I'm in the process of putting together a Postfix system with an LDAP back-end and have come across something very odd regarding ldap_table. Basically, Postfix does not load my private CA.

The CA is really a self-signed cert generated by Java keytool; try as I might, I couldn't get keytool to use our private CA generated by openssl.

Without a local copy of the 'CA', TLS connections fail with or without requiring a cert. I found a similar thread in the archive, but the root problem there was related to random number generation and GnuTLS, and the key entry in the log was an exit status 2 from trivial-rewrite:
http://archives.neohapsis.com/archives/postfix/2008-01/0764.html

Now, my tests are similar to this fellow's, but I do not get the same exit status. Also, all maps work fine without encryption.

So as root or my limited-rights postfix user this works:

#postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
j...@example.com

However, any lookup actions from the server fail to establish the TLS connection:

Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: In dict_ldap_lookup
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: No existing connection for LDAP source /etc/postfix/ldap/aliases.cf, reopening
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_connect: Connecting to server ldap://ldap13.example.com:389
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_connect: Actual Protocol version used is 3.
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: fatal: ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix): table lookup problem

I do see that dict_ldap read my config here:

Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt

I've been around and around with this all day and keep coming back to the same conclusion: proxymap and/or trivial-rewrite (or whatever is responsible for establishing the connection) is not loading my CA file, though it's explicitly set in my ldap table conf file:

(/etc/postfix/ldap/aliases.cf)
bind = yes
bind_dn = uid=postfix,ou=ldap,cn=mailsystem
bind_pw = abc123
start_tls = yes
version = 3
tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
#tls_require_cert = yes
server_host = ldap://ldap13.example.com:389
search_base = ou=domains,cn=mailsystem
query_filter = (&(objectClass=CourierMailAlias)(mail=%s))
result_attribute = maildrop
#debuglevel = 1
tls_random_file = /dev/urandom

(in main.cf)
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/aliases.cf

Running strace for opened files shows that the server loads another private CA and cert for smtpd (SMTP AUTH) and even system-specified certificates that it or the openssl libs read out of /etc/ldap.conf. Traces even show that something is loading /etc/openldap/ldap.conf, for which I've also explicitly set a TLS_CAFILE entry for testing with the OpenLDAP binaries. I should also note that Courier authlib and saslauthd both work fine with TLS to the same LDAP server using the same CA.

As one might expect, tracing the successful postmap command does show that it opens and reads the cert specified via tls_ca_cert_file:

#strace -e trace=open postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
...
open("/etc/postfix/ssl/ldap13.crt", O_RDONLY) = 5
...

Again, if I tell postmap to use the proxymap daemon with 'postmap -q j...@example.com proxy:ldap:/etc/postfix/ldap/aliases.cf', I get the same failure to load the cert and an error -11 as in the above syslog output.

The test rig is on a recent build of Gentoo with Postfix 2.5.6 built against OpenSSL 0.9.8g. The LDAP server is running OpenDS 1.2.

Thanks for any help. This one's got me baffled. Please let me know if I should provide any additional output.

-Nick Geron
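The post contrasts a working unchrooted postmap with failing lookups from proxymap and trivial-rewrite, which run however master.cf says they run. The script below is an added diagnostic written for this page, not code from the post or from the Postfix project: it reads tls_ca_cert_file out of an ldap table file, looks up the chroot column for the lookup daemons in master.cf, and reports the path each daemon would really open, since a chrooted process resolves an absolute path like /etc/postfix/ssl/ldap13.crt inside queue_directory rather than on the host filesystem. Assumed facts: master.cf columns are service, type, private, unpriv, chroot, wakeup, maxproc, command; per master(5), a "-" in the chroot column means "y" on Postfix before 3.0 and "n" from 3.0 on; trivial-rewrite is the command behind the service named "rewrite"; queue_directory defaults to /var/spool/postfix. The master.cf excerpt is constructed (it is not the poster's), the table excerpt copies the post's settings, and the optional live check uses the OpenLDAP ldapsearch client with its LDAPTLS_CACERT environment variable.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original post): is the file named by
# tls_ca_cert_file readable from the daemon that performs the LDAP lookup?
# Assumed: master.cf column order "service type private unpriv chroot wakeup maxproc
# command", and the master(5) rule that "-" in the chroot column means "y" on
# Postfix < 3.0 and "n" on Postfix >= 3.0.

# Constructed copy of the relevant lines from the post's /etc/postfix/ldap/aliases.cf.
SAMPLE_TABLE='bind = yes
start_tls = yes
#tls_require_cert = yes
tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
server_host = ldap://ldap13.example.com:389'

# Constructed master.cf excerpt (not the poster's): "rewrite" is the service that
# runs trivial-rewrite; its chroot column is "-", proxymap's is an explicit "n".
SAMPLE_MASTER='# service type private unpriv chroot wakeup maxproc command
smtp      inet  n       -       n       -       -       smtpd
rewrite   unix  -       -       -       -       -       trivial-rewrite
proxymap  unix  -       -       n       -       -       proxymap'

# table_get KEY: print the value of KEY from ldap table text read on stdin.
# The ^ anchor skips commented-out keys such as "#tls_require_cert".
table_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# service_chrooted SERVICE MAJOR: print y or n for SERVICE in master.cf text on
# stdin, resolving "-" with the version-dependent default described above.
service_chrooted() {
    awk -v svc="$1" -v major="$2" '
        /^[ \t]*#/ || NF < 8 { next }
        $1 == svc {
            c = $5
            if (c == "-") c = (major < 3) ? "y" : "n"
            print c
            exit
        }'
}

# ca_file_check CAFILE CHROOTED QUEUE_DIR: print "ok PATH" or "missing PATH", where
# PATH is what the daemon really opens (prefixed by queue_directory when chrooted).
ca_file_check() {
    [ -n "$1" ] || { echo "tls_ca_cert_file unset"; return 0; }
    if [ "$2" = y ]; then path="$3$1"; else path="$1"; fi
    if [ -r "$path" ]; then echo "ok $path"; else echo "missing $path"; fi
}

# report TABLE_TEXT MASTER_TEXT MAJOR QUEUE_DIR: one line per lookup daemon.
report() {
    ca=$(printf '%s\n' "$1" | table_get tls_ca_cert_file)
    for svc in rewrite proxymap; do
        chrooted=$(printf '%s\n' "$2" | service_chrooted "$svc" "$3")
        printf '%s chroot=%s %s\n' "$svc" "$chrooted" "$(ca_file_check "$ca" "$chrooted" "$4")"
    done
}

# live_starttls_check URI CAFILE: optional end-to-end test with the OpenLDAP client.
# -ZZ makes ldapsearch fail unless STARTTLS succeeds; LDAPTLS_CACERT overrides
# whatever TLS_CACERT ldap.conf names, so the CA file itself is what gets tested.
live_starttls_check() {
    if LDAPTLS_CACERT="$2" ldapsearch -x -ZZ -H "$1" -b '' -s base 1.1 >/dev/null 2>&1; then
        echo "starttls ok"
    else
        echo "starttls failed"
    fi
}

# Stand-alone run: report on the constructed sample for Postfix 2.5.6 (major 2).
report "$SAMPLE_TABLE" "$SAMPLE_MASTER" 2 /var/spool/postfix
# Pass a server URI and CA file as arguments to also run the live check.
if [ "$#" -ge 2 ]; then live_starttls_check "$1" "$2"; fi
```

On a real box, feed it the actual files (`report "$(cat /etc/postfix/ldap/aliases.cf)" "$(cat /etc/postfix/master.cf)" 2 "$(postconf -h queue_directory)"`): a line reading `rewrite chroot=y missing /var/spool/postfix/etc/postfix/ssl/ldap13.crt` next to an `ok` for the unchrooted path is exactly the asymmetry between a working postmap and a failing daemon that strace alone does not explain.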