Postfix Integration / Multi-Domain Lookup via LDAP


acb
Posts: 21
Joined: Mon Mar 16, 2009 2:05 pm

Postby acb » Mon Mar 16, 2009 2:34 pm

I have successfully been able to integrate Postfix with Scalix 11.4.3. Postfix uses the following configuration to check for valid recipients:

Code:

server_host = ldap://localhost:5757
query_filter = mail=%s
bind = no
result_attribute = scalixInstanceMailHost
result_format = smtp:[%s]:10025
size_limit = 1
domain = sx.domain.com


However, I wish to check for multiple domains, and this configuration does not work that way. I know that a static file can be used within Postfix to accomplish this goal, but my goal is to create a dynamic lookup. Simply removing the "domain" key/value pair does not work.

I have attempted to connect to the real ldap service on port 389 using the following config:

Code:

server_host = ldap://sx.domain.com
query_filter = mail=%s
bind = yes
bind_dn = admin
bind_pwd = password
terminal_result_attribute = mail
result_format = smtp:[%s]:10025


But this results in an error:

Mar 13 16:47:17 sx postfix/trivial-rewrite[15734]: warning: dict_ldap_connect: Unable to bind to server ldap://sx.domain.com as admin: 64 (Naming violation)

I've played with the configuration to generate authentication errors, so I believe my current bind information is correct. I am not sure why a naming violation is being thrown, but I do believe it should be possible to query that ldap server for valid recipients.

Has anyone been able to configure Postfix to query Scalix for valid recipients among multiple domains in a dynamic manner?

acb
Posts: 21
Joined: Mon Mar 16, 2009 2:05 pm

Postby acb » Mon Mar 16, 2009 6:55 pm

I figured out how to grab valid recipients, but that doesn't seem to matter much because I need to be able to grab the list of domains that Scalix handles. Is this to be found via LDAP, or is it stored elsewhere?

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Tue Mar 17, 2009 2:42 am

Scalix doesn't work with "domains" as a concept, only email addresses. There is a list of accepted domains in the smtpd.cfg, and the SAC config has a list that's used to populate the dropdown in the user screen, but neither dictates to the server core on that.

If you're a commercial customer, a list of licensed domains is usually available via sxlicense. Otherwise you can write something that reads all the IA-FORMAL entries in the SYSTEM directory via omsearch and collect the domains from that.

acb
Posts: 21
Joined: Mon Mar 16, 2009 2:05 pm

Postby acb » Tue Mar 17, 2009 12:40 pm

I am testing out a hosting edition license. I am able to create mailnodes using the sxhostcfg/sxhostadd plugins, but I am not sure where that information is stored.

I suppose I could modify the sxhostadd config to add the domains to a static table that postfix can then read. Then I won't need to worry where scalix stores that information.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Tue Mar 17, 2009 4:01 pm

This information is stored in internal config files, and they are not easily readable. Writing out a list as you create mailnodes seems like an easy solution. Reading the SYSTEM directory with a script should be just as easy, though, and you know it's always up to date.

acb
Posts: 21
Joined: Mon Mar 16, 2009 2:05 pm

Postby acb » Thu Mar 19, 2009 5:02 pm

I've been able to add an additional script call in sxhostadd, and that script lets me maintain a hash table for Postfix's "relay_domains" list.

Now I am trying to come up with a way to delete domains automatically. The sxhostdel plugin doesn't work on domains, so I have no way of knowing ahead of time which domains are to be deleted.

Where are the domains stored, either directly or indirectly? I see one file that has the primary domains associated with each mail node, but I have not yet found where the list of "local domains" is kept.

If I can parse that list somehow, I can periodically prune the relay_domains table. Eventually, I want to add some additional admin code that deletes those domains from the relay_domains table when the mailnode or domain is deleted in sac.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Fri Mar 20, 2009 9:07 am

There is no such list in the server, as Scalix does not handle domains. I still think the most accurate is to do an omsearch -s -m IA-FORMAL, then parse the entries for domains.

acb
Posts: 21
Joined: Mon Mar 16, 2009 2:05 pm

Postby acb » Fri Mar 20, 2009 6:01 pm

If Scalix does not handle domains, then how does it know what domains to list when showing the local domains? They are shown there whether or not the domain has any users. That implies that somewhere, in some arbitrary format, the domains are on-disk.

The omsearch command you responded with is handy, and I thank you for the assistance. However, that command only lists users. If a domain has no users, it does not appear.

A race-condition is then possible: I delete the last user from a domain, then my pruning script fires off at a normal interval and sees that the domain is gone. It deletes it from the relay_domains table. If my next action is to create another user in that domain, it will not receive mail.

I've tried doing an exhaustive search of all of the files within the scalix directories. Something in there causes grep to time-out, but I found this file:

~/caa/scalix.res/config/ubermanager.properties

It contains a variable called ubermanager.console.localDomains, and it appears to be a series of objects associating mail nodes to domains in the form:

ubermanager.console.localDomains=domain/node,domain/node

A simple regex can pick out the domains from that list. Now my question is whether or not that file is safe to query for valid data, or if it is some sort of dynamic temporary piece.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Sat Mar 21, 2009 2:58 am

If you're referring to the list in SAC, it's indeed the ubermanager.properties file. However, this is manually updated from inside SAC, so the Scalix server core does not populate any values to it; it is simply used to generate the dropdowns in SAC user/group/resource creation.

There's the list of valid recipient domains (given with RECIPIENT and RELAY in smtpd.cfg). However, again, this list is manually kept up to date by the administrator. The same applies to the domains given in ./etc/mail/local-host-names and /etc/mail/access (if any).

Where else are you seeing domains that I am missing? The only place I can think of that it's listed is SAC, with the manual list, but I could be missing some place else.

Warlock
Posts: 11
Joined: Wed Dec 27, 2006 10:10 am

Re: Postfix Integration / Multi-Domain Lookup via LDAP

Postby Warlock » Sun Aug 16, 2009 9:20 am

Hi - I wonder if anyone can assist me with a similar kind of issue I am having.
I have Scalix and Postfix integrated and Postfix authenticates against the Scalix LDAP entries for the primary domain on my Scalix mailnode.
I then add a secondary mail domain through SAC, but Postfix will not authenticate against LDAP for the second mail domain - "user unknown" is the error.
If I log in to SWA and send a mail from domain 1 to domain 2 the mail goes through no problem though - so it would seem to be a problem with Postfix reading from LDAP for the second domain. Has anyone experienced a similar problem - is anyone able to assist with a fix for this?

Warlock
Posts: 11
Joined: Wed Dec 27, 2006 10:10 am

Re: Postfix Integration / Multi-Domain Lookup via LDAP

Postby Warlock » Mon Aug 17, 2009 7:23 am

OK - got LDAP authenticating against multiple domains by adding each domain to the scalix-transport.cf file and reloading postfix:

server_host = ldap://localhost:5757
query_filter = mail=%s
bind = no
result_attribute = scalixInstanceMailHost
result_format = smtp:[%s]:10025
size_limit = 1
domain = domain1.co.za, domain2.co.za

Beaujolais
Posts: 94
Joined: Sun Sep 03, 2006 2:47 pm
Location: Burlington, Ontario

Re: Postfix Integration / Multi-Domain Lookup via LDAP

Postby Beaujolais » Wed Aug 19, 2009 9:41 am

Here is what's working for me:

main.cf

Code:

transport_maps = hash:/etc/postfix/scalix_transport
virtual_alias_maps = regexp:/etc/postfix/my_aliases.regexp
relay_recipient_maps = ldap:/etc/postfix/scalix_recipients.ldap
relay_domains = /etc/postfix/scalix_domains


scalix_transport

Code:

domain1.com       smtp:[localhost]:10030
domain2.com       smtp:[localhost]:10030


scalix_recipients.ldap

Code:

server_host = ldap://localhost:389
query_filter = mail=%s
bind = no
result_attribute = mail


my_aliases.regexp

Code:

/^(postmaster|domains|root|abuse|webmaster|sysadmin)@/ beaujolais@domain1.com


And a simple script to populate scalix_transport (no error checking).
Needs to be executed only when a new domain is added.

Code:

#!/bin/sh
grep ubermanager.console.localDomains /var/opt/scalix/??/caa/scalix.res/config/ubermanager.properties|sed -e 's/ubermanager\.console\.localDomains=//g' -e 's/,/\n/g'|awk -F "/" '{print $1}' > /etc/postfix/scalix_domains
echo /etc/postfix/scalix_domains ... updated

cat /etc/postfix/scalix_domains | sed -e 's/$/\tsmtp\:\[localhost\]\:10030/' > /etc/postfix/scalix_transport
/usr/sbin/postmap /etc/postfix/scalix_transport
echo /etc/postfix/scalix_transport ... updated

/etc/init.d/postfix reload
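
Added example, not part of the post above and not Scalix or Postfix project code: a variant of that regeneration script which validates each domain parsed from ubermanager.console.localDomains, builds both tables in temporary files, and leaves the live tables untouched when the source yields no domains (the pruning concern raised earlier in the thread). The function names and the --apply switch are assumptions; the paths and the smtp:[localhost]:10030 next hop are taken from the post.

```shell
#!/bin/sh
# Added example: regenerate Postfix relay/transport tables from the SAC list.
# Function names and the --apply switch are assumptions, not Scalix tooling.

# Print one validated, lower-cased domain per line from a properties file ($1).
extract_domains() {
    sed -n 's/^ubermanager\.console\.localDomains=//p' "$1" |
        tr ',' '\n' |
        awk -F/ '{ d = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", d); print d }' |
        grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' |
        sort -u
}

# Build both tables in temp files; swap them in only if the list is non-empty.
# $1 = properties file, $2 = output directory, $3 = transport next hop
write_tables() {
    props=$1; outdir=$2; nexthop=$3
    tmp_dom=$(mktemp "$outdir/scalix_domains.XXXXXX") || return 1
    tmp_tr=$(mktemp "$outdir/scalix_transport.XXXXXX") || { rm -f "$tmp_dom"; return 1; }
    extract_domains "$props" > "$tmp_dom"
    if [ ! -s "$tmp_dom" ]; then
        # A missing, unreadable or empty source must not wipe relay_domains.
        rm -f "$tmp_dom" "$tmp_tr"
        echo "no valid domains in $props; tables left unchanged" >&2
        return 1
    fi
    awk -v hop="$nexthop" '{ printf "%s\t%s\n", $0, hop }' "$tmp_dom" > "$tmp_tr"
    chmod 644 "$tmp_dom" "$tmp_tr"
    mv -f "$tmp_dom" "$outdir/scalix_domains"
    mv -f "$tmp_tr" "$outdir/scalix_transport"
}

# Touch the live Postfix configuration only when called with --apply.
if [ "${1:-}" = "--apply" ]; then
    set -- /var/opt/scalix/??/caa/scalix.res/config/ubermanager.properties
    write_tables "$1" /etc/postfix 'smtp:[localhost]:10030' &&
        /usr/sbin/postmap /etc/postfix/scalix_transport &&
        /etc/init.d/postfix reload
fi
```

Entries that are not syntactically valid host names are dropped rather than copied into the Postfix tables, so a malformed value in the properties file cannot add stray fields to a map line.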

Warlock
Posts: 11
Joined: Wed Dec 27, 2006 10:10 am

Re: Postfix Integration / Multi-Domain Lookup via LDAP

Postby Warlock » Wed Aug 19, 2009 9:51 am

Thanks - will have a look at this method and see how it goes - cheers.

Beaujolais
Posts: 94
Joined: Sun Sep 03, 2006 2:47 pm
Location: Burlington, Ontario

Re: Postfix Integration / Multi-Domain Lookup via LDAP

Postby Beaujolais » Wed Aug 19, 2009 10:01 am

With my method you save one LDAP lookup for transport maps (speed benefit).

The unfortunate thing is that you either have to list all domains in your LDAP query for transport maps or in the transport maps file directly. ...meaning manual entry is always needed when a domain is added.
As such, the method I've listed is a bit faster but accomplishes the same result. ...and I have the script to populate the maps ;)

