I have a working openLDAP v3 installation under Ubuntu 14.04 (slapd 2.4.31-1) with phpldapadmin, sudo-ldap and other packages installed. I'm trying to integrate postfix with LDAP so I can send emails to users@host2.example.com or users@host10.example.com, for example.
Current Setup
As part of this setup I have host attributes for each host a user is allowed access to (or simply a * for allowing access to all hosts). I use this on my LDAP clients to grant or deny access to particular hosts. Also associated with each user is their corporate email address in the mail attribute. An example LDIF for a user is given below:
dn: uid=auser,ou=People,dc=example,dc=com
cn: A User
displayname: A User
gecos: A User
gidnumber: 1011
givenname: A
homedirectory: /home/auser
host: host1
host: host2
host: host3
host: host4
mailacceptinggeneralid: root
loginshell: /bin/bash
mail: a.user@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
objectclass: hostObject
objectclass: postfixUser
objectclass: top
sn: User
uid: auser
uidnumber: 1001
Postfix Lookups of User Email Addresses in LDAP
I have a /etc/postfix/ldap-aliases.cf file with the following contents for achieving this:
server_host = ldap.example.com
search_base = dc=example, dc=com
# look for entries with this
query_filter = (|(uid=%s)(mailacceptinggeneralid=%s)(mail=%s@example.com))
# what attribute from the search result is returned
result_attribute = mail
# the format in which the result is returned
result_format = %s
This configuration works so far and is confirmed with the following postmap commands returning the addresses I expect:
# A query using the uid of the user
postmap -q auser ldap:/etc/postfix/ldap-mail.cf
a.user@example.com
# A query using the corporate username
postmap -q a.user ldap:/etc/postfix/ldap-mail.cf
a.user@example.com
# A query for a user specified in mailacceptinggeneralid
postmap -q root ldap:/etc/postfix/ldap-mail.cf
a.user@example.com
Postfix Lookups of Users with Access to a Host
I want to be able to send emails to users@host2.example.com, for example, and have the addresses pulled from LDAP for all users who have access to host2 (i.e. the host attribute is set to host2 or *). This is where I need some help.
So far, I have a file /etc/postfix/ldap-host-users.cf which contains:
server_host = ldap.example.com
search_base = dc=example, dc=com
query_filter = (|(host=%3)(host=\*))
result_attribute = mail
result_format = %s
It assumes the query contains the FQDN, but I think postfix only uses the username (possibly due to me using alias_maps in /etc/postfix/main.cf?). Anyway, testing the above:
postmap -q users@host2.example.com ldap:/etc/postfix/ldap-host-users.cf
a.user@example.com
# The following also returns a list of email addresses, but shouldn't:
postmap -q any_group@host2.example.com ldap:/etc/postfix/ldap-host-users.cf
a.user@example.com
postconf -n Output
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-mail.cf, ldap:/etc/postfix/ldap-host-users.cf
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, localhost.example.com, , localhost
myhostname = host2.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
Questions
- Does postfix only query using the local username and not include the FQDN in the query?
- Is this because I'm using alias_maps in /etc/postfix/main.cf?
- Can I somehow check that the username part of the query is users and return nothing if it is something else? e.g. in query_filter can I do something like %u="users"?
- Is there a better/different way to achieve this?
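To make the behaviour of the host-users map concrete, here is an added example (not part of the question above, and not Postfix code) that emulates the query_filter substitution rules documented in ldap_table(5): %s is the whole key, %u the local part, %d the domain, and %1..%9 the domain components counted from the right, so %3 of users@host2.example.com is host2; every substituted value is RFC 4515-escaped, and a %d or %N that cannot be satisfied suppresses the query. It then runs the expanded filter against a small in-memory directory built from the LDIF shape in the post. The directory entries are constructed sample data, and the filter uses \2a (the standard escape for a literal asterisk) where the post writes \*; that spelling is an assumption, not something the question confirms works on its server.

```python
import re

# RFC 4515 escaping that Postfix applies to every value it substitutes into
# query_filter (ldap_table(5)), so a key containing "*" or "(" cannot change
# the structure of the filter.
_LDAP_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


class _Suppressed(Exception):
    """Raised when ldap_table(5) says the lookup is suppressed (no result)."""


def expand(template, key):
    """Expand %s, %u, %d and %1..%9 as ldap_table(5) documents them.

    Returns the expanded filter, or None when the query is suppressed
    (a %d or %N pattern that the key cannot satisfy).
    """
    if "@" in key:
        local, domain = key.rsplit("@", 1)
        components = domain.split(".")[::-1]  # %1 is the rightmost label
    else:
        local, domain, components = key, None, []

    def substitute(match):
        code = match.group(1)
        if code == "%":
            return "%"
        if code == "s":
            return ldap_escape(key)
        if code == "u":
            return ldap_escape(local)  # whole key when there is no '@'
        if code == "d":
            if domain is None:
                raise _Suppressed
            return ldap_escape(domain)
        index = int(code)  # '1'..'9'
        if index > len(components):
            raise _Suppressed
        return ldap_escape(components[index - 1])

    try:
        return re.sub(r"%([%sud1-9])", substitute, template)
    except _Suppressed:
        return None


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Recursive-descent parser for the subset of filters used here: &, |, !, and attr=value."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] != ")":
            sub, i = _parse(s, i)
            subs.append(sub)
        return (op, subs), i + 1
    if s[i] == "!":
        sub, i = _parse(s, i + 1)
        return ("!", [sub]), i + 1
    end = s.index(")", i)  # a literal ')' inside a value is always escaped as \29
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return node


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":  # presence filter; an escaped \2a is a literal asterisk
        return bool(values)
    wanted = _unescape(raw).lower()
    return any(v.lower() == wanted for v in values)


def lookup(template, key, directory):
    """Emulate one ldap_table lookup: expand the filter, match, return the mail values."""
    expanded = expand(template, key)
    if expanded is None:
        return []
    node = parse_filter(expanded)
    return sorted(m for e in directory if matches(node, e) for m in e.get("mail", []))


# The filter from the post, with the literal "*" written as the RFC 4515 escape \2a.
POST_FILTER = r"(|(host=%3)(host=\2a))"

# Constructed sample entries shaped like the LDIF in the question.
DIRECTORY = [
    {"uid": ["auser"], "host": ["host1", "host2", "host3", "host4"], "mail": ["a.user@example.com"]},
    {"uid": ["buser"], "host": ["*"], "mail": ["b.user@example.com"]},
    {"uid": ["cuser"], "host": ["host9"], "mail": ["c.user@example.com"]},
]

if __name__ == "__main__":
    for key in ("users@host2.example.com", "any_group@host2.example.com", "users"):
        print(key, "->", expand(POST_FILTER, key), "->", lookup(POST_FILTER, key, DIRECTORY))
```

Running it shows that the filter expands identically for users@host2.example.com and any_group@host2.example.com, because %3 only ever sees the domain; the local part is discarded unless the filter mentions %u. It also shows that an unqualified key such as users makes %3 unsatisfiable, so the lookup returns nothing at all rather than an error.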