Thanks for the reply, Victor.
Responses below. Please let me know if any additional output is needed,
or if I did something foolish ;)
Note: I cut out most of dict_eval verbose output as the list bot
rejected my first attempt to send due to length. If there are specific
log lines needed I can make things more concise with grep.
-Nick
Victor Duchovni wrote:
> On Tue, Feb 24, 2009 at 06:48:12PM -0600, Nick Geron wrote:
>> So as root or my limited rights postfix user this works:
>> #postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
>> j...@example.com
>
> You only show a test running as root, not "postfix". What versions of
> Postfix and OpenLDAP are these? There was TLS API creep in OpenLDAP
> between 2.0 and 2.1, and the Postfix LDAP driver was originally based
> on OpenLDAP 2.0, this was resolved in Postfix 2.5 as described in
> ldap_table(5) under "tls_require_cert".
> Please show complete output from "postmap -q" running as the $mail_owner
> user, just hide the bind password.

I'm guessing you wanted to see verbose output.
smtp11 ~ # su - postfix
post...@smtp11 ~ $ /usr/sbin/postmap -vq j...@example.com
ldap:/etc/postfix/ldap/aliases.cf
postmap: name_mask: ipv4
<removed dict_eval due to length>
postmap: name_mask: subnet
postmap: inet_addr_local: configured 4 IPv4 addresses
postmap: been_here: 127.0.0.0/8: 0
postmap: been_here: 172.20.0.0/22: 0
postmap: been_here: 172.28.8.0/22: 0
postmap: mynetworks: 127.0.0.0/8 172.20.0.0/22 172.28.8.0/22
postmap: dict_eval: const 127.0.0.0/8 172.20.0.0/22 172.28.8.0/22
postmap: dict_ldap_open: Using LDAP source /etc/postfix/ldap/aliases.cf
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: server_host =
ldap://ldap13.example.com:389
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: server_port = 389
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: version = 3
postmap: dict_ldap_open: /etc/postfix/ldap/aliases.cf server_host URL is
ldap://ldap13.example.com:389
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: scope = sub
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: search_base =
ou=domains,cn=mailsystem
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: timeout = 10
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: query_filter =
(&(objectClass=CourierMailAlias)(mail=%s))
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: result_format = <NULL>
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: result_filter = %s
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: domain =
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf:
terminal_result_attribute =
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: leaf_result_attribute =
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: result_attribute =
maildrop
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf:
special_result_attribute =
postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: bind = on
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: bind_dn =
uid=courierauthlib,ou=ldap,cn=mailsystem
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: bind_pw = abc123
postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: cache = off
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: cache_expiry = -1
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: cache_size = -1
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: recursion_limit = 1000
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: expansion_limit = 0
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: size_limit = 0
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: dereference = 0
postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: chase_referrals = off
postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: start_tls = on
postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: tls_require_cert = on
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_file =
/etc/postfix/ssl/ldap13.crt
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_dir =
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_cert =
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_key =
postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_cipher_suite =
postmap: cfg_get_int: /etc/postfix/ldap/aliases.cf: debuglevel = 0
postmap: dict_open: ldap:/etc/postfix/ldap/aliases.cf
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source
/etc/postfix/ldap/aliases.cf, reopening
postmap: dict_ldap_connect: Connecting to server
ldap://ldap13.example.com:389
postmap: dict_ldap_connect: Actual Protocol version used is 3.
postmap: dict_ldap_connect: Binding to server
ldap://ldap13.example.com:389 as dn uid=courierauthlib,ou=ldap,cn=mailsystem
postmap: dict_ldap_connect: Successful bind to server
ldap://ldap13.example.com:389 as uid=courierauthlib,ou=ldap,cn=mailsystem
postmap: dict_ldap_connect: Cached connection handle for LDAP source
/etc/postfix/ldap/aliases.cf
postmap: dict_ldap_lookup: /etc/postfix/ldap/aliases.cf: Searching with
filter (&(objectClass=CourierMailAlias)(mail=...@example.com))
postmap: dict_ldap_get_values[1]: Search found 1 match(es)
postmap: dict_ldap_get_values[1]: search returned 1 value(s) for
requested result attribute maildrop
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned j...@example.com
j...@example.com
postmap: dict_ldap_close: Closed connection handle for LDAP source
/etc/postfix/ldap/aliases.cf
post...@smtp11 ~ $

>> Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: In
>
> Is trivial-rewrite in a chroot jail? Please show equivalent "dict_ldap"
> logging (to that from postmap -q) from "trivial-rewrite -v" on an idle
> Postfix system asked to deliver one message to one recipient.

Not that I can tell.
smtp11 postfix # grep trivial-rewrite master.cf
rewrite unix - - n - - trivial-rewrite -v
smtp11 postfix # tail -f /var/log/mail/postfix_trivial-rewrite.log
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: name_mask: ipv4
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: name_mask: subnet
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: inet_addr_local:
configured 4 IPv4 addresses
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: been_here:
127.0.0.0/8: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: been_here:
172.20.0.0/22: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: been_here:
66.219.32.192/28: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: been_here:
172.28.8.0/22: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: mynetworks:
127.0.0.0/8 172.20.0.0/22 172.28.8.0/22
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: const
proxy:ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: expand
$virtual_alias_maps -> proxy:ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: const
proxy:ldap:/etc/postfix/ldap/domains.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: expand
$local_transport -> local:smtp-test.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: expand
$virtual_transport -> maildrop
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: expand
$relay_transport -> relay
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: expand
$default_transport -> smtp
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: expand
$relayhost ->
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: const <>
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: expand
$sender_dependent_relayhost_maps ->
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: const no
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_eval: const no
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: process
generation: 63 (63)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: connect to
subsystem private/proxymap
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr request
= open
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr table =
ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr flags =
16448
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: flags
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: flags
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: 16464
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: (list terminator)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_proxy_open:
connect to map=ldap:/etc/postfix/ldap/aliases.cf status=0
server_flags=fixed|lock|fold_fix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_open:
proxy:ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr request
= open
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr table =
ldap:/etc/postfix/ldap/domains.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr flags =
16448
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: flags
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: flags
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: 16464
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: (list terminator)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_proxy_open:
connect to map=ldap:/etc/postfix/ldap/domains.cf status=0
server_flags=fixed|lock|fold_fix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_open:
proxy:ldap:/etc/postfix/ldap/domains.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
relay_domains ~? debug_peer_list
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
relay_domains ~? fast_flush_domains
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
relay_domains ~? mynetworks
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
relay_domains ~? permit_mx_backup_networks
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
relay_domains ~? qmqpd_authorized_clients
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
relay_domains ~? relay_domains
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: connection
established fd 128
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: connection
established fd 129
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: master_notify:
status 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: rewrite socket:
wanted attribute: request
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: request
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: resolve
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: rewrite socket:
wanted attribute: sender
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: sender
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: rewrite socket:
wanted attribute: address
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: address
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: j...@example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: rewrite socket:
wanted attribute: (list terminator)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
example.com ~? smtp-test.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
example.com ~? localhost.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
example.com ~? localhost
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_list_match:
example.com: no match
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: match_string:
example.com ~? proxy:ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr request
= lookup
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr table =
ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr flags =
16448
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: send attr key =
example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const mail
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const ipv4
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: name_mask: ipv4
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
smtp-test.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Postfix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
postfix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
postfix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
postdrop
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$myhostname, localhost.$mydomain, localhost -> smtp-test.example.com,
localhost.example.com, localhost
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$myhostname -> smtp-test.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
/usr/lib64/postfix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
/var/lib/postfix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
/usr/sbin
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
/var/spool/postfix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const pid
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const all
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
double-bounce
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
nobody
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
hash:/etc/mail/aliases
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
20090103
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
2.5.6
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const hash
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
deferred, defer
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$mydestination -> smtp-test.example.com, localhost.example.com, localhost
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$relay_domains -> smtp-test.example.com, localhost.example.com, localhost
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
TZ MAIL_CONFIG LANG
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
subnet
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const +=
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const -=+
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
bounce
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
cleanup
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
defer
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
pickup
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const qmgr
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
rewrite
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
showq
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
error
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
flush
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
verify
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
trace
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 100s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 100s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 100s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 100s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
3600s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
3600s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 5s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 5s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
1000s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
1000s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 10s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 10s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 1s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 1s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 1s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 1s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 500s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 500s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
18000s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
18000s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 1s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const 1s
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: name_mask: subnet
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: 2
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: value
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: value
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
value: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
socket: wanted attribute: (list terminator)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
name: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]:
dict_proxy_lookup: table=ldap:/etc/postfix/ldap/aliases.cf
flags=lock|fold_fix key=example.com -> status=2 result=
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: fatal:
proxy:ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix): table lookup
problem
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: inet_addr_local:
configured 4 IPv4 addresses
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: been_here:
127.0.0.0/8: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: been_here:
172.20.0.0/22: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: been_here:
172.28.8.0/22: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: mynetworks:
127.0.0.0/8 172.20.0.0/22 172.28.8.0/22
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
127.0.0.0/8 172.20.0.0/22 172.28.8.0/22
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
local:$myhostname -> local:smtp-test.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
maildrop
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
relay
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const smtp
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
proxy:ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$virtual_alias_maps -> proxy:ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
proxy:ldap:/etc/postfix/ldap/domains.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
MAILER-DAEMON
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$transport_maps ->
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$local_transport -> local:smtp-test.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$virtual_transport -> maildrop
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$relay_transport -> relay
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$default_transport -> smtp
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$relayhost ->
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const <>
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: expand
$sender_dependent_relayhost_maps ->
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const no
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_eval: const no
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: process
generation: 65 (65)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: connect to
subsystem private/proxymap
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr request
= open
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr table =
ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr flags =
16448
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: flags
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: flags
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: 16464
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: (list terminator)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_proxy_open:
connect to map=ldap:/etc/postfix/ldap/aliases.cf status=0
server_flags=fixed|lock|fold_fix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_open:
proxy:ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr request
= open
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr table =
ldap:/etc/postfix/ldap/domains.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr flags =
16448
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: flags
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: flags
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: 16464
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: (list terminator)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_proxy_open:
connect to map=ldap:/etc/postfix/ldap/domains.cf status=0
server_flags=fixed|lock|fold_fix
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: dict_open:
proxy:ldap:/etc/postfix/ldap/domains.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
relay_domains ~? debug_peer_list
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
relay_domains ~? fast_flush_domains
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
relay_domains ~? mynetworks
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
relay_domains ~? permit_mx_backup_networks
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
relay_domains ~? qmqpd_authorized_clients
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
relay_domains ~? relay_domains
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: connection
established fd 128
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: connection
established fd 129
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: master_notify:
status 0
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: rewrite socket:
wanted attribute: request
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: request
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: resolve
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: rewrite socket:
wanted attribute: sender
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: sender
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: rewrite socket:
wanted attribute: address
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: address
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: j...@example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: rewrite socket:
wanted attribute: (list terminator)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
example.com ~? smtp-test.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
example.com ~? localhost.example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
example.com ~? localhost
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_list_match:
example.com: no match
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: match_string:
example.com ~? proxy:ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr request
= lookup
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr table =
ldap:/etc/postfix/ldap/aliases.cf
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr flags =
16448
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: send attr key =
example.com
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: status
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: 2
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: value
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: value
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
value: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: private/proxymap
socket: wanted attribute: (list terminator)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: input attribute
name: (end)
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]:
dict_proxy_lookup: table=ldap:/etc/postfix/ldap/aliases.cf
flags=lock|fold_fix key=example.com -> status=2 result=
Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26149]: fatal:
proxy:ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix): table lookup
problem

>> Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str:
>> /etc/postfix/ldap/aliases.cf: tls_ca_cert_file =
>> /etc/postfix/ssl/ldap13.crt
>
> What's in this file? Is it a PEM file? Does your LDAP server expect
> client certificates?

It's a PEM file, though I tried both DER and PEM before I found a note
somewhere stating it must be PEM format. At least that's what I recall
and what openssl thinks it is.
smtp11 ssl # openssl x509 -subject -inform PEM -in ldap13.crt
subject=
/emailaddress=...@example.com/CN=ldap13.example.com/OU=IDC/O=Core NAP
L.P./ST=Texas/C=US
smtp11 ssl # openssl x509 -subject -inform DER -in ldap13.crt
unable to load certificate
26261:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1294:
26261:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=X509
I would also expect to see postfix/trivial-rewrite open the cert and
fail if this was a formatting problem. Strace tells me it doesn't
attempt to open.

>> I've been around and around with this all day and keep coming back to the
>> same conclusion - proxymap and/or trivial-rewrite (or whatever is
>> responsible for establishing the connection) is not loading my CA file,
>> though it's explicitly set in my ldap table conf file:
>> (/etc/postfix/ldap/aliases.cf)
>> start_tls = yes
>> tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
>> tls_random_file = /dev/urandom
>
> Shouldn't this be "dev:/dev/urandom" (better yet, leave this out, it
> should default sensibly in OpenSSL). Are you using OpenSSL or GnuTLS to
> add TLS support in OpenLDAP?

Yes, I typoed that, however, it was one of many wild geese I was
chasing. I have removed the entry with no change in behavior.

>> Again, if I tell postmap to use the proxymap daemon with 'postmap -q
>> j...@example.com proxy:ldap:/etc/postfix/ldap/aliases.cf', the same failure
>> to load the cert and an error -11 as in the above syslog output.
>
> Is proxymap chrooted?

Nothing is configured chrooted.
smtp11 postfix # cat master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite -v
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
#smtp unix - - n - - smtp
#relay unix - - n - - smtp
# -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
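
The chroot question asked in this thread can be answered mechanically from master.cf: the fifth column is the chroot flag, and a "-" there takes the default printed in the file's header, "(yes)" in the master.cf above. The following is an added example, not part of the original message or of Postfix; the function names `chrooted_services`, `visible_in_chroot` and `write_sample` are hypothetical, and the sample master.cf is constructed. It also checks whether a file such as a `tls_ca_cert_file` would still be reachable once a daemon has chrooted to the queue directory.

```shell
#!/bin/sh
# Added example: list chrooted master.cf services and test file visibility.

# chrooted_services FILE [DEFAULT]
# Print "service/type" for every master.cf entry that runs chrooted.
# DEFAULT is what "-" means in the chroot column. "y" matches the "(yes)"
# in the master.cf header shown on this page (assumption: pass "n" if the
# installed Postfix documents a different default).
chrooted_services() {
    awk -v def="${2:-y}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # comments and blank lines
        /^[ \t]/ { next }                   # continuation lines (-o ..., flags=...)
        NF >= 8 {
            chroot = $5
            if (chroot == "-") chroot = def
            if (chroot == "y") print $1 "/" $2
        }
    ' "$1"
}

# visible_in_chroot QUEUE_DIR PATH
# A chrooted Postfix daemon sees QUEUE_DIR as "/", so PATH is readable after
# the chroot only if a copy also exists beneath QUEUE_DIR.
visible_in_chroot() {
    [ -r "$1$2" ]
}

# write_sample FILE
# Constructed sample: proxymap leaves the chroot column at its default,
# every other service sets it to "n" explicitly.
write_sample() {
    cat > "$1" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
rewrite   unix  -       -       n       -       -       trivial-rewrite -v
proxymap  unix  -       -       -       -       -       proxymap
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
EOF
}
```

On a live system, run `chrooted_services /etc/postfix/master.cf`, then `visible_in_chroot "$(postconf -h queue_directory)" /path/to/ca.pem` for any service it lists.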