Matthias Nagel via Postfix-users:
> Hello all,
>
> I am using Postfix 3.8.1 on Ubuntu 23.10. Per distribution default,
> Postfix runs chrooted. I have set up LDAP lookups for most maps.
> OpenLDAP is only listening via UNIX socket on
> ldapi:///var/run/slapd/ldapi.
>
> For all but one LDAP lookup the corresponding Postfix configuration file
> looks like
>
> root@h12345678:~ # cat /etc/postfix/ldap/virtual-mailboxes.cf
> server_host = ldapi:///var/run/slapd/ldapi
> bind = yes
> bind_dn = ...
> bind_pw = ...
>
> The path to the socket is absolute. Absolute socket paths work for
> "virtual_mailbox_maps", "virtual_alias_maps", etc. and all other
> directives except for "smtpd_sender_login_maps".

The Postfix SMTP server opens 'tables' before entering the chroot jail and before accepting any SMTP client commands: smtpd_sender_login_maps, relay_recipient_maps, virtual_mailbox_maps, virtual_alias_maps, canonical_maps, sender_canonical_maps, recipient_canonical_maps, local_recipient_maps, relay_clientcerts, permit_mx_backup_networks, relay_domains, mynetworks, and more.

To be precise: Postfix opens your LDAP configuration file and asks the LDAP library to create an LDAP client instance, before entering the chroot jail and before accepting any SMTP client commands.

HOWEVER, Postfix does not connect to LDAP sockets before entering the chroot jail and before accepting any SMTP client commands. The LDAP library decides when it wants to do that.

IN PARTICULAR if the LDAP client decides to open the LDAP socket at the time that Postfix makes a query, then the LDAP client won't have access to pathnames outside the chroot jail.

According to your logs, the LDAP library attempts to 'connect' to the LDAP server *after* the Postfix SMTP server has entered the chroot jail and after accepting any SMTP client commands. That behavior is outside the control of Postfix.

For more support please follow instructions at https://www.postfix.org/DEBUG_README.html#mail

Any differences in LDAP client behavior would be caused by:

- Differences in Postfix main.cf/master.cf settings
- Differences in Postfix LDAP configuration files.
- Differences in SELinux/AppArmor/antivirus policies for different Postfix processes.
- Other differences that cannot be inferred from your report.

Note that the Postfix LDAP client does not care what lookup table it is used for; any differences in behavior must necessarily be the result of differences in Postfix configuration, or differences external to Postfix.

Wietse
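
A diagnostic for the situation described in this reply, added here as an example; it is not part of the thread and not Postfix code. It reads the `ldapi://` socket path from a Postfix LDAP table file and tests whether that same pathname exists below a given jail directory, which is what an LDAP client connecting after the chroot would need. The function names, the status codes and the temporary demo files are assumptions of this example; on a real host the jail argument would be the Postfix queue directory.

```shell
#!/bin/sh
# Added example (not from the thread): does the ldapi socket named in a Postfix
# LDAP table file exist at the same pathname below the chroot jail?

# Print the socket path of an ldapi:// URL that leads the server_host value.
ldapi_path() {
    url=$(sed -n 's|^[[:space:]]*server_host[[:space:]]*=[[:space:]]*\(ldapi://[^[:space:]]*\).*|\1|p' "$1" | head -n 1)
    [ -n "$url" ] || return 1
    # OpenLDAP also accepts the path percent-encoded: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
    printf '%s\n' "${url#ldapi://}" | sed 's|%2[Ff]|/|g'
}

# Exit status: 0 socket present in jail, 1 pathname missing in jail,
# 2 present but not a socket, 3 no ldapi server_host in the file.
# Limitation: absolute symlinks inside the jail are followed against the real
# root here, whereas a chrooted process resolves them against the jail.
check_jail() {
    jail=${2%/}
    path=$(ldapi_path "$1") || return 3
    [ -S "$jail$path" ] && return 0
    [ -e "$jail$path" ] && return 2
    return 1
}

# Constructed demo: a table file with the server_host from the post and an
# empty stand-in jail directory (a real jail would be Postfix's queue directory).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'server_host = ldapi:///var/run/slapd/ldapi\nbind = yes\n' > "$tmp/table.cf"
    mkdir "$tmp/jail"
    rc=0; check_jail "$tmp/table.cf" "$tmp/jail" || rc=$?
    echo "socket $(ldapi_path "$tmp/table.cf") in jail: status $rc"
    rm -rf "$tmp"
    return 0
}
demo
```

A status of 1 for a table file means the pathname in `server_host` is only reachable if the LDAP library connects before the process enters the jail.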