Old 09-25-2012, 03:03 AM   #1
henrycoffin
Member
 
Registered: Dec 2006
Distribution: RHEL Debian
Posts: 42

Rep: Reputation: 15
Postfix relay_recipient_maps querying ldap


Hi,

This has been driving me mad for days. I relay mail for several domains and need to verify recipients through ldap.

#main.cf

relay_recipient_maps = ldap:/etc/postfix/ldap_relay.cf

#ldap_relay.cf

server_host = ldap://ldap.mydomain.com
search_base = dc=mydomain,dc=com
scope = sub
bind = no
query_filter = (|(mail=%s)(mailAlternateAddress=%s))
result_attribute = mail


When I test using 'postmap -q' valid addresses return a result and invalid ones do not as expected. However when I test using telnet the invalid addresses are accepted by postfix.

How do I get postfix to reject these invalid addresses??

Regards


Sean
 
Old 09-26-2012, 11:55 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
you might want to post the output of postconf -d. do you see that behavior when you telnet from outside your LAN?
 
Old 10-02-2012, 03:04 AM   #3
henrycoffin
Member
 
Registered: Dec 2006
Distribution: RHEL Debian
Posts: 42

Original Poster
Rep: Reputation: 15
Obviously the output of postconf -d is very large. Is there anything in particular to look for??

I see this behaviour connecting from anywhere.

Last edited by henrycoffin; 10-02-2012 at 03:05 AM. Reason: Adding details
 
Old 10-03-2012, 05:01 AM   #4
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
sorry, i meant postconf -n
 
Old 10-03-2012, 05:50 AM   #5
henrycoffin
Member
 
Registered: Dec 2006
Distribution: RHEL Debian
Posts: 42

Original Poster
Rep: Reputation: 15
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $alias_maps unix:passwd.byname
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = host.domain.com
mynetworks = /etc/postfix/network_table
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = /etc/postfix/rcpthosts
relay_recipient_maps = ldap:ldaprelay hash:/etc/postfix/goodmailaddr
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_xfer_timeout = 600s
smtp_tls_CAfile = /etc/postfix/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/servercert.pem
smtp_tls_key_file = /etc/postfix/host.key
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net reject_rbl_client b.barracudacentral.org reject_rbl_client cbl.abuseat.org reject_rbl_client dnsbl.njabl.org reject_rbl_client psbl.surriel.com
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_invalid_hostname reject_unverified_recipient
smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/badmailfrom
smtpd_tls_CAfile = /etc/postfix/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/servercert.pem
smtpd_tls_key_file = /etc/postfix/host.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport


#ldaprelay
ldaprelay_server_host = ldapserver
ldaprelay_search_base = dc=domain,dc=com
ldaprelay_cache = no
ldaprelay_query_filter = (|(mail=%s)(mailAlternateAddress=%s))
ldaprelay_result_attribute = mail
ldaprelay_result_filter = OK
 
Old 10-03-2012, 10:41 AM   #6
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Code:
relay_domains = /etc/postfix/rcpthosts
relay_recipient_maps = ldap:ldaprelay hash:/etc/postfix/goodmailaddr
Ok, so let's make sure we understand what's going on. /etc/postfix/rcpthosts should contain all the domains to which you agree to relay mail. Note that subdomains of these will automatically be included. The relay_recipient_maps parameter lists the sources (ldap config and hash files, in your case) of valid email addresses belonging to the domains in relay_domains, with a wildcard specified by omitting the user part of an email address, i.e. @domain means that all mail to domain will be relayed. Also, domains specified as being relay domains should not also be specified in another "address class", such as the local domain class (which is the domains for which postfix is the final destination).

Is it possible those unexpected email addresses are being caught by a wildcard?
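
Added example (not part of the original post, and not Postfix source code): a simplified Python model of the lookup post #6 describes, showing how a bare @domain key in any relay_recipient_maps source accepts every recipient in that domain, and flagging a domain that falls in two address classes. The function names and all sample data are constructed for illustration; only the full-address and @domain lookups are modelled.

```python
"""Simplified model of the relay-recipient lookup described in post #6.
Added illustration; not Postfix source code. All sample data is constructed."""

def domain_in(domain, domains):
    """Match a domain or any subdomain of a listed domain (as post #6 notes
    for relay_domains)."""
    return any(domain == d or domain.endswith("." + d) for d in domains)

def explain_rcpt(rcpt, relay_domains, mydestination, map_keys):
    """Return (verdict, reason) for one RCPT TO address.

    map_keys: set of lookup keys present in the relay_recipient_maps
    sources; an empty set stands for an unset relay_recipient_maps.
    """
    rcpt = rcpt.strip().lower()
    _, _, domain = rcpt.rpartition("@")
    is_relay = domain_in(domain, relay_domains)
    is_local = domain in mydestination  # exact match only in this model
    if is_relay and is_local:
        return ("overlap", f"{domain} is in both relay_domains and mydestination")
    if not is_relay:
        return ("not-relay", f"{domain} is not covered by relay_domains")
    if not map_keys:
        return ("accept", "relay_recipient_maps is empty: no recipient check")
    # Full address first, then the bare @domain wildcard.
    for key in (rcpt, "@" + domain):
        if key in map_keys:
            return ("accept", f"matched key {key}")
    return ("reject", "no matching key in relay_recipient_maps")

# Constructed sample configuration and map contents.
RELAY_DOMAINS = {"example.com"}
MYDESTINATION = {"host.example.com", "localhost"}
KEYS_STRICT = {"alice@example.com"}
KEYS_WILDCARD = KEYS_STRICT | {"@example.com"}

if __name__ == "__main__":
    for keys in (KEYS_STRICT, KEYS_WILDCARD):
        for rcpt in ("alice@example.com", "nosuchuser@example.com",
                     "user@host.example.com"):
            print(rcpt, explain_rcpt(rcpt, RELAY_DOMAINS, MYDESTINATION, keys))
```

For a hash source such as /etc/postfix/goodmailaddr, the key set can be taken from a dump of the table (for example with postmap -s) and searched for keys that begin with @.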
 
Old 10-08-2012, 10:09 AM   #7
henrycoffin
Member
 
Registered: Dec 2006
Distribution: RHEL Debian
Posts: 42

Original Poster
Rep: Reputation: 15
I have quickly configured a test server and even if I have just one relay domain

relay_domains = example.com

and point to the same ldap server I still get the same result. Any address is allowed through. Surely this can't be right?????

I should point out that the server is only the final destination for local addresses, i.e. user@host.example.com; all other domains including example.com are relayed.

Last edited by henrycoffin; 10-08-2012 at 10:11 AM. Reason: Adding detail
 
Old 10-09-2012, 07:24 AM   #8
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
you'll have to turn on debugging to see what's happening. one guess is that the smtp connections are all coming in from mynetworks, at least from postfix's point of view (i.e. the router is rewriting the source IP address for packets coming from the outside).
 
Old 10-10-2012, 02:45 AM   #9
henrycoffin
Member
 
Registered: Dec 2006
Distribution: RHEL Debian
Posts: 42

Original Poster
Rep: Reputation: 15
Thought you might be on to something there but, alas no

A quick look at debugging hasn't shown anything obvious but i'll leave it running for a while and have another look.

I'm going to end up crawling back to qmail at this rate!!!!!!
 
  

