Re: local_recipient_maps with LDAP

2010-09-01 Thread Victor Duchovni
On Tue, Aug 31, 2010 at 10:48:45PM +0200, Marco Rebsamen wrote:

 Hm, looks like some things changed since I set up the last system. I
 mean why did it work before ?

You changed your configuration. The treatment of relay_domains and
virtual_alias_domains has not changed since Postfix 2.0.

-- 
Viktor.


Re: local_recipient_maps with LDAP

2010-08-31 Thread Victor Duchovni
On Tue, Aug 31, 2010 at 04:05:57PM +0200, Marco Rebsamen wrote:

 Ok I removed that * now from the request and used mail as
 result_attribute. This works now for the local domain ...

Good.

 I added all the non-local domains to the parameter virtual_alias_domains
 and set virtual_alias_maps to ldap:/etc/postfix/virtual.cf

Do you understand what virtual alias domains are for?

 I tested it with postmap -q and it worked.

What does worked mean?

 But if I send a message to that domain I get the message back:
 User unknown in virtual alias table

That means that the recipient address did NOT get rewritten into
a real (not virtual alias) domain.

 message_size_limit = 0

Generally unwise.

 mydestination = $myhostname, localhost, $mydomain
 myhostname = mx-rel.unimatrix0.ch
 relay_domains = $mydestination, hash:/etc/postfix/relay
 relayhost = smtp.hispeed.ch


 sender_canonical_maps = hash:/etc/postfix/sender_canonical

Generally unwise to use sender_canonical_maps. Use smtp_generic_maps
instead to rewrite outbound email.

 smtp_enforce_tls = no

Obsolete.

 smtp_use_tls = yes
 smtpd_use_tls = no

Obsolete, use

smtp_tls_security_level = may
smtpd_tls_security_level = none

 transport_maps = hash:/etc/postfix/transport
 virtual_alias_domains = sinus-elektro.ch spinsch.ch
 virtual_alias_maps = ldap:/etc/postfix/virtual.cf

These domains can't host real recipients, all recipients
must be rewritten to a real domain.

 And the content of virtual.cf
 
 search_base = DC=hive, DC=loc
 query_filter = proxyAddresses=smtp:%s
 result_attribute = mail

Probably mail is the original address in most cases. Where is
such mail routed? If to another server, these are relay domains,
not virtual alias domains, unless you rewrite the address in transit...

-- 
Viktor.


Re: local_recipient_maps with LDAP

2010-08-31 Thread Victor Duchovni
On Tue, Aug 31, 2010 at 08:07:52PM +0200, Marco Rebsamen wrote:

  Probably mail is the original address in most cases. Where is
  such mail routed? If to another server, these are relay domains,
  not virtual alias domains, unless you rewrite the address in transit...
 
 The Messages should be forwarded to the MS Exchange Server from which I
 request the LDAP information.

Then these are relay domains not virtual alias domains, unless you
rewrite the address to an internal domain specific to Exchange in transit.

 I had this working on an older system. What I did there was, adding the
 domains sinus-elektro.ch and spinsch.ch to relay_domains

Which was the right thing to do.

 and then I had a perl-script which updated the local_recipient_maps
 table.

Which is the wrong thing to do, since for relay domains, the validation
table is relay_recipient_maps not local_recipient_maps. You can use
LDAP and skip the need to generate flat file tables, unless you want
to protect AD from the query load...

 If I now add these domains to relay_domains, postfix just delivers
 every message to one of these domains to the exchange without checking
 if the address really exists...

Because you are not setting relay_recipient_maps.

http://www.postfix.org/ADDRESS_CLASS_README.html

-- 
Viktor.


Re: local_recipient_maps with LDAP

2010-08-30 Thread Victor Duchovni
On Sun, Aug 29, 2010 at 01:20:39AM +0200, Marco Rebsamen wrote:

   query_filter = proxyaddresses=...@domain1.ch*

DO NOT use wildcard * patterns to match recipients. The correct query
is:

query_filter = proxyAddresses=smtp:%...@domain1.ch

or, more typically:

query_filter = proxyAddresses=smtp:%s

Since AD will need to know all the proxyAddresses for a given user,
so there is generally no need to normalize the domain.

-- 
Viktor.


Re: local_recipient_maps with LDAP

2010-08-30 Thread Patrick Ben Koetter
* Victor Duchovni postfix-users@postfix.org:
 On Sun, Aug 29, 2010 at 01:20:39AM +0200, Marco Rebsamen wrote:
 
  query_filter = proxyaddresses=...@domain1.ch*
 
 DO NOT use wildcard * patterns to match recipients. The correct query
 is:
 
 query_filter = proxyAddresses=smtp:%...@domain1.ch
 
 or, more typically:
 
 query_filter = proxyAddresses=smtp:%s

Is smtp:%s sufficient? IIRC the main mail address is noted as SMTP:%s. A
query that catches those too would be this:

 query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/


Re: local_recipient_maps with LDAP

2010-08-30 Thread Patrick Ben Koetter
* Patrick Ben Koetter p...@state-of-mind.de:
 Is smtp:%s sufficient? IIRC the main mail address is noted as SMTP:%s. A
 query that catches those too would be this:
 
  query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))

On second thought...

A query that matches all aliases goes like this:

  query_filter = proxyAddresses=smtp:%s

A query filter that matches final recipients:

  query_filter = proxyAddresses=SMTP:%s

To limit query to local domain addresses only add the domainpart:

  query_filter = proxyAddresses=smtp:%...@example.com

p...@rick



Re: local_recipient_maps with LDAP

2010-08-30 Thread Victor Duchovni
On Mon, Aug 30, 2010 at 04:39:46PM +0200, Patrick Ben Koetter wrote:

 * Victor Duchovni postfix-users@postfix.org:
  On Sun, Aug 29, 2010 at 01:20:39AM +0200, Marco Rebsamen wrote:
  
    query_filter = proxyaddresses=...@domain1.ch*
  
  DO NOT use wildcard * patterns to match recipients. The correct query
  is:
  
  query_filter = proxyAddresses=smtp:%...@domain1.ch
  
  or, more typically:
  
  query_filter = proxyAddresses=smtp:%s
 
 Is smtp:%s sufficient? IIRC the main mail address is noted as SMTP:%s. A
 query that catches those too would be this:

The proxyAddresses field is matched case-insensitively. No fancy gymnastics
required:

  query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))

The first string matches both.

-- 
Viktor.


Re: local_recipient_maps with LDAP

2010-08-30 Thread Victor Duchovni
On Mon, Aug 30, 2010 at 04:45:39PM +0200, Patrick Ben Koetter wrote:

 * Patrick Ben Koetter p...@state-of-mind.de:
  Is smtp:%s sufficient? IIRC the main mail address is noted as SMTP:%s. A
  query that catches those too would be this:
  
   query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))
 
 On second thought...
 
 A query that matches all aliases goes like this:
 
   query_filter = proxyAddresses=smtp:%s
 
 A query filter that matches final recipients:
 
   query_filter = proxyAddresses=SMTP:%s

This is wrong. Both queries find the same results.

-- 
Viktor.


Re: local_recipient_maps with LDAP

2010-08-30 Thread Patrick Ben Koetter
* Victor Duchovni postfix-users@postfix.org:
  Is smtp:%s sufficient? IIRC the main mail address is noted as SMTP:%s. A
  query that catches those too would be this:
 
 The proxyAddresses field is matched case-insensitively. No fancy gymnastics
 required:
 
   query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))
 
 The first string matches both.

Case-insensitive because the matching rule for proxyAddresses is
case-insensitive?

p...@rick



Re: local_recipient_maps with LDAP

2010-08-30 Thread Victor Duchovni
On Mon, Aug 30, 2010 at 04:58:48PM +0200, Patrick Ben Koetter wrote:

 * Victor Duchovni postfix-users@postfix.org:
   Is smtp:%s sufficient? IIRC the main mail address is noted as SMTP:%s. A
   query that catches those too would be this:
  
  The proxyAddresses field is matched case-insensitively. No fancy gymnastics
  required:
  
    query_filter = (|(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))
  
  The first string matches both.
 
 Case-insensitive because the matching rule for proxyAddresses is
 case-insensitive?

Yes, naturally. The case of the smtp prefix only matters when it
is used as a result value, not when it is a lookup key.

-- 
Viktor.


Re: local_recipient_maps with LDAP

2010-08-30 Thread Victor Duchovni
On Mon, Aug 30, 2010 at 08:50:33PM +0200, Marco Rebsamen wrote:

 
 Ok, I'm really confused about that LDAP lookup stuff :-/
 What I want to do is to check if an address to which a message is addressed 
 really exists.
 
 I'm currently using this script for local recipient checks:
 
 bind_dn = j...@hive.loc
 bind_pw = 
 server_host = 192.168.8.254
 
 #Global Catalog port
 server_port = 3268
 
 search_base = DC=hive, DC=loc
 query_filter = proxyAddresses=smtp:*...@unimatrix0.ch
 result_attribute = proxyAddresses

What is that pesky * doing in your query filter!!!

Why is proxyAddresses the right result attribute. I would use mail.

Report problems accurately with supporting postconf -n output,
table definitions AND logs!

-- 
Viktor.


Re: local_recipient_maps with LDAP

2010-08-30 Thread Victor Duchovni
On Mon, Aug 30, 2010 at 09:46:26PM +0200, Marco Rebsamen wrote:

   search_base = DC=hive, DC=loc
   query_filter = proxyAddresses=smtp:*...@unimatrix0.ch
   result_attribute = proxyAddresses
  
  What is that pesky * doing in your query filter!!!
 
 It's a damn wildcard! I thought I would need it because when I tried
 to find the right parameters for this LDAP request I could not find
 anything until I used this star!

Get rid of it. With the smtp: prefix properly set to match the actual
data in Microsoft's AD, you no longer need the * and using it lowers
performance and creates backscatter when you accept invalid names that
are prefixes of valid names.

  Why is proxyAddresses the right result attribute. I would use mail.
 
 I don't know ?! Is it not ?! from where should I know that ?!

By understanding what you are doing... :-(

 Why do I need an email address as return anyway ?!

You need some non-empty attribute as a result, ideally a single-valued
one that keeps the result-set small. Using mail makes sense.

-- 
Viktor.
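
The effect of the wildcard that Viktor describes above, as an added example that is not part of the original thread: a simplified Python model (not a real LDAP client) of how one `attr=pattern` assertion is evaluated against a directory entry. `ENTRY`, `PROBES`, `matches` and `accepted` are hypothetical names, the addresses are constructed, and the model assumes case-insensitive value matching and a lookup key that is quoted before substitution.

```python
# Constructed directory entry; every name and address here is made up.
ENTRY = {
    "mail": ["marco@example.com"],
    "proxyAddresses": [
        "SMTP:marco@example.com",       # primary address (upper-case prefix)
        "smtp:m.rebsamen@example.com",  # secondary address
    ],
}


def _match_one(value, parts):
    """Match one lower-cased value against the '*'-separated pattern pieces."""
    if len(parts) == 1:                      # no wildcard: plain equality
        return value == parts[0]
    first, middle, last = parts[0], parts[1:-1], parts[-1]
    if not value.startswith(first):
        return False
    pos = len(first)
    for piece in middle:                     # pieces must appear in order
        found = value.find(piece, pos)
        if found < 0:
            return False
        pos = found + len(piece)
    return value.endswith(last) and len(value) - len(last) >= pos


def matches(template, key, entry=ENTRY):
    """Evaluate one 'attr=pattern' assertion: '*' written in the template is
    a wildcard, %s is the whole lookup key, comparison ignores case."""
    attr, pattern = template.split("=", 1)
    # Split on the template's own '*' before substituting the key, so a '*'
    # supplied in the key stays a literal character (assumption: key is quoted).
    parts = [p.replace("%s", key).lower() for p in pattern.split("*")]
    values = [v.lower() for name, vals in entry.items()
              if name.lower() == attr.strip().lower() for v in vals]
    return any(_match_one(v, parts) for v in values)


def accepted(template, recipients):
    """Return the recipients a recipient-validation map would accept."""
    return [r for r in recipients if matches(template, r)]


# Constructed probes: two real addresses and three that do not exist.
PROBES = ["marco@example.com", "m.rebsamen@example.com",
          "arco@example.com", "marco@example.co", "*"]

if __name__ == "__main__":
    for t in ("proxyAddresses=*%s*", "proxyAddresses=smtp:%s",
              "proxyAddresses=SMTP:%s"):
        print(f"{t:28} accepts {accepted(t, PROBES)}")
```

With the wildcard template the two truncated addresses are accepted as valid recipients and would later bounce, which is the backscatter case; the exact-match templates accept only the two real addresses, whichever case the prefix is written in.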


Re: local_recipient_maps with LDAP

2010-08-30 Thread Jamrock
Marco Rebsamen mrebsa...@unimatrix0.ch wrote in message 
news:f70fd6682c026e40970a322e98e764545...@tranceiver.hive.loc...
  Hello Everybody

  I want to have my local recipients checked against my Active Directory. So I have created the .cf file with the LDAP parameters:

  bind_dn = u...@domain.local
  bind_pw = **
  server_host = 192.168.8.254

  #Global Catalog port
  server_port = 3268

  search_base = DC=domain, DC=local
  query_filter = proxyAddresses=*%s*

  and changed the main.cf file:

  local_recipient_maps = ldap:/etc/postfix/local_recipient_maps.cf unix:passwd.byname

  If I do this now:

  postmap -v -q 'u...@domain.ch' ldap:/etc/postfix/local_recipient_maps.cf

  It tells me Search found 1 match(es). But if I try to deliver a message with the same address postfix tells me User not known in local recipient maps

  How can I figure out what's wrong?

  Thanks

  The following has worked for me.  Don't know if it is the best way or not.

  Step 1

  Create a user in Active Directory for Postfix to use.

  First name = postfix
  Lastname =
  User Logon Name = postfix
  User cannot change password
  Password never expires

  Step 2

  Add the following to the /etc/postfix/main.cf:

  # Prevents mail from being sent to local user accounts
  local_transport = virtual

  # Information about mailboxes
  virtual_mailbox_base = /var/postfix/maildirs/
  virtual_mailbox_maps = ldap:/etc/postfix/ldap_mailboxes.cf
  virtual_minimum_uid = 501
  virtual_uid_maps = static:501
  virtual_gid_maps = static:502

  # Files storing user and group information
  virtual_maps = ldap:/etc/postfix/ldap_users.cf, ldap:/etc/postfix/ldap_groups.cf

  Step 3

  Create /etc/postfix/ldap_mailboxes.cf

  server_host = ldap://mail.testcompany.com:389
  version = 3
  search_base = cn=users,dc=testcompany,dc=com
  query_filter = (&(mail=%s)(objectClass=user))
  result_attribute = samaccountname
  result_format = %s/
  bind_dn = postfix
  bind_pw = DFD321

  Step 4

  Create /etc/postfix/ldap_users.cf

  server_host = ldap://mail.testcompany.com:389
  version = 3
  search_base = cn=users,dc=testcompany,dc=com
  query_filter = (&(mail=%s)(objectClass=user))
  result_attribute = samaccountname
  bind_dn = postfix
  bind_pw = DFD321

  Step 5

  Create /etc/postfix/ldap_groups.cf

  server_host = ldap://mail.testcompany.com:389
  version = 3
  search_base = ou=mail_groups,dc=testcompany,dc=com
  query_filter = (&(mail=%s)(objectClass=group))
  special_result_attribute = member
  leaf_result_attribute = mail
  bind_dn = postfix
  bind_pw = DFD321

  Once you get this working, you will need to think about SSL encryption between the Linux box and the Windows box.


Re: local_recipient_maps with LDAP

2010-08-28 Thread Patrick Ben Koetter
* Marco Rebsamen mrebsa...@unimatrix0.ch:
 I want to have my local recipients checked against my Active Directory.
 So I have created the .cf file with the LDAP parameters:
 
 bind_dn = u...@domain.local
 bind_pw = **
 server_host = 192.168.8.254
 #Global Catalog port
 server_port = 3268
 search_base = DC=domain, DC=local
 query_filter = proxyAddresses=*%s*
 
 and changed the main.cf file: 
 
 local_recipient_maps = ldap:/etc/postfix/local_recipient_maps.cf
 unix:passwd.byname
 
 If i do this now:
 postmap -v -q 'u...@domain.ch' ldap:/etc/postfix/local_recipient_maps.cf
 
 It tells me Search found 1 match(es). But If i try to deliver a
 message with the same address postfix tells me User not known in local
 recipient maps
 
 How can i figure out whats wrong ?

%s is replaced by the input key, but you need to search for %u somewhat like
this:

query_filter = (proxyaddresses...@domain.local)

Why?  In context of local recipient maps the domain part is already known to
Postfix and it doesn't search for it. With local_recipient_maps Postfix only
looks for the localpart of an email address.

p...@rick




Re: local_recipient_maps with LDAP

2010-08-28 Thread Patrick Ben Koetter
* Marco Rebsamen mrebsa...@unimatrix0.ch:
 I see
 If I got multiple domains, what do I do?
 Something like this?
 query_filter = (proxyaddresses...@%d)

Only one domain can be your local domain. All other domains are virtual
domains.

Create two ldap query files.

Local domain:
query_filter = (proxyaddresses...@domain.local)

Virtual domains:
query_filter = (proxyAddresses=%s)





 