Postfix

在 Postfix 虛擬配置中使用 LDAP 時,電子郵件以“使用者未知”被退回

  • November 1, 2015

我已經解決這個問題好幾天了,似乎已經用盡了所有的故障排除,所以我想我會向社區尋求幫助。

在沒有將 OpenLDAP 引入郵件基礎架構的情況下,Postfix 和 Dovecot 一直執行良好。在過去的幾天裡,Postfix MTA 配置了虛擬 LDAP 設置,但即使 Postfix 可以讀取並知道這些真實的郵件使用者、郵件別名和虛擬域存在,但電子郵件仍顯示退回狀態。這是我的 Postfix main.cf 中相關的虛擬設置。

注意:只有 3 個虛擬 LDAP 配置

virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 virtual_minimum_uid = 5000 virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf virtual_mailbox_maps = ldap:/etc/postfix/ldap-vmailbox.cf virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf virtual_mailbox_limit = 512000000 virtual_mailbox_base = /home/vmail transport_maps = hash:/etc/postfix/transport

以下是每個虛擬 LDAP 文件的內容。

ldap-virtual-domains.cf

server_host = ldap://ldap.example.net/ search_base = ou=Domains,dc=example,dc=net version = 3 bind = no query_filter = (&(ObjectClass=dNSDomain)(dc=%s)) result_attribute = dc

ldap-vmailbox.cf

server_host = ldap://ldap.example.net/ search_base = ou=Mail,dc=example,dc=net version = 3 bind = no query_filter = (&(objectclass=inetOrgPerson)(mail=%s)) result_attribute = mail

ldap-aliases.cf

server_host = ldap://ldap.example.net/ search_base = ou=Mail,dc=example,dc=net version = 3 bind = no query_filter = (&(objectclass=inetLocalMailRecipient)(mailLocalAddress=%s)) result_attribute = mail

驗證 Postfix 可以讀取和處理所有 3 個虛擬 LDAP 文件成功

ldap-virtual-domains.cf:

postmap -q example.net ldap:/etc/postfix/ldap-virtual-domains.cf example.net postmap -q example.org ldap:/etc/postfix/ldap-virtual-domains.cf example.org postmap -q example.com ldap:/etc/postfix/ldap-virtual-domains.cf example.com

ldap-vmailbox.cf:

postmap -q user1@example.net ldap:/etc/postfix/ldap-vmailbox.cf user1@example.net postmap -q user2@example.net ldap:/etc/postfix/ldap-vmailbox.cf user2@example.net postmap -q user3@example.net ldap:/etc/postfix/ldap-vmailbox.cf user3@example.net

ldap-aliases.cf:

postmap -q alias1@example.org ldap:/etc/postfix/ldap-aliases.cf user1@example.net postmap -q alias2@example.org ldap:/etc/postfix/ldap-aliases.cf user2@example.net

這是我在郵件日誌中看到的:

10 月 26 日 16:54:17 example.net postfix/cleanup[2789]: 3D26A105CC: info: header Subject: testing virtual LD​​AP from [REDACTED]; from=tony@macbook-air.moon to=user1@example.net proto=ESMTP helo=macbook-air.moon
10 月 26 日 16:54:17 example.net postfix/cleanup[2789]: 3D26A105CC: message-id=20151026235417.139081C7F821@macbook-air.moon
10 月 26 日 16:54:17 example.net opendkim[11877]: 3D26A105CC: [已編輯] 不是內部的
10 月 26 日 16:54:17 example.net opendkim[11877]:3D26A105CC:未通過身份驗證
10 月 26 日 16:54:17 example.net opendkim[11877]: 3D26A105CC: 沒有簽名數據
10 月 26 日 16:54:17 example.net postfix/qmgr[26221]: 3D26A105CC: from=tony@macbook-air.moon, size=571, nrcpt=1 (queue active)
10 月 26 日 16:54:17 example.net postfix/smtpd[2461]:從 [已編輯] 斷開連接 ehlo=1 郵件=1 rcpt=1 數據=1 退出=1 命令=5
10 月 26 日 16:54:17 example.net postfix/pipe[2791]:3D26A105CC:to=user1@example.net,relay=dovecot,延遲=0.12,延遲=0.08/0.01/0/0.02,dsn=5.1.1 , status=bounced (使用者未知)
10 月 26 日 16:54:17 example.net 後綴/清理 [2789]: 55F2B1080A: message-id=20151026235417.55F2B1080A@mail.example.net
10 月 26 日 16:54:17 example.net postfix/qmgr[26221]: 55F2B1080A: from=, size=2460, nrcpt=1 (queue active)
10 月 26 日 16:54:17 example.net postfix/bounce[2793]:3D26A105CC:發件人未送達通知:55F2B1080A
10 月 26 日 16:54:17 example.net postfix/qmgr[26221]: 3D26A105CC: 已移除
10 月 26 日 16:54:17 example.net postfix/smtp[2794]: 55F2B1080A: to=tony@macbook-air.moon, relay=none, delay=0.02, delays=0/0.01/0/0, dsn=5.4 .4, status=bounced (主機或域名未找到。名稱服務錯誤名稱=macbook-air.moon type=A: Host not found)

