On Tue, Feb 24, 2009 at 06:48:12PM -0600, Nick Geron wrote:

> So as root or my limited rights postfix user this works:
>
> #postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
> j...@example.com

You only show a test running as root, not "postfix".

What versions of Postfix and OpenLDAP are these? There was TLS API creep in OpenLDAP between 2.0 and 2.1, and the Postfix LDAP driver was originally based on OpenLDAP 2.0; this was resolved in Postfix 2.5 as described in ldap_table(5) under "tls_require_cert".

Please show complete output from "postmap -q" running as the $mail_owner user, just hide the bind password.

> Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: In

Is trivial-rewrite in a chroot jail? Please show equivalent "dict_ldap" logging (to that from postmap -q) from "trivial-rewrite -v" on an idle Postfix system asked to deliver one message to one recipient.

> Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str:
> /etc/postfix/ldap/aliases.cf: tls_ca_cert_file =
> /etc/postfix/ssl/ldap13.crt

What's in this file? Is it a PEM file? Does your LDAP server expect client certificates?

> I've been around and around with this all day and keep coming back to the
> same conclusion - proxymap and/or trivial-rewrite (or whatever is
> responsible for establishing the connection) is not loading my CA file,
> though it's explicitly set in my ldap table conf file:
>
> (/etc/postfix/ldap/aliases.cf)
> start_tls = yes
> tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
> tls_random_file = /dev/urandom

Shouldn't this be "dev:/dev/urandom"? (Better yet, leave this out; it should default sensibly in OpenSSL.) Are you using OpenSSL or GnuTLS to add TLS support in OpenLDAP?

> Again, if I tell postmap to use the proxymap daemon with 'postmap -q
> j...@example.com proxy:ldap:/etc/postfix/ldap/aliases.cf', the same failure
> to load the cert and an error -11 as in the above syslog output.

Is proxymap chrooted?

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
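The questions raised in the reply above (is trivial-rewrite or proxymap chrooted, is the CA file actually PEM, is tls_random_file set at all) can be turned into a pre-flight check before anyone runs `postmap -q` as the `$mail_owner` user. The script below is an added example, not code from the thread or from the Postfix project. The master.cf excerpt, the ldap table text and the certificate stand-in are constructed sample input; the file paths are the ones quoted in the thread, and the function names and the `default_chroot` assumption (master.cf's `-` meaning chroot for pre-3.0 Postfix, the era of this thread) are mine.

```python
"""Static pre-checks for a Postfix LDAP table that uses STARTTLS.

Added example: encodes the diagnostic questions from the thread as checks
over copies of master.cf and an ldap table file. All inputs below are
constructed sample data, not real configuration or certificates.
"""
import re

# Constructed master.cf excerpt. Field 5 is the chroot column ('y', 'n' or '-').
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
rewrite   unix  -       -       y       -       -       trivial-rewrite
proxymap  unix  -       -       n       -       -       proxymap
local     unix  -       n       n       -       -       local
"""

# Constructed ldap table file mirroring the settings quoted in the thread.
SAMPLE_ALIASES_CF = """\
server_host = ldap13.example.com
search_base = ou=people,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mail
start_tls = yes
tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
tls_random_file = /dev/urandom
"""

# Constructed stand-ins for the contents of tls_ca_cert_file: one PEM-shaped
# bundle (the base64 body is a dummy) and one binary blob such as a DER file.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedDummyBody==\n-----END CERTIFICATE-----\n"
SAMPLE_DER_LIKE = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00"

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_master_cf(text):
    """Map each master.cf command (8th field) to its chroot column (5th field)."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # continuation or malformed line; ignore
        services[fields[7]] = fields[4]
    return services


def parse_ldap_table(text):
    """Parse the 'key = value' lines of a Postfix ldap table file."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def count_pem_certs(data):
    """Number of PEM certificate blocks; 0 means the file is not a PEM bundle."""
    if isinstance(data, bytes):
        try:
            data = data.decode("ascii")
        except UnicodeDecodeError:
            return 0  # binary content (e.g. DER) cannot be a PEM bundle
    return len(PEM_CERT_RE.findall(data))


def audit(master_cf_text, table_text, ca_file_data, default_chroot="y"):
    """Return findings, in the order the thread raises them.

    default_chroot is what a '-' in the chroot column means; 'y' is the
    assumption for Postfix before 3.0, the versions in use in this thread.
    """
    findings = []
    services = parse_master_cf(master_cf_text)
    for cmd in ("trivial-rewrite", "proxymap"):
        flag = services.get(cmd)
        if flag is None:
            continue
        if (default_chroot if flag == "-" else flag) == "y":
            findings.append(f"{cmd} is chrooted; {cmd} can only open files inside the chroot")
    params = parse_ldap_table(table_text)
    if params.get("start_tls", "no") == "yes":
        ca_path = params.get("tls_ca_cert_file")
        if ca_path and count_pem_certs(ca_file_data) == 0:
            findings.append(f"tls_ca_cert_file {ca_path} holds no PEM certificate")
        if "tls_random_file" in params:
            findings.append("tls_random_file is set; leave it out and let OpenSSL default")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MASTER_CF, SAMPLE_ALIASES_CF, SAMPLE_PEM):
        print("-", finding)
```

Point `audit()` at the real files read from disk to reproduce the check on a live system; what it cannot replace is the manual step the reply insists on, running `postmap -q` as `$mail_owner` rather than root, since file permissions are only exercised by the actual unprivileged process.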