Hello all, I have a (somehow) working Postfix + Dovecot configuration with AD LDAP lookups. Recently I moved our AD to a Samba4 server, with the unfortunate result that sending mail is now very slow. This is because the currently slow LDAP server implementation in Samba4 handles the LDAP queries at a poor speed.
I did some debugging and found out that my Postfix/LDAP setup seems to be wrong. When sending a mail, for example from a test mail account t...@novanetwork.de to t...@hotmail.com, the following LDAP queries are sent to the domain controller (LDAP):

ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=t...@novanetwork.de))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=@novanetwork.de))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(|(mail=t...@novanetwork.de)(otherMailbox=t...@novanetwork.de)))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=t...@hotmail.com))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=@hotmail.com))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=t...@hotmail.com))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=@hotmail.com))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=t...@hotmail.com))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=@hotmail.com))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(otherMailbox=hotmail.com))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc
ldb: ldb FULL SEARCH: (&(!(isDeleted=TRUE))(&(objectclass=person)(|(mail=hotmail.com)(otherMailbox=hotmail.com)))) SCOPE: sub DN: ou=HQ,dc=novanetwork,dc=loc

How can I prevent Postfix from doing lookups for domains which are not ours? This would reduce the number of LDAP queries quite a lot.

[Reviewer note: the last two queries, with the bare key hotmail.com, are Postfix asking the virtual_alias_maps and virtual_mailbox_maps tables whether hotmail.com is a virtual domain — in the main.cf below neither virtual_alias_domains nor virtual_mailbox_domains is set, so they default to the corresponding *_maps and every recipient domain gets checked in LDAP. The t...@hotmail.com and @hotmail.com lookups are ordinary virtual_alias_maps expansion, which Postfix applies to every address regardless of domain. Both kinds can be suppressed with the ldap_table(5) `domain` parameter (e.g. `domain = novanetwork.de` in each ldap_*.cf), which makes Postfix skip the LDAP query for keys outside the listed domains; setting virtual_alias_domains and virtual_mailbox_domains explicitly (possibly empty, if novanetwork.de really is handled as a relay domain as the relay_domains/transport_maps entries suggest) removes the bare-domain lookups as well.]
Here is my config for reference:

main.cf:
biff = no
append_dot_mydomain = no
readme_directory = no
smtp_tls_note_starttls_offer = yes
# NOTE(review): no smtp_tls_security_level (or smtp_use_tls) is visible in this config, so
# outbound SMTP from this host appears to go out without TLS even when the remote offers
# STARTTLS; "smtp_tls_security_level = may" enables opportunistic TLS for outbound mail.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# NOTE(review): ssl-cert-snakeoil.* appears to be the Debian self-signed placeholder
# certificate; clients cannot verify it, so this protects against passive eavesdropping only.
# Install a certificate issued for mail.novanetwork.de before relying on it for more than that.
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_prng_update_period = 3600s
tls_daemon_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = novalx07.novanetwork.loc
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = mail.novanetwork.de
mydestination = $myhostname, localhost.novanetwork.loc, localhost
relayhost =
relay_domains= $mydestination, hash:/etc/postfix/relay_domains
transport_maps = hash:/etc/postfix/transport_maps, hash:/etc/postfix/relay_domains
virtual_mailbox_limit_override = yes
virtual_overquota_bounce = yes
virtual_mailbox_limit_message = Sorry, the user's maildir has overdrawn the disk quota, please notice the user and try again later.
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap_virtual_alias_maps.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
virtual_mailbox_base = /nfs/mailstore/vmail/
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
check_sender_access = hash:/etc/postfix/sender_access
# NOTE(review): check_sender_access is a restriction, not a main.cf parameter. As written the
# line above has no effect (Postfix should log it as an unused parameter) and
# /etc/postfix/sender_access is never consulted; to use it, add
# "check_sender_access hash:/etc/postfix/sender_access" to smtpd_sender_restrictions or
# smtpd_recipient_restrictions.
header_checks = pcre:/etc/postfix/header_checks.pcre
relay_recipient_maps = proxy:ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
mynetworks = 10.2.1.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
# Allow maximum mail size of roughly 40 MB (40480000 bytes - not 40 GB)
message_size_limit = 40480000
recipient_delimiter = +
inet_interfaces = all
content_filter = amavis:[127.0.0.1]:10024
inet_protocols = ipv4
mynetworks_style = subnet
smtpd_banner = mail.novanetwork.de ESMTP $mail_name ($mail_version)
smtp_helo_name = mail.novanetwork.de
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, check_policy_service inet:127.0.0.1:10023, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_reject_unlisted_recipient = yes
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauthenticated_sender_login_mismatch permit
# NOTE(review): reject_unauthenticated_sender_login_mismatch only rejects when the sender
# address is listed in smtpd_sender_login_maps. No smtpd_sender_login_maps setting is visible
# in this config, so the restriction may be a no-op as shown.
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/dovecot-auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = no
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination
    $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre permit
delay_warning_time = 0h
policy_time_limit = 3600
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
queue_run_delay = 300s
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
enable_original_recipient = no
disable_vrfy_command = yes
allow_min_user = no

ldap_virtual_alias_maps.cf:
server_host = dc1
server_port = 389
version = 3
bind = yes
start_tls = no
# NOTE(review): with bind = yes, start_tls = no and plain port 389, bind_pw is sent in
# cleartext to the domain controller on every new LDAP connection. Prefer "start_tls = yes"
# (with tls_ca_cert_file / tls_require_cert) or "server_host = ldaps://dc1", and keep these
# .cf files readable only by root and the postfix user since they contain a password.
# The same applies to the two files below.
bind_dn = l...@novanetwork.loc
bind_pw = somepass
search_base = ou=HQ,dc=novanetwork,dc=loc
scope = sub
# NOTE(review): adding "domain = novanetwork.de" here (see ldap_table(5)) should make Postfix
# skip the LDAP query entirely for keys outside that domain, which is what the question above
# asks for; it belongs in each of the three ldap_*.cf files.
query_filter = (&(objectclass=person)(otherMailbox=%s))
result_attribute= mail #otherMailbox from DC
# NOTE(review): Postfix configuration files do not support trailing comments, so
# "#otherMailbox from DC" above is most likely parsed as part of the result_attribute value
# (extra attribute names the server simply does not return). Move such comments to their own line.
debuglevel = 0

ldap_virtual_group_maps.cf:
server_host = dc1
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = l...@novanetwork.loc
bind_pw = somepass
search_base = ou=MailGroups,ou=HQ,dc=novanetwork,dc=loc
scope = sub
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
debuglevel = 0

ldap_virtual_mailbox_maps.cf:
server_host = dc1
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = l...@novanetwork.loc
bind_pw = somepass
search_base = ou=HQ,dc=novanetwork,dc=loc
scope = sub
query_filter = (&(objectclass=person)(|(mail=%s)(otherMailbox=%s)))
result_attribute= samaccountname #Account from DC
# NOTE(review): same trailing-comment problem as in ldap_virtual_alias_maps.cf above.
debuglevel = 0

relay_domains:
novanetwork.de lmtp:unix:private/dovecot-lmtp

Thank you for your kind help
best regards
Andreas