On Wed, Feb 25, 2009 at 09:36:08AM -0600, Nick Geron wrote:

>> You only show a test running as root, not "postfix". What versions of
>> Postfix and OpenLDAP are these?

This question seemed pretty clear. The answer is relevant to the
discussion.

>> There was TLS API creep in OpenLDAP
>> between 2.0 and 2.1, and the Postfix LDAP driver was originally based
>> on OpenLDAP 2.0, this was resolved in Postfix 2.5 as described in
>> ldap_table(5) under "tls_require_cert".

So what versions do you have?

> postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: server_host =
> ldap://ldap13.example.com:389
> postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: start_tls = on
> postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: tls_require_cert = on

The LDAP server must have a cert with a valid trust chain with a CN or
subjectAltName matching ldap13.example.com. You need a CAfile that lists
the trust chain's root cert and the LDAP server must provide any intermediate
CAs.

> postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_file =
> /etc/postfix/ssl/ldap13.crt
> postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_dir =

What's in that ".crt" file?

> postmap: dict_ldap_connect: Successful bind to server

This worked.

>> Is trivial-rewrite in a chroot jail? Please show equivalent "dict_ldap"
>> logging (to that from postmap -q) from "trivial-rewrite -v" on an idle
>> Postfix system asked to deliver one message to one recipient.
>>
> Not that I can tell.
>
> smtp11 postfix # grep trivial-rewrite master.cf
> rewrite unix - - n - - trivial-rewrite -v

Looks OK.

> Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
> socket: wanted attribute: (list terminator)
> Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
> name: (end)
> Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_proxy_open:
> connect to map=ldap:/etc/postfix/ldap/aliases.cf status=0

This map is handled via "proxymap", not trivial-rewrite. Not much point
in tracing the wrong service, no actual LDAP lookups here.

> Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]:
> dict_proxy_lookup: table=ldap:/etc/postfix/ldap/aliases.cf
> flags=lock|fold_fix key=example.com -> status=2 result=
> Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: fatal:
> proxy:ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix): table lookup
> problem

Now remove "-v" from trivial-rewrite and add it to "proxymap" instead.

>>> Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str: 
>>> /etc/postfix/ldap/aliases.cf: tls_ca_cert_file = 
>>> /etc/postfix/ssl/ldap13.crt
>>
>> What's in this file? Is it a PEM file? Does your LDAP server expect
>> client certificates?
>
> It's a PEM file, though I tried both DER and PEM before I found a note
> somewhere stating it must be PEM format. At least that's what I recall
> and what openssl thinks it is.
>
> smtp11 ssl # openssl x509 -subject -inform PEM -in ldap13.crt
> subject=
> /emailaddress=...@example.com/CN=ldap13.example.com/OU=IDC/O=Core NAP
> L.P./ST=Texas/C=US

This does not look like a CA cert file, it looks like the server cert
file.

> I would also expect to see postfix/trivial-rewrite open the cert and
> fail if this was a formatting problem. Strace tells me it doesn't
> attempt to open.

No, the file is used by proxymap(8).

>> Shouldn't this be "dev:/dev/urandom" (better yet, leave this out, it
>> should default sensibly in OpenSSL). Are you using OpenSSL or GnuTLS to
>> add TLS support in OpenLDAP?
>>
> Yes, I typoed that, however, it was one of many wild geese I was
> chasing. I have removed the entry with no change in behavior.

Are you using OpenLDAP or GNU-TLS?

>> Is proxymap chrooted?
>
> Nothing is configured chrooted.
> proxymap unix - - n - - proxymap
> proxywrite unix - - n - 1 proxymap

OK, it is not chrooted.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
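Added example, not code from the thread or from Postfix: a shell script that builds a constructed CA and a server certificate for ldap13.example.com with openssl and applies the two checks the reply above implies, whether the file named in tls_ca_cert_file is actually a CA certificate, and whether the server cert chains to it with a matching CN/SAN. Every key, file and CA name is constructed; it assumes openssl 1.1 or newer (for -verify_hostname).

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and a server cert
# for ldap13.example.com, then show why tls_ca_cert_file must hold the CA
# chain, not the server's own certificate. Needs openssl 1.1 or newer.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed root CA; basicConstraints CA:TRUE is what makes it a CA cert.
cat >"$work/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/ca.cnf" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null

# Constructed server cert: CN and SAN carry the name Postfix connects to.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = ldap13.example.com\n' >"$work/srv.cnf"
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:ldap13.example.com\n' >"$work/srv.ext"
openssl req -new -newkey rsa:2048 -nodes -config "$work/srv.cnf" \
    -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$work/server.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -extfile "$work/srv.ext" -out "$work/server.crt" 2>/dev/null

# "yes" if the first cert in the file is a CA cert, "no" if it is a leaf:
# the check to run on whatever file tls_ca_cert_file names.
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Exit 0 only if cert $2 chains to CA file $1 and its CN/SAN matches name $3,
# the two conditions tls_require_cert makes the LDAP client enforce.
verify_against() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

echo "server.crt is a CA cert: $(is_ca_cert "$work/server.crt")"   # prints no
verify_against "$work/ca.crt" "$work/server.crt" ldap13.example.com && echo "ca.crt: chain and name verify"
```

Pointing verify_against at server.crt as the CA file fails the same way the LDAP client does when tls_ca_cert_file holds the server cert instead of the CA chain.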
