3

I have a working openLDAP v3 installation under Ubuntu 14.04 (slapd 2.4.31-1) with phpldapadmin, sudo-ldap and other packages installed. I'm trying to integrate postfix with LDAP so I can send emails to users@host2.example.com or users@host10.example.com for example.

Current Setup

As part of this setup I have host attributes for each host a user is allowed access to (or is simply a * for allowing access to all hosts). I use this on my ldap clients to grant or deny access to particular hosts. Also associated with each user is their corporate email address in the mail attribute. An example LDIF for a user is given below:

dn: uid=auser,ou=People,dc=example,dc=com
cn: A User
displayname: A User
gecos: A User
gidnumber: 1011
givenname: A
homedirectory: /home/auser
host: host1
host: host2
host: host3
host: host4
mailacceptinggeneralid: root
loginshell: /bin/bash
mail: a.user@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
objectclass: hostObject
objectclass: postfixUser
objectclass: top
sn: User
uid: auser
uidnumber: 1001

Postfix Lookups of User Email Addresses in LDAP

I have a /etc/postfix/ldap-aliases.cf file with the following contents for achieving this:

server_host = ldap.example.com
search_base = dc=example, dc=com

# look for entries with this
query_filter = (|(uid=%s)(mailacceptinggeneralid=%s)(mail=%s@example.com))

# what attribute from the search result is returned
result_attribute = mail

# the format in which the result is returned
result_format = %s

This configuration works so far and is confirmed with the following postmap commands returning the addresses I expect:

# A query using the uid of the user
postmap -q auser ldap:/etc/postfix/ldap-mail.cf
a.user@example.com

# A query using the corporate username
postmap -q a.user ldap:/etc/postfix/ldap-mail.cf
a.user@example.com

# A query for a user specified in mailacceptinggeneralid
postmap -q root ldap:/etc/postfix/ldap-mail.cf
a.user@example.com

Postfix Lookups of Users with Access to a Host

I want to be able to send emails to users@host2.example.com for example, and have the addresses pulled from LDAP for all users who have access to host2 (i.e. host attribute is set to host2 or *. This I where I need some help.

So far, I have a file /etc/postfix/ldap-host-users.cf which contains:

server_host = ldap.example.com
search_base = dc=example, dc=com
query_filter = (|(host=%3)(host=\*))
result_attribute = mail
result_format = %s

It assumes the query contains the FQDN, but I think postfix only uses the username (possibly due to me using alias_maps in /etc/postfix/main.cf?). Anyway, testing the above:

postmap -q users@host2.example.com ldap:/etc/postfix/ldap-host-users.cf
a.user@example.com

# The following also returns a list of email addresses, but shouldn't:
postmap -q any_group@host2.example.com ldap:/etc/postfix/ldap-host-users.cf
a.user@example.com

postconf -n Output

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-mail.cf, ldap:/etc/postfix/ldap-host-users.cf
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, localhost.example.com, , localhost
myhostname = host2.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Questions

  • Does postfix only query using the local username and doesn't include the FQDN in the query?
    • Is this because I'm using alias_maps in /etc/postfix/main.cf?
  • Can I somehow check that the username part of the query is users and return nothing if it is something else? e.g. In query_filter can I do something like %u="users"?
  • Is there a better/different way to achieve this?

1 Answers1

3

Some partial answers:

1. Does postfix only query using the local username and doesn't include the FQDN in the query? Is this because I'm using alias_maps in /etc/postfix/main.cf?

YES, according alias_maps documentation, we need to refer on man 5 aliases to know the syntax details.

The name is a local address (no domain part). Use double quotes when the name contains any special characters such as whitespace, #',:', or `@'. The name is folded to lowercase, in order to make database lookups case insensitive.

So, this is an expected behavior from postfix.


3. Is there a better/different way to achieve this?

Use virtual_alias_maps. According to this answer on Confused about alias_maps and virtual_alias_maps, virtual_alias_maps will "user@domain" as input.

masegaloeh
  • 17,978
  • 9
  • 56
  • 104