Discussion:
Reject mail to unknown recipients using LDAP lookups before relaying mail
mouss
2007-08-28 20:00:34 UTC
Hi all,
I've got a RHEL 4 server running Postfix 2.2.10. It is an SMTP gateway
that just forwards every piece of mail it receives for three different
domains to a spam server.
What I would like to do is check for a valid recipient using LDAP lookups
against an Active Directory domain controller and reject mail for any unknown
recipients.
Is this possible because the mydestination variable isn't one of these three
relay domains? I would assume I use the relay_recipients table right?
That's right: relay_recipient_maps.
Victor Duchovni
2007-08-28 20:55:23 UTC
What I would like to do is check for a valid recipient using LDAP lookups
against an Active Directory domain controller and reject mail for any unknown
recipients.
Is this possible because the mydestination variable isn't one of these three
relay domains? I would assume I use the relay_recipients table right?
If the domains in question are listed in relay_domains and not listed in
mydestination, recipient validation is enabled via relay_recipient_maps
as described under http://www.postfix.org/ADDRESS_CLASS_README.html#classes
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain1.com
myhostname = smtpserver.domain1.com
relay_domains = domain1.com, domain2.com, domain3.com
relayhost = spamserver.domain1.com
Perhaps you want to use a content_filter instead, so that bounces are not
also sent to the spam filter. The "relayhost" processes all remote mail,
including bounces.

You need an LDAP table that returns a non-empty lookup result for
each valid recipient.

relay_recipient_maps = proxy:ldap:/etc/postfix/relay_rcpts.cf

with suitable settings in the .cf file. Test the table first with
"postmap -q" before testing integration via relay_recipient_maps.
--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:***@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Victor Duchovni
2007-08-29 02:25:57 UTC
On second thought, I'm not sure I can do a content_filter on bounces. The
spam server sends it on to an Exchange server after checking it, so if a user
sends a bounce and the Postfix gateway filters it out, the user will never
know the mail wasn't sent, right?
I am talking about bounces *generated* by Postfix, not received by Postfix,
and using content_filter *instead* of relayhost. Or using:

relay_transport = relay:[gateway]

instead of

relayhost = [gateway]

so that mail to outside systems is not sent via the [gateway] (filter
software in front of Exchange).
--
Viktor.
Victor Duchovni
2007-09-18 17:24:51 UTC
I'm still having problems with this realtime lookup. I used the
instructions from http://www-personal.umich.edu/~malth/gaptuning/postfix/ to
periodically gather a list of valid recipients and have that working fine,
but I am still unable to do realtime lookups. Anyone have this successfully
working?
I think I understand that. I'll have to research it more.
I did run into a problem with ldap though. I've been getting the chase
referrals error and have been messing with the chase_referrals variable, but
after turning debug on, it looks like it is building the chase URL
incorrectly.
postmap: dict_ldap_debug: ldap_chase_v3referrals
postmap: dict_ldap_debug: ldap_url_parse_ext(ldap://example.com.com/dc=example.com,dc=com)
postmap: dict_ldap_debug: re_encode_request: new msgid 3, new dn <dc=example.com,dc=com>
postmap: dict_ldap_debug: ldap_chase_v3referral: msgid 2, url "ldap://example.com.com/dc=example.com,dc=com"
Any idea how I can get around this? Can I specifically list the chase url
in the config file? I didn't see an option for it in the ldap_table man
page.
Do you have "version = 3"? If so no other non-default settings should
be required (or in any case no other settings will help). You may need
help from your LDAP server administrator...
--
Viktor.
Victor Duchovni
2007-09-18 18:27:54 UTC
Yep, I have version 3 and I can successfully perform both ldap searches
using my bind dn and bind pw.
After changing "chase_referrals = no" I am getting a different error:
postmap: warning: dict_ldap_lookup: Search error 10: Referral
If I change chase_referrals to yes, it tries the malformed chase URL
postmap: dict_ldap_debug: ldap_chase_v3referrals
postmap: dict_ldap_debug: ldap_url_parse_ext(ldap://domain.com.com/dc=domain.com,dc=com)
postmap: dict_ldap_debug: re_encode_request: new msgid 3, new dn <dc=domain.com,dc=com>
postmap: dict_ldap_debug: ldap_chase_v3referral: msgid 2, url "ldap://domain.com.com/dc=domain.com,dc=com"
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ldap_new_connection
postmap: dict_ldap_debug: ldap_int_open_connection
postmap: dict_ldap_debug: ldap_connect_to_host: TCP domain.com.com:389
Is Postfix linked to the same version of OpenLDAP as the command-line
ldapsearch? Are you the LDAP server administrator? What is this ".com.com"
beastie?
--
Viktor.
Victor Duchovni
2007-09-18 18:59:51 UTC
I'm pretty sure I only have one ldapsearch binary on the system. Actually,
before I read Jeff's email, I didn't have ldapsearch installed. So I ran
"up2date --install openldap-clients" and it installed the LDAP tools, but I
still get the same error as before I had ldapsearch.
No, the idea is to repeat the search using "ldapsearch" by hand (Postfix
does not need it) and check that ldapsearch can do the lookup. If the
LDAP tools can't find the data, no use trying with Postfix.
bind_dn = cn=ldapaccess,ou=Service Accounts,ou=Administrators,dc=domain,dc=com
bind_pw = bindpasswd
version = 3
I can't figure out why or how it's building that bad ldap url with .com.com
Consult your LDAP administrator... If you are the LDAP administrator,
get help on an LDAP server forum. Use ldapsearch rather than postmap
to describe the problem there.
--
Viktor.
Victor Duchovni
2007-09-18 19:45:03 UTC
But it doesn't happen when I query it with ldapsearch manually. Everything
works fine when querying manually.
Please show verbose logging from ldapsearch doing the query and the
results. Does ldapsearch follow the reference, or merely report the
reference itself?
--
Viktor.
Victor Duchovni
2007-09-18 21:09:04 UTC
Here's the results for the address query based off username that Jeff said
to try manually.
dc=domain,dc=com -D "cn=ldapaccess,ou=Service Accounts,ou=Administrators,dc=domain,dc=com" -w "bind passwd" "uid=testuser" mail
# Test User, Users, Administrators, domain.com
dn: CN=Test User,OU=Users,OU=Administrators,DC=domain,DC=com
# search reference
ref: ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com
# search reference
ref: ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com
# search reference
ref: ldap://domain.com/CN=Configuration,DC=domain,DC=com
This reports the referrals without following them. Do the referrals
reported by "postmap -v" bear any resemblance to the above? What
are you expecting Postfix to do with the multiple referrals?
--
Viktor.
Reinaldo Carvalho
2007-09-18 21:58:55 UTC
LDAP should return either an "entry" or a "referral". Why does your LDAP
server return both? Is Postfix prepared to read this?
--
Reinaldo Carvalho
I don't know. I guess I don't know enough about LDAP and referrals. All I
know is when I run
I get a bunch of output that says it successfully connects and then eventually
postmap: warning: dict_ldap_lookup: Search error 10: Referral
http://groups.google.com/group/list.postfix.users/browse_thread/thread/949d5ef6d4a933a6/ff420b07ffe0c9ee?lnk=st&q=dict_ldap_lookup+search+error+10&rnum=12#ff420b07ffe0c9ee
If I use chase_referrals = yes, it takes a few seconds to display the error
message, if I use chase_referrals = no, it displays the error message
immediately.
-GT
GT4NE1
2007-09-18 22:31:15 UTC
I got it working. I have no idea why this works and the previous one
didn't but I'm going to blame Microsoft. :)

So after reading the Postfix wiki:

http://postfix.wiki.xs4all.nl/index.php?title=Relay_recipient_maps_using_LDAP_against_Active_Directory

I thought I would try changing my query filter, even though using
query_filter = mail was working fine when I ran it manually with
ldapsearch.

So my new /etc/postfix/ldap.cf file is:

server_host = adcontrol1.domain.com
search_base = dc=domain, dc=com
version = 3
bind_dn = cn=ldapaccess,ou=Service Accounts,ou=Administrators,dc=domain,dc=com
bind_pw = bind passwd
query_filter = (proxyAddresses=smtp:%s)
result_attribute = mail

postmap -q returns the correct value:

[***@testbox postfix]# postmap -q ***@domain2.com ldap:/etc/postfix/ldap2.cf
***@domain2.com

Then I put it into relay_recipient_maps and used telnet to test it.
[***@linuxmgmt-socal01 RPMS]# telnet xx.xx.xx.xx 25
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx (xx.xx.xx.xx).
Escape character is '^]'.
220 matttest.mascorp.com ESMTP Postfix
ehlo localhost
250-testbox.mascorp.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
mail from: <***@example.com>
250 Ok
rcpt to: <***@domain2.com>
250 Ok
rcpt to: <***@domain2.com>
550 <***@domain2.com>: Recipient address rejected: User unknown
quit
221 Bye
Connection closed by foreign host.

I'm not sure why using the mail for the query filter causes referral
issues with our domain controller, but I'm going to guess I'm not the
first person with this issue.

Thanks to all of those who talked me down from the ledge. Maybe I'll
have some free time in the future to see if I can get query filter
mail to work, but this should do for now.

Thanks,

-GT
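The telnet test above, replayed as an added example that is not part of the original thread and is not Postfix code: a minimal stand-in SMTP listener in Python that rejects at RCPT time from a constructed in-memory recipient set (standing in for relay_recipient_maps), plus an smtplib probe that runs EHLO, MAIL FROM and one RCPT TO per address, then RSET and QUIT without ever sending DATA. The hostnames gateway.domain.com and probe.example.net and the addresses in RELAY_RECIPIENTS are assumptions made for the example.

```python
import smtplib
import socketserver
import threading

# Constructed stand-in for the relay_recipient_maps lookup: the gateway in
# the thread asks LDAP for this; here it is a set so the exchange runs offline.
RELAY_RECIPIENTS = {"test.user@domain2.com", "shared@domain2.com"}


def _rcpt_address(cmd):
    """Pull the address out of 'RCPT TO:<user@host>' (brackets optional)."""
    _, _, rest = cmd.partition(":")
    return rest.strip().strip("<>").strip()


class RecipientCheckingSMTP(socketserver.StreamRequestHandler):
    """Just enough of RFC 5321 to show the RCPT-time rejection.

    The 550 text mirrors the Postfix reply for an address missing from
    relay_recipient_maps. Matching is case-insensitive; hostnames are assumed."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 gateway.domain.com ESMTP (test stand-in)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250-gateway.domain.com")
                self.reply("250 8BITMIME")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = _rcpt_address(cmd)
                if addr.lower() in RELAY_RECIPIENTS:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply(f"550 5.1.1 <{addr}>: Recipient address rejected: "
                               "User unknown in relay recipient table")
            elif verb == "RSET":
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


def probe_recipients(host, port, sender, recipients):
    """Replay the thread's telnet session with smtplib: EHLO, MAIL FROM,
    RCPT TO per address, then RSET and QUIT so nothing is delivered.
    Returns {address: (reply code, reply text)}."""
    results = {}
    with smtplib.SMTP(host, port, timeout=10) as smtp:   # __exit__ sends QUIT
        smtp.ehlo("probe.example.net")
        code, text = smtp.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {text.decode()}")
        for addr in recipients:
            code, text = smtp.rcpt(addr)
            results[addr] = (code, text.decode())
        smtp.rset()
    return results


def run_demo(recipients=("test.user@domain2.com", "nobody@domain2.com")):
    """Start the stand-in gateway on a loopback port, probe it, stop it."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), RecipientCheckingSMTP)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return probe_recipients("127.0.0.1", port, "sender@example.com", recipients)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for addr, (code, text) in run_demo().items():
        print(f"RCPT TO:<{addr}> -> {code} {text}")
```

The RCPT-without-DATA probe is how you verify a gateway's recipient validation, and it is also how an outsider enumerates valid addresses once validation is live: the 550 is the point of the exercise, so pair it with Postfix's smtpd_error_sleep_time and smtpd_hard_error_limit so that a client collecting many 550s in one session is slowed down and then disconnected.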
MacShane, Tracy
2007-09-19 00:32:00 UTC
Hm, I've not had problems getting the "mail" attribute in my LDAP query,
but I'm using Perl to build my map files asynchronously (it's not as if
email addresses change that frequently in the domain). proxyAddresses
has the advantage of containing all the aliases a mailbox might have -
is that "result_attribute = mail" multivalued? It'd be a bummer if
proxyAddresses has multiple values and you aren't picking up the value
that you need (since the entry that is the same as the default "mail"
attribute can appear anywhere on the list, if it is a list).
Victor Duchovni
2007-09-19 00:46:27 UTC
Post by GT4NE1
proxyAddresses
has the advantage of containing all the aliases a mailbox might have -
is that "result_attribute = mail" multivalued
No, the "mail" attribute in AD and many other LDAP schemas holds
a single primary email address. With AD it is correct to query
"proxyAddresses=smtp:%s", because that supports all the alternative
addresses of the user, including the primary.
--
Viktor.
MacShane, Tracy
2007-09-19 00:51:43 UTC
Sorry, I was obviously not being clear. I know that "mail" is
single-valued and "proxyAddresses" is multivalued. I was just wondering
if the MTA end is processing any multiple values that may exist (since
the OP was trying to look for a single value initially). Of course, if
proxyAddresses is only holding the default mail address (and no others),
it won't be an issue.
MacShane, Tracy
2007-09-19 01:02:41 UTC
Post by MacShane, Tracy
Sorry, I was obviously not being clear. I know that "mail" is
single-valued and "proxyAddresses" is multivalued.
This is sufficient, the requirement is a multi-valued lookup
key and a single-valued unambiguous result.
Oh, yes, of course - if an alias matches _any_ one of the values, mail
will be routed to the mailbox that's associated with that alias. My
brain really is not functioning today!
Victor Duchovni
2007-09-19 00:56:21 UTC
Post by MacShane, Tracy
Sorry, I was obviously not being clear. I know that "mail" is
single-valued and "proxyAddresses" is multivalued.
This is sufficient, the requirement is a multi-valued lookup key and a
single-valued unambiguous result.
--
Viktor.
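Tracy's approach of building the relay_recipient_maps file asynchronously from the directory, combined with Victor's point that proxyAddresses (not mail) carries every SMTP alias of a mailbox including the primary, as an added example; this is not Tracy's Perl script and not Postfix or OpenLDAP code. It takes ldapsearch output of the kind shown earlier in the thread (the sample below is constructed, including its base64-encoded and folded lines), keeps the search references separate from the entries, and emits a hash-table source restricted to the relay domains from the original post. The file name relay_recipients and the postmap step are assumptions about how it would be wired in.

```python
import base64
import re

# Constructed sample of ldapsearch output from an AD domain controller,
# shaped like the transcript in the thread: two user entries plus the
# trailing "search reference" records for the other naming contexts.
# One value is base64-encoded ("::") and one line is folded, both of
# which real ldapsearch output produces and a naive grep would miss.
SAMPLE_LDIF = """\
# Test User, Users, Administrators, domain.com
dn: CN=Test User,OU=Users,OU=Administrators,DC=domain,DC=com
mail: test.user@domain.com
proxyAddresses: SMTP:test.user@domain.com
proxyAddresses: smtp:tuser@domain2.com
proxyAddresses: smtp:test.user@domain3.com
proxyAddresses: X400:c=US;a= ;p=Domain;o=Exchange;s=User;g=Test;

# Shared Box, Users, Administrators, domain.com
dn: CN=Shared Box,OU=Users,OU=Administrators,DC=domain,DC=com
mail: shared@domain2.com
proxyAddresses:: c210cDpzaGFyZWRAZG9tYWluMi5jb20=
proxyAddresses: smtp:shared-alias@do
 main2.com

# search reference
ref: ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com

# search reference
ref: ldap://domain.com/CN=Configuration,DC=domain,DC=com
"""

_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Split ldapsearch output into (entries, references).

    entries    -- one {attribute_lowercased: [values]} dict per dn
    references -- the URLs from "ref:" search-reference records

    A domain controller returns search references for the partitions it
    does not hold; they are not recipients, so they are kept apart rather
    than mixed into the entry list."""
    lines = []                                  # unfold, drop comments
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, references = [], []
    current = None
    for line in lines + [""]:                   # sentinel flushes the last record
        if line == "":
            if current is not None and "dn" in current:
                entries.append(current)
            current = None
            continue
        if line.startswith("ref:"):
            references.append(line[4:].strip())
            continue
        match = _ATTR_LINE.match(line)
        if not match:
            continue                            # not an attribute line
        attr, sep, value = match.group(1).lower(), match.group(2), match.group(3)
        if sep == "::":                         # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    return entries, references


def relay_recipients_from_entries(entries, relay_domains):
    """Return {address: address} for every smtp:/SMTP: proxy address in a
    domain we relay for. The "smtp" tag is matched case-insensitively so the
    primary (SMTP:) and the aliases (smtp:) are both kept; X400:, SIP: and
    other tags are not SMTP routes and are skipped."""
    domains = {d.lower() for d in relay_domains}
    table = {}
    for entry in entries:
        for value in entry.get("proxyaddresses", []):
            tag, _, addr = value.partition(":")
            if tag.lower() != "smtp" or "@" not in addr:
                continue
            addr = addr.strip().lower()
            if addr.rsplit("@", 1)[1] in domains:
                table[addr] = addr
    return table


def render_relay_recipients(table):
    """Hash-table source for 'postmap hash:/etc/postfix/relay_recipients'."""
    return "".join(f"{key} {value}\n" for key, value in sorted(table.items()))


if __name__ == "__main__":
    entries, refs = parse_ldif(SAMPLE_LDIF)
    print(f"# {len(entries)} entries, {len(refs)} search references ignored")
    table = relay_recipients_from_entries(entries, ["domain.com", "domain2.com", "domain3.com"])
    print(render_relay_recipients(table), end="")
```

Write the rendered output to /etc/postfix/relay_recipients, run postmap on it, and point relay_recipient_maps at hash:/etc/postfix/relay_recipients; the lookup then succeeds or fails locally, and referrals never reach the SMTP path. The cost is that the table is only as fresh as the last export, which is the trade Tracy describes.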