdomain>.com
      > relay_recipient_maps =
      > proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf
      > proxy:ldap:/etc/postfix/ldap-users.cf
      > relay_transport = relay:[<mailscanner.ourdomain>.net]
      >
      > I have to specify <ourdomain>.com specifically in the relay_domains,
      > as <ourdomain>.com isn't yet listed in LDAP. It will be.
      >
      > The relay_recipient_maps funkiness is because we will have both
      > corporate mail and customer mail on the same domain, at least for a
      > time (don't get me started on what a good idea that was).
      >
      > If I try a lookup of test000001@... against our
      > recipient_domains LDAP configuration file, it works:
      >
      > $ postmap -q test000001@... ldap:/etc/postfix/ldap-domains.cf
      > example.com

      Postfix uses the domain as the lookup key, not the whole address.
      Test with:

      $ postmap -q example.com ldap:/etc/postfix/ldap-domains.cf

      http://www.postfix.org/postconf.5.html#relay_domains
      ... a "type:table" lookup table is matched when a (parent) domain
      appears as lookup key.




      -- Noel Jones



      >
      > If I send a test Email from the host to a corporate address at
      > <ourdomain>.com, it arrives just fine. I even see it look on the
      > LDAP server first to see if it is a domain listed there.
      >
      > But if I try to send a message to test000001@..., it doesn't
      > even do a look-up in LDAP, it tries to deliver it to example.com
      > instead.
      >
      > Feb 19 16:35:55 mx postfix/pickup[4988]: B393F86592: uid=0 from=<root>
      > Feb 19 16:35:55 mx postfix/cleanup[5599]: B393F86592:
      > message-id=<20130219163555.B393F86592@mx.<ourdomain>.net>
      > Feb 19 16:35:55 mx postfix/qmgr[4987]: B393F86592:
      > from=<root@mx.<ourdomain>.net>, size=366, nrcpt=1 (queue active)
      > Feb 19 16:35:59 mx postfix/smtp[5603]: connect to
      > example.com[2001:500:88:200::10]:25: Connection refused
      > Feb 19 16:36:20 mx postfix/smtp[5603]: connect to
      > example.com[192.0.43.10]:25: Connection timed out
      > Feb 19 16:36:20 mx postfix/smtp[5603]: B393F86592:
      > to=<test000001@...>, relay=none, delay=134,
      > delays=109/0.01/24/0, dsn=4.4.1, status=deferred
      > (connect to example.com[192.0.43.10]:25: Connection timed out)
      >
      > I put in the proxy: for performance reasons. I tried taking it out
      > but it made no difference and I didn't really expect it to.
      >
      > I'd understand it if LDAP was returning something that Postfix
      > wasn't happy with. But it's not even asking. It does appear to
      > connect but never sends a query. It's as if, somehow, it's deciding
      > that example.com is not a domain we relay for.
      >
      > I've tried upping the logging, and also tried a debug Email with
      > sendmail -bv. But neither give me any indication of how Postfix
      > decides what it's going to do with the message.
      >
      > I'm clearly overlooking something obvious. Any ideas?
      >
      > Here's the postconf -n output:
      >
      > alias_database = hash:/etc/aliases
      > alias_maps = hash:/etc/aliases
      > append_dot_mydomain = no
      > biff = no
      > config_directory = /etc/postfix
      > html_directory = /usr/share/doc/postfix/html
      > inet_interfaces = all
      > inet_protocols = ipv6,ipv4
      > mailbox_size_limit = 0
      > mydestination = mx.<ourdomain>.net, localhost
      > myhostname = mx.<ourdomain>.net
      > mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 <our v6
      > range> <our v4 range>
      > myorigin = /etc/mailname
      > readme_directory = /usr/share/doc/postfix
      > recipient_delimiter = +
      > relay_domains = proxy:ldap:/etc/postfix/ldap-domains.cf <ourdomain>.com
      > relay_recipient_maps =
      > proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf
      > proxy:ldap:/etc/postfix/ldap-users.cf
      > relay_transport = relay:[<mailscanner.ourdomain>.net]
      > smtp_tls_ciphers = high
      > smtp_tls_mandatory_ciphers = high
      > smtp_tls_mandatory_exclude_ciphers = RC4,MD5
      > smtp_tls_note_starttls_offer = yes
      > smtp_tls_protocols = !SSLv2,!SSLv3
      > smtp_tls_security_level = may
      > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      > smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
      > smtpd_error_sleep_time = 2s
      > smtpd_hard_error_limit = 10
      > smtpd_helo_required = yes
      > smtpd_helo_restrictions = permit_mynetworks
      > reject_invalid_helo_hostname
      > reject_non_fqdn_helo_hostname
      > smtpd_recipient_restrictions = permit_mynetworks
      > reject_unauth_pipelining reject_non_fqdn_sender
      > reject_invalid_hostname reject_non_fqdn_hostname
      > reject_unknown_sender_domain reject_unlisted_recipient
      > reject_non_fqdn_recipient reject_unknown_recipient_domain
      > reject_unauth_destination reject_multi_recipient_bounce
      > smtpd_soft_error_limit = 5
      > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
      > smtpd_tls_loglevel = 1
      > smtpd_tls_received_header = yes
      > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      > smtpd_use_tls = yes
      >
      > Thanks,
      > Geoff.
      >
    • Geoff Shang
      Message 2 of 6 , Feb 20, 2013
        On Wed, 20 Feb 2013, Noel Jones wrote:

        > Postfix uses the domain as the lookup key, not the whole address.
        > Test with:
        >
        > $ postmap -q example.com ldap:/etc/postfix/ldap-domains.cf

        I was initially doing this but it didn't work.

        In ldap-domains.cf, I use %d as the key to look for. Should I be using %s
        instead?

        Geoff.
      • Noel Jones
        Message 3 of 6 , Feb 20, 2013
          On 2/20/2013 12:18 PM, Geoff Shang wrote:
          > On Wed, 20 Feb 2013, Noel Jones wrote:
          >
          >> Postfix uses the domain as the lookup key, not the whole address.
          >> Test with:
          >>
          >> $ postmap -q example.com ldap:/etc/postfix/ldap-domains.cf
          >
          > I was initially doing this but it didn't work.
          >
          > In ldap-domains.cf, I use %d as the key to look for. Should I be
          > using %s instead?
          >
          > Geoff.
          >


          I don't use ldap, so don't take my advice on the query to use (but
          pretty sure %s is what you need).

          Fortunately, postfix works the same regardless of the table type, so
          I can tell you how to test it, and what postfix expects.

          $ postmap -q example.com ldap:/etc/postfix/ldap-domains.cf




          -- Noel Jones
        • Wietse Venema
          Message 4 of 6 , Feb 20, 2013
            Geoff Shang:
            > On Wed, 20 Feb 2013, Noel Jones wrote:
            >
            > > Postfix uses the domain as the lookup key, not the whole address.
            > > Test with:
            > >
            > > $ postmap -q example.com ldap:/etc/postfix/ldap-domains.cf
            >
            > I was initially doing this but it didn't work.
            >
            > In ldap-domains.cf, I use %d as the key to look for. Should I be using %s

            That was the mistake. As documented in ldap_table(5):

            %d When the input key is an address of the form user@domain,
            %d is replaced by the (RFC 2253) quoted domain part of
            the address. Otherwise, the search is suppressed and
            returns no results.

            You probably want this:

            %s This is replaced by the input key. RFC 2253 quoting is
            used to make sure that the input key does not add unexpected
            metacharacters.


            But, like Noel, I have no LDAP experience.

            Wietse
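The two points made in this thread (Noel's: relay_domains queries the table with the recipient's domain, not the full address; Wietse's: a %d template is suppressed when the key has no user@ part, so %s is needed) can be reproduced without an LDAP server. The simulation below is an added example, not Postfix or mailing-list code; the query_filter templates, the objectClass/dc attribute names and the directory contents are constructed stand-ins for the poster's ldap-domains.cf.

```python
import re

# Constructed stand-in for the thread's ldap-domains.cf query_filter: the
# %d form that failed, and the %s form ldap_table(5) recommends.
BROKEN_FILTER = "(&(objectClass=mailDomain)(dc=%d))"
FIXED_FILTER = "(&(objectClass=mailDomain)(dc=%s))"

# Constructed directory: domains that have a mailDomain entry.
DIRECTORY = {"example.com"}


def quote(value):
    """Escape LDAP filter metacharacters so the key cannot alter the filter
    (simplified form of the quoting ldap_table(5) describes)."""
    return re.sub(r"([\\*()\0])", lambda m: "\\%02x" % ord(m.group(1)), value)


def expand_filter(template, key):
    """Expand %s/%u/%d as ldap_table(5) describes. Returns None when the
    search is suppressed: %u or %d with a key that is not user@domain."""
    user, sep, domain = key.rpartition("@")
    if not sep:
        user = domain = None  # bare domain key: no local or domain part

    def repl(m):
        spec = m.group(1)
        if spec == "s":
            return quote(key)
        if spec == "%":
            return "%"
        part = user if spec == "u" else domain
        if part is None:
            raise LookupError("search suppressed")
        return quote(part)

    try:
        return re.sub(r"%([sud%])", repl, template)
    except LookupError:
        return None


def ldap_lookup(template, key):
    """One lookup against the constructed directory; None means no result."""
    ldap_filter = expand_filter(template, key)
    if ldap_filter is None:
        return None
    m = re.search(r"\(dc=([^)]*)\)", ldap_filter)
    return m.group(1) if m and m.group(1) in DIRECTORY else None


def relay_domains_accepts(recipient, template):
    """relay_domains is consulted with the recipient's domain, then each parent
    domain (the default parent_domain_matches_subdomains behaviour), never with
    the full address; that is why a %d template never fires here."""
    labels = recipient.rpartition("@")[2].split(".")
    return any(ldap_lookup(template, ".".join(labels[i:])) for i in range(len(labels)))
```

Running `expand_filter(BROKEN_FILTER, "test000001@example.com")` still yields a complete filter, which is why the poster's `postmap -q` with a full address appeared to work while mail for the domain was not relayed.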
          • Geoff Shang
            Message 5 of 6 , Feb 21, 2013
              On Wed, 20 Feb 2013, Wietse Venema wrote:

              >> In ldap-domains.cf, I use %d as the key to look for. Should I be using %s
              >
              > That was the mistake. As documented in ldap_table(5):
              >
              > %d When the input key is an address of the form user@domain,
              > %d is replaced by the (RFC 2253) quoted domain part of
              > the address. Otherwise, the search is suppressed and
              > returns no results.
              >
              > You probably want this:
              >
              > %s This is replaced by the input key. RFC 2253 quoting is
              > used to make sure that the input key does not add unexpected
              > metacharacters.

              You're right. This was the problem.

              My initial mistake was taking a postgresql example of a relay_domains
              lookup which I assumed to be functional, and applying it to my situation.
              When using %d didn't work, I wrongly guessed that the lookup used the full
              address as key. I can see where I went wrong with this, as a static file
              will of course only have the domain.

              It now appears to work as documented. Thanks everyone for your help.

              Cheers,
              Geoff.