Skip to content

Instantly share code, notes, and snippets.

@tjormola

tjormola/gist:98efc0c8eb8219d4a48ab75465e468c0

Created July 18, 2016 22:48
Show Gist options
  • Save tjormola/98efc0c8eb8219d4a48ab75465e468c0 to your computer and use it in GitHub Desktop.
Save tjormola/98efc0c8eb8219d4a48ab75465e468c0 to your computer and use it in GitHub Desktop.
Download ZIP
TLS protected LDAP connection problem with Postfix doing ldap_table lookups from ActiveDirectory
Raw
gistfile1.txt
############################################################
# Story: Postfix 3.1.0 as packaged in Ubuntu 16.04 xenial
# fails to open a STARTTLS initiated TLS protected connection
# to LDAP when using ldap_table for
# e.g. virtual_mailbox_domains with error
#
# Unable to allocate new TLS context -1: Can't contact LDAP server
#
# The target LDAP is an ActiveDirectory instance implemented
# by Samba 4.4.5. Certificate chain is ok with a custom CA.
# Everything related to LDAP lookups from Postfix work
# perfectly if not using TLS.
#
# The strange thing is that TLS protected connections
# to this AD work fine with other tools such as ldapsearch and
# postmap on command-line, but the processes launched by
# Postfix upon receiving mail will fail to initialize TLS
# in the LDAP client library code and generate this error.
#
# In Ubuntu/xenial Postfix is linked against OpenLDAP 2.4.42
# which is linked against GnuTLS 3.4.10 for the TLS stuff.
############################################################
############################################################
# main.cf
############################################################
shelluser@postfix-host:~$ sudo postconf -nf
mydestination =
mydomain = domain.example
mynetworks = 127.0.0.0/8 10.16.0.0/16
smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination
virtual_mailbox_domains = ldap:/etc/postfix/virtual-mailbox-domains.cf
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-maps-dummy-test.cf
virtual_transport = lmtp:inet:dovecot-host.domain.example:24
############################################################
############################################################
# master.cf
############################################################
shelluser@postfix-host:~$ sudo postconf -Mf
smtp inet n - y - - smtpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
############################################################
############################################################
# /etc/postfix/virtual-mailbox-maps-dummy-test.cf for testing without LDAP
############################################################
shelluser@postfix-host:~$ cat /etc/postfix/virtual-mailbox-maps-dummy-test.cf
[email protected] OK
############################################################
############################################################
# /etc/postfix/virtual-mailbox-domains.cf the ldap_table configuration file
############################################################
shelluser@postfix-host:~$ grep -v '#' /etc/postfix/virtual-mailbox-domains.cf
server_host = ldap://dc-host.domain.example
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-cert.pem
debuglevel = 1
bind = yes
bind_dn = [email protected]
bind_pw = postfix-password
search_base = cn=Mail,dc=domain,dc=example
scope = one
query_filter = (CN=%s)
result_attribute = cn
############################################################
############################################################
# Emulate the LDAP connection and query done by Postfix using ldapsearch, this works ok
############################################################
shelluser@postfix-host:~$ ldapsearch -h dc-host.domain.example -D [email protected] -x -w postfix-password -ZZ -b cn=Mail,dc=domain,dc=example -s one '(CN=example.com)' cn
# extended LDIF
#
# LDAPv3
# base <cn=Mail,dc=domain,dc=example> with scope oneLevel
# filter: (CN=example.com)
# requesting: cn
#
# example.com, Mail, domain.example
dn: CN=example.com,CN=Mail,DC=domain,DC=example
cn: example.com
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
############################################################
############################################################
# postmap -q works too, debuglevel = 1 commented out from the ldap_table config
############################################################
shelluser@postfix-host:~$ postmap -q example.com ldap:/etc/postfix/virtual-mailbox-domains.cf
example.com
############################################################
############################################################
# Now when receiving mail, we see this in Postfix logs
############################################################
Jul 19 01:23:54 postfix-host postfix[25131]: Postfix is running with backwards-compatible default settings
Jul 19 01:23:54 postfix-host postfix[25131]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Jul 19 01:23:54 postfix-host postfix[25131]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Jul 19 01:23:56 postfix-host postfix/master[25197]: daemon started -- version 3.1.0, configuration /etc/postfix
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: connect from client-host.domain.example[10.16.12.10]
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_create
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_url_parse_ext(ldap://dc-host.domain.example)
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: TLS: could not allocate default ctx.
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_err2string
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains: ldap:/etc/postfix/virtual-mailbox-domains.cf: table lookup problem
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains lookup failure
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_create
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_url_parse_ext(ldap://dc-host.domain.example)
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: TLS: could not allocate default ctx.
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_err2string
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains: ldap:/etc/postfix/virtual-mailbox-domains.cf: table lookup problem
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains lookup failure
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: NOQUEUE: reject: RCPT from client-host.domain.example[10.16.12.10]: 451 4.3.0 <[email protected]>: Temporary lookup failure; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<dc-host.domain.example>
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: disconnect from client-host.domain.example[10.16.12.10] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
############################################################
@jivanpal
Copy link

I'm experiencing the exact same issue now! Did you ever resolve this, by any chance? I'd love to know how you fixed it; been looking for hours on end...

@csarn
Copy link

csarn commented Oct 2, 2022
edited
Loading

For anyone finding this via google:
smtpd is running inside a chroot, where the CA certificate does not exist. You have to copy (or bind-mount) /etc/ssl/certs/ca-cert.pem to /var/spool/postfix/etc/ssl/certs/ca-cert.pem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment