Hi,

I've configured postfix (2.10.1 from CentOS 7) to deliver mail to dovecot over LMTP (which is configured to use LDAP). I've noticed the following behaviour which seems strange to me.

1. When postfix is configured to use ldap for canonical and alias lookups (see config below), but not for local_recipient_maps (local_recipient_maps is set to 'proxy:unix:passwd.byname $alias_maps'). The system is not configured to check LDAP for passwd entries (no sssd/nss_ldap/...).

If the canonical map contains:
 user1 -> Firstname.Lastname
And the aliases in LDAP contain:
 Firstname.Lastname -> user1

then postfix will deliver mail for 'user1' to dovecot (which delivers it to the mailbox). Postfix will not look at the forward file for that user in that case.

If a mail is sent to 'user2' who is also in LDAP but has no canonical/aliases entry, postfix rejects the mail as it's not in the local_recipient_maps.

==> Why does it accept the first mail if user1 is also not in the local recipient map???


2. If local_recipient_maps is configured to use LDAP (see config below), mail to user2 is accepted (as the user is now known/local for postfix), which is good. However it seems the 'forward_path' variable is completely ignored??

If local_recipient_maps is set to 'proxy:unix:passwd.byname $alias_maps' and the system is configured to use LDAP (using sssd) then the forward file is checked by postfix. But in that scenario postfix would bounce mail if the LDAP server is down (as sssd returns the user as not found).

How can I configure postfix to either respect the forward file with ldap lookups, or soft-bounce if LDAP is down (and unix:passwd.byname is used)?

Regards,

Rik


alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database proxy:ldap:/etc/postfix/ldap-aliases.cf
append_at_myorigin = yes
append_dot_mydomain = yes
canonical_maps = hash:/etc/postfix/canonical proxy:ldap:/etc/postfix/ldap-canonical.cf
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = 10.33.138.9
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 4h
deliver_lock_attempts = 30
deliver_lock_delay = 2s
duplicate_filter_limit = 20000
forward_path = /etc/postfix/esat-tools/forwards/${user}/${user}
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
inbox-too-big = check_client_access cidr:/etc/postfix/restrictions/reject_local_offenders
inet_interfaces = all
local_header_rewrite_clients = permit_mynetworks
local_recipient_maps = proxy:ldap:/etc/postfix/ldap-passwd.cf $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
masquerade_exceptions = root, mailer-daemon
message_size_limit = 52428800
minimal_backoff_time = 300s
mydestination = $myhostname localhost localhost.$mydomain $mydomain esat.kuleuven.ac.be pcre:/etc/postfix/mydestinations
mydomain = esat.kuleuven.be
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_delimiter = +
relay_domains =
relayhost = [maildrop.esat.kuleuven.be]
relocated_maps = hash:/etc/postfix/relocated
restricted-list = check_sender_access hash:/etc/postfix/restrictions/allow_restricted_lists, reject
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restrictions/sender-blacklist check_sender_access hash:/etc/postfix/restrictions/inbox-too-big check_recipient_access hash:/etc/postfix/restrictions/destination-blacklist check_policy_service unix:/var/spool/postfix/private/dovecot-quota-status permit_mynetworks reject_unauth_destination check_recipient_access hash:/etc/postfix/restrictions/restricted-lists
smtpd_restriction_classes = inbox-too-big restricted-list
smtpd_tls_cert_file = /etc/postfix/mailserv.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
soft_bounce = no
virtual_alias_domains = /etc/postfix/virtual_alias_domains
virtual_alias_maps = hash:/etc/postfix/virtual_aliases

--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440  - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>
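An added example, not part of Rik's post: a small Python log classifier that separates permanent 550 "User unknown in local recipient table" rejects from 451 "Temporary lookup failure" responses, so that an LDAP backend outage behind proxy:ldap lookups can be told apart from genuinely unknown recipients. The maillog lines are constructed for the example, and the exact wording of the dict_ldap_lookup warning is an assumption.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from the original post). They mimic the
# two outcomes discussed above: a hard 550 reject when the recipient is absent
# from local_recipient_maps, and a 451 temporary failure when the proxy:ldap
# lookup cannot reach the LDAP server. The warning text is an assumption.
SAMPLE_LOG = """\
Nov 10 10:00:01 mailserv postfix/smtpd[2101]: NOQUEUE: reject: RCPT from client.example.net[192.0.2.10]: 550 5.1.1 <user2@esat.kuleuven.be>: Recipient address rejected: User unknown in local recipient table; from=<sender@example.net> to=<user2@esat.kuleuven.be> proto=ESMTP helo=<client.example.net>
Nov 10 10:05:12 mailserv postfix/smtpd[2102]: warning: dict_ldap_lookup: /etc/postfix/ldap-passwd.cf: Can't contact LDAP server
Nov 10 10:05:12 mailserv postfix/smtpd[2102]: NOQUEUE: reject: RCPT from client.example.net[192.0.2.10]: 451 4.3.0 <user2@esat.kuleuven.be>: Temporary lookup failure; from=<sender@example.net> to=<user2@esat.kuleuven.be> proto=ESMTP helo=<client.example.net>
Nov 10 10:05:40 mailserv postfix/smtpd[2103]: NOQUEUE: reject: RCPT from other.example.org[198.51.100.7]: 451 4.3.0 <user1@esat.kuleuven.be>: Temporary lookup failure; from=<x@example.org> to=<user1@esat.kuleuven.be> proto=ESMTP helo=<other.example.org>
"""

# smtpd reject line: status code, enhanced code, recipient and the reason text up to ';'
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+: "
    r"(?P<code>\d{3}) (?P<ext>\d\.\d\.\d) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)
# Assumed shape of an LDAP map lookup warning: map file followed by the error text
LDAP_WARN_RE = re.compile(r"warning: dict_ldap_lookup: (?P<map>\S+): (?P<err>.+)$")


def classify_rejects(log_text):
    """Split smtpd RCPT rejects into permanent (5xx, e.g. user unknown) and
    temporary (4xx, e.g. lookup failure) counts keyed by recipient, and collect
    any LDAP lookup warnings that explain the temporary ones."""
    permanent, temporary, ldap_errors = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            bucket = temporary if m["code"].startswith("4") else permanent
            bucket[m["rcpt"]] += 1
            continue
        w = LDAP_WARN_RE.search(line)
        if w:
            ldap_errors.append((w["map"], w["err"]))
    return {"permanent": permanent, "temporary": temporary, "ldap_errors": ldap_errors}


def ldap_outage_suspected(summary, threshold=2):
    """Heuristic: a burst of temporary lookup failures together with an LDAP
    lookup warning points at the directory backend, not at bad recipients."""
    return sum(summary["temporary"].values()) >= threshold and bool(summary["ldap_errors"])


if __name__ == "__main__":
    summary = classify_rejects(SAMPLE_LOG)
    print(summary, ldap_outage_suspected(summary))
```

Permanent rejects are what a missing passwd/alias entry produces; a run of 451 responses means postfix is already deferring (the soft behaviour asked about) because the map lookup itself failed.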
