question: Is the relay host support compatible with LDAP? #3860

@MohammedNoureldin

📝 Preliminary Checks

  • I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

👀 What Happened?

Configuring the simplest possible SMTP relay does not seem to work. However, LDAP is also configured.

👟 Reproduction Steps

  • Set the relay variables
  • Send email
  • The relay is not being used, the email gets delivered directly without relaying to the specified SMTP server.

In postfix config, I saw this entry:

$ cat /etc/postfix/sasl_passwd 
[smtp.postmarkapp.com]:25    MY_SECRET

Meaning the configuration is basically applied.

Note: I also tried port 587

I tried to send to a Gmail address and an internal one (actually the same user as the sender), and both ended up delivered directly with no relay to the relay-in-the-middle server.

It is probably related to LDAP, as the tests work. Though, I am not able at the moment to test on an external ENV without LDAP.

I am not sure if this is directly related to #2673 or #2819. I tried some of the information stated here, but it did not help.

I have no gmail in my LDAP or any special rules for it other than what is mentioned.

🐋 DMS Version

13.3.1

💻 Operating System and Architecture

Ubuntu 22.04, ARM64

⚙️ Container configuration files

Environment config
  OVERRIDE_HOSTNAME: "mail.{{ .Values.domain_name }}"
  LOG_LEVEL: info
  TZ: "{{ .Values.timezone }}"
  POSTFIX_MAILBOX_SIZE_LIMIT: "100000000" # In bytes (100 MB).
  POSTMASTER_ADDRESS: "postmaster@{{ .Values.domain_name }}"
  ENABLE_MANAGESIEVE: "1"

  ACCOUNT_PROVISIONER: "LDAP"
  LDAP_START_TLS: "yes"
  LDAP_SERVER_HOST: ldap://dc1.domain-controller.svc.cluster.local
  LDAP_SEARCH_BASE: "{{ .Values.ldap_search_base }}"
  LDAP_BIND_DN: "{{ .Values.bind_dn }}"
  LDAP_BIND_PW: "{{ .Values.bind_initial_password }}"
  LDAP_QUERY_FILTER_USER: (&(objectClass=person)(mail=%s))
  LDAP_QUERY_FILTER_GROUP: (&(objectClass=group)(mail=%s))
  LDAP_QUERY_FILTER_ALIAS: (proxyAddresses=smtp:%s)
  LDAP_QUERY_FILTER_DOMAIN: (mail=*@%s)
  SPOOF_PROTECTION: "1"
  LDAP_QUERY_FILTER_SENDERS: (|(mail=%s)(proxyAddresses=smtp:%s)(memberOf=cn=Domain Admins,cn=Users,dc=*)(memberOf=cn=Generic Email Sender,cn=Users,dc=*))
  DOVECOT_TLS: "yes"
  DOVECOT_USER_FILTER: (&(objectClass=person)(sAMAccountName=%n))
  # DOVECOT_USER_ATTRS: =uid=%{ldap:uidNumber},=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir # Valid only when using idmap AD backend.
  DOVECOT_USER_ATTRS: =uid=5000,=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir
  DOVECOT_PASS_ATTRS: sAMAccountName=user,userPassword=password
  DOVECOT_AUTH_BIND: "yes"
  ENABLE_SASLAUTHD: "1"
  SASLAUTHD_LDAP_START_TLS: "yes"
  SASLAUTHD_MECHANISMS: ldap
  SASLAUTHD_LDAP_FILTER: (&(sAMAccountName=%U)(objectClass=person))

  SSL_TYPE: manual
  SSL_CERT_PATH: /secrets/ssl/rsa/tls.crt
  SSL_KEY_PATH: /secrets/ssl/rsa/tls.key
  
  ### Spam and dangerous content ###
  ENABLE_RSPAMD: "1"
  # Rspamd replaces these services.
  ENABLE_OPENDKIM: "0"
  ENABLE_OPENDMARC: "0"
  ENABLE_POLICYD_SPF: "0"
  ENABLE_AMAVIS: "0"
  ENABLE_SPAMASSASSIN: "0"

  MOVE_SPAM_TO_JUNK: "1"

  ENABLE_CLAMAV: "0"

  ENABLE_POSTGREY: "0" # Rejects E-Mails from the triplet CLIENT_IP/SENDER/RECIPIENT if seen again in less than a specific time (5 min by default).
  ENABLE_FAIL2BAN: "0" # Analyses the log and recognizes the malicious behavior.

  ### Relay ###
  RELAY_HOST: smtp.postmarkapp.com
  RELAY_PORT: "25" # "587"
  RELAY_USER: "SECRET"
  RELAY_PASSWORD: "SECRET"

📜 Relevant log output

Log output
mailserver ENABLE_OPENDKIM='0'
mailserver ENABLE_OPENDMARC='0'
mailserver ENABLE_POLICYD_SPF='0'
mailserver ENABLE_POP3='0'
mailserver ENABLE_POSTGREY='0'
mailserver ENABLE_QUOTAS='1'
mailserver ENABLE_RSPAMD='1'
mailserver ENABLE_RSPAMD_REDIS='1'
mailserver ENABLE_SASLAUTHD='1'
mailserver ENABLE_SPAMASSASSIN='0'
mailserver ENABLE_SPAMASSASSIN_KAM='0'
mailserver ENABLE_SRS='0'
mailserver ENABLE_UPDATE_CHECK='1'
mailserver FAIL2BAN_BLOCKTYPE='drop'
mailserver FETCHMAIL_PARALLEL='0'
mailserver FETCHMAIL_POLL='300'
mailserver GETMAIL_POLL='5'
mailserver LDAP_BIND_DN='cn=_binder,cn=Users,dc=intra,dc=DOMAIN,dc=com'
mailserver LDAP_BIND_PW='Ch@n9eMe'
mailserver LDAP_SEARCH_BASE='dc=intra,dc=DOMAIN,dc=com'
mailserver LDAP_SERVER_HOST='ldap://dc1.domain-controller.svc.cluster.local'
mailserver LDAP_START_TLS='yes'
mailserver LOGROTATE_INTERVAL='weekly'
mailserver LOGWATCH_INTERVAL='none'
mailserver LOGWATCH_RECIPIENT='[email protected]'
mailserver LOGWATCH_SENDER='[email protected]'
mailserver LOG_LEVEL='debug'
mailserver MARK_SPAM_AS_READ='0'
mailserver MOVE_SPAM_TO_JUNK='1'
mailserver NETWORK_INTERFACE='eth0'
mailserver ONE_DIR='1'
mailserver OVERRIDE_HOSTNAME='mail.DOMAIN.com'
mailserver PERMIT_DOCKER='none'
mailserver PFLOGSUMM_RECIPIENT='[email protected]'
mailserver PFLOGSUMM_SENDER='[email protected]'
mailserver PFLOGSUMM_TRIGGER='none'
mailserver POSTFIX_DAGENT=''
mailserver POSTFIX_INET_PROTOCOLS='all'
mailserver POSTFIX_MAILBOX_SIZE_LIMIT='100000000'
mailserver POSTFIX_MESSAGE_SIZE_LIMIT='10240000'
mailserver POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME='0'
mailserver POSTGREY_AUTO_WHITELIST_CLIENTS='5'
mailserver POSTGREY_DELAY='300'
mailserver POSTGREY_MAX_AGE='35'
mailserver POSTGREY_TEXT='Delayed by Postgrey'
mailserver POSTMASTER_ADDRESS='[email protected]'
mailserver POSTSCREEN_ACTION='enforce'
mailserver RELAY_HOST='smtp.postmarkapp.com'
mailserver REPORT_RECIPIENT='[email protected]'
mailserver REPORT_SENDER='[email protected]'
mailserver RSPAMD_CHECK_AUTHENTICATED='0'
mailserver RSPAMD_GREYLISTING='0'
mailserver RSPAMD_HFILTER='1'
mailserver RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE='6'
mailserver RSPAMD_LEARN='0'
mailserver SASLAUTHD_MECHANISMS='ldap'
mailserver SA_KILL='10.0'
mailserver SA_SPAM_SUBJECT='***SPAM*** '
mailserver SA_TAG2='6.31'
mailserver SA_TAG='2.0'
mailserver SMTP_ONLY='0'
mailserver SPAMASSASSIN_SPAM_TO_INBOX='1'
mailserver SPOOF_PROTECTION='1'
mailserver SRS_DOMAINNAME='DOMAIN.com'
mailserver SRS_EXCLUDE_DOMAINS=''
mailserver SRS_SECRET=''
mailserver SRS_SENDER_CLASSES='envelope_sender'
mailserver SSL_TYPE='manual'
mailserver SUPERVISOR_LOGLEVEL='warn'
mailserver TLS_LEVEL='modern'
mailserver TZ='Europe/Vienna'
mailserver UPDATE_CHECK_INTERVAL='1d'
mailserver VIRUSMAILS_DELETE_DELAY='7'
mailserver [  DEBUG  ]  Applying user patches
mailserver Updating certificates in /etc/ssl/certs...
mailserver 1 added, 0 removed; done.
mailserver Running hooks in /etc/ca-certificates/update.d...
mailserver done.
mailserver [   INF   ]  Starting daemons
mailserver [  DEBUG  ]  Starting cron
mailserver [  DEBUG  ]  Starting rsyslog
mailserver [  DEBUG  ]  Starting dovecot
mailserver [  DEBUG  ]  Starting update-check
mailserver [  DEBUG  ]  Starting rspamd-redis
mailserver [  DEBUG  ]  Starting rspamd
mailserver [  DEBUG  ]  Starting postfix
mailserver [  DEBUG  ]  Starting saslauthd_ldap
mailserver [   INF   ]  mail.DOMAIN.com is up and running
mailserver Jan 31 02:05:34 mail postfix/postfix-script[2114]: starting the Postfix mail system
mailserver Jan 31 02:05:34 mail postfix/master[2115]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable
mailserver Jan 31 02:05:39 mail postfix/postfix-script[2193]: starting the Postfix mail system
mailserver Jan 31 02:05:39 mail postfix/master[2194]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable
mailserver Jan 31 02:05:46 mail postfix/postfix-script[2281]: starting the Postfix mail system
mailserver Jan 31 02:05:46 mail postfix/master[2282]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable
mailserver Jan 31 02:05:52 mail postfix/postfix-script[2360]: starting the Postfix mail system
mailserver Jan 31 02:05:52 mail postfix/master[2361]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable
mailserver Jan 31 02:05:58 mail postfix/postfix-script[2448]: starting the Postfix mail system
mailserver Jan 31 02:05:58 mail postfix/master[2449]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable
mailserver Jan 31 02:06:04 mail postfix/postfix-script[2527]: starting the Postfix mail system
mailserver Jan 31 02:06:04 mail postfix/master[2528]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable
mailserver Jan 31 02:06:10 mail postfix/postfix-script[2615]: starting the Postfix mail system
mailserver Jan 31 02:06:10 mail postfix/master[2616]: daemon started -- version 3.5.23, configuration /etc/postfix
mailserver Jan 31 02:06:48 mail postfix/submissions/smtpd[2660]: connect from 089144202244.atnat0011.highway.a1.net[89.144.202.244]
mailserver Jan 31 02:06:48 mail postfix/submissions/smtpd[2660]: Anonymous TLS connection established from 089144202244.atnat0011.highway.a1.net[89.144.202.244]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
mailserver Jan 31 02:06:48 mail postfix/submissions/smtpd[2660]: 7BDEF200EE: client=089144202244.atnat0011.highway.a1.net[89.144.202.244], sasl_method=PLAIN, [email protected]
mailserver Jan 31 02:06:48 mail postfix/sender-cleanup/cleanup[2663]: 7BDEF200EE: message-id=<[email protected]>
mailserver Jan 31 02:06:48 mail postfix/sender-cleanup/cleanup[2663]: 7BDEF200EE: replace: header MIME-Version: 1.0 from 089144202244.atnat0011.highway.a1.net[89.144.202.244]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.105]>: MIME-Version: 1.0
mailserver Jan 31 02:06:48 mail postfix/qmgr[2618]: 7BDEF200EE: from=<[email protected]>, size=7738, nrcpt=1 (queue active)
mailserver Jan 31 02:06:48 mail postfix/smtp[2620]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c00::1a]:25: Network is unreachable
mailserver Jan 31 02:06:48 mail postfix/smtp[2620]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.76.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
mailserver Jan 31 02:06:49 mail dovecot: imap-login: Login: user=<Administrator>, method=PLAIN, rip=89.144.202.244, lip=10.244.171.58, mpid=2667, TLS, session=<IchSfjMQSVpZkMr0>
mailserver Jan 31 02:06:49 mail dovecot: imap-login: Login: user=<Administrator>, method=PLAIN, rip=89.144.202.244, lip=10.244.171.58, mpid=2668, TLS, session=<Y51TfjMQSlpZkMr0>
mailserver Jan 31 02:06:49 mail postfix/smtp[2620]: 7BDEF200EE: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=0.98, delays=0.38/0.01/0.12/0.48, dsn=2.0.0, status=sent (250 2.0.0 OK  1706663209 ay15-20020a5d6f0f000000b0033aedf95c65si3128410wrb.250 - gsmtp)
mailserver Jan 31 02:06:49 mail postfix/qmgr[2618]: 7BDEF200EE: removed
mailserver Jan 31 02:06:49 mail dovecot: imap(Administrator)<2668><Y51TfjMQSlpZkMr0>: Logged out in=7820 out=621 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
mailserver Jan 31 02:06:49 mail dovecot: imap(Administrator)<2667><IchSfjMQSVpZkMr0>: Logged out in=359 out=3684 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=435 body_count=0 body_bytes=0
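
A check that can be run over a log like the one above, as an added example that is not part of the original issue or of the docker-mailserver project: it reads the `relay=` field of Postfix outbound delivery records and lists deliveries that did not pass through the configured relay host. The sample log lines are constructed in the format shown above (addresses and IPs are placeholders), and the name `relay_bypasses` is hypothetical.

```python
import re

# Delivery records written by the Postfix outbound SMTP client (postfix/smtp).
# smtpd, qmgr, cleanup and lmtp lines do not match and are ignored.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^\[,\s]+)(?:\[(?P<ip>[^\]]*)\])?(?::(?P<port>\d+))?, "
    r".*?status=(?P<status>\w+)"
)

def relay_bypasses(log_lines, expected_host):
    """Return (queue id, recipient, relay, status) for each outbound delivery
    whose next hop was not expected_host."""
    findings = []
    for line in log_lines:
        m = DELIVERY.search(line)
        if m is None:
            continue
        relay = m["relay"].lower()
        # relay=none means no connection was made, so it says nothing about routing.
        if relay in ("none", expected_host.lower()):
            continue
        findings.append((m["qid"], m["rcpt"], relay, m["status"]))
    return findings

# Constructed sample input, modelled on the log format in the issue.
SAMPLE_LOG = [
    "Jan 31 02:06:48 mail postfix/qmgr[2618]: 7BDEF200EE: "
    "from=<admin@example.org>, size=7738, nrcpt=1 (queue active)",
    "Jan 31 02:06:49 mail postfix/smtp[2620]: 7BDEF200EE: to=<user@example.com>, "
    "relay=gmail-smtp-in.l.google.com[192.0.2.26]:25, delay=0.98, "
    "delays=0.38/0.01/0.12/0.48, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Jan 31 02:10:02 mail postfix/smtp[2701]: 8C1A0200F1: to=<user@example.net>, "
    "relay=smtp.postmarkapp.com[192.0.2.10]:25, delay=1.2, "
    "delays=0.3/0.01/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)",
]

if __name__ == "__main__":
    for qid, rcpt, relay, status in relay_bypasses(SAMPLE_LOG, "smtp.postmarkapp.com"):
        print(f"{qid}: {rcpt} went via {relay} ({status}), not the relay host")
```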
