From: Matias Surdi on 26 Mar 2010 13:28

Hi,

I'm running postfix with a ldap vmailbox database for incoming mails.

The problem is that I'm receiving mails to non existent accounts, or , with an accented (non ascii) character and instead of rejecting the mail postfix is replying the client with a 451 error, here is the session transcript, with modified domains for privacy reasons:

Transcript of session follows.

    Out: 220 mail.example.com ESMTP
    In:  EHLO agamemnon.external.com
    Out: 250-mail.example.com
    Out: 250-PIPELINING
    Out: 250-SIZE 20480000
    Out: 250-ETRN
    Out: 250-STARTTLS
    Out: 250-AUTH PLAIN LOGIN
    Out: 250-ENHANCEDSTATUSCODES
    Out: 250-8BITMIME
    Out: 250 DSN
    In:  STARTTLS
    Out: 220 2.0.0 Ready to start TLS
    In:  EHLO agamemnon.external.com
    Out: 250-mail.example.com
    Out: 250-PIPELINING
    Out: 250-SIZE 20480000
    Out: 250-ETRN
    Out: 250-AUTH PLAIN LOGIN
    Out: 250-ENHANCEDSTATUSCODES
    Out: 250-8BITMIME
    Out: 250 DSN
    In:  MAIL FROM:<user@external.com>
    Out: 250 2.1.0 Ok
    In:  RCPT TO:<"?myuser"@example.com>
    Out: 451 4.3.0 < myuser@example.com>: Temporary lookup failure
    In:  QUIT
    Out: 221 2.0.0 Bye

Additionally, on the postfix log I can see:

    Mar 26 15:44:17 calipso postfix/smtpd[27237]: warning: dict_ldap_lookup: Search error 34: Invalid DN syntax

And on the LDAP server I'm getting:

    Mar 26 15:44:17 sanson slapd[1688]: conn=204424 op=3 do_search: invalid dn (uid=<CD>myuser,ou=users,dc=example,dc=com)

As you can see, the recipient address is malformed, but postfix is replying with the wrong error code, although I think this may be more related to ldap problem than to a postfix one.

Here is the vmailbox map config file:

    server_host = ldapserver.local
    search_base = uid=%u,ou=users,dc=example,dc=com
    query_filter = (&(mail=%u@example.com)(memberOf=cn=service_email,ou=groups,dc=example,dc=com))
    result_format = ./example.com/%s/
    result_attribute = uid
    scope = base
    bind = yes
    bind_dn = uid=serviceauth,ou=users,dc=example,dc=com
    bind_pw = pass
    version = 3

Any help will be very appreciated.

-- Matias Emanuel Surdi.

From: Quanah Gibson-Mount on 26 Mar 2010 13:31

--On Friday, March 26, 2010 6:28 PM +0100 Matias Surdi <matiassurdi(a)gmail.com> wrote:

> Additionally, on the postfix log I can see:
>
> Mar 26 15:44:17 calipso postfix/smtpd[27237]: warning:
> dict_ldap_lookup: Search error 34: Invalid DN syntax

Looks like dict_ldap_lookup is failing to properly encode the data before querying LDAP.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

From: Victor Duchovni on 26 Mar 2010 14:04

On Fri, Mar 26, 2010 at 10:31:50AM -0700, Quanah Gibson-Mount wrote:

> --On Friday, March 26, 2010 6:28 PM +0100 Matias Surdi
> <matiassurdi(a)gmail.com> wrote:
>
>> Additionally, on the postfix log I can see:
>>
>> Mar 26 15:44:17 calipso postfix/smtpd[27237]: warning:
>> dict_ldap_lookup: Search error 34: Invalid DN syntax
>
> Looks like dict_ldap_lookup is failing to properly encode the data before
> querying LDAP.

No idle speculation please. Postfix encodes the LDAP query with particular care, but Postfix is only responsible for encoding the variable parts of the query and search base that it inserts via "%s", "%d", "%u", .... The fixed parts of the query and search base must be configured correctly by the administrator. This also applies to any DNs found in special_result_attribute values.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.

From: Victor Duchovni on 26 Mar 2010 14:21

On Fri, Mar 26, 2010 at 06:28:50PM +0100, Matias Surdi wrote:

> The problem is that I'm receiving mails to non existent accounts, or ,
> with an accented (non ascii) character and instead of rejecting the
> mail postfix is replying the client with a 451 error, here is the
> session transcript, with modified domains for privacy reasons:

SMTP is not a UTF-8 protocol, it is an ASCII protocol, and envelopes with non-ASCII characters are malformed. In your case, you should reject these via a suitable check before passing them to LDAP.

> In: RCPT TO:<"?myuser"@example.com>
> Out: 451 4.3.0 < myuser@example.com>: Temporary lookup failure

Don't pass non-ASCII user names to your LDAP table.

> search_base = uid=%u,ou=users,dc=example,dc=com

In RFC 2253, all attribute values are assumed to be UTF-8. Postfix has no idea what character-encoding (UTF-8, ISO-8859-1, ...) corresponds to a non-ASCII envelope recipient, and so cannot translate this value to UTF-8. The value provided is encoded in the query verbatim. In this case, your server objects to the malformed UTF-8 string in the search base.

Use a fixed search base with a "scope" of "sub" or "one".

    search_base = ou=users,dc=example,dc=com

and add (uid=%u) to your search filter if necessary.

> search_base = uid=%u,ou=users,dc=example,dc=com
> query_filter = (&(mail=%u@example.com)(memberOf=cn=service_email,ou=groups,dc=example,dc=com))
> result_format = ./example.com/%s/
> result_attribute = uid
> scope = base

Perhaps the LDAP server will tolerate non-ASCII data in the query value and return "not-found".

--
Viktor.

From: Wietse Venema on 26 Mar 2010 16:54

Victor Duchovni:
> On Fri, Mar 26, 2010 at 06:28:50PM +0100, Matias Surdi wrote:
>
> > The problem is that I'm receiving mails to non existent accounts, or ,
> > with an accented (non ascii) character and instead of rejecting the
> > mail postfix is replying the client with a 451 error, here is the
> > session transcript, with modified domains for privacy reasons:
>
> SMTP is not a UTF-8 protocol, it is an ASCII protocol, and envelopes
> with non-ASCII characters are malformed. In your case, you should
> reject these via a suitable check before passing them to LDAP.
>
> > In: RCPT TO:<"?myuser"@example.com>
> > Out: 451 4.3.0 < myuser@example.com>: Temporary lookup failure
>
> Don't pass non-ASCII user names to your LDAP table.

Hmm. If the Postfix LDAP driver handles only non-ASCII query keys then we should have a smarter response from the mail system.

One obvious response is to return a "not found" result.

We have prior art with this. When Postfix is asked to look up an empty string, some Berkeley DB implementations return an error, so we don't do such lookups and return "not found" instead of a non-persistent error.

> In RFC 2253, all attribute values are assumed to be UTF-8. Postfix has
> no idea what character-encoding (UTF-8, ISO-8859-1, ...) corresponds to
> a non-ASCII envelope recipient, and so cannot translate this value to
> UTF-8. The value provided is encoded in the query verbatim. In this case,
> your server objects to the malformed UTF-8 string in the search base.

Fortunately, UTF-8 is a "stateful" encoding so it knows that this non-ASCII character is out-of-order, but I would prefer not to make the query at all.

Wietse
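
The handling discussed in this thread (a fixed search base, the user name placed only in the filter, and no LDAP query at all for an empty or non-ASCII key) is sketched below as an added example; it is not Postfix source code and not code from any poster. The function names are hypothetical, the filter escaping follows RFC 4515, and the sample byte string is constructed from the `<CD>myuser` shown in the slapd log.

```python
# Added example: constructed values, not Postfix source code.
SEARCH_BASE = "ou=users,dc=example,dc=com"  # fixed base, no %u inside the DN
SCOPE = "sub"
FILTER = ("(&(uid={u})(mail={u}@example.com)"
          "(memberOf=cn=service_email,ou=groups,dc=example,dc=com))")


def is_valid_utf8(raw: bytes) -> bool:
    """True if raw decodes as UTF-8, as LDAP string values are expected to."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the characters that are special in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def plan_lookup(local_part: bytes):
    """Decide what to do with an envelope recipient local part.

    Returns ("not_found", None) without touching LDAP for empty,
    non-ASCII or control-character keys, else
    ("query", (base, scope, filter)).
    """
    try:
        user = local_part.decode("ascii")
    except UnicodeDecodeError:
        return ("not_found", None)
    if not user or any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
        return ("not_found", None)
    flt = FILTER.format(u=escape_filter_value(user))
    return ("query", (SEARCH_BASE, SCOPE, flt))


if __name__ == "__main__":
    bad = b"\xcdmyuser"  # constructed from the <CD>myuser in the slapd log
    # With search_base = uid=%u,... these bytes land inside the DN itself:
    print(is_valid_utf8(b"uid=" + bad + b",ou=users,dc=example,dc=com"))
    for key in (bad, b"", b"myuser", b"my*user"):
        print(key, plan_lookup(key))
```

The byte 0xCD starts a two-byte UTF-8 sequence, so followed by the ASCII letter `m` it cannot be valid UTF-8, which matches the "Invalid DN syntax" answer the server gave for the original `scope = base` configuration.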