Hi,
Sorry for having to obscure stuff in the below, but I have to.
I'm setting up an MX for our new customer mail setup. I'm having a
problem where relay_domains are not being looked up in LDAP as they
should.
We have a bunch of test users in LDAP under the domain example.com, for
testing.
The relay parameters are as follows:
relay_domains = proxy:ldap:/etc/postfix/ldap-domains.cf <ourdomain>.com
relay_recipient_maps = proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf proxy:ldap:/etc/postfix/ldap-users.cf
relay_transport = relay:[<mailscanner.ourdomain>.net]
I have to specify <ourdomain>.com specifically in the relay_domains, as
<ourdomain>.com isn't yet listed in LDAP. It will be.
The relay_recipient_maps funkiness is because we will have both corporate
mail and customer mail on the same domain, at least for a time (don't get
me started on what a good idea that was).
If I try a lookup of test000...@example.com against our recipient_domains
LDAP configuration file, it works:
$ postmap -q test000...@example.com ldap:/etc/postfix/ldap-domains.cf
example.com
If I send a test Email from the host to a corporate address at
<ourdomain>.com, it arrives just fine. I even see it look on the LDAP
server first to see if it is a domain listed there.
But if I try to send a message to test000...@example.com, it doesn't even
do a look-up in LDAP, it tries to deliver it to example.com instead.
Feb 19 16:35:55 mx postfix/pickup[4988]: B393F86592: uid=0 from=<root>
Feb 19 16:35:55 mx postfix/cleanup[5599]: B393F86592: message-id=<20130219163555.B393F86592@mx.<ourdomain>.net>
Feb 19 16:35:55 mx postfix/qmgr[4987]: B393F86592: from=<root@mx.<ourdomain>.net>, size=366, nrcpt=1 (queue active)
Feb 19 16:35:59 mx postfix/smtp[5603]: connect to example.com[2001:500:88:200::10]:25: Connection refused
Feb 19 16:36:20 mx postfix/smtp[5603]: connect to example.com[192.0.43.10]:25: Connection timed out
Feb 19 16:36:20 mx postfix/smtp[5603]: B393F86592: to=<test000...@example.com>, relay=none, delay=134, delays=109/0.01/24/0, dsn=4.4.1, status=deferred (connect to example.com[192.0.43.10]:25: Connection timed out)
I put in the proxy: for performance reasons. I tried taking it out but it
made no difference and I didn't really expect it to.
I'd understand it if LDAP was returning something that Postfix wasn't
happy with. But it's not even asking. It does appear to connect but
never sends a query. It's as if, somehow, it's deciding that example.com
is not a domain we relay for.
I've tried upping the logging, and also tried a debug Email with
sendmail -bv. But neither gives me any indication of how Postfix decides
what it's going to do with the message.
I'm clearly overlooking something obvious. Any ideas?
Here's the postconf -n output:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv6,ipv4
mailbox_size_limit = 0
mydestination = mx.<ourdomain>.net, localhost
myhostname = mx.<ourdomain>.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 <our v6 range> <our v4 range>
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:ldap:/etc/postfix/ldap-domains.cf <ourdomain>.com
relay_recipient_maps = proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf proxy:ldap:/etc/postfix/ldap-users.cf
relay_transport = relay:[<mailscanner.ourdomain>.net]
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = RC4,MD5
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_pipelining reject_non_fqdn_sender reject_invalid_hostname reject_non_fqdn_hostname reject_unknown_sender_domain reject_unlisted_recipient reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination reject_multi_recipient_bounce
smtpd_soft_error_limit = 5
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
Thanks,
Geoff.
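A small model of the lookup the post is debugging, added here as an illustration and not taken from the post or from Postfix: Postfix queries a relay_domains table with the recipient's domain and its parent domains (parent_domain_matches_subdomains includes relay_domains by default), never with the full address, so "postmap -q user@domain" against ldap-domains.cf does not exercise the same key as mail delivery does. The directory entries, attribute names and the two simulated query_filter styles below are constructed assumptions.

```python
"""Which keys Postfix presents to a relay_domains table (illustrative model)."""
from typing import Callable, List

# Constructed stand-in for the LDAP directory: one entry per test user.
# Attribute names are assumptions, not the poster's schema.
CONSTRUCTED_DIRECTORY = [
    {"mail": "test000@example.com", "domain": "example.com"},
    {"mail": "test001@example.com", "domain": "example.com"},
]


def relay_domain_lookup_keys(recipient: str) -> List[str]:
    """Keys Postfix tries, in order, for a relay_domains table lookup.

    Assumes the default parent_domain_matches_subdomains setting, so the
    domain is tried first and then each parent domain (example.com -> com).
    """
    domain = recipient.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def filter_on_mail(key: str) -> bool:
    """Simulates a query_filter such as (mail=%s): only a full address matches."""
    return any(e["mail"] == key for e in CONSTRUCTED_DIRECTORY)


def filter_on_domain(key: str) -> bool:
    """Simulates a query_filter keyed on a domain attribute."""
    return any(e["domain"] == key for e in CONSTRUCTED_DIRECTORY)


def is_relay_domain(recipient: str, table: Callable[[str], bool]) -> bool:
    """True if any key Postfix would try for this recipient hits the table."""
    return any(table(key) for key in relay_domain_lookup_keys(recipient))


if __name__ == "__main__":
    rcpt = "test000@example.com"
    # The hand test from the post looks up the full address: it succeeds...
    print("postmap -q <address>:", filter_on_mail(rcpt))
    # ...but delivery looks up these keys instead.
    print("relay_domains keys:", relay_domain_lookup_keys(rcpt))
    print("relayed, address-keyed filter:", is_relay_domain(rcpt, filter_on_mail))
    print("relayed, domain-keyed filter:", is_relay_domain(rcpt, filter_on_domain))
```

The real-world equivalent of the second lookup is "postmap -q example.com ldap:/etc/postfix/ldap-domains.cf"; if that returns nothing while the full-address query succeeds, the table's query_filter is keyed on addresses rather than domains.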