LDAP

LDAP is a protocol that provides access to directories of information. LDAP directories are composed of entries that are organized into hierarchies. You have to understand how LDAP works and how your own directory is organized to use it with Postfix. Many networks are starting to make use of LDAP for user information, which makes it a nice way for Postfix to determine what users and addresses it should accept mail for. If your organization uses an LDAP directory, you can query your existing information for your Postfix configuration.

15.2.1 LDAP Configuration

LDAP maps are specified with the ldap map type and can be listed along with any other maps for a given parameter. Unlike MySQL, LDAP parameters are all listed in main.cf. You have to invent a name for the particular LDAP configuration you are creating and specify it with the ldap map type. If you call your LDAP configuration ldapaliases, for example, set your alias maps like this:

alias_maps = ldap:ldapaliases

The LDAP parameters for this configuration all start with the name you invented followed by the name of the parameter. Thus, the LDAP server is identified by the parameter name_server_host, so for the example above, the parameter is called ldapaliases_server_host:

ldapaliases_server_host = ldap.example.com

The important LDAP parameters are defined below. The complete list is available in the LDAP_README file that comes with the Postfix distribution:

name_search_base

The base DN from which to start the search. You have to know the naming context for your directory so that you can specify the common container for your entries. Often it is the root of the directory. Example: ldapaliases_search_base = dc=example, dc=com

name_scope

The scope of the search. There are three possible options for the scope: sub, base, and one. Your directory hierarchy determines which value you need. The base option is rarely useful. With sub the entire tree under the base is searched, and with one only direct child nodes are searched. The _scope parameter defaults to sub if you don't specify another value. Example: ldapaliases_scope = one

name_query_filter

The attributes and values that should form your search filter. The variable %s can be used as a placeholder for the current recipient email address. Example: ldapaliases_query_filter = (mailType=forward)

name_result_attribute

The attribute containing the value you want returned for this lookup. You can list multiple attributes in order of preference. Example: ldapaliases_result_attribute = email, rfc822Mailbox

15.2.2 LDAP Example

A common use of LDAP with Postfix is to protect an internal mail server on a network that uses an LDAP directory of user accounts. Postfix resides on a gateway system accepting messages from the Internet, and relays them to the internal mail server. You want Postfix to reject messages for unknown users on the network so that they are never accepted on your network. By setting the local_recipient_maps parameter to query the LDAP directory, you can configure Postfix so that it knows about all of the user accounts and can reject mail for nonexistent accounts. On a large network there may be different mail systems serving different groups of users. You can also set up Postfix to forward messages to the correct mail server for a particular user by setting transport_maps to point email addresses to the correct internal mail servers.

The LDAP directory includes attributes for mail and mailHost, where mail contains the public email address for a user and mailHost is the internal server to which messages should be forwarded. A sample item in the directory looks like the following:

dn: uid=kdent,ou=people,dc=example,dc=com
uid: kdent
cn: Kyle D. Dent
mail: kyle.dent@example.com
uidNumber: 1001
gidNumber: 1001
mailHost: mail1.example.com
homeDirectory: /home/kdent
mailType: forward
objectClass: people
userPassword: {crypt}hidden
accountStatus: active

Table 15-1 contains the LDAP directory information you need to configure Postfix in this scenario. You should collect the hostname and base DN for your own directory before starting to configure Postfix.

Table 15-2. LDAP directory information for Postfix configuration

Directory information    Values
Host                     ldap.example.com
Base DN                  dc=example,dc=com

For the local_recipient_maps lookup, you only have to know that an address exists in the mail attribute. For forwarding messages to the correct internal mail server, you need the value from the mailHost attribute.

15.2.2.1 Configuring local_recipient_maps

The local_recipient_maps parameter points to lists of local users that should receive email at this system. By default it points to the user accounts and aliases that exist on the system, so that mail sent to a nonexistent user is rejected by Postfix. In this example, the LDAP directory contains the list of all email accounts that should receive mail on the system. You can set up an ldap lookup map for local_recipient_maps. In the case of local_recipient_maps, the value returned is not used for anything because you only need to know if the email address exists or not. Use an LDAP configuration called "ldaplocal." First, set local_recipient_maps to use this configuration:

local_recipient_maps = ldap:ldaplocal

The rest of the LDAP parameters for this configuration are set as follows:

ldaplocal_server_host = ldap.example.com
ldaplocal_search_base = dc=example, dc=com
ldaplocal_query_filter = (&(mail=%s)(accountStatus=active))
ldaplocal_result_attribute = uid

The ldaplocal_query_filter parameter compares the recipient email address to the mail attribute in the directory. It also checks to make sure that the accountStatus attribute is set to active. The result attribute is set to uid. For this lookup, you only need to know that the item exists, but Postfix does require a non-blank result for the lookup.

After reloading Postfix, it uses the LDAP configuration to determine local users and reject mail for recipients not listed in the LDAP directory.

You can easily check your LDAP configuration file with the postmap command:

$ postmap -q 'kyle.dent@example.com' ldap:ldaplocal
kdent

The -q option tells postmap to query the map using the specified key; because the query filter matches on the mail attribute, the key is the recipient's email address, and the uid value is printed as the result. If your query has any problems, postmap reports them to your terminal.

15.2.2.2 Configuring transport_maps

When messages received by Postfix have to be relayed to the correct internal mail server, use transport_maps. Set transport_maps to use a new LDAP configuration called "ldaptransport":

transport_maps = ldap:ldaptransport

Because the LDAP directory returns just the name of the host, and you need a transport value (transport:nexthop), you can use the _result_filter parameter to specify a template for the results:

ldaptransport_result_filter = relay:%s

Also, configure the following parameters:

ldaptransport_server_host = ldap.example.com
ldaptransport_search_base = dc=example, dc=com
ldaptransport_query_filter = (&(mail=%s)(accountStatus=active))
ldaptransport_result_attribute = mailHost

Again, the ldaptransport_query_filter parameter compares the recipient email address to the mail attribute in the directory and checks to make sure that the accountStatus attribute is set to active. The result attribute is the value for the mailHost attribute, which is the email server that should receive messages for the specified user. The result is expanded in the template specified in ldaptransport_result_filter.

Be sure to reload Postfix for the new ldap transport map to go into effect.
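To see what the ldaplocal and ldaptransport maps above actually return for a given recipient, here is an added Python model of a Postfix ldap: table lookup. It is example code written for this section, not Postfix code and not from the book: it talks to no LDAP server, but runs the main.cf parameters from this section against an inline LDIF containing the kdent entry from the text plus a hypothetical disabled account (olduser, mail2.example.com, both constructed). The filter evaluator handles only the equality and AND shapes used on this page, and the lookup key is escaped before it is substituted for %s, as the ldap_table(5) manual says Postfix does, so that a recipient address containing filter metacharacters is matched literally rather than as a wildcard.

```python
"""Model of a Postfix ldap: table lookup (added example, not Postfix code).
Supports only (attr=value) and (&(...)(...)) filters, as used on this page."""
import re

# Constructed main.cf fragment: the parameters from this section.
MAIN_CF = """
local_recipient_maps = ldap:ldaplocal
ldaplocal_server_host = ldap.example.com
ldaplocal_search_base = dc=example, dc=com
ldaplocal_query_filter = (&(mail=%s)(accountStatus=active))
ldaplocal_result_attribute = uid

transport_maps = ldap:ldaptransport
ldaptransport_server_host = ldap.example.com
ldaptransport_search_base = dc=example, dc=com
ldaptransport_query_filter = (&(mail=%s)(accountStatus=active))
ldaptransport_result_attribute = mailHost
ldaptransport_result_filter = relay:%s
"""

# Constructed directory: the entry from the text plus a hypothetical disabled user.
LDIF = """
dn: uid=kdent,ou=people,dc=example,dc=com
uid: kdent
mail: kyle.dent@example.com
mailHost: mail1.example.com
accountStatus: active

dn: uid=olduser,ou=people,dc=example,dc=com
uid: olduser
mail: old.user@example.com
mailHost: mail2.example.com
accountStatus: disabled
"""

def parse_main_cf(text):
    """Return {parameter: value} for 'name = value' lines."""
    cf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            cf[k.strip()] = v.strip()
    return cf

def parse_ldif(text):
    """Return a list of entries, each {attr: [values]}; blank lines separate entries."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, val = line.split(":", 1)
        cur.setdefault(attr.strip(), []).append(val.strip())
    return entries

def normalize_dn(dn):
    """Drop the optional whitespace after commas ('dc=example, dc=com')."""
    return ",".join(p.strip() for p in dn.split(","))

def escape_key(key):
    """RFC 4515 escaping of the lookup key before it replaces %s, so the
    recipient address cannot inject filter metacharacters."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in key)

def unescape(value):
    """Reverse RFC 4515 escaping, as the server does before comparing."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def in_scope(entry_dn, base, scope):
    """Apply the sub/one/base search scope relative to the search base."""
    edn, base = normalize_dn(entry_dn), normalize_dn(base)
    if scope == "base":
        return edn == base
    if not edn.endswith("," + base):
        return False
    relative = edn[:-len(base) - 1]
    return scope == "sub" or "," not in relative   # one: exactly one RDN below base

def matches(entry, filt):
    """Evaluate an equality filter or an AND of equality filters."""
    if filt.startswith("(&"):
        return all(matches(entry, "(" + sub + ")")
                   for sub in re.findall(r"\(([^()]*)\)", filt[2:-1]))
    attr, value = filt[1:-1].split("=", 1)
    return unescape(value) in entry.get(attr, [])

def ldap_lookup(cf, name, key, entries):
    """Do what Postfix does for 'ldap:NAME' with the given key; None = not found."""
    def param(suffix, default=None):
        return cf.get("%s_%s" % (name, suffix), default)
    filt = param("query_filter").replace("%s", escape_key(key))
    for entry in entries:
        if not in_scope(entry["dn"][0], param("search_base"), param("scope", "sub")):
            continue
        if not matches(entry, filt):
            continue
        for attr in (a.strip() for a in param("result_attribute").split(",")):
            if entry.get(attr):   # first result attribute present wins
                return param("result_filter", "%s").replace("%s", entry[attr][0])
    return None

def postmap_q(key, table, cf_text=MAIN_CF, ldif_text=LDIF):
    """Equivalent of: postmap -q KEY ldap:NAME"""
    kind, name = table.split(":", 1)
    if kind != "ldap":
        raise ValueError("only ldap: tables are modelled")
    return ldap_lookup(parse_main_cf(cf_text), name, key, parse_ldif(ldif_text))

if __name__ == "__main__":
    for key in ("kyle.dent@example.com", "old.user@example.com", "nobody@example.com", "*"):
        print(key, postmap_q(key, "ldap:ldaplocal"), postmap_q(key, "ldap:ldaptransport"))
```

The active user resolves to kdent in the ldaplocal map and to relay:mail1.example.com in the ldaptransport map; the disabled user and the unknown address both return nothing, which is the "reject mail for nonexistent accounts" behaviour the section describes, and a key of * is matched literally rather than as a wildcard because of the escaping.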
