Hi,

My second query.

We have a mail scanner which receives outside mail from our MX and submitted mail from customers, scans it for spam and viruses, and either delivers it to customers or sends it out to the world via the MX. This means that all mail is relayed, the machine has no direct access to the outside world.

In testing our setup, I've noticed that both relay_domains and relay_recipient_maps are being queried for the sender as well as the recipient: relay_domains for the sender's domain (the FQDN, its parent domain and the TLD) and relay_recipient_maps for the full sender address, in addition to the expected recipient-domain and recipient-address lookups. As these details are in LDAP, the LDAP server is getting hammered with a significant number of unnecessary lookups.

I don't understand why this is happening. My reading of the Postfix documentation is that these lookups should not involve any sender information at all.

The only places where LDAP is referenced are relay_domains, relay_recipient_maps and transport_maps. I thought maybe transport_maps was to blame, but after disabling each in turn and replacing it with file-based lookups, it's clear that transport_maps is not doing this and the other two are.

Here's a log of the kinds of lookups I'm talking about; only the example.com-related lookups (the recipient side) should be happening:

SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=mx.ourdomain.com)" attr=o
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=.ourdomain.com)" attr=o
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=.com)" attr=o
SRCH base="o=mx.ourdomain.com,ou=mail,dc=ourdomain,dc=com"
scope=2 deref=0 filter="(mail=ge...@mx.ourdomain.com)" attr=mail
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=example.com)" attr=o
SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0
filter="(mail=test099...@example.com)" attr=mail
SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0
filter="(mail=test099...@example.com)" attr=mail
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=mx.ourdomain.com)" attr=o
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=.ourdomain.com)" attr=o
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=.com)" attr=o
SRCH base="o=mx.ourdomain.com,ou=mail,dc=ourdomain,dc=com"
scope=2 deref=0 filter="(mail=ge...@mx.ourdomain.com)" attr=mail
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=example.com)" attr=o
SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0
filter="(mail=test099...@example.com)" attr=mail
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0
filter="(o=example.com)" attr=o
SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0
filter="(mail=test099...@example.com)" attr=mail

The searches on the "o" attribute are relay_domains lookups and the "mail" attribute searches come from relay_recipient_maps.

I'm using postfix 2.7.1 (Debian stable).  Any ideas how to prevent this?

The postfix config is not set in stone yet and I mean to tidy it up some. But here's how it looks right now:

