Dear Viktor, dear Wietse,

Viktor, you recommend using proxymap in combination with LDAP, especially if 
all LDAP lookups use the same connection. Indeed, this is the case for my 
setup. The LDAP server, the bind DN and bind password are the same. Only the 
search base, the query filter and the result differ depending on the 
specific lookup. I tried to read the man page for proxymap(8). Do I understand 
correctly that I only have to add "proxy:" in front of all my "ldap:" lookups 
and that's it? No further configuration is required? Does proxymap somehow 
cleverly detect if two LDAP queries use the same connection options and 
then re-use the same connection? I expected that I would have to configure each 
connection which I would like to run through the proxy with proxymap, but this 
doesn't seem to be the case.

Wietse, you say that Postfix cannot control when the LDAP client library opens 
a connection to the LDAP server, but at the same time you say that the difference 
in LDAP client behaviour is caused by differences in Postfix main.cf/master.cf 
settings and differences in Postfix LDAP configuration files. I can assure you 
that the only difference is the config file to which "ldap:..." points, i.e. my 
config file contains

virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual-mailboxes.cf
virtual_alias_maps = ldap:/etc/postfix/ldap/virtual-aliases.cf
smtpd_sender_login_maps = ldap:/etc/postfix/ldap/sender-login.cf

There is not very much else I could do differently in the config file. The 
three LDAP configuration files are identical in terms of host and binding 
settings. They only differ in query filter and result attribute (obviously). 
Nonetheless, Postfix behaves differently with respect to whether it opens the 
LDAP connection before or after chrooting. While it is technically correct that 
the LDAP client library opens the connections, it is still Postfix which calls 
the client library, and obviously it does so for "virtual_mailbox_maps" and 
"virtual_alias_maps" before it chroots, but for "smtpd_sender_login_maps" after 
it chroots. This is something which Postfix can control. If this difference in 
behaviour is not easily fixable or is even intended by design, it should at least 
be mentioned in the docs. It caught me by surprise and it also makes "postmap 
-q" less useful. For "smtpd_sender_login_maps" the LDAP configuration must be 
written from the chroot perspective, which is not handled by "postmap -q". Here 
is another rather old thread 
(https://groups.google.com/g/list.postfix.users/c/JZxZiOMmgKk) which never got 
an answer. I bet the author encountered the same problem.

Best, Matthias


On Saturday, 4 November 2023, 22:33:48 CET, Wietse Venema via 
Postfix-users wrote:
> Viktor Dukhovni via Postfix-users:
> > On Sat, Nov 04, 2023 at 09:48:32AM -0400, Wietse Venema via Postfix-users 
> > wrote:
> > 
> > > To be precise: Postfix opens your LDAP configuration file and asks
> > > the LDAP library to create an LDAP client instance, before entering
> > > the chroot jail and before accepting any SMTP client commands.
> > > 
> > > HOWEVER, Postfix does not connect to LDAP sockets before entering
> > > the chroot jail and before accepting any SMTP client commands. The
> > > LDAP library decides when it wants to do that.
> > 
> > IIRC we were once upon a time requesting immediate connections to
> > LDAP, but that was not ideal:
> > 
> >     - It complicated connection sharing across multiple tables with
> >       the same underlying backend server, that differ only in the
> >       query details.
> > 
> >     - It also (when chrooted) meant automatic reconnect on error
> >       to an alternative server, ... would not necessarily work.
> > 
> >     - ...
> > 
> > IIRC, there is in principle a way to perform an early, rather than delayed,
> > LDAP bind, but the OP should instead use:
> > 
> >     proxy:ldap:...
> > 
> > with "proxyread" not chrooted.  This further improves connection sharing
> > and is a best practice.
> 
> Confirmed. proxy:ldap improves sharing and can sidestep chroot issues,
> as long as the read-only 'proxymap' service is not chrooted in master.cf.
> 
>       Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
> 


-- 
Matthias Nagel
Dachtlerstr. 2, 40499 Stuttgart
Landline: +49-711-25295180, Mobile: +49-151-15998774
E-Mail: matthias.h.na...@posteo.de, Skype: nagmat84, Threema: 86VM8KN7
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
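The configuration change the thread recommends (the "proxy:ldap:" prefix plus an unchrooted proxymap service), written out as an added example; this is not configuration from the original post or from the Postfix project. The three LDAP .cf file names are the ones quoted in the post; their contents (server, bind DN, filters) are not shown on the page and are assumed to stay unchanged. The master.cf line is the stock proxymap entry, with the chroot column ("n") being the setting the thread says must hold.

```text
# main.cf: route the three LDAP tables through the proxymap service.
# Only the "proxy:" prefix changes; the ldap .cf files stay as they are.
virtual_mailbox_maps    = proxy:ldap:/etc/postfix/ldap/virtual-mailboxes.cf
virtual_alias_maps      = proxy:ldap:/etc/postfix/ldap/virtual-aliases.cf
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender-login.cf

# master.cf: the read-only proxymap service must NOT be chrooted, so the
# chroot column (5th field) is "n". This is the stock entry; the LDAP
# connection is then opened inside the proxymap process, outside any jail,
# and shared by every table that points at the same server and bind DN.
# service  type  private unpriv chroot wakeup maxproc command + args
proxymap   unix  -       -      n      -      0       proxymap
```

Two checks before relying on it. First, a table can only be proxied if its parameter is listed in proxy_read_maps; the default value already contains $virtual_alias_maps, $virtual_mailbox_maps and $smtpd_sender_login_maps, which "postconf proxy_read_maps" will confirm for the running version. Second, after "postfix reload", test the lookup through the proxy rather than directly, e.g. "postmap -q user@example.com proxy:ldap:/etc/postfix/ldap/sender-login.cf" (address assumed for illustration): because the query is answered by the unchrooted proxymap daemon, this exercises the same path the chrooted smtpd will use, which removes the chroot-versus-non-chroot ambiguity the post complains about for "postmap -q".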
