Just curious if anyone looked over my last email (with replies to
Victor's questions). I forgot to add a few answers. I'm running
postfix 2.5.6, openldap 2.3.43 (libraries on postfix server) and openssl
0.9.8g. On the ldap server I'm running openDS 1.2.
Also, I turned up debugging in the map config file and found it is
definitely a verification problem due to proxymap (via calls from
libldap.so ?) not reading in the local copy of the 'ca'.
Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS trace: SSL_connect:SSLv3 read server hello A
Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS certificate verification: depth: 0, err: 18, subject: /emailaddress=...@example.com/CN=ldap13.example.com/OU=IDC/O=Example Co/ST=Texas/C=US,
Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: issuer: /emailaddress=...@example.com/CN=ldap13.example.com/OU=IDC/O=Example Co/ST=Texas/C=US
Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS certificate verification: Error, self signed certificate
I've started looking at dict_ldap.c and postmap.c and openldap's tls.c
and realize that, no, I am not a programmer.
Perhaps someone very familiar with the postfix code can point out to me
the high-level difference between running postmap with an ldap:mapconf,
versus handing it off to proxymap? I should point out that I have tried
changing my maps in main.cf to not use proxy, but saw no change in behavior.
I'm assuming they both end up using dict_ldap. I've looked over the
various error messages dict_ldap.c puts into the log when parsing
tls_ca_cert_file and dir (ex: msg_warn statements while parsing the
config file) and none appear in syslog. Indeed, proxymap verbose output
shows it reading in the config entry:
Feb 25 11:37:46 smtp11 postfix/proxymap[29694]: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_dir = /etc/postfix/ssl
It also looks like dict_ldap.c is simply setting constants for use with
libldap.so:
    if (*dict_ldap->tls_ca_cert_dir) {
        if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,
                                  dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS) {
            msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
                     myname, dict_ldap->tls_ca_cert_dir,
                     rc, ldap_err2string(rc));
            return (-1);
        }
    }
So I'm still a bit confused why postmap works and proxymap doesn't when
neither reports it cannot set the cacert directory (or file if I use
that config).
Please let me know if the previous message with requested verbose output
didn't make it to the list.
-Nick Geron
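The verify-callback lines in the message above are the only evidence of what OpenSSL actually decided inside proxymap, so it helps to read them precisely. Error 18 is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the leaf certificate is self-signed and that same certificate was not found in the trust store the verifying process managed to load. The following is an added triage helper, not code from the list, from Postfix or from OpenLDAP: it stitches the dict_ldap_debug lines of one process into a single event, decodes the numeric verify result, checks subject against issuer to confirm the self-signed reading, and prints a defender-side explanation of what to check. The log lines are constructed (the wrapped lines from the message re-joined, plus a second made-up event for a CA-signed chain), and the `diagnose` heuristics are this example's own, not Postfix behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# OpenSSL X509 verify result codes that appear when a trust store is missing,
# unreadable or incomplete (numeric values from OpenSSL's x509_vfy.h).
VERIFY_ERRORS: Dict[int, str] = {
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

# Syslog lines emitted by dict_ldap's TLS verify callback, in the shape seen on the list.
PID_RE = re.compile(r"postfix/(\w+)\[(\d+)\]: ")
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.+?),?$")
ISSUER_RE = re.compile(r"dict_ldap_debug: issuer: (.+)$")
ERROR_RE = re.compile(r"TLS certificate verification: Error, (.+)$")

# Constructed sample: the message's wrapped lines re-joined, plus a made-up CA-signed case.
SAMPLE_LOG = """\
Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS trace: SSL_connect:SSLv3 read server hello A
Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS certificate verification: depth: 0, err: 18, subject: /emailaddress=...@example.com/CN=ldap13.example.com/OU=IDC/O=Example Co/ST=Texas/C=US,
Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: issuer: /emailaddress=...@example.com/CN=ldap13.example.com/OU=IDC/O=Example Co/ST=Texas/C=US
Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS certificate verification: Error, self signed certificate
Feb 25 10:57:02 smtp11 postfix/proxymap[28540]: dict_ldap_debug: TLS certificate verification: depth: 1, err: 20, subject: /CN=Example Co Internal CA/O=Example Co/C=US,
Feb 25 10:57:02 smtp11 postfix/proxymap[28540]: dict_ldap_debug: issuer: /CN=Example Co Root CA/O=Example Co/C=US
Feb 25 10:57:02 smtp11 postfix/proxymap[28540]: dict_ldap_debug: TLS certificate verification: Error, unable to get local issuer certificate
"""


@dataclass
class VerifyEvent:
    process: str
    pid: int
    depth: int
    err: int
    subject: str
    issuer: Optional[str] = None
    error_text: Optional[str] = None

    @property
    def self_signed(self) -> bool:
        # A certificate whose issuer DN equals its subject DN is self-signed.
        return self.issuer is not None and self.issuer == self.subject

    @property
    def err_name(self) -> str:
        return VERIFY_ERRORS.get(self.err, f"X509_V_ERR_{self.err}")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an OpenSSL one-line DN such as '/CN=host/O=Example Co' into a dict."""
    attrs: Dict[str, str] = {}
    for item in dn.strip("/").split("/"):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key] = value
    return attrs


def parse_events(lines: List[str]) -> List[VerifyEvent]:
    """Stitch the verify/issuer/error lines of one process into one event each."""
    events: List[VerifyEvent] = []
    pending: Dict[int, VerifyEvent] = {}  # keyed by pid: event awaiting issuer/error lines
    for line in lines:
        m_pid = PID_RE.search(line)
        if not m_pid:
            continue
        process, pid = m_pid.group(1), int(m_pid.group(2))
        if m := VERIFY_RE.search(line):
            ev = VerifyEvent(process, pid, int(m.group(1)), int(m.group(2)), m.group(3))
            pending[pid] = ev
            events.append(ev)
        elif (m := ISSUER_RE.search(line)) and pid in pending:
            pending[pid].issuer = m.group(1)
        elif (m := ERROR_RE.search(line)) and pid in pending:
            pending.pop(pid).error_text = m.group(1)
    return events


def diagnose(ev: VerifyEvent) -> str:
    """Plain-language reading of a verify failure (heuristics of this example only)."""
    who = f"{ev.process}[{ev.pid}]"
    if ev.err == 18 and ev.depth == 0 and ev.self_signed:
        return (f"{who}: leaf {parse_dn(ev.subject).get('CN')} is self-signed and was not found "
                "in the trust store this process loaded; confirm the CA file/dir is readable by "
                "this process's uid (and inside its chroot, if any) and that a CApath directory "
                "carries OpenSSL hash links (c_rehash).")
    if ev.err == 20:
        return (f"{who}: issuer {parse_dn(ev.issuer or '').get('CN')} of the depth-{ev.depth} "
                "certificate is not in the loaded trust store.")
    return f"{who}: {ev.err_name} at depth {ev.depth}"


if __name__ == "__main__":
    for event in parse_events(SAMPLE_LOG.splitlines()):
        print(event.err_name, "self_signed=" + str(event.self_signed))
        print(" ", diagnose(event))
```

Run it over the real syslog instead of `SAMPLE_LOG` after un-wrapping the lines, and compare the result with `openssl verify -CApath /etc/postfix/ssl server.pem` executed as the same uid the failing daemon runs under; if the two disagree, the difference is in what the process can read, not in the certificate.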
Nick Geron wrote:
Thanks for the reply, Victor.
Responses below. Please let me know if any additional output is needed,
or if I did something foolish ;)
Note: I cut out most of dict_eval verbose output as the list bot
rejected my first attempt to send due to length. If there are
specific log lines needed I can make things more concise with grep.
-Nick
Victor Duchovni wrote: