Hi, I'm running: postfix-2.3.2-28 (OpenSUSE)
I'm trying to make Postfix, which runs on a separate machine from LDAP, do LDAP binds using TLS. I'm not sure if the problem is:

 -> some configuration is missing
 -> the fact that the LDAP server uses a self-signed certificate is breaking things.

I don't want other Postfix TLS functionalities, just to do LDAP binds with TLS. My LDAP server uses a self-signed certificate. Until a while ago it used a certificate signed by one of my machines, a "private CA", but I changed all certificates for all services, so they are all self-signed certs now. Other services work with this new setup, if I change their CA certificate to be the machine's own certificate. Before that I didn't try to do LDAP lookups with TLS.

--- postconf ----------------------
alias_maps = ldap:ldaplocal, ldap:/etc/postfix/ldap-local.cf, hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
local_recipient_maps = ldap:ldaplocal, ldap:/etc/postfix/ldap-local.cf
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain
myhostname = "this is my hostname"
mynetworks = 127.0.0.0/8, xxx.xxx.0.0/16
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains = "people I relay mail for"
relay_recipient_maps = ldap:ldaplocal, ldap:/etc/postfix/ldap-local.cf
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, reject_unauth_destination, reject_unverified_recipient, check_recipient_access
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
unverified_recipient_reject_code = 559
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

--- postconf ldap-local.cf:
version = 3
server_host = ldap://"my ldap server":389
search_base = ou=people,dc=company,dc=us
query_filter=(&(|(&(objectclass=postfixuser)(objectclass=inetlocalmailrecipient)) (objectclass=groupofuniquenames))(mail=%s))
result_attribute=mailRoutingAddress
scope = base
debuglevel = 4
domain = "my domain"
start_tls = yes
# --> (Since the LDAP machine uses a self-signed certificate, to trust the LDAP machine certificate I need to trust its CA, which is the LDAP machine certificate itself, right?):
tls_ca_cert_file = /etc/postfix/ldap-machine-cert.crt    <-- is that right?
tls_cert = /etc/postfix/postfix-machine-cert.crt
tls_key = /etc/postfix/postfix-machine-key.key
tls_require_cert = yes
tls_cipher_suite = TLSv1:SSLv3:SSLv2:!NULL:DIGEST-MD5:CRAM-MD5:PLAIN:LOGIN:!EXPORT:!DES:!LOW:@STRENGTH
----------

---- postfix machine /etc/openldap/ldap.conf:
TLS_REQCERT allow
TLS_CACERT /etc/openldap/ldap-machine-cert.crt
---------

I checked all certificate files, they exist and are readable. I read the distribution TLS and LDAP README files for the postfix package, but I can't figure out why Postfix won't even try to bind to LDAP using TLS.
I used wireshark to check that, but postfix just tries to do a plain text bind (the bind works, but I want a bind using TLS). Other TLS binds work just fine with this setup, for Dovecot, PHP and other clients.

thanks
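As an added check (not from the original post or from the Postfix project), here is a small Python linter for the STARTTLS-related settings of a Postfix ldap: table. It encodes constraints documented in ldap_table(5) (start_tls needs LDAPv3 and must not be combined with ldaps://, tls_require_cert needs a trust anchor, tls_cert and tls_key go together) and flags the SASL mechanism names and SSLv2/SSLv3 tokens that appear in the poster's tls_cipher_suite. The sample table, hostname and file paths are constructed placeholders.

```python
# Constructed sample mirroring the poster's ldap-local.cf; the hostname and
# file names are placeholders, not the original poster's values.
SAMPLE_CF = """
version = 3
server_host = ldap://ldap.example.test:389
start_tls = yes
tls_ca_cert_file = /etc/postfix/ldap-machine-cert.crt
tls_cert = /etc/postfix/postfix-machine-cert.crt
tls_key = /etc/postfix/postfix-machine-key.key
tls_require_cert = yes
tls_cipher_suite = TLSv1:SSLv3:SSLv2:!NULL:DIGEST-MD5:CRAM-MD5:PLAIN:LOGIN:!EXPORT:!DES:!LOW:@STRENGTH
"""

SASL_MECHS = {"DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN", "GSSAPI"}  # SASL, not TLS ciphers
LEGACY_PROTOS = {"SSLv2", "SSLv3"}

def parse_table(text):
    """Parse 'key = value' lines of a Postfix ldap: table ('#' starts a comment)."""
    cf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cf[key.strip()] = value.strip()
    return cf

def check_ldap_tls(cf):
    """Return findings about the table's STARTTLS settings (empty list = clean)."""
    out = []
    on = lambda k: cf.get(k, "no").lower() == "yes"
    if on("start_tls"):
        if cf.get("version", "2") != "3":  # STARTTLS is an LDAPv3 extended operation
            out.append("start_tls needs LDAPv3: set version = 3")
        if "ldaps://" in cf.get("server_host", ""):
            out.append("start_tls conflicts with ldaps:// (TLS is already implicit)")
    if on("tls_require_cert") and not (cf.get("tls_ca_cert_file") or cf.get("tls_ca_cert_dir")):
        out.append("tls_require_cert = yes but no trust anchor configured")
    if bool(cf.get("tls_cert")) != bool(cf.get("tls_key")):
        out.append("tls_cert and tls_key must be set together")
    tokens = {t.lstrip("!-+") for t in cf.get("tls_cipher_suite", "").split(":")}
    if tokens & SASL_MECHS:
        out.append("SASL mechanism names in tls_cipher_suite: " + ", ".join(sorted(tokens & SASL_MECHS)))
    if tokens & LEGACY_PROTOS:
        out.append("legacy protocols enabled in tls_cipher_suite: " + ", ".join(sorted(tokens & LEGACY_PROTOS)))
    return out

if __name__ == "__main__":
    for finding in check_ldap_tls(parse_table(SAMPLE_CF)):
        print("-", finding)
```

For a self-signed server certificate, pointing tls_ca_cert_file at that certificate is the correct trust anchor; a clean result from this checker only validates the file, so the running binary's behaviour still has to be confirmed with a `postmap -q user@example.test ldap:/etc/postfix/ldap-local.cf` lookup under a packet capture.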