Postfix + Remote Ldap Server problem
I have setup Postfix LDAP (postfix-2.5.4-2.sasl2.vda.rhel5) on CentOS 5.2 x64 and all features that I have configured are working great EXCEPT from REMOTE LDAP SERVER. I have configured OpenLDAP Server to some other IP on the network (it's a different server) but Postfix still looks for LOCAL LDAP DATABASE all the time. When I move password database from remote LDAP server to localhost and start ldap service on localhost everything works OK. The thing is that I want LDAP Server to be another machine on the network.

message:
---
postfix/trivial-rewrite[18638]: warning:dict_ldap_connect: Unable to bind to server ldap://localhost:389 as : -1(Can't contact LDAP server)
postfix/trivial-rewrite[18638]: fatal:ldap:ldaplists(0,lock|fold_fix): table lookup problem

In my config I have set:

From main.cf

## LDAP SERVER ##
ldap_server_host = remoteipaddress
ldap_server_port = 389
ldap_bind = no
ldap_search_base = ou=accounts,dc=***,dc=**
ldap_scope = sub
ldap_cache = no

Postfix complains about not finding ldap://localhost !!!

Just note all ldap.conf files in system are empty. And generally localhost LDAP isn't defined anywhere.

# postconf -m
btree
cidr
environ
hash
ldap
nis
proxy
regexp
static
unix

I am also sending you postfinger debug attached.

thanks in advance
Bill

postfinger - postfix configuration on Fri Feb 27 12:49:37 EET 2009
version: 1.30

Warning: postfinger output may show private configuration information, such as ip addresses and/or domain names which you do not want to show to the public. If this is the case it is your responsibility to modify the output to hide this private information. [Remove this warning with the --nowarn option.]

--System Parameters--
mail_version = 2.5.4
hostname = serverhostname
uname = Linux serverhostname 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.5.4-2.sasl2.vda.rhel5

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
debug_peer_level = 3
default_destination_concurrency_limit = 50
default_process_limit = 200
html_directory = /usr/share/doc/postfix-2.5.4-documentation/html
local_destination_concurrency_limit = 10
local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, $transport_maps
mynetworks = *.*.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.5.4-documentation/readme
recipient_delimiter = +
relayhost = [nic.upatras.gr]
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_banner = $myhostname serverhostname
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, warn_if_reject, reject_unknown_client_hostname
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_helo_restrictions = warn_if_reject, reject_invalid_helo_hostname, warn_if_reject, reject_non_fqdn_helo_hostname, warn_if_reject, reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sender_login_maps = $virtual_alias_maps
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, warn_if_reject, reject_sender_login_mismatch, warn_if_reject, reject_unauthenticated_sender_login_mismatch
smtpd_timeout = ${stress?10}${stress:300}
smtpd_tls_cert_file = /etc/postfix/certs/serverhostname.pem
smtpd_tls_key_file = /etc/postfix/certs/serverhostname.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual ldap:ldapmailfwonly ldap:ldaplists ldap:ldapalias
virtual_gid_maps = static:102
virtual_mailbox_base = /
virtual_mailbox_limit = 0
virtual_mailbox_maps = ldap:ldapaccounts
virtual_uid_maps = static:103

--master.cf--
smtp inet n - n - - smtpd
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace un
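Added example, not part of the original post or of Postfix itself: when an LDAP table is named in main.cf as `ldap:NAME`, Postfix reads its settings from parameters prefixed with that name (`NAME_server_host`, and so on), and `server_host` falls back to `localhost` when unset. The Python check below lists the `ldap:NAME` sources that have no matching `NAME_server_host`; the sample main.cf is constructed from the excerpt above, with 192.0.2.10 and the search base as placeholder values.

```python
import re

# Constructed sample modelled on the main.cf excerpt in the post above.
SAMPLE_MAIN_CF = """\
## LDAP SERVER ##
ldap_server_host = 192.0.2.10
ldap_server_port = 389
ldap_search_base = ou=accounts,dc=example,dc=org
virtual_alias_maps = hash:/etc/postfix/virtual ldap:ldapmailfwonly
    ldap:ldaplists ldap:ldapalias
virtual_mailbox_maps = ldap:ldapaccounts
ldapaccounts_server_host = 192.0.2.10
"""


def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue
    the previous parameter, blank lines and # comments are skipped."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def ldap_sources_missing_host(params):
    """Names used as ldap:NAME (not a /path or ./path to a .cf file)
    for which no NAME_server_host parameter is defined."""
    missing = []
    for value in params.values():
        for name in re.findall(r"(?<![\w/])ldap:([^\s,/.][^\s,]*)", value):
            if f"{name}_server_host" not in params and name not in missing:
                missing.append(name)
    return missing


if __name__ == "__main__":
    for name in ldap_sources_missing_host(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"ldap:{name}: {name}_server_host unset, lookups go to localhost")
```
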
Re: single domain - multiple smtp relayhosts
You just need to mention one domain on your transport maps and then configure dns to have multiple MX records for same domain. Don't forget to add the priority number for its host. Postfix will automatically discover those mx records for you.

e.g.
mail.test.com IN MX 10 mailserver1.test.com
              IN MX 20 mailserver2.test.com

Bill

Noel Jones wrote:

Wilson A. Galafassi Jr. wrote:

Hello to all, I need to configure postfix to use multiple smtp relayhosts for a single domain. This is possible? How?

Your question is not entirely clear, so I'm going to answer as if "single domain" refers to a single outbound destination, with other outbound domains delivered directly.

Use transport_maps and MX records to direct mail to the group of hosts you want, or use multiple /etc/hosts entries. An example:

# main.cf - tell postfix to use a transport table
transport_maps = hash:/etc/postfix/transport

# transport - domains that get special treatment
example.com smtp:example.local

# /etc/hosts - host <> IP mapping
10.1.2.2 example.local
10.1.2.3 example.local

Or you can define example.local in your local DNS server.

http://www.postfix.org/transport.5.html

-- Noel Jones
smtpd_client_restrictions
Hello all,

I need to reject smtp connection from certain IP inside my network (SPAMMER). I have configured the following according to http://www.postfix.org/access.5.html and it doesn't work. I just want to deny an IP address to send mails to the outside world!

smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated

access
===
ipaddress REJECT

Thanks in advance
Bill
Re: smtpd_client_restrictions
Stan Hoeppner wrote:

vtzan put forth on 12/11/2009 5:46 AM:

thanks for your fast reply. But that was my PLAN B ;-) any idea for PLAN A?

thanks a lot
Bill

Hay Bill,

First off, please keep all replies on the postfix-users list. 2nd, send your 'postconf -n' output and the relevant contents of /etc/postfix/access. 3rd, it might be tricky doing what you are asking because, if I understand you correctly, the IP you want to block with smtpd is within mynetworks.

-- Stan

Hello Stan,

1. sorry, forgot to "reply-all". Yes, that is true, the IP I want to block is within $mynetworks. ;-)

here is the postconf -n ( was replaced for obvious reasons.)

alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
default_destination_concurrency_limit = 50
default_process_limit = 200
disable_vrfy_command = no
html_directory = /usr/share/doc/postfix-2.5.4-documentation/html
inet_interfaces = all
local_destination_concurrency_limit = 50
local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, $transport_maps
mydomain = .gr
myhostname = mail..gr
mynetworks = 1X0.1X0.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.4-documentation/readme
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relayhost = [..gr]
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname mail..gr
smtpd_client_connection_count_limit = 50
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated
smtpd_delay_reject = yes
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_helo_required = no
smtpd_helo_restrictions = warn_if_reject, reject_invalid_helo_hostname, warn_if_reject, reject_non_fqdn_helo_hostname, warn_if_reject,reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_login_maps = $virtual_alias_maps
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, warn_if_reject, reject_sender_login_mismatch, warn_if_reject, reject_unauthenticated_sender_login_mismatch
smtpd_timeout = ${stress?10}${stress:300}
smtpd_tls_CAfile = /etc/postfix/certs/ipsCA.pem
smtpd_tls_cert_file = /etc/postfix/certs/mail.pem
smtpd_tls_key_file = /etc/postfix/certs/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual, proxy:ldap:/etc/postfix/ldap/ldapmailfwonly.cf, proxy:ldap:/etc/postfix/ldap/ldapalias.cf
virtual_gid_maps = static:102
virtual_mailbox_base = /
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/ldapaccounts.cf
virtual_minimum_uid = 100
virtual_uid_maps = static:103

thanks in advance for your help.
Bill
Re: smtpd_client_restrictions
Hello noel,

thanks for your response but it didn't work!

thanks
Bill

Noel Jones wrote:

On 12/11/2009 7:02 AM, Stan Hoeppner wrote:

vtzan put forth on 12/11/2009 5:46 AM:

thanks for your fast reply. But that was my PLAN B ;-) any idea for PLAN A?

thanks a lot
Bill

Hay Bill,

First off, please keep all replies on the postfix-users list. 2nd, send your 'postconf -n' output and the relevant contents of /etc/postfix/access. 3rd, it might be tricky doing what you are asking because, if I understand you correctly, the IP you want to block with smtpd is within mynetworks.

-- Stan

http://www.postfix.org/postconf.5.html#mynetworks

It's easy enough to exclude the IP from mynetworks, just use something like:

mynetworks = !192.168.1.not-this-host 192.168.1.0/24

Although if there is a machine in mynetworks sending out spam (virus zombie?) I think I would just firewall it until I could identify it and either 2x4 the user or fix the PC (or maybe both if I'm in a mood).

-- Noel Jones
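Added example, not part of the thread or of Postfix: a small Python model of how a `mynetworks` list with a `!pattern` exclusion is evaluated (left to right, first match decides), which is why the exclusion has to come before the network that contains it. The address 192.168.1.66 is a constructed stand-in for the elided "not-this-host" address, and only IP/CIDR patterns are handled.

```python
import ipaddress


def mynetworks_decision(client_ip, mynetworks):
    """Model of mynetworks matching for IP/CIDR patterns only.

    Patterns are tried left to right and the first match decides:
    a plain pattern means "trusted", a !pattern means "excluded".
    Returns (trusted, deciding_pattern); (False, None) if nothing matches.
    """
    ip = ipaddress.ip_address(client_ip)
    for pattern in mynetworks.replace(",", " ").split():
        negate = pattern.startswith("!")
        net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
        if ip.version == net.version and ip in net:
            return (not negate, pattern)
    return (False, None)


# Constructed values: exclusion first (as in the reply above) vs. last.
EXCLUDE_FIRST = "!192.168.1.66 192.168.1.0/24, 127.0.0.0/8"
EXCLUDE_LAST = "192.168.1.0/24, 127.0.0.0/8 !192.168.1.66"

if __name__ == "__main__":
    for label, nets in (("first", EXCLUDE_FIRST), ("last", EXCLUDE_LAST)):
        for ip in ("192.168.1.66", "192.168.1.20", "203.0.113.9"):
            trusted, by = mynetworks_decision(ip, nets)
            print(f"exclusion {label}: {ip} trusted={trusted} (matched {by})")
```

A client that is no longer in `mynetworks` simply stops matching `permit_mynetworks`; what happens to it next depends on the restrictions that follow in each list.
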
Re: smtpd_client_restrictions
Stan Hoeppner wrote:

vtzan put forth on 12/14/2009 1:17 AM:

Hello noel, thanks for your response but it didn't work!

First, did you reload postfix after editing main.cf? If not, the change won't take effect until you reload or restart postfix. And, how do you know it didn't work? Is he still sending spam? If so use iptables _NOW_ to put a stop to it!

yes I reload and I just put my IP and tested! ;-)

I cannot understand for the life of me why you're dicking around with this instead of dropping the hammer instantly on this situation...

From the book of Sysadmin Rule #1: Use whatever _functional_ tool you have available _right now_ to stop network abuse. Learn to use other tools/methods for the same job _when you are not in crisis mode_.

There is a bear knocking down your front door intent on eating you. Are you going to grab fork, then knife, then rolling pin, and realize none of them work, before grabbing the gun and shooting the bear? Taking this route makes you bear food...

-- Stan

thanks a lot for your reply Stan. No, the problem has stopped but just trying to figure out a quick way from postfix to prevent abusing my server if this happens again. I know how to use IP tables but want to know a postfix way.

thanks
Bill