Hello, I am trying to set up an LDAP-based alias table, and I want postfix to authenticate to LDAP using a Kerberos service principal, or at least using the EXTERNAL method (SSL certificate authentication).
The ldap-aliases.cf file looks like this (domains and realms changed):

    server_host = ldap://ldap.example.com/
    search_base = ou=people,dc=metricspace,dc=net
    version = 3
    bind = sasl
    sasl_mechs = EXTERNAL
    sasl_realm = EXAMPLE.COM
    scope = sub
    query_filter = mail=%s
    result_attribute = maildrop
    start_tls = yes
    tls_ca_cert_file = /etc/ssl/certs/ca-cert.pem
    tls_cert = /etc/ssl/certs/host-cert.pem
    tls_key = /etc/ssl/private/host-key.pem
    tls_require_cert = yes

master.cf looks like this:

    smtp       inet  n       -       n       -       -       smtpd
    smtps      inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    pickup     fifo  n       -       n       60      1       pickup
    cleanup    unix  n       -       n       -       0       cleanup
    qmgr       fifo  n       -       n       300     1       qmgr
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr
    rewrite    unix  -       -       n       -       -       trivial-rewrite
    bounce     unix  -       -       n       -       0       bounce
    defer      unix  -       -       n       -       0       bounce
    trace      unix  -       -       n       -       0       bounce
    verify     unix  -       -       n       -       1       verify
    flush      unix  n       -       n       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       n       -       -       smtp
    relay      unix  -       -       n       -       -       smtp
    showq      unix  n       -       n       -       -       showq
    error      unix  -       -       n       -       -       error
    retry      unix  -       -       n       -       -       error
    discard    unix  -       -       n       -       -       discard
    local      unix  -       n       n       -       -       local
    virtual    unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       n       -       -       lmtp
    anvil      unix  -       -       n       -       1       anvil
    scache     unix  -       -       n       -       1       scache

Interestingly, postalias works fine with this setup, but when I start postfix, it complains as follows:

    postfix/local[82350]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
    postfix/postmap[44248]: fatal: table ldap:/usr/local/etc/postfix/ldap/ldap-aliases.cf: query error: Bad file descriptor

Interestingly, postalias run from the command line seems to work just fine. More interestingly, using an ldap-based local_recipients_maps seems to work just fine, but alias_maps fails as described. The keys and the keytables are both accessible by the postfix user.
This leads me to believe that it's either something subtle wrong with the file permissions, or there's a bug in postfix. There is a new feature in MIT Kerberos which allows a client key table to be set (via the KRB5_CLIENT_KTNAME environment variable), which will be used to automatically update and refresh the credentials cache. When I set this to point to a key table and update ldap-aliases.cf to use GSSAPI, postalias works, and the credentials cache gets updated, but the postfix daemon fails in the same way. My version is 2.4.9, installed as a FreeBSD port, and I am using OpenSSL (i.e. *not* GnuTLS). Thanks, Eric
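A small check for the "keys are accessible by the postfix user" claim above, added here as an example and not part of the original post or of Postfix: it parses the key = value lines of a Postfix ldap: table file such as ldap-aliases.cf, then reports which of the tls_ca_cert_file, tls_cert and tls_key paths a given Unix account cannot read according to the file's mode bits. The default user name "postfix" and the file path are assumptions for the command-line usage.

```python
"""Report TLS files named in a Postfix ldap: table that a given user cannot read."""
import grp
import os
import pwd
import stat
import sys

# Table keys whose values are files the LDAP client must open for STARTTLS.
TLS_FILE_KEYS = ("tls_ca_cert_file", "tls_cert", "tls_key")


def parse_ldap_cf(text):
    """Parse 'key = value' lines into a dict; blank and '#' lines are skipped,
    and a repeated key takes the last value, as Postfix does."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def can_read(mode, file_uid, file_gid, uid, gids):
    """Classic Unix read decision: root, then owner bit, group bit, other bit."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def unreadable_tls_files(params, uid, gids):
    """Return the TLS paths from params that are missing or unreadable for uid."""
    bad = []
    for key in TLS_FILE_KEYS:
        path = params.get(key)
        if not path:
            continue
        try:
            st = os.stat(path)
        except OSError:  # missing file or unreachable path
            bad.append(path)
            continue
        if not can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            bad.append(path)
    return bad


if __name__ == "__main__":  # usage: script.py [user] [table-file]; assumed defaults
    pw = pwd.getpwnam(sys.argv[1] if len(sys.argv) > 1 else "postfix")
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}
    with open(sys.argv[2] if len(sys.argv) > 2 else "ldap-aliases.cf") as fh:
        bad = unreadable_tls_files(parse_ldap_cf(fh.read()), pw.pw_uid, gids)
    print("all TLS files readable" if not bad else "not readable: " + ", ".join(bad))
```

The check looks only at each file's own mode bits; a parent directory without search permission for the user (a common setting for a private key directory) is reported as an unreadable path because os.stat fails there, so run it as root to see the full picture.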