
check_recipient_access and LDAP


Maykel Moya

Oct 3, 2007, 7:06:11 PM
I have

main.cf
-------
[...]
smtpd_recipient_restrictions =
check_recipient_access ldap:$config_directory/ldap-users-access.cf,
reject_unauth_destination

ldap-users-access.cf
--------------------
server_host = localhost
search_base = ou=users,dc=sld,dc=cu
version = 3
bind = yes
cache = no
bind_dn = cn=admin,dc=sld,dc=cu
bind_pw = foobar
query_filter = (&(objectClass=sldMailRecipient)(mail=%s))
result_attribute = uid
result_filter = OK


The ldap table apparently works as expected

--
root@infomed:~# postmap -q moya...@infomed.sld.cu ldap:/etc/postfix-ldap/ldap-users-access.cf
OK
root@infomed:~# postmap -q moya...@infomed.sld.cu ldap:/etc/postfix-ldap/ldap-users-access.cf
root@infomed:~#
--

Nevertheless postfix is not accepting mail for moyatest

--
root@infomed:~# telnet localhost 26
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 infomed.sld.cu ESMTP Postfix
ehlo foo
250-infomed.sld.cu
250-PIPELINING
250-SIZE 2621440
250-VRFY
250-ETRN
250 8BITMIME
mail from:<mo...@foo.org>
250 Ok
rcpt to:<moya...@infomed.sld.cu>
550 <moya...@infomed.sld.cu>: Recipient address rejected: User unknown in local recipient table
--

Logs say nothing more than 'Recipient address ...'

Any hint?

Regards,
maykel


Magnus Bäck

Oct 4, 2007, 4:39:49 AM
On Thursday, October 04, 2007 at 01:06 CEST,
Maykel Moya <moya-...@infomed.sld.cu> wrote:

> I have
>
> main.cf
> -------
> [...]
> smtpd_recipient_restrictions =
> check_recipient_access ldap:$config_directory/ldap-users-access.cf,
> reject_unauth_destination

[...]

> The ldap table apparently works as expected

[...]

> Nevertheless postfix is not accepting mail for moyatest

[...]

> 550 <moya...@infomed.sld.cu>: Recipient address rejected: User unknown
> in local recipient table

As long as you have smtpd_reject_unlisted_recipient = yes, Postfix will
implicitly slap in a reject_unlisted_recipient restriction at the end of
the list. That's the cause of the rejection.

But what are you trying to accomplish? To validate recipients, list them
in local_recipient_maps, relay_recipient_maps, virtual_alias_maps, or
virtual_mailbox_maps. The solution above is a hack.

The error message suggests that infomed.sld.cu is a local domain. Do you
really need this extra stuff at all? As long as users can be resolved by
getpwnam() and friends you don't need any special tricks just because
they happen to be stored in LDAP.

--
Magnus Bäck
mag...@dsek.lth.se

Maykel Moya

Oct 5, 2007, 12:55:49 AM

On Thu, 04-10-2007 at 10:39 +0200, Magnus Bäck wrote:
> On Thursday, October 04, 2007 at 01:06 CEST,
> Maykel Moya <moya-...@infomed.sld.cu> wrote:
>
> > I have
> >
> > main.cf
> > -------
> > [...]
> > smtpd_recipient_restrictions =
> > check_recipient_access ldap:$config_directory/ldap-users-access.cf,
> > reject_unauth_destination
>
> As long as you have smtpd_reject_unlisted_recipient = yes, Postfix will
> implicitly slap in a reject_unlisted_recipient restriction at the end of
> the list. That's the cause of the rejection.
>
> But what are you trying to accomplish? To validate recipients, list them
> in local_recipient_maps, relay_recipient_maps, virtual_alias_maps, or
> virtual_mailbox_maps. The solution above is a hack.

In fact, it's a hack. I tried to add those recipients to
virtual_mailbox_maps and the problem persists.

> The error message suggests that infomed.sld.cu is a local domain. Do you
> really need this extra stuff at all? As long as users can be resolved by
> getpwnam() and friends you don't need any special tricks just because
> they happen to be stored in LDAP.

infomed.sld.cu is a sort of dual domain (local + virtual). You can get
the picture with this response from Victor Duchovni[1] to me.

I managed to get Dovecot-LDA work the way I need. Only left that Postfix
accepts mails directed to users listed in LDAP and not listed
in /etc/passwd.

To get the virtual users directed to dovecot transport I set up
something like this

transport_maps =
ldap:$config_directory/ldap-users-transport.cf,
hash:$config_directory/transport


ldap-users-transport.cf


--
server_host = localhost
search_base = ou=users,dc=sld,dc=cu
version = 3
bind = yes
cache = no
bind_dn = cn=admin,dc=sld,dc=cu
bind_pw = foobar

query_filter = (&(objectClass=sldMailRecipient)(uid=%u))
result_attribute = uid
result_filter = dovecot:

Regards,
maykel

[1] http://archives.neohapsis.com/archives/postfix/2007-10/0074.html

Victor Duchovni

Oct 5, 2007, 1:08:43 AM
On Fri, Oct 05, 2007 at 12:55:49AM -0400, Maykel Moya wrote:

> In fact, it's a hack. I tried to add those recipients to
> virtual_mailbox_maps and the problem persists.
>
> > The error message suggests that infomed.sld.cu is a local domain. Do you
> > really need this extra stuff at all? As long as users can be resolved by
> > getpwnam() and friends you don't need any special tricks just because
> > they happen to be stored in LDAP.
>
> infomed.sld.cu is a sort of dual domain (local + virtual). You can get
> the picture with this response from Victor Duchovni[1] to me.

When a local domain has some non-system users that are delivered to
virtual mailboxes, you need to list those addresses in

local_recipient_maps =
$alias_maps,
unix:passwd.byname,
$virtual_mailbox_maps

Instead of virtual_mailbox_maps, use some table that has all the non-system
users as lookup keys.

> server_host = localhost
> search_base = ou=users,dc=sld,dc=cu
> version = 3
> bind = yes
> cache = no
> bind_dn = cn=admin,dc=sld,dc=cu
> bind_pw = foobar
> query_filter = (&(objectClass=sldMailRecipient)(uid=%u))
> result_attribute = uid
> result_filter = dovecot:

That transport should probably be "dovecot:dummy" so that concurrency is
computed correctly, and if "dovecot" is maildir delivery via pipe(8),
rather than LMTP (which can handle multiple recipients robustly) you must
also set the recipient limit to 1.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
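The two points made above (Magnus: with smtpd_reject_unlisted_recipient = yes the unlisted-recipient check is applied after the restriction list, so an OK from check_recipient_access does not help; Victor: list the virtual users in local_recipient_maps instead) can be seen in a small model of the decision smtpd(8) makes on RCPT TO. This is an added example and not code from the thread or from Postfix itself. The user names, alias names and Maildir paths are constructed samples standing in for the thread's passwd, alias and LDAP tables, and the table lookup order is a simplified rendering of Postfix's documented behaviour, not a reimplementation of smtpd_check.c.

```python
"""Model of how smtpd(8) accepts or rejects RCPT TO for a local domain.

Added example, not Postfix source. Sets/dicts stand in for the unix:,
hash: and ldap: tables of the thread; names and paths are constructed.
"""
from dataclasses import dataclass, field

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Constructed sample tables mirroring the thread's setup.
PASSWD = {"root", "maykel"}                  # unix:passwd.byname (system users)
ALIASES = {"postmaster", "abuse"}            # $alias_maps keys
LDAP_USERS = {"moyatest"}                    # sldMailRecipient entries in LDAP
VIRTUAL_MAILBOX_MAPS = {                     # user@domain -> mailbox (assumed path)
    f"{u}@infomed.sld.cu": f"{u}/Maildir/" for u in LDAP_USERS}
LDAP_ACCESS = {                              # ldap-users-access.cf: (mail=%s) -> OK
    f"{u}@infomed.sld.cu": OK for u in LDAP_USERS}


@dataclass
class Config:
    mydestination: set
    local_recipient_maps: list          # tables searched; [] disables the check
    smtpd_recipient_restrictions: list  # (restriction name, table or None)
    smtpd_reject_unlisted_recipient: bool = True
    relay_domains: set = field(default_factory=set)


def split_addr(addr):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def listed_recipient(cfg, addr):
    """local_recipient_maps lookup: user@domain, then the bare user name
    (passwd and alias tables are keyed that way), then the @domain wildcard."""
    local, domain = split_addr(addr)
    keys = (f"{local}@{domain}", local, f"@{domain}")
    return any(k in t for t in cfg.local_recipient_maps for k in keys)


def check_recipient_access(cfg, table, addr):
    """check_recipient_access: tries user@domain, the domain, then user@."""
    local, domain = split_addr(addr)
    for key in (f"{local}@{domain}", domain, f"{local}@"):
        if key in table:
            action = table[key]
            return (action, "554", "Access denied") if action == REJECT else (action, None, None)
    return (DUNNO, None, None)


def reject_unauth_destination(cfg, _table, addr):
    domain = split_addr(addr)[1]
    if domain in cfg.mydestination or domain in cfg.relay_domains:
        return (DUNNO, None, None)
    return (REJECT, "554", "Relay access denied")


def reject_unlisted_recipient(cfg, _table, addr):
    """Reject a local-domain address that no local_recipient_maps table lists."""
    if (split_addr(addr)[1] in cfg.mydestination and cfg.local_recipient_maps
            and not listed_recipient(cfg, addr)):
        return (REJECT, "550",
                "Recipient address rejected: User unknown in local recipient table")
    return (DUNNO, None, None)


RESTRICTIONS = {
    "check_recipient_access": check_recipient_access,
    "reject_unauth_destination": reject_unauth_destination,
    "reject_unlisted_recipient": reject_unlisted_recipient,
}


def smtpd_check_rcpt(cfg, addr):
    """Return the SMTP reply line for RCPT TO:<addr>."""
    status = (DUNNO, None, None)
    for name, table in cfg.smtpd_recipient_restrictions:
        status = RESTRICTIONS[name](cfg, table, addr)
        if status[0] != DUNNO:      # OK or REJECT ends the restriction list
            break
    # The implicit check: with smtpd_reject_unlisted_recipient = yes it runs
    # after the list, so an OK from check_recipient_access does not bypass it.
    if status[0] != REJECT and cfg.smtpd_reject_unlisted_recipient:
        unlisted = reject_unlisted_recipient(cfg, None, addr)
        if unlisted[0] == REJECT:
            status = unlisted
    if status[0] == REJECT:
        return f"{status[1]} <{addr}>: {status[2]}"
    return "250 Ok"


# The first post: the access table says OK, but the LDAP users are not in
# local_recipient_maps (default: $alias_maps + unix:passwd.byname).
HACK = Config(
    mydestination={"infomed.sld.cu", "localhost"},
    local_recipient_maps=[ALIASES, PASSWD],
    smtpd_recipient_restrictions=[("check_recipient_access", LDAP_ACCESS),
                                  ("reject_unauth_destination", None)],
)

# Victor's fix: local_recipient_maps = $alias_maps, unix:passwd.byname,
# $virtual_mailbox_maps. The access-table entry is no longer needed.
FIXED = Config(
    mydestination={"infomed.sld.cu", "localhost"},
    local_recipient_maps=[ALIASES, PASSWD, VIRTUAL_MAILBOX_MAPS],
    smtpd_recipient_restrictions=[("reject_unauth_destination", None)],
)

if __name__ == "__main__":
    for label, cfg in (("hack", HACK), ("fixed", FIXED)):
        for rcpt in ("maykel@infomed.sld.cu", "moyatest@infomed.sld.cu",
                     "nosuch@infomed.sld.cu", "someone@example.org"):
            print(f"{label:5} RCPT TO:<{rcpt}> -> {smtpd_check_rcpt(cfg, rcpt)}")
```

Under HACK the model reproduces the 550 from the first post for moyatest while maykel (a passwd user) is accepted; under FIXED moyatest is accepted and an unknown local user is still rejected, which is the backscatter protection the implicit check exists for. On a real system the equivalent check is to read `postconf local_recipient_maps` and run `postmap -q user@domain` against each table listed there, since the `postmap -q` in the first post only proved that the access table answered OK. For the pipe(8) transport Victor mentions, the recipient limit is set with the standard per-transport parameter, here `dovecot_destination_recipient_limit = 1`.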

Maykel Moya

Oct 5, 2007, 1:24:50 AM

On Fri, 05-10-2007 at 01:08 -0400, Victor Duchovni wrote:

> When a local domain has some non-system users that are delivered to
> virtual mailboxes, you need to list those addresses in
>
> local_recipient_maps =
> $alias_maps,
> unix:passwd.byname,
> $virtual_mailbox_maps

Yes! It worked.

> Instead of virtual_mailbox_maps, use some table that has all the non-system
> users as lookup keys.

Didn't get the idea, could you elaborate it a little more?

> That transport should probably be "dovecot:dummy" so that concurrency is
> computed correctly, and if "dovecot" is maildir delivery via pipe(8),
> rather than LMTP (which can handle multiple recipients robustly) you must
> also set the recipient limit to 1.

Yes, done.

Thanks a lot,
maykel

Victor Duchovni

Oct 5, 2007, 1:27:04 AM
On Fri, Oct 05, 2007 at 01:24:50AM -0400, Maykel Moya wrote:

> On Fri, 05-10-2007 at 01:08 -0400, Victor Duchovni wrote:
>
> > When a local domain has some non-system users that are delivered to
> > virtual mailboxes, you need to list those addresses in
> >
> > local_recipient_maps =
> > $alias_maps,
> > unix:passwd.byname,
> > $virtual_mailbox_maps
>
> Yes! It worked.
>
> > Instead of virtual_mailbox_maps, use some table that has all the non-system
> > users as lookup keys.
>
> Didn't get the idea, could you elaborate it a little more?

If necessary, that is if the non-system users are listed elsewhere.
