Hello,

We are using ldap maps in a relay server. Ldap maps are for address validation (valid users and alias) and a relocated map.

But now, we are having problems with our ldap servers. The problems are not directly related to the postfix servers, but I've been investigating whether postfix could do things better.

My config is:

virtual_alias_maps = hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-sysaliases.cf

relay_recipient_maps = hash:/etc/postfix/relaydomains, hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-vmail.cf, proxy:ldap:/etc/postfix/ldap-sysaliases.cf

relocated_maps = proxy:ldap:/etc/postfix/ldap-relocated.cf

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

Ldap maps are:

* ldap-sysaliases.cf: This is a map for alias destinations. Although this is a relay server, I'm resolving aliases because I relay internal mail by lmtp instead of smtp.
* ldap-vmail.cf: This is the map for real users.
* ldap-relocated.cf: This is a relocated map (for users who change their email address).

In my tests I have found that during a smtp transaction the following searches are done:

* When the "mail from:" is received, if this mail from is from a ldap domain, a search in the relocated map is done for this mail from address.
* When the "rcpt to:" is received, postfix makes 4 searches for the recipient address in this order:
  1. In the relocated map
  2. In the alias map
  3. In the vmail map
  4. In the alias map again
* When the data command is finished, then it makes the searches:
  1. In the relocated map for the mail from address.
  2. In the relocated map for the recipient address.
  3. In the alias map for the recipient address
  4. In the alias map again for the recipient address
  5. In the relocated map (again) for the recipient address

With a total of 10 searches. I repeated the test with the same from and recipient and almost all searches are done again. In fact, the only searches it hasn't done are searches 1 and 2 after data command.

My questions are:

* Is this behaviour normal? I mean, are all these searches normal? Or do I have something wrongly configured?

* Is there any way to cache these queries? In a normal transaction I have only 4 different searches of a total of 8 (or 10), and if I repeat the mail, all searches are done again. Is there any way to cache these results so that there is no need to search for all the information again?

I have attached the output of postconf -n, the ldap maps config files and the logs at the ldap server for connections from the postfix server (I have replaced the final DN where I have the information, and the sender and recipient addresses used).

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \\
http://www.um.es/atica                    _(___V
Tfo: 868887590
Fax: 868888337
address_verify_map = btree:${data_directory}/verify
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
append_dot_mydomain = yes
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_size_limit = 10240
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_privs = nobody
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
lmtp_destination_concurrency_limit = 5
lmtp_destination_recipient_limit = 10
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 25600000
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
mydestination = $myhostname, localhost.\$mydomain, localhost
mydomain = um.es
myhostname = xenon11.um.es
mynetworks = 127.0.0.0/8, 155.54.0.0/16, 10.54.0.0/16, 10.56.0.0/16, 
10.64.0.0/28, 172.19.0.0/16, 155.54.212.160/28
myorigin = um.es
nested_header_checks = pcre:/etc/postfix/nested_header_checks.pcre
newaliases_path = /usr/bin/newaliases
notify_classes = resource, software
parent_domain_matches_subdomains = smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$smtpd_sender_login_maps
queue_directory = /var/spool/postfix
queue_minfree = 38400000
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
readme_directory = /usr/share/doc/postfix
recipient_canonical_maps = hash:/etc/postfix/listas_con_um_es
relay_domains = um.es, alu.um.es, cii-murcia.es, cyum.es, lcu.es, dif.um.es, 
ditec.um.es, fuem.um.es, infomun.um.es, listas.um.es, listas.cii-murcia.es, 
campusmarenostrum.com, listas.campusmarenostrum.es, ticarum.es, 
aulavirtual.um.es
relay_recipient_maps = hash:/etc/postfix/relaydomains, 
hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, 
proxy:ldap:/etc/postfix/ldap-vmail.cf, 
proxy:ldap:/etc/postfix/ldap-sysaliases.cf
relocated_maps = proxy:ldap:/etc/postfix/ldap-relocated.cf
sample_directory = no
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 100
smtpd_client_event_limit_exceptions = 127.0.0.1, 172.19.0.0/16, 
155.54.208.0/24, 155.54.212.0/24, 155.54.213.0/24, 155.54.216.0/24, 
155.54.67.15, 155.54.135.194, 10.54.1.8, 155.54.204.60, 155.54.204.49, 
155.54.210.253, 155.54.169.2, 155.54.204.69, 155.54.204.128, 155.54.206.3, 
155.54.118.3, 155.54.204.146, 155.54.67.13, 155.54.170.10, 155.54.21.123, 
155.54.204.57, 155.54.204.9, 155.54.204.231, 155.54.211.0/24, 155.54.117.10, 
130.206.18.0/27
smtpd_client_message_rate_limit = 500
smtpd_client_restrictions = reject_rbl_client rbl.um.es,                
permit_sasl_authenticated,              check_client_access 
hash:/etc/postfix/whitelist_um,             
reject_unknown_reverse_client_hostname,         check_client_access 
cidr:/etc/postfix/client_checks.cidr,
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_end_of_data_restrictions = $(smtpdEndOfDataRestrictions)
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,            check_helo_access 
hash:/etc/postfix/helo_checks
smtpd_recipient_limit = 150
smtpd_recipient_restrictions = reject_non_fqdn_recipient,               
reject_unknown_recipient_domain,                check_recipient_access 
pcre:/etc/postfix/recipient_checks.pcre,         check_recipient_access 
hash:/etc/postfix/verified_recipient_checks,             permit_mynetworks,     
         permit_sasl_authenticated,              reject_unauth_destination,     
         check_recipient_maps,           permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_non_fqdn_sender,             
reject_unknown_sender_domain,           check_sender_access 
pcre:/etc/postfix/sender_checks.pcre
smtpd_tls_CAfile = /etc/ssl/certs/terenassl_path.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/smtp.um.es.pem
smtpd_tls_key_file = /etc/ssl/private/privada_smtp.um.es.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/spool/postfix/prng_exch
tls_random_source = dev:/dev/urandom
transport_maps = pcre:/etc/postfix/transport.pcre
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/alu-aliases, 
hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-sysaliases.cf
FIRST MAIL TRANSACTION
=======================================

mail from: sen...@um.es
Feb 16 08:52:35 canis19 slapd[2220]: conn=1143 op=1 SRCH 
base="ou=relocated,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=sen...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:52:35 canis19 slapd[2220]: conn=1143 op=1 SRCH attr=maildrop
Feb 16 08:52:35 canis19 slapd[2220]: conn=1143 op=1 SEARCH RESULT tag=101 err=0 
nentries=0 text=

---------

rcpt to: recipi...@um.es
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=1 SRCH 
base="ou=relocated,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=1 SRCH attr=maildrop
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=1 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=2 SRCH 
base="ou=alias,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=2 SRCH attr=maildrop
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=2 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=3 SRCH base="<base dn>" 
scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAccount)(irisUserStatus=urn:mace:rediris.es:um.es:userstatus:correo:estado:activo))"
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=3 SRCH attr=uid
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=3 SEARCH RESULT tag=101 err=0 
nentries=1 text=

Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=4 SRCH 
base="ou=alias,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=4 SRCH attr=maildrop
Feb 16 08:53:20 canis19 slapd[2220]: conn=1145 op=4 SEARCH RESULT tag=101 err=0 
nentries=0 text=

-------------

data
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=5 SRCH 
base="ou=relocated,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=sen...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=5 SRCH attr=maildrop
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=5 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=6 SRCH 
base="ou=relocated,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=6 SRCH attr=maildrop
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=6 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=7 SRCH 
base="ou=alias,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=7 SRCH attr=maildrop
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=7 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=8 SRCH 
base="ou=alias,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=8 SRCH attr=maildrop
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=8 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=9 SRCH 
base="ou=relocated,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=9 SRCH attr=maildrop
Feb 16 08:53:48 canis19 slapd[2220]: conn=1145 op=9 SEARCH RESULT tag=101 err=0 
nentries=0 text=



SECOND MAIL TRANSACTION
===================================================


mail from: sen...@um.es
Feb 16 08:54:44 canis19 slapd[2220]: conn=1148 op=1 SRCH 
base="ou=relocated,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=sen...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:54:44 canis19 slapd[2220]: conn=1148 op=1 SRCH attr=maildrop
Feb 16 08:54:44 canis19 slapd[2220]: conn=1148 op=1 SEARCH RESULT tag=101 err=0 
nentries=0 text=

--------------

rcpt to: recipi...@um.es
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=1 SRCH 
base="ou=relocated,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=1 SRCH attr=maildrop
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=1 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=2 SRCH 
base="ou=alias,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=2 SRCH attr=maildrop
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=2 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=3 SRCH base="<base dn>" 
scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAccount)(irisUserStatus=urn:mace:rediris.es:um.es:userstatus:correo:estado:activo))"
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=3 SRCH attr=uid
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=3 SEARCH RESULT tag=101 err=0 
nentries=1 text=

Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=4 SRCH 
base="ou=alias,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=4 SRCH attr=maildrop
Feb 16 08:55:02 canis19 slapd[2220]: conn=1149 op=4 SEARCH RESULT tag=101 err=0 
nentries=0 text=

-------------------

data
Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=5 SRCH 
base="ou=alias,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=5 SRCH attr=maildrop
Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=5 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=6 SRCH 
base="ou=alias,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=6 SRCH attr=maildrop
Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=6 SEARCH RESULT tag=101 err=0 
nentries=0 text=

Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=7 SRCH 
base="ou=relocated,ou=postfix,<base dn>" scope=2 deref=0 
filter="(&(mail=recipi...@um.es)(objectClass=CourierMailAlias))"
Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=7 SRCH attr=maildrop
Feb 16 08:55:19 canis19 slapd[2220]: conn=1149 op=7 SEARCH RESULT tag=101 err=0 
nentries=0 text=

#
############################################
# BEGIN cfengine cf.smtpservers2 (v3)
#
# Equivalent of /etc/aliases, pulled from LDAP
#
server_host = <ldap server>
server_port = 389
bind = yes
bind_dn = <bind dn>
bind_pw = <bind pass>
search_base = ou=relocated,ou=postfix,<base dn>
query_filter = (&(mail=%s)(objectClass=CourierMailAlias))
result_attribute = maildrop
timeout = 20
domain = hash:/etc/postfix/ldapdomains
version = 3
#
# END cfengine cf.smtpservers2
############################################
#
############################################
# BEGIN cfengine cf.smtpservers2 (v3)
#
# Equivalent of /etc/aliases, pulled from LDAP
#
server_host = <ldap server>
server_port = 389
bind = yes
bind_dn = <bind dn>
bind_pw = <bind pass>
search_base = ou=alias,ou=postfix,<base dn>
query_filter = (&(mail=%s)(objectClass=CourierMailAlias))
result_attribute = maildrop
timeout = 20
domain = hash:/etc/postfix/ldapdomains
version = 3
#
# END cfengine cf.smtpservers2
############################################
#
############################################
# BEGIN cfengine cf.smtpservers2 (v3)
#
# Equivalent of /etc/aliases, pulled from LDAP
#
server_host = <ldap server>
server_port = 389
bind = yes
bind_dn = <bind DN>
bind_pw = <bind pass>
search_base = <base dn>
query_filter = (&(mail=%s)(objectClass=CourierMailAccount)(irisUserStatus=urn:mace:rediris.es:um.es:userStatus:correo:estado:activo))
result_attribute = uid
timeout = 20
domain = hash:/etc/postfix/ldapdomains
version = 3
#
# END cfengine cf.smtpservers2
############################################
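
Added example (not part of the original message and not Postfix or OpenLDAP code): a Python tally of identical (search base, filter) pairs in slapd SRCH log lines, reproducing the count of 10 searches with 4 distinct lookups described in the post. The log lines, DNs and addresses are constructed placeholders, and the function names are this example's own.

```python
import re
from collections import Counter

# SRCH request lines carry base= and filter=; the "SRCH attr=" and
# "SEARCH RESULT" lines for the same op do not, so they never match.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=\d+ deref=\d+ filter="(?P<filter>[^"]*)"'
)

def parse_searches(lines):
    """Return one (conn, op, base, filter) tuple per SRCH request line."""
    hits = (SRCH_RE.search(line) for line in lines)
    return [(int(m["conn"]), int(m["op"]), m["base"], m["filter"]) for m in hits if m]

def repeat_report(lines):
    """Tally identical (base, filter) lookups across all connections."""
    counts = Counter((base, flt) for _, _, base, flt in parse_searches(lines))
    total = sum(counts.values())
    return {
        "total": total,
        "distinct": len(counts),
        "redundant": total - len(counts),
        "repeated": {key: n for key, n in counts.items() if n > 1},
    }

# --- Constructed sample input (placeholder DNs and addresses) ---
REL = "ou=relocated,ou=postfix,dc=example,dc=com"
ALI = "ou=alias,ou=postfix,dc=example,dc=com"
ALL = "dc=example,dc=com"
SND, RCP = "sender@example.com", "rcpt@example.com"
PFX = "Feb 16 08:53:20 ldap1 slapd[2220]: "

def _srch(conn, op, base, mail, cls="CourierMailAlias"):
    return (f'{PFX}conn={conn} op={op} SRCH base="{base}" '
            f'scope=2 deref=0 filter="(&(mail={mail})(objectClass={cls}))"')

# Same lookup order as the first transaction described in the post.
SAMPLE_LOG = [_srch(1143, 1, REL, SND),
              PFX + "conn=1143 op=1 SRCH attr=maildrop",
              PFX + "conn=1143 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text="]
SAMPLE_LOG += [_srch(1145, op, base, mail, cls) for op, (base, mail, cls) in enumerate([
    (REL, RCP, "CourierMailAlias"), (ALI, RCP, "CourierMailAlias"),
    (ALL, RCP, "CourierMailAccount"), (ALI, RCP, "CourierMailAlias"),
    (REL, SND, "CourierMailAlias"), (REL, RCP, "CourierMailAlias"),
    (ALI, RCP, "CourierMailAlias"), (ALI, RCP, "CourierMailAlias"),
    (REL, RCP, "CourierMailAlias")], start=1)]

if __name__ == "__main__":
    report = repeat_report(SAMPLE_LOG)
    print(report["total"], "searches,", report["distinct"], "distinct")
    for (base, flt), n in sorted(report["repeated"].items(), key=lambda kv: -kv[1]):
        print(f"{n}x base={base} filter={flt}")
```

On real logs, each slapd entry must be on a single line (as syslog writes it) for the pattern to match; entries wrapped by a mail client need to be rejoined first.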