LDAP 中存在的有效郵件帳戶會在日誌中顯示: Oct 26 16:56:14 example.net postfix/pipe[3592]: 457871080A: to=vmail@example.net, orig_to=montest@example.net, relay=dovecot, delay=0.03, delays=0.01/0/0/0.02, dsn=5.1.1, status=bounced (user unknown)

vmail@example.net 是 LDAP 中的真實郵件地址,而 montest@example.net 是 LDAP 中的真實別名。Postfix 在使用postmap -q.

這是完整的 Postfix 配置:

別名數據庫 = $alias_maps
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = 否
broken_sasl_auth_clients = 是
命令目錄 = /usr/bin
兼容性級別 = 2
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
header_checks = 正則表達式:/etc/postfix/header_checks
home_mailbox = 郵件目錄/
html_directory = 否
inet_interfaces = 所有
inet_protocols = ipv4
mail_owner = 後綴
mail_spool_directory = /var/spool/mail
郵箱命令 = /usr/lib/dovecot/deliver
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
元目錄 = /etc/postfix
milter_default_action = 接受
軍事協議 = 2
我的目的地 =
mydomain = example.net
我的主機名 = 郵件.$mydomain
mynetworks = 127.0.0.0/8 10.8.0.0/24 192.168.128.0/17 [伺服器 IP 已編輯] [::1]/128 [2600:3c01::]/64 [fe80::]/64
myorigin = $ mydomain
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:127.0.0.1:8891
queue_directory = /var/spool/postfix
自述目錄 = /usr/share/doc/postfix
收件人分隔符 = +
sample_directory = /etc/postfix/sample
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = 是
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = 可能
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_sasl_authenticated、permit_mynetworks、reject_unauth_destination、check_policy_service inet:mail.example.net:12340
smtpd_sasl_auth_enable = 是
smtpd_sasl_authenticated_header = 是
smtpd_sasl_local_domain =
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/postfix/ssl/PositiveSSL.ca-bundle
smtpd_tls_cert_file = /etc/postfix/ssl/STAR_example_net.crt
smtpd_tls_key_file = /etc/postfix/ssl/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = 是
smtpd_tls_security_level = 可能
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = 是
tls_random_source = dev:/dev/urandom
transport_maps = 雜湊:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = 靜態:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = ldap:/etc/postfix/ldap-vmailbox.cf
virtual_minimum_uid = 5000
virtual_transport = 鴿舍
virtual_uid_maps = 靜態:5000

LDAP 中具有多個別名的有效使用者範例

LDAP 使用者

看來我是如此接近,但也許另一雙眼睛可以為解決這個問題提供一些見解。非常感謝任何輸入。

更新 1

我設法status=bounced (user unknown)通過更改main.cfvirtual_transport中的值來解決錯誤

virtual_transport = dovecot

virtual_transport = lmtp:unix:private/dovecot-lmtp

master.cf我改變了這一行

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

到這條線

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}

我在 LDAP 中添加了一個名為 postmaster@example.net 的新使用者,并快速postmap -q證明 Postfix 知道 postmaster@example.net,但後來我看到了這個錯誤。

Oct 26 23:46:46 example.net dovecot: quota-status(postmaster@example.net): Error: User initialization failed: Namespace '': stat(/home/vmail/postmaster/.Maildir) failed: Permission denied (euid=5003() egid=5000(vmail) missing +x perm: /home/vmail, dir owned by 5000:5000 mode=0700) Oct 26 23:46:46 example.net postfix/smtpd[25851]: NOQUEUE: reject: RCPT from[REDACTED]: 450 4.7.1 : Recipient address rejected: Invalid user settings. Refer to server log for more information.; from= to= proto=ESMTP helo=

經過更多研究後,我開始查看我的 Dovecot LDAP 配置,特別是dovecot-ldap.conf.ext

hosts = ldap.example.net auth_bind = no ldap_version = 3 base = ou=Mail,dc=example,dc=net deref = never scope = subtree user_attrs = uidNumber=uid,gidNumber=gid,mailHomeDirectory=home,quotaBytes=quota_rule=*:bytes=%$ user_filter = (&(objectclass=inetOrgPerson)(mail=%u)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=posixAccount)(uid=%u)) default_pass_scheme = SSHA

我不再user unknown在郵件日誌中看到,但我確實看到登錄嘗試失敗。我不確定,但認為這可能user_attrs來自我的 dovecot-ldap.conf.ext 中的 LDAP 屬性或任何其他 LDAP 屬性。

Oct 27 00:01:19 example.net dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<vmail@example.net>, method=PLAIN, rip=192.168.176.128, lip=192.168.176.128, TLS: Disconnected, session=<w/r1pBAj0YjAqLCA>

更新 2

我在 OpenLDAP 中創建了一個名為 Dovecot 的管理員帳戶,並read通過此行授予它訪問權限

by dn="uid=dovecot,ou=System,dc=example,dc=net" read

Dovecot 現在可以成功讀取 userPassword 屬性。這是dovecot-ldap.conf.ext啟用綁定後的樣子。

hosts = ldap.example.net auth_bind = yes auth_bind_userdn = uid=%u,ou=Mail,dc=example,dc=net dn = uid=dovecot,ou=System,dc=example,dc=net dnpass = password ldap_version = 3 base = ou=Mail,dc=example,dc=net deref = never scope = subtree user_filter = (&(objectclass=inetOrgPerson)(mail=%u)) pass_filter = (&(objectclass=inetOrgPerson)(mail=%u)) default_pass_scheme = SSHA user_attrs = uidNumber=uid,gidNumber=gid,mailHomeDirectory=,quotaBytes=quota_rule=*:bytes=%$ pass_attrs = mail=uid,userPassword=password

嘗試登錄 vmail 帳戶時,我看到 Dovecot 無法從 userdb 找到使用者

Oct 27 20:42:47 example.net dovecot: auth: Error: ldap(vmail,192.168.176.128,<8C7h/CEjo5DAqLCA>): user not found from userdb Oct 27 20:42:47 example.net dovecot: imap: Error: Authenticated user not found from userdb, auth lookup id=4111597569 (client-pid=26724 client-id=1) Oct 27 20:42:47 example.net dovecot: imap-login: Internal login failure (pid=26724 id=1) (internal failure, 1 successful auths): user=<vmail>, method=PLAIN, rip=192.168.176.128, lip=192.168.176.128, mpid=26726, secured, session=<8C7h/CEjo5DAqLCA>

如果我將user_filter屬性更改為以下行,我可以成功登錄。

user_filter = (&(objectClass=posixAccount)(uid=%u))

但隨後消息又開始反彈。

Oct 27 20:46:09 example.net postfix/smtp[27702]: ECA4F10848: to=<tony@macbook-air.moon>, relay=none, delay=0.16, delays=0.01/0.01/0.14/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=macbook-air.moon type=A: Host not found)

Oct 27 20:46:08 example.net postfix/lmtp[27698]: E0994102FA: to=<tony@example.net>, relay=example.net[private/dovecot-lmtp], delay=0.06, delays=0.05/0.01/0/0, dsn=5.1.1, status=bounced (host mail.example.net[private/dovecot-lmtp] said: 550 5.1.1 <tony@example.net> User doesn't exist: tony@example.net (in reply to RCPT TO command))

在這一點上,我認為問題可能出在使用者和傳遞過濾器上,但我真的不知道了。這是目前 Dovecot 配置dovecot -n和 Dovecot 的 LDAP 部分:http: //ix.io/lEE

我希望這都可以提供有關可能失去或混亂的線索,以便使用者登錄和發送/接收郵件成功。

這已解決。在dovecot-ldap.conf.ext我更改了以下過濾器。

user_attrs = user_filter = (&(objectclass=inetOrgPerson)(uid=%n)(mailEnabled=TRUE))

用於 dn 查找

pass_attrs = mail=user,userPassword=password pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))

完整的 dovecot-ldap.conf.ext 配置

hosts = ldap.example.net auth_bind = yes dn = uid=dovecot,ou=System,dc=example,dc=net dnpass = PASS ldap_version = 3 base = ou=Mail,dc=example,dc=net deref = never scope = subtree default_pass_scheme = SSHA user_attrs = user_filter = (&(objectclass=inetOrgPerson)(uid=%n)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))

我還必須將**/etc/dovecot/conf.d/10-mail.conf**mail_location中的更新為

mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/

最終權限檢查

  • 已驗證/home/vmail/*具有適當的使用者/組權限vmail:vmail
  • 驗證的 uidNumber 和 gidNumber 是 5000

Dovecot Local Delivery Agent 現在能夠處理電子郵件並將其儲存在/home/vmail/user@domain目錄中。

pass_attrs = mail=user,userPassword=password

可能是錯的。它的意思是“使用mail 作為使用者名ldap 屬性名和userPassword 作為密碼屬性名”。

我相信它應該是:

pass_attrs = mail=uid,userPassword=password

您可以通過查看 OpenLDAP 日誌來檢查它。

我也懷疑:

user_attrs = mailHomeDirectory=home

因為存在語義衝突。LDAP 屬性home用於 Unix 主目錄,但現在它用作 maildir 位置。你也可以仔細檢查一下嗎?

引用自:https://serverfault.com/questions/731850