# main.cf of the scanner/relay host. Parameters not listed here are at
# their Postfix 2.7 defaults (mynetworks, smtpd_tls_security_level, ...).
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
# Accept the pre-standard "AUTH=LOGIN" form used by old mail clients.
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
# Every accepted message goes to amavisd-new on loopback; the re-injection
# listener it hands mail back to is in master.cf, not shown here.
content_filter = amavisfeed:[127.0.0.1]:10024
html_directory = /usr/share/doc/postfix/html
# Listens on every address; together with SASL below, submission is
# reachable from wherever this host is reachable.
inet_interfaces = all
inet_protocols = ipv6,ipv4
mailbox_size_limit = 0
mydestination = scanner.ourdomain.com, localhost
myhostname = scanner.ourdomain.com
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
# NOTE(review): relay_domains is in parent_domain_matches_subdomains by
# default, so each domain is also looked up as ".ourdomain.com" and ".com"
# (the "o=.xxx" searches in the LDAP log). If subdomain matching is not
# needed, removing relay_domains from parent_domain_matches_subdomains
# drops two LDAP searches per domain — confirm against the relayed domains.
relay_domains = proxy:ldap:/etc/postfix/ldap-domains.cf ourdomain.com
# NOTE(review): the continuation line below must begin with whitespace in
# the real main.cf; as pasted it would be read as a separate, invalid line.
# Only key existence matters for this map; the LMTP result_format in
# ldap-users.cf is ignored here.
relay_recipient_maps = proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf
proxy:ldap:/etc/postfix/ldap-users.cf
# Outbound hop to the MX. Level "encrypt" makes TLS mandatory but does not
# verify the MX certificate, so it defeats passive sniffing, not an active
# MITM on that hop; "verify"/"secure" plus smtp_tls_CAfile would, if wanted.
relayhost = mx.ourdomain.com
smtp_destination_concurrency_limit = 100
smtp_helo_timeout = 30s
smtp_tls_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = RC4,MD5
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP Atari/64
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname
# Upper bound on RCPT TO per message, and therefore on the number of
# relay_recipient_maps (LDAP/pgsql) lookups one message can trigger.
smtpd_recipient_limit = 100000
# NOTE(review): the three check_*_access maps are evaluated before
# reject_unauth_destination, so any entry in them that returns OK relays
# for the whole world. mynetworks is not set either, so it is at its
# subnet-based default — worth confirming nothing untrusted shares that
# subnet. A safer order is: permit_mynetworks, permit_sasl_authenticated,
# reject_unauth_destination, then the access maps and warn_if_reject checks.
# The reject_*_sender checks here duplicate smtpd_sender_restrictions and
# run once per RCPT, which plausibly multiplies the sender-side LDAP
# lookups seen in the log — confirm by removing them temporarily.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/access check_recipient_access hash:/etc/postfix/recipient_access check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination, warn_if_reject reject_unknown_sender_domain, warn_if_reject reject_unauth_pipelining, warn_if_reject reject_unknown_recipient_domain, warn_if_reject reject_non_fqdn_recipient, warn_if_reject reject_unknown_hostname, warn_if_reject reject_non_fqdn_hostname, warn_if_reject reject_unknown_client, warn_if_reject reject_invalid_hostname, warn_if_reject reject_non_fqdn_sender
# SASL on the main smtpd. "noanonymous" still permits PLAIN/LOGIN over a
# clear-text session, and TLS is only offered, not required (see
# smtpd_use_tls). If customers' clients can STARTTLS, "noanonymous,
# noplaintext" here plus "smtpd_sasl_tls_security_options = noanonymous"
# confines clear-text passwords to TLS sessions — confirm client support.
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
# NOTE(review): reject_unknown_sender_domain only applies when this host
# is not final destination for the sender, so Postfix has to classify the
# sender domain (mydestination/relay_domains/...) before deciding whether
# a DNS check is needed; that is a plausible source of the
# "o=mx.ourdomain.com" searches — confirm by disabling it temporarily.
# The continuation line below must start with whitespace in the real file.
smtpd_sender_restrictions = permit_sasl_authenticated,  permit_mynetworks,
warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_unknown_sender_domain
smtpd_soft_error_limit = 5
smtpd_timeout = 30s
# Debian's self-signed "snakeoil" pair: adequate for opportunistic TLS from
# the MX, but authenticating customers will see an untrusted certificate.
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Legacy spelling of "smtpd_tls_security_level = may" (opportunistic TLS,
# clear-text sessions still accepted); the newer parameter is preferred.
smtpd_use_tls = yes
# Same tables as relay_recipient_maps; here the LMTP result_format of
# ldap-users.cf is what routes customer mail to the IMAP server.
transport_maps = proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf proxy:ldap:/etc/postfix/ldap-users.cf
unknown_local_recipient_reject_code = 550

The LDAP configs are the same as in the other thread, but here they are for reference.

/etc/postfix/ldap-domains.cf:

# relay_domains table: the key is a bare domain (and, by default, its
# parent domains ".ourdomain.com" and ".com"); any hit means "relay for it".
version = 3
# Each lookup can block for up to 20 s if the directory is unresponsive.
timeout = 20
size_limit = 1
expansion_limit = 1
# NOTE(review): plain ldap:// with STARTTLS off — queries and results cross
# the network in clear text. No bind_dn/bind_pw is set, so this is an
# anonymous simple bind; fine only if ou=mail is meant to be anonymously
# readable. If start_tls is ever enabled, tls_require_cert = no would
# silently skip server-certificate checking — set it to yes at that point.
start_tls = no
tls_require_cert = no
# One level below the base: one o=<domain> entry per relayed domain.
scope = one
# %s is the lookup key (filter-escaped by Postfix per ldap_table(5)).
query_filter = o=%s
result_attribute = o
server_host = ldap://ldap-server.ourdomain.com
search_base =ou=mail,dc=ourdomain,dc=com

/etc/postfix/ldap-users.cf:

# Per-address table shared by relay_recipient_maps (key existence only)
# and transport_maps (result_format below becomes the delivery transport).
version = 3
timeout = 20
size_limit = 1
expansion_limit = 1
# NOTE(review): as in ldap-domains.cf — clear-text LDAP, anonymous bind,
# and tls_require_cert = no would disable certificate checks if STARTTLS
# were turned on later.
start_tls = no
tls_require_cert = no
scope = sub
query_filter = mail=%s
result_attribute = mail
server_host = ldap://ldap-server.ourdomain.com
# %d is the domain part of the address (DN-quoted per ldap_table(5));
# keys without an "@" are not queried at all, so the bare-domain keys that
# transport_maps also tries should not reach the directory — confirm.
search_base =o=%d,ou=mail,dc=ourdomain,dc=com

# The return value is only used in a transport map (i.e. on our scanner).
# NOTE(review): mail is handed to imap.ourdomain.com over LMTP; whether that
# hop is TLS-protected depends on lmtp_tls_* settings not shown here.
result_format = lmtp:[imap.ourdomain.com]:24
