From: Artur Muecke (muecke tyntec.biz)
Date: Wed Jan 16 2008 - 09:05:07 CST
Hi everyone,
I have trouble configuring Postfix to use SSL or TLS to connect to my
OpenLDAP server. Here is some information about the versions I am using:
Postfix-OS: Debian (Etch)
LDAP-OS: Debian (Etch)
Postfix: postfix-2.3.8-2+b1 postfix-ldap-2.3.8-2+b1
LDAP: slapd 2.3.30
Here is what I am doing. My postfix server relays mails after checking them
(SPAM and Viruses) to another postfix server.
Therefore it reads the "relay-domains" and "relay-recipient-maps" from an
external LDAP-Server.
Here is how I configured postfix to do this:
main.cf
===================
...
relayhost = [my2ndSMTP.de]:25
relay_domains = ldap:/etc/postfix/domains.cf
relay_recipient_maps = ldap:/etc/postfix/users.cf
    ldap:/etc/postfix/aliases.cf
...
domains.cf
==================
## RELAY - DOMAINS ##
server_host = ldap://10.3.5.32:389
version = 3
start_tls = yes
tls_ca_cert_file = /etc/ssl/certs/CA.pem
tls_cert = /etc/ssl/certs/toa20cert.pem
tls_key = /etc/ssl/certs/toa20key.pem
bind = no
search_base = ou=DNSObjects,ou=AdminObjects,ou=OxObjects,dc=ldap,dc=mydomain,dc=com
query_filter = (domainName=%s)
result_attribute = domainName
=================
aliases.cf and users.cf are almost the same, just with a different
search base and so on.
Without using TLS everything works fine, but as soon as I turn on TLS in
Postfix, the server doesn't relay any mails.
The LDAP and Postfix certificates should be correct, because
an "ldapsearch -x -ZZ ..." works (same certificates).
My TLS LDAP conf looks like this:
==================
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ldap/certs/CA.pem
TLSCertificateFile /etc/ldap/certs/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/certs/ldapkey.pem
==================
"openssl s_client -connect 10.3.5.32:636 -CAfile /etc/ssl/certs/CA.pem"
says that everything is fine:
...
Start Time: 1200495781
Timeout : 300 (sec)
Verify return code: 0 (ok)
...
I checked the TLS config with postmap like this:
=====================================================
postmap -q "domain.com" ldap:/etc/postfix/domains.cf
=====================================================
and it works perfectly.
When I start postfix and try to send (relay) mails, I get the following error
messages in my mail.log:
=============================================================================
Jan 16 15:45:09 toa20 postfix/smtpd[13366]: connect from localhost[127.0.0.1]
Jan 16 15:45:15 toa20 postfix/master[13359]: warning: process /usr/lib/postfix/trivial-rewrite pid 13369 exit status 2
Jan 16 15:45:16 toa20 postfix/smtpd[13366]: warning: problem talking to service rewrite: Success
Jan 16 15:45:16 toa20 postfix/master[13359]: warning: process /usr/lib/postfix/trivial-rewrite pid 13370 exit status 2
Jan 16 15:45:16 toa20 postfix/master[13359]: warning: /usr/lib/postfix/trivial-rewrite: bad command startup -- throttling
=============================================================================
Btw, Postfix is running chrooted on Debian. Because of that I copied the
certificates to the chrooted directory (/var/spool/postfix/etc/ssl/certs),
according to the config shown above. I don't know if that is necessary.
It shouldn't be something about the user permissions, because I tried the
postmap command as the postfix user and it works as well as with root.
Now I am kind of innocent and wonder if someone can help me out.
Would be happy about some advice.
Cheers,
Artur
"There are 10 kinds of people in the world, those who understand binary
math, and those who don't."
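A check worth running on a setup like the one described above, added here as an example (it is not part of the original post, of Postfix, or of Debian): it reads the three TLS file parameters from a Postfix LDAP map file and verifies that each path is readable under every filesystem root the map can be opened from. The point is that "postmap -q" runs unchrooted and sees the real root, while a chrooted daemon such as trivial-rewrite sees only the tree under the chroot directory, so a map that works from postmap can still fail from a daemon. The parameter names, the certificate paths and the chroot location /var/spool/postfix come from the post; the fixture directory, its empty placeholder files and the helper names check_tls_paths and make_fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every certificate file
# named in a Postfix LDAP map (tls_ca_cert_file, tls_cert, tls_key) is readable
# under each filesystem root it may be opened from. "postmap -q" runs unchrooted
# and sees the real root; on Debian the daemons that consult the map run
# chrooted under /var/spool/postfix and see only that tree.

# check_tls_paths MAPFILE ROOT...
#   Prints one line per (parameter, root) pair and returns 1 if any file is
#   missing or unreadable under some root. Pass "" as a root for the real /.
check_tls_paths() {
    mapfile="$1"
    shift
    rc=0
    for key in tls_ca_cert_file tls_cert tls_key; do
        # First "key = value" line, trailing whitespace stripped. tls_cert does
        # not match tls_cert_file because "=" must follow the key name.
        value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$mapfile" \
                | sed 's/[[:space:]]*$//' | head -n 1)
        [ -n "$value" ] || continue
        for root in "$@"; do
            if [ -r "${root}${value}" ]; then
                printf 'ok      %-17s %s%s\n' "$key" "$root" "$value"
            else
                printf 'MISSING %-17s %s%s\n' "$key" "$root" "$value"
                rc=1
            fi
        done
    done
    return "$rc"
}

# make_fixture
#   Constructed, self-contained layout mirroring the post: a map file with the
#   post's paths, all three files present under a fake real root, but only the
#   cert and key copied into a fake chroot (the CA file is not). Prints the dir.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/real/etc/ssl/certs" "$fx/chroot/etc/ssl/certs"
    cat > "$fx/domains.cf" <<'EOF'
## RELAY - DOMAINS ##
server_host = ldap://10.3.5.32:389
version = 3
start_tls = yes
tls_ca_cert_file = /etc/ssl/certs/CA.pem
tls_cert = /etc/ssl/certs/toa20cert.pem
tls_key = /etc/ssl/certs/toa20key.pem
bind = no
EOF
    for f in CA.pem toa20cert.pem toa20key.pem; do
        : > "$fx/real/etc/ssl/certs/$f"
    done
    : > "$fx/chroot/etc/ssl/certs/toa20cert.pem"
    : > "$fx/chroot/etc/ssl/certs/toa20key.pem"
    printf '%s\n' "$fx"
}

# Stand-alone demonstration on the constructed fixture. Against a live system
# the call would be: check_tls_paths /etc/postfix/domains.cf "" /var/spool/postfix
fixture=$(make_fixture)
check_tls_paths "$fixture/domains.cf" "$fixture/real" "$fixture/chroot" \
    || echo "at least one TLS file is not visible under every root"
rm -rf "$fixture"
```

Run the live check as the postfix user rather than as root (for example through su with the postfix account), so that the -r tests reflect the permissions the chrooted daemon actually has; a file that root can read but the daemon cannot shows up as MISSING only then. The script does not try to diagnose the log messages in the post; it only separates "the map works from postmap" from "the map's files are visible from inside the chroot", which are two different conditions.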