On Tue, Apr 04, 2017 at 08:48:33AM +0200, Paolo Barbato wrote:

> I'm using following rules in main.cf
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     check_recipient_access
>         regexp:/opt/trend/imss/postfix/etc/postfix/access,
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     ldap:ldaprfx,
>     reject

Using access(5) to perform recipient validation is not the preferred way
to reject non-existent recipients. Instead, make sure each domain appears
in the appropriate address class (see ADDRESS_CLASS_README), and configure
the corresponding recipient validation tables.

For better performance, change "ldap:ldaprfx" to "proxy:ldap:ldaprfx", and
consider moving the table definition out of main.cf into a ".cf" file.

> ldaprfx_server_host = xx
> ldaprfx_search_base = dc=cgprouter
> ldaprfx_query_filter = mail=%s
> ldaprfx_result_attribute = mail
> ldaprfx_result_scope = one
> ldaprfx_result_format = OK %s
> ldaprfx_version = 3
>
> I see non-existent mail correctly denied with 451, but an error is logged in
> maillog
>
> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: warning: dict_ldap_lookup:
> ldaprfx: Search base 'dc=cgprouter' not found: 32: No such object

The LDAP server should not deny the existence of the search base.

> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: warning: ldap:ldaprfx: table
> lookup problem
> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: NOQUEUE: reject: RCPT from
> unknown[xxx: 451 4.3.5 <x...@igi.cnr.it>: Recipient address rejected: Server
> configuration error; from=<xx@xxx> to=<xx@xx> proto=ESMTP helo=<xxx>

Then you'll be able to reject invalid recipients with a 5XX permanent
error, and avoid noisy warnings in the log.

> Is it expected to see logging "Server configuration error" ?

Yes, because your search base is invalid.

> Here is what ldapsearch returns:
>
> ldapsearch -v -LLL -hxxxx -b"dc=cgprouter" -x -s one 'mail=notexist@xx'
> ldap_initialize( ldap://xxx)
> filter: mail=notexist@xxx
> requesting: All userApplication attributes
> No such object (32)

The "No such object" error is undesirable; instead, this should quietly
return no result. Postfix ignores "no such object" only when the search
base is constructed dynamically via "%[sud]" expansions.

What do the DNs of valid users look like? There's a slim chance that you
can interpolate part of the recipient address into the search base, and
thereby avoid the error.

-- 
	Viktor.
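A worked version of the layout Viktor describes, added here as an example and not part of this thread: the table moved into its own ".cf" file with a search base built from the recipient's domain via %d, and used as relay_recipient_maps through proxy:ldap instead of an access(5) lookup. The file path and name, the LDAP host, the placeholder domain example.com, the assumption that this gateway is a relay for that domain, and the DIT shape ou=<domain>,dc=cgprouter are all assumptions.

```conf
# --- /opt/trend/imss/postfix/etc/postfix/ldaprfx.cf (path and name assumed) ---
# Table definition moved out of main.cf; the "ldaprfx_" prefix goes away.
# LDAP host is assumed. Postfix config has no inline comments, so keep
# every comment on its own line.
server_host = ldap://ldap.example.com
version = 3
bind = no
# Only search for addresses in the relay domain(s); keys in any other
# domain are answered "not found" without contacting the server.
domain = example.com
# Assumed DIT: the users of each domain sit directly under
# ou=<domain>,dc=cgprouter. Because the base is built from %d, Postfix
# treats "No such object" (32) for an unknown domain as "no match" instead
# of a table lookup error, so no dict_ldap_lookup warning is logged.
search_base = ou=%d,dc=cgprouter
scope = one
query_filter = (mail=%s)
result_attribute = mail

# --- main.cf (only the lines that change) ---
# The domain goes into the relay address class and recipients are
# validated by relay_recipient_maps; the trailing "ldap:ldaprfx, reject"
# pair in smtpd_recipient_restrictions is no longer needed.
# The default proxy_read_maps already includes $relay_recipient_maps.
relay_domains = example.com
relay_recipient_maps = proxy:ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_recipient_access regexp:/opt/trend/imss/postfix/etc/postfix/access,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination
# Unknown users are now refused permanently with
# "550 5.1.1 <addr>: Recipient address rejected: User unknown in relay
# recipient table"; only a real LDAP outage produces a temporary
# "451 4.3.0 <addr>: Temporary lookup failure".

# --- checks, run on the gateway before "postfix reload" ---
# Use "ldap:" rather than "proxy:ldap:" so the lookup runs inside postmap:
#   postmap -q user@example.com   ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
#   postmap -q nobody@example.com ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
# The first prints the mail attribute; the second prints nothing and exits 1
# without any "Search base ... not found" warning.
```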