I am using Postfix with LDAP. However, when I receive an email and Postfix goes to LDAP to get the recipient information, it queries using the sender address.
LDAP log

```
Mar 31 16:18:06 appserver slapd[2499399]: daemon: read active on 13
Mar 31 16:18:06 appserver slapd[2499399]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Mar 31 16:18:06 appserver slapd[2499399]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Mar 31 16:18:06 appserver slapd[2499399]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Mar 31 16:18:06 appserver slapd[2499399]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Mar 31 16:18:06 appserver slapd[2499399]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Mar 31 16:18:06 appserver slapd[2499399]: connection_get(13)
Mar 31 16:18:06 appserver slapd[2499399]: connection_get(13): got connid=1034
Mar 31 16:18:06 appserver slapd[2499399]: connection_read(13): checking for input on id=1034
Mar 31 16:18:06 appserver slapd[2499399]: op tag 0x63, time 1743437886
Mar 31 16:18:06 appserver slapd[2499399]: conn=1034 op=1 do_search
Mar 31 16:18:06 appserver slapd[2499399]: >>> dnPrettyNormal: <dc=mydomain,dc=io>
Mar 31 16:18:06 appserver slapd[2499399]: <<< dnPrettyNormal: <dc=mydomain,dc=io>, <dc=mydomain,dc=io>
Mar 31 16:18:06 appserver slapd[2499399]: SRCH "dc=mydomain,dc=io" 2 0 0 10 0
Mar 31 16:18:06 appserver slapd[2499399]: begin get_filter
Mar 31 16:18:06 appserver slapd[2499399]: EQUALITY
Mar 31 16:18:06 appserver slapd[2499399]: end get_filter 0
Mar 31 16:18:06 appserver slapd[2499399]: filter: (dc=gmail.com)
Mar 31 16:18:06 appserver slapd[2499399]: attrs: dn
Mar 31 16:18:06 appserver slapd[2499399]: conn=1034 op=1 SRCH base="dc=mydomain,dc=io" scope=2 deref=0 filter="(dc=gmail.com)"
Mar 31 16:18:06 appserver slapd[2499399]: conn=1034 op=1 SRCH attr=dn
Mar 31 16:18:06 appserver slapd[2499399]: => mdb_search
Mar 31 16:18:06 appserver slapd[2499399]: mdb_dn2entry("dc=mydomain,dc=io")
Mar 31 16:18:06 appserver slapd[2499399]: => mdb_dn2id("dc=mydomain,dc=io")
Mar 31 16:18:06 appserver slapd[2499399]: <= mdb_dn2id: got id=0x1
Mar 31 16:18:06 appserver slapd[2499399]: => mdb_entry_decode:
Mar 31 16:18:06 appserver slapd[2499399]: <= mdb_entry_decode
Mar 31 16:18:06 appserver slapd[2499399]: => access_allowed: search access to "dc=mydomain,dc=io" "entry" requested
Mar 31 16:18:06 appserver slapd[2499399]: <= root access granted
Mar 31 16:18:06 appserver slapd[2499399]: => access_allowed: search access granted by manage(=mwrscxd)
Mar 31 16:18:06 appserver slapd[2499399]: search_candidates: base="dc=mydomain,dc=io" (0x00000001) scope=2
```

Postfix log
```
Apr 1 05:34:42 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: flags
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute name: flags
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute value: 0
Apr 1 05:34:42 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: address
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute name: address
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute value: ""
Apr 1 05:34:42 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: (list terminator)
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute name: (end)
Apr 1 05:34:42 mail postfix/smtpd[89697]: rewrite_clnt: local: "" -> ""
Apr 1 05:34:42 mail postfix/smtpd[89697]: send attr request = rewrite
Apr 1 05:34:42 mail postfix/smtpd[89697]: send attr rule = local
Apr 1 05:34:42 mail postfix/smtpd[89697]: send attr address = [email protected]
Apr 1 05:34:42 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: flags
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute name: flags
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute value: 0
Apr 1 05:34:42 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: address
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute name: address
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute value: [email protected]
Apr 1 05:34:42 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: (list terminator)
Apr 1 05:34:42 mail postfix/smtpd[89697]: input attribute name: (end)
Apr 1 05:34:42 mail postfix/smtpd[89697]: rewrite_clnt: local: [email protected] -> [email protected]
Apr 1 05:34:42 mail postfix/smtpd[89697]: send attr request = resolve
Apr 1 05:34:42 mail postfix/smtpd[89697]: send attr sender =
Apr 1 05:34:42 mail postfix/smtpd[89697]: send attr address = [email protected]
Apr 1 05:34:52 mail postfix/trivial-rewrite[89701]: warning: dict_ldap_connect: Unable to bind to server ldap://knox.mydomain.io with dn cn=admin,dc=mydomain,dc=io: -1 (Can't contact LDAP server)
Apr 1 05:34:52 mail postfix/trivial-rewrite[89701]: warning: virtual_alias_domains: ldap:/etc/postfix/ldap/ldap-aliases.cf: table lookup problem
Apr 1 05:34:52 mail postfix/trivial-rewrite[89701]: warning: virtual_alias_domains lookup failure
Apr 1 05:34:52 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: flags
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute name: flags
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute value: 0
Apr 1 05:34:52 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: transport
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute name: transport
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute value: CHANNEL NOT UPDATED
Apr 1 05:34:52 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: nexthop
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute name: nexthop
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute value: NEXTHOP NOT UPDATED
Apr 1 05:34:52 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: recipient
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute name: recipient
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute value: [email protected]
Apr 1 05:34:52 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: flags
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute name: flags
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute value: 8
Apr 1 05:34:52 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: (list terminator)
Apr 1 05:34:52 mail postfix/smtpd[89697]: input attribute name: (end)
Apr 1 05:34:52 mail postfix/smtpd[89697]: resolve_clnt: `' -> `[email protected]' -> transp=`CHANNEL NOT UPDATED' host=`NEXTHOP NOT UPDATED' rcpt=`[email protected]' flags=fail class=
Apr 1 05:34:52 mail postfix/smtpd[89697]: ctable_locate: install entry key [email protected]
Apr 1 05:34:52 mail postfix/smtpd[89697]: extract_addr: in: <[email protected]>, result: [email protected]
Apr 1 05:34:52 mail postfix/smtpd[89697]: send attr request = rewrite
Apr 1 05:34:52 mail postfix/smtpd[89697]: send attr rule = local
Apr 1 05:34:52 mail postfix/smtpd[89697]: send attr address = double-bounce
Apr 1 05:34:52 mail postfix/smtpd[89697]: private/rewrite socket: wanted attribute: flags
```

postconf -n
```
alias_database =
alias_maps =
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 10
html_directory = no
inet_interfaces = all
inet_protocols = all
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.io
myhostname = mail.mydomain.io
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:12301
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_sasl_auth_enable = no
smtp_sasl_mechanism_filter = LOGIN, PLAIN
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_banner = Ehlo from mydomain.io
smtpd_client_restrictions = permit permit_mynetworks permit_sasl_authenticated
smtpd_milters = inet:localhost:12301
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_recipient_domain
smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks permit_sasl_authenticated defer_unauth_destination}}
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.mydomain.io/chain.pem
smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.io/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.io/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap/ldap-aliases.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap/ldap-recipients.cf
```

ldap-aliases.cf
```
server_host = ldap://knox.mydomain.io
server_port = 1389
search_base = dc=mydomain,dc=io
query_filter = (mail=%s)
result_attribute = mail
bind_dn = cn=admin,dc=mydomain,dc=io
bind_pw = mysecretpass
# scope = sub
version = 3
```

ldap-recipients.cf
```
server_host = ldap://knox.mydomain.io:1389
server_port = 1389
bind_dn = cn=admin,dc=mydomain,dc=io
bind_pw = mysecretpass
search_base = dc=mydomain,dc=io
query_filter = (&(mail=%s)(|(mail=*@mydomain.io)))
result_attribute = homeDirectory
version = 3
scope = sub
```

Why is it doing this? I have LDAP proxied through a jump box on port 1389 to 389 on the application server, and can connect to it fine with Apache Directory Manager, no problem.
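As an added illustration (not Postfix's code and not from the poster), the following models how a Postfix `ldap:` table turns a lookup key into the filter it sends, following the `%s`/`%u`/`%d` expansion and the `domain` restriction described in ldap_table(5): with `virtual_alias_domains` left at its default of `$virtual_alias_maps`, bare domain names such as `gmail.com` are looked up in the aliases table, and a `domain = mydomain.io` line in the table suppresses those lookups. The exact escaping and the case-insensitive domain match are my reading of the manual, not verified against the Postfix source.

```python
"""Model of Postfix ldap: table key expansion (ldap_table(5): %s/%u/%d and the
`domain` restriction).  Added illustration, not Postfix's own code."""
import re
from typing import Optional, Sequence

# RFC 4515 metacharacters that must be quoted before a key enters the filter
_SPECIAL = '\\*()\x00'


def ldap_filter_escape(value: str) -> str:
    """Backslash-hex escape so a key like '*)(objectClass=*' cannot change
    the structure of the query (modelled on Postfix's RFC 2254 quoting)."""
    return ''.join('\\%02x' % ord(ch) if ch in _SPECIAL else ch for ch in value)


def expand_query_filter(query_filter: str, key: str,
                        domains: Sequence[str] = ()) -> Optional[str]:
    """Return the filter Postfix would send for `key`, or None when the lookup
    is suppressed.  `domains` models the table's `domain =` setting: once set,
    bare-domain keys (what a virtual_alias_domains check sends), bare-user keys
    and user@other-domain keys are never sent to the LDAP server."""
    at = key.rfind('@')
    has_parts = 0 < at < len(key) - 1              # non-empty local part and domain
    user, domain = (key[:at], key[at + 1:]) if has_parts else (None, None)

    if domains and (domain is None or
                    domain.lower() not in {d.lower() for d in domains}):
        return None
    # %u / %d require a user@domain key; otherwise the search is not performed
    if domain is None and re.search(r'%[ud]', query_filter):
        return None

    def _sub(m: "re.Match") -> str:
        return ldap_filter_escape({'s': key, 'u': user, 'd': domain}[m.group(1)])

    return re.sub(r'%([sud])', _sub, query_filter)


ALIASES_QUERY_FILTER = "(mail=%s)"              # query_filter from ldap-aliases.cf above


def demo() -> dict:
    """The lookups the aliases table performs with and without a `domain` line."""
    return {
        "gmail_unrestricted": expand_query_filter(ALIASES_QUERY_FILTER, "gmail.com"),
        "gmail_restricted": expand_query_filter(ALIASES_QUERY_FILTER, "gmail.com", ["mydomain.io"]),
        "local_recipient": expand_query_filter(ALIASES_QUERY_FILTER, "user@mydomain.io", ["mydomain.io"]),
        "hostile_key": expand_query_filter(ALIASES_QUERY_FILTER, "*)(objectClass=*"),
    }


if __name__ == "__main__":
    for name, flt in demo().items():
        print(f"{name:20s} {flt!r}")
```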
`smtpd_banner` is wrong. It's supposed to start with `$myhostname`, but Postfix just copies whatever you configure, even if that gets clients confused as they try to confirm your server's FQDN.