Hi Viktor,

On 04 Apr 2017, at 18:02, Viktor Dukhovni wrote:
> On Tue, Apr 04, 2017 at 08:48:33AM +0200, Paolo Barbato wrote:
>
>> I'm using the following rules in main.cf
>>
>> smtpd_recipient_restrictions =
>>     permit_mynetworks,
>>     check_recipient_access
>>         regexp:/opt/trend/imss/postfix/etc/postfix/access,
>>     reject_unauth_pipelining,
>>     reject_non_fqdn_recipient,
>>     reject_unknown_recipient_domain,
>>     reject_unauth_destination,
>>     ldap:ldaprfx,
>>     reject
>
> Using access(5) to perform recipient validation is not the preferred
> way to reject non-existent recipients. Instead, make sure each domain
> appears in the appropriate address class (see ADDRESS_CLASS_README),
> and configure the corresponding recipient validation tables.
>

On the edge I'm using TrendMicro IMSVA, which bundles Postfix 2.7.x as MTA. Postfix configuration files are maintained via some web forms available on the main IMSVA web console. It's possible to activate a check on recipients against multiple LDAP servers. A local OpenLDAP server is then put in place acting as a local cache. In production, the main.cf file includes an entry for ldap:ldapimsva. Since the CGPro virtual search base dc=cgprouter is not directly configurable via IMSVA (now I understand why: error 32), I've tried to add a separate instance ldap:ldaprfx in main.cf manually.

> For better performance, change "ldap:ldaprfx" to "proxy:ldap:ldaprfx",
> and consider moving the table definition out of main.cf into a
> ".cf" file.
>

Very effective suggestions, although if the CGPro developers accept my proposal, I'm confident that I'll be able to add the CGPro virtual base directly using the IMSVA web console.

Regards,
Paolo.
>> ldaprfx_server_host = xx
>> ldaprfx_search_base = dc=cgprouter
>> ldaprfx_query_filter = mail=%s
>> ldaprfx_result_attribute = mail
>> ldaprfx_result_scope = one
>> ldaprfx_result_format = OK %s
>> ldaprfx_version = 3
>>
>> I see non-existent mail correctly denied with 451, but an error is logged in
>> maillog
>>
>> Apr  3 15:23:04 mail2 postfix/smtpd[11180]: warning: dict_ldap_lookup:
>> ldaprfx: Search base 'dc=cgprouter' not found: 32: No such object
>
> The LDAP server should not deny the existence of the search base.
>
>> Apr  3 15:23:04 mail2 postfix/smtpd[11180]: warning: ldap:ldaprfx: table
>> lookup problem
>> Apr  3 15:23:04 mail2 postfix/smtpd[11180]: NOQUEUE: reject: RCPT from
>> unknown[xxx: 451 4.3.5 <x...@igi.cnr.it>: Recipient address rejected: Server
>> configuration error; from=<xx@xxx> to=<xx@xx> proto=ESMTP helo=<xxx>
>
> Then you'll be able to reject invalid recipients with a 5XX permanent
> error, and avoid noisy warnings in the log.
>
>> Is it expected to see logging "Server configuration error"?
>
> Yes, because your search base is invalid
>
>> Here is what ldapsearch returns:
>>
>> ldapsearch -v -LLL -hxxxx -b"dc=cgprouter" -x -s one 'mail=notexist@xx'
>> ldap_initialize( ldap://xxx)
>> filter: mail=notexist@xxx
>> requesting: All userApplication attributes
>> No such object (32)
>
> The "No such object" error is undesirable, instead, this should
> quietly return no result.
>
> Postfix ignores "no such object" only when the search base is
> constructed dynamically via "%[sud]" expansions.
>
> What do the DNs of valid users look like? There's a slim chance
> that you can interpolate part of the recipient address into the
> search base, and thereby avoid the error.
>
> --
> Viktor.
------------------------------------------------------------------------------------------------
Paolo Barbato
Consorzio RFX
corso Stati Uniti, 4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097
fax: +39 049 8700718
------------------------------------------------------------------------------------------------
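As an added illustration of the point Viktor makes in the thread (this is not code from the thread and not Postfix's own implementation): a small Python model of the ldap_table(5) `%s`/`%u`/`%d` expansion that Postfix applies to `query_filter` and `search_base`, with the RFC 4515 filter quoting and RFC 4514 DN quoting that ldap_table(5) documents, plus a helper showing why a static search base turns LDAP result 32 ("No such object") into a logged "table lookup problem" and a 451 to the client, while a `%`-expanded search base makes the same result read as "recipient not found". The `ou=%d,dc=cgprouter` template and the sample addresses are hypothetical; nothing here describes the real CGPro DN layout.

```python
import re
from typing import Callable, List, Optional, Tuple

# Added example: models the ldap_table(5) template expansion and the
# "No such object" handling discussed in the thread. Not Postfix source code.

# RFC 4515 quoting for values interpolated into a search filter (ldap_table(5)
# applies this to %s/%u/%d in query_filter, so a recipient address containing
# filter metacharacters cannot change the meaning of the filter).
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Quote filter metacharacters in a value that goes inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 quoting for an attribute value embedded in a DN (search_base)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


class _Suppress(Exception):
    """Signals that ldap_table(5) would skip the query for this input key."""


def expand(template: str, key: str, escape: Callable[[str], str]) -> Optional[str]:
    """Expand %s (whole key), %u (local part), %d (domain) and %% as ldap_table(5)
    describes. %d with a key that has no domain suppresses the lookup (None);
    %u without a domain falls back to the whole key."""
    local, at, domain = key.rpartition("@")
    has_domain = bool(at) and bool(domain)

    def repl(m: "re.Match") -> str:
        code = m.group(1)
        if code == "%":
            return "%"
        if code == "s":
            return escape(key)
        if code == "u":
            return escape(local if has_domain else key)
        if code == "d":
            if not has_domain:
                raise _Suppress()
            return escape(domain)
        raise ValueError(code)

    try:
        return re.sub(r"%([sud%])", repl, template)
    except _Suppress:
        return None


def build_query(search_base_template: str, query_filter_template: str,
                recipient: str) -> Optional[Tuple[str, str]]:
    """Return (search_base, filter) for one recipient, or None if suppressed."""
    base = expand(search_base_template, recipient, escape_dn_value)
    flt = expand(query_filter_template, recipient, escape_filter_value)
    if base is None or flt is None:
        return None
    return base, flt


LDAP_NO_SUCH_OBJECT = 32  # the "No such object" result code seen in the thread


def lookup_outcome(search_base_template: str, rc: int, entries: List[str]) -> str:
    """How the thread says Postfix reads an LDAP result: result 32 is a lookup
    error (logged as 'table lookup problem', client gets 451) unless the search
    base was built by %[sud] expansion, in which case it simply means not found."""
    if rc == 0:
        return "found" if entries else "not_found"
    if rc == LDAP_NO_SUCH_OBJECT and re.search(r"%[sud]", search_base_template):
        return "not_found"
    return "lookup_error"


if __name__ == "__main__":
    # Static base from the thread versus a hypothetical per-domain base.
    for base in ("dc=cgprouter", "ou=%d,dc=cgprouter"):
        print(build_query(base, "mail=%s", "notexist@example.org"),
              "->", lookup_outcome(base, LDAP_NO_SUCH_OBJECT, []))
```

Run as a script it prints the expanded base and filter for each template and then the outcome Postfix would derive from a "No such object" reply: `lookup_error` for the static `dc=cgprouter`, `not_found` for the `%d`-expanded base. The escaping functions matter for the defender: the recipient address arrives from the SMTP client, and the quoting is what keeps `*`, `(` and `)` in a local part from widening the filter.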