@tjormola
Created July 18, 2016 22:48
TLS protected LDAP connection problem with Postfix doing ldap_table lookups from ActiveDirectory
############################################################
# Story: Postfix 3.1.0 as packaged in Ubuntu 16.04 xenial
# fails to open a STARTTLS-initiated, TLS-protected connection
# to LDAP when using ldap_table for
# e.g. virtual_mailbox_domains, with the error
#
# Unable to allocate new TLS context -1: Can't contact LDAP server
#
# The target LDAP is an ActiveDirectory instance implemented
# by Samba 4.4.5. The certificate chain is OK with a custom CA.
# Everything related to LDAP lookups from Postfix works
# perfectly if not using TLS.
#
# The strange thing is that TLS-protected connections
# to this AD work fine with other tools such as ldapsearch and
# postmap on the command line, but the processes launched by
# Postfix upon receiving mail fail to initialize TLS
# in the LDAP client library code and generate this error.
#
# In Ubuntu/xenial Postfix is linked against OpenLDAP 2.4.42,
# which is linked against GnuTLS 3.4.10 for TLS.
############################################################
############################################################
# main.cf
############################################################
shelluser@postfix-host:~$ sudo postconf -nf
mydestination =
mydomain = domain.example
mynetworks = 127.0.0.0/8 10.16.0.0/16
smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination
virtual_mailbox_domains = ldap:/etc/postfix/virtual-mailbox-domains.cf
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-maps-dummy-test.cf
virtual_transport = lmtp:inet:dovecot-host.domain.example:24
############################################################
############################################################
# master.cf
############################################################
shelluser@postfix-host:~$ sudo postconf -Mf
smtp inet n - y - - smtpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
############################################################
############################################################
# /etc/postfix/virtual-mailbox-maps-dummy-test.cf for testing without LDAP
############################################################
shelluser@postfix-host:~$ cat /etc/postfix/virtual-mailbox-maps-dummy-test.cf
test@example.com OK
############################################################
############################################################
# /etc/postfix/virtual-mailbox-domains.cf the ldap_table configuration file
############################################################
shelluser@postfix-host:~$ grep -v '#' /etc/postfix/virtual-mailbox-domains.cf
server_host = ldap://dc-host.domain.example
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-cert.pem
debuglevel = 1
bind = yes
bind_dn = postfix-user@DOMAIN.EXAMPLE
bind_pw = postfix-password
search_base = cn=Mail,dc=domain,dc=example
scope = one
query_filter = (CN=%s)
result_attribute = cn
############################################################
############################################################
# Emulate the LDAP connection and query done by Postfix using ldapsearch, this works ok
############################################################
shelluser@postfix-host:~$ ldapsearch -h dc-host.domain.example -D postfix-user@DOMAIN.EXAMPLE -x -w postfix-password -ZZ -b cn=Mail,dc=domain,dc=example -s one '(CN=example.com)' cn
# extended LDIF
#
# LDAPv3
# base <cn=Mail,dc=domain,dc=example> with scope oneLevel
# filter: (CN=example.com)
# requesting: cn
#
# example.com, Mail, domain.example
dn: CN=example.com,CN=Mail,DC=domain,DC=example
cn: example.com
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
############################################################
############################################################
# postmap -q works too, debuglevel = 1 commented out from the ldap_table config
############################################################
shelluser@postfix-host:~$ postmap -q example.com ldap:/etc/postfix/virtual-mailbox-domains.cf
example.com
############################################################
############################################################
# Now when receiving mail, we see this in Postfix logs
############################################################
Jul 19 01:23:54 postfix-host postfix[25131]: Postfix is running with backwards-compatible default settings
Jul 19 01:23:54 postfix-host postfix[25131]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Jul 19 01:23:54 postfix-host postfix[25131]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Jul 19 01:23:56 postfix-host postfix/master[25197]: daemon started -- version 3.1.0, configuration /etc/postfix
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: connect from client-host.domain.example[10.16.12.10]
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_create
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_url_parse_ext(ldap://dc-host.domain.example)
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: TLS: could not allocate default ctx.
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_err2string
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains: ldap:/etc/postfix/virtual-mailbox-domains.cf: table lookup problem
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains lookup failure
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_create
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_url_parse_ext(ldap://dc-host.domain.example)
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: TLS: could not allocate default ctx.
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_err2string
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains: ldap:/etc/postfix/virtual-mailbox-domains.cf: table lookup problem
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains lookup failure
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: NOQUEUE: reject: RCPT from client-host.domain.example[10.16.12.10]: 451 4.3.0 <test@example.com>: Temporary lookup failure; from=<shelluser@dc-host.domain.example> to=<test@example.com> proto=SMTP helo=<dc-host.domain.example>
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: disconnect from client-host.domain.example[10.16.12.10] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
############################################################
@jivanpal
I'm experiencing the exact same issue now! Did you ever resolve this, by any chance? I'd love to know how you fixed it; been looking for hours on end...

@csarn commented Oct 2, 2022

For anyone finding this via google:
smtpd is running inside a chroot, where the CA certificate does not exist. You have to copy (or bind-mount) /etc/ssl/certs/ca-cert.pem to /var/spool/postfix/etc/ssl/certs/ca-cert.pem.
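csarn's explanation matches the master.cf dumped above: column 5 of each master.cf line is the chroot flag, and both smtpd and rewrite (trivial-rewrite, the process that does the virtual_mailbox_domains lookups in the log) run with chroot = y, so inside those processes /etc/ssl/certs/ca-cert.pem is resolved under the queue directory (/var/spool/postfix) and does not exist there. ldapsearch and postmap run outside the jail, which is why they succeed with the same table. The following script is an added example, not part of the gist or of Postfix: it parses a master.cf excerpt and an ldap_table excerpt (both constructed inline from the gist, password redacted) and reports which TLS files the table references that are missing under a given chroot directory. The chroot directory is a path argument, so the check runs offline against any directory standing in for /var/spool/postfix.

```sh
#!/bin/sh
# Added example (not from the gist). Verifies that the files an ldap_table
# hands to the TLS layer (tls_ca_cert_file, tls_ca_cert_dir, tls_cert, tls_key)
# exist *inside* the Postfix chroot for every service master.cf runs with
# chroot=y. No LDAP connection is made.

# Constructed master.cf excerpt (from the gist): column 5 is the chroot flag.
MASTER_CF='smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
rewrite   unix  -       -       y       -       -       trivial-rewrite
proxymap  unix  -       -       n       -       -       proxymap
maildrop  unix  -       n       n       -       -       pipe flags=DRhu
  user=vmail argv=/usr/bin/maildrop -d ${recipient}'

# Constructed ldap_table excerpt (from the gist, bind_pw redacted).
LDAP_TABLE='server_host = ldap://dc-host.domain.example
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-cert.pem
bind = yes
bind_dn = postfix-user@DOMAIN.EXAMPLE
bind_pw = REDACTED
search_base = cn=Mail,dc=domain,dc=example'

# chrooted_services MASTER_CF_TEXT: print the names of services with chroot=y.
chrooted_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/       { next }        # comments and blank lines
        /^[ \t]/             { next }        # indented continuation lines (argv=...)
        NF >= 8 && $5 == "y" { print $1 }    # field 5 is the chroot column
    '
}

# tls_files LDAP_TABLE_TEXT: print every path the table passes to the TLS layer.
tls_files() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key ~ /^tls_(ca_cert_file|ca_cert_dir|cert|key)$/ && val != "") print val
        }
    '
}

# audit MASTER_CF_TEXT LDAP_TABLE_TEXT JAIL_DIR SERVICE
# Returns 0 if SERVICE is not chrooted, or if every TLS file the table names
# exists under JAIL_DIR; returns 1 and lists the missing files otherwise.
audit() {
    audit_master=$1; audit_table=$2; audit_jail=$3; audit_service=$4; audit_rc=0
    if ! chrooted_services "$audit_master" | grep -qx "$audit_service"; then
        echo "$audit_service: chroot=n, host paths apply"
        return 0
    fi
    for audit_f in $(tls_files "$audit_table"); do
        if [ -e "$audit_jail$audit_f" ]; then
            echo "$audit_service: ok      $audit_jail$audit_f"
        else
            echo "$audit_service: MISSING $audit_jail$audit_f  (table references $audit_f)"
            audit_rc=1
        fi
    done
    return $audit_rc
}

# Stand-alone demo: an empty directory standing in for /var/spool/postfix
# reproduces the gist's situation (CA file absent inside the jail), then the
# fix from the comment above (a copy of the CA under the jail) makes it pass.
DEMO_ROOT=$(mktemp -d)
audit "$MASTER_CF" "$LDAP_TABLE" "$DEMO_ROOT" rewrite || true
mkdir -p "$DEMO_ROOT/etc/ssl/certs"
: > "$DEMO_ROOT/etc/ssl/certs/ca-cert.pem"
audit "$MASTER_CF" "$LDAP_TABLE" "$DEMO_ROOT" rewrite
audit "$MASTER_CF" "$LDAP_TABLE" "$DEMO_ROOT" proxymap
rm -rf "$DEMO_ROOT"
```

On a real host, feed it `postconf -Mf` output and the live table, with /var/spool/postfix as the jail directory. Two practitioner notes: a copy of the CA file inside the jail is a second artifact to update whenever the CA rotates, and Postfix's documented alternative is to let the chrooted process query the non-chrooted proxymap service (chroot = n in the master.cf above) with `proxy:ldap:/etc/postfix/virtual-mailbox-domains.cf`, which keeps both the CA file and the table with its bind_pw outside the jail. Whichever route is taken, keep `tls_require_cert = yes`; relaxing it to make the error go away would send the bind password to an unverified peer.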
