Victor Duchovni wrote:
On Wed, Feb 25, 2009 at 09:36:08AM -0600, Nick Geron wrote:
> > You only show a test running as root, not "postfix". What versions of
> > Postfix and OpenLDAP are these?
> This question seemed pretty clear. The answer is relevant to the
> discussion.
Answer below
> There was TLS API creep in OpenLDAP
> between 2.0 and 2.1, and the Postfix LDAP driver was originally based
> on OpenLDAP 2.0, this was resolved in Postfix 2.5 as described in
> ldap_table(5) under "tls_require_cert".
> So what versions do you have?
Sorry, I thought I put the output from user 'postfix' running postmap
and code revisions in earlier emails.
On my postfix server I'm running postfix version 2.5.6. It was compiled
with openldap 2.3.43 so I wouldn't expect this to be related to the
openldap 2.0 to 2.1 issues.
> > postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: server_host =
> > ldap://ldap13.example.com:389
> > postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: start_tls = on
> > postmap: cfg_get_bool: /etc/postfix/ldap/aliases.cf: tls_require_cert = on
> The LDAP server must have a cert with a valid trust chain with a CN or
> subjectAltName matching ldap13.example.com. You need a CAfile that lists
> the trust chain's root cert and the LDAP server must provide any intermediate
> CAs.
I'm unfortunately very familiar with this concept from getting other tls
connections working. Please recall I have stated everything is working
except postfix. Courier authlib, Cyrus saslauthd and even ldap searches
with openldap binaries all link against the same openldap (2.3.43)
libraries and openssl, using the same cert and ldap host. That's what
is so frustrating :)
> > postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_file =
> > /etc/postfix/ssl/ldap13.crt
> > postmap: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_dir =
> What's in that ".crt" file?
The crt file may as well be named ldap13.pem. If you're looking for the
raw contents:
smtp11 mail # su - postfix
post...@smtp11 ~ $ ls -la /etc/postfix/ssl/
total 20
drwxr-xr-x 2 root root 4096 Feb 25 12:01 .
drwxr-xr-x 5 root root 4096 Feb 25 12:04 ..
-r--r--r-- 1 root root 918 Feb 24 15:59 ldap13.crt
post...@smtp11 ~ $ cat /etc/postfix/ssl/ldap13.crt
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
> > postmap: dict_ldap_connect: Successful bind to server
> This worked.
> Is trivial-rewrite in a chroot jail? Please show equivalent "dict_ldap"
> logging (to that from postmap -q) from "trivial-rewrite -v" on an idle
> Postfix system asked to deliver one message to one recipient.
Not that I can tell.
> > smtp11 postfix # grep trivial-rewrite master.cf
> > rewrite unix - - n - - trivial-rewrite -v
> Looks OK.
> > Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: private/proxymap
> > socket: wanted attribute: (list terminator)
> > Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: input attribute
> > name: (end)
> > Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: dict_proxy_open:
> > connect to map=ldap:/etc/postfix/ldap/aliases.cf status=0
> This map is handled via "proxymap", not trivial-rewrite. Not much point
> in tracing the wrong service, no actual LDAP lookups here.
> > Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]:
> > dict_proxy_lookup: table=ldap:/etc/postfix/ldap/aliases.cf
> > flags=lock|fold_fix key=example.com -> status=2 result=
> > Feb 25 08:56:11 smtp11 postfix/trivial-rewrite[26147]: fatal:
> > proxy:ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix): table lookup
> > problem
> Now remove "-v" from trivial-rewrite and add it to "proxymap" instead.
Feb 25 13:35:26 smtp11 postfix/proxymap[32474]: dict_ldap_lookup: In
dict_ldap_lookup
Feb 25 13:35:26 smtp11 postfix/proxymap[32474]: dict_ldap_lookup: No
existing connection for LDAP source /etc/postfix/ldap/aliases.cf, reopening
Feb 25 13:35:26 smtp11 postfix/proxymap[32474]: dict_ldap_connect:
Connecting to server ldap://ldap13.corenap.com:389
Feb 25 13:35:26 smtp11 postfix/proxymap[32474]: dict_ldap_connect:
Actual Protocol version used is 3.
Feb 25 13:35:26 smtp11 postfix/proxymap[32474]: error:
dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Feb 25 13:35:26 smtp11 postfix/proxymap[32474]: fatal: too many errors -
program terminated
This looked like the relevant portion to me. Unfortunately it only
tells me what I already know, since it never reads/opens the certs
specified here:
tls_ca_cert_dir = /etc/postfix/ssl
or alternatively, I have configured only the file with full path:
tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
The verification specified by LDAP_OPT_X_TLS_DEMAND fails as it should
without the CA. The problem as far as I see is that proxymap never
attempts to open the specified file. For example, I was tracing master
with the follow option in strace during the above. It opens pretty much
everything related to ldap and ssl except the configured certificate.
Here are some select files opened by proxymap:
[pid 32474] open("/usr/lib/libldap-2.3.so.0", O_RDONLY) = 7
[pid 32474] open("/usr/lib/liblber-2.3.so.0", O_RDONLY) = 7
[pid 32474] open("/etc/postfix/main.cf", O_RDONLY) = 8
[pid 32474] open("/etc/openldap/ldap.conf", O_RDONLY) = 8
[pid 32474] open("/etc/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such
file or directory)
[pid 32474] open("/etc/postfix/ldap/aliases.cf", O_RDONLY) = 10
[pid 32474] open("/etc/postfix/ldap/domains.cf", O_RDONLY) = 10
However postmap does open the specified cert, so what's different
between the two? (output truncated)
post...@smtp11 /etc/postfix/ldap $ strace -e trace=open
/usr/sbin/postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
open("/usr/lib/libldap-2.3.so.0", O_RDONLY) = 3
open("/usr/lib/liblber-2.3.so.0", O_RDONLY) = 3
open("/etc/postfix/ldap/aliases.cf", O_RDONLY) = 4
open("/etc/postfix/ssl/ldap13.crt", O_RDONLY) = 5
open("/etc/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/etc/postfix/ssl/ldap13.crt", O_RDONLY) = 5
j...@example.com
> > Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str:
> > /etc/postfix/ldap/aliases.cf: tls_ca_cert_file =
> > /etc/postfix/ssl/ldap13.crt
> What's in this file? Is it a PEM file? Does your LDAP server expect
> client certificates?
It's a PEM file, though I tried both DER and PEM before I found a note
somewhere stating it must be PEM format. At least that's what I recall
and what openssl thinks it is.
smtp11 ssl # openssl x509 -subject -inform PEM -in ldap13.crt
subject= /emailaddress=...@example.com/CN=ldap13.example.com/OU=IDC/O=Core NAP L.P./ST=Texas/C=US
> This does not look like a CA cert file, it looks like the server cert
> file.
I have to defer to your judgment there, but I must re-assert that other
programs are successfully using this certificate - including postmap.
I'm uncertain if they (courier and cyrus) are verifying the chain, but
that begs the question: does postmap not verify when told to, and is
that why postmap works where proxymap does not?
smtp11 postfix # su - postfix
post...@smtp11 ~ $ cd /etc/postfix/ldap/
post...@smtp11 /etc/postfix/ldap $ grep tls aliases.cf
start_tls = yes
tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
tls_require_cert = yes
post...@smtp11 /etc/postfix/ldap $ /usr/sbin/postmap -q j...@example.com
ldap:/etc/postfix/ldap/aliases.cf
j...@example.com
**Using openssl to verify the cert coming back from the ldap server**
post...@smtp11 /etc/postfix/ldap $ openssl verify -CAfile
../ssl/ldap13.crt ../ssl/ldap13.crt
../ssl/ldap13.crt: OK
**And as expected, if I don't give openssl the ca (yes, 'server' cert),
it fails similarly to proxymap**
post...@smtp11 /etc/postfix/ldap $ openssl verify ../ssl/ldap13.crt
../ssl/ldap13.crt:
/emailaddress=...@corenap.com/CN=ldap13.corenap.com/OU=IDC/O=Core NAP L.P./ST=Texas/C=US
error 18 at 0 depth lookup:self signed certificate
OK
I would also expect to see postfix/trivial-rewrite open the cert and
fail if this was a formatting problem. Strace tells me it doesn't
attempt to open.
> No, the file is used by proxymap(8).
Again, if proxymap is supposed to open, read and close the file, that is
not occurring according to strace output.
> Shouldn't this be "dev:/dev/urandom" (better yet, leave this out, it
> should default sensibly in OpenSSL). Are you using OpenSSL or GnuTLS to
> add TLS support in OpenLDAP?
Yes, I typoed that, however, it was one of many wild geese I was
chasing. I have removed the entry with no change in behavior.
> Are you using OpenLDAP or GNU-TLS?
Openldap 2.3.43
post...@smtp11 /etc/postfix/ldap $ ldd /usr/sbin/postfix
<snip>
libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00007f70320c8000)
liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00007f7031eb9000)
> Is proxymap chrooted?
Nothing is configured chrooted.
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
> OK it is not chrooted.
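Added example, not part of the thread and not Postfix or OpenLDAP code: a small Python pre-flight that applies the checks the questions above keep circling back to (is the trust anchor PEM rather than DER, can the unprivileged Postfix uid actually read it, is an anchor configured at all when tls_require_cert is on) to a ldap_table(5) file. The uid/gid it is run with, the sample table and the fake certificate body are all constructed for the demo; it does not parse X.509, so it cannot tell a CA certificate from a self-signed server certificate (that is what `openssl x509 -noout -text` and `openssl verify` are for), and it does not reproduce the proxymap/postmap difference, it only rules out the file-side causes.

```python
"""Pre-flight the TLS settings of a Postfix ldap_table(5) file as the
unprivileged proxymap(8) process would see them.  Added example, not Postfix
code; the uid/gid and every sample file below are constructed for the demo."""
import base64
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_ldap_table(text):
    """Parse the 'key = value' lines of an ldap_table(5) file into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def is_yes(value):                                   # Postfix booleans: yes/on/true/1
    return value.strip().lower() in ("yes", "on", "true", "1")


def readable_by(path, uid, gid):
    """Mode-bit check for a process running as uid/gid (ignores ACLs and the
    search bits of parent directories)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def pem_certificates(path):
    """DER bodies of every PEM CERTIFICATE block; a DER-only file yields none,
    a corrupt base64 body raises ValueError."""
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", "replace")
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(text)]


def check_tls(cfg, uid, gid):
    """Return a list of problems; empty means the trust-anchor setup is
    consistent with what OpenLDAP's TLS code expects."""
    problems = []
    if not is_yes(cfg.get("start_tls", "no")):
        return problems                              # plaintext LDAP: nothing to verify
    ca_file, ca_dir = cfg.get("tls_ca_cert_file", ""), cfg.get("tls_ca_cert_dir", "")
    if is_yes(cfg.get("tls_require_cert", "no")) and not (ca_file or ca_dir):
        problems.append("tls_require_cert = yes but neither tls_ca_cert_file nor "
                        "tls_ca_cert_dir is set: the server certificate can never verify")
    if ca_file:
        tag = f"tls_ca_cert_file {ca_file}"
        if not os.path.isfile(ca_file):
            problems.append(f"{tag}: no such regular file")
        elif not readable_by(ca_file, uid, gid):
            problems.append(f"{tag}: mode bits deny read to uid {uid}/gid {gid}")
        else:
            try:
                certs = pem_certificates(ca_file)
                if not certs:
                    problems.append(f"{tag}: no PEM CERTIFICATE block found "
                                    "(DER-encoded file? OpenLDAP needs PEM)")
                for i, der in enumerate(certs):
                    if der[:1] != b"\x30":           # every X.509 cert is a DER SEQUENCE
                        problems.append(f"{tag}: block {i} is not a DER SEQUENCE")
            except ValueError as exc:
                problems.append(f"{tag}: PEM body is not valid base64 ({exc})")
    if ca_dir and not os.path.isdir(ca_dir):
        problems.append(f"tls_ca_cert_dir {ca_dir}: not a directory")
    return problems


# Constructed stand-in for a certificate: a DER SEQUENCE header plus filler,
# enough to drive the PEM/DER checks.  Not a real X.509 certificate.
FAKE_DER = b"\x30\x82\x00\x10" + b"\x00" * 16
TABLE = ("server_host = ldap://ldap13.example.com:389\nstart_tls = yes\n"
         "tls_require_cert = yes\ntls_ca_cert_file = {ca}\n")


def demo_scenarios():
    """check_tls over a good PEM anchor and four mistakes from the thread:
    a DER file, a missing file, a file the postfix uid cannot read, no anchor."""
    uid, gid = os.getuid(), os.getgid()

    def run(ca, as_uid=uid, as_gid=gid):
        return check_tls(parse_ldap_table(TABLE.format(ca=ca)), as_uid, as_gid)

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pem, der = os.path.join(tmp, "ldap13.crt"), os.path.join(tmp, "ldap13.der")
        with open(pem, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n"
                     + base64.encodebytes(FAKE_DER).decode("ascii")
                     + "-----END CERTIFICATE-----\n")
        with open(der, "wb") as fh:
            fh.write(FAKE_DER)
        results["pem"] = run(pem)
        results["der"] = run(der)
        results["missing"] = run(os.path.join(tmp, "absent.crt"))
        os.chmod(pem, 0o600)                         # owner-only, checked as another uid
        results["unreadable"] = run(pem, uid + 1, gid + 1)
        results["no_anchor"] = run("")               # empty value behaves like unset
    return results
```

Passing the postfix uid/gid to check_tls instead of running the script as that user is deliberate: it lets a root shell ask "what would proxymap see?" without an su, which is exactly the gap between the root-run postmap tests and the daemon. An empty list from check_tls only says the file-side preconditions hold; if STARTTLS still fails with a "Connect error" after that, the remaining suspects are the daemon's environment (chroot, ldap.conf it reads, which TLS library libldap was built against) rather than the file.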