Gist tjormola/98efc0c8eb8219d4a48ab75465e468c0
Created July 18, 2016 22:48
TLS protected LDAP connection problem with Postfix doing ldap_table lookups from ActiveDirectory
# Story: Postfix 3.1.0 as packaged in Ubuntu 16.04 xenial
# fails to open a STARTTLS initiated TLS protected connection
# to LDAP when using ldap_table for
# e.g. virtual_mailbox_domains with error
# Unable to allocate new TLS context -1: Can't contact LDAP server
# The target LDAP is an ActiveDirectory instance implemented
# by Samba 4.4.5. Certificate chain is ok with a custom CA.
# Everything related to LDAP lookups from Postfix works
# perfectly if not using TLS.
# The strange thing is that TLS protected connections
# to this AD work fine with other tools such as ldapsearch and
# postmap on command-line, but the processes launched by
# Postfix upon receiving mail will fail to initialize TLS
# in the LDAP client library code and generate this error.
# In Ubuntu/xenial Postfix is linked against OpenLDAP 2.4.42
# which is linked against GnuTLS 3.4.10 for the TLS stuff.
shelluser@postfix-host:~$ sudo postconf -nf
mydestination =
mydomain = domain.example
mynetworks =
smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination
virtual_mailbox_domains = ldap:/etc/postfix/
virtual_mailbox_maps = hash:/etc/postfix/
virtual_transport = lmtp:inet:dovecot-host.domain.example:24
shelluser@postfix-host:~$ sudo postconf -Mf
smtp inet n - y - - smtpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/ ${nexthop}
# /etc/postfix/ for testing without LDAP
shelluser@postfix-host:~$ cat /etc/postfix/ OK
# /etc/postfix/ the ldap_table configuration file
shelluser@postfix-host:~$ grep -v '#' /etc/postfix/
server_host = ldap://dc-host.domain.example
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-cert.pem
debuglevel = 1
bind = yes
bind_dn = postfix-user@DOMAIN.EXAMPLE
bind_pw = postfix-password
search_base = cn=Mail,dc=domain,dc=example
scope = one
query_filter = (CN=%s)
result_attribute = cn
# Emulate the LDAP connection and query done by Postfix using ldapsearch, this works ok
shelluser@postfix-host:~$ ldapsearch -h dc-host.domain.example -D postfix-user@DOMAIN.EXAMPLE -x -w postfix-password -ZZ -b cn=Mail,dc=domain,dc=example -s one '(' cn
# extended LDIF
# LDAPv3
# base <cn=Mail,dc=domain,dc=example> with scope oneLevel
# filter: (
# requesting: cn
#, Mail, domain.example
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
# postmap -q works too, debuglevel = 1 commented out from the ldap_table config
shelluser@postfix-host:~$ postmap -q ldap:/etc/postfix/
# Now when receiving mail, we see this in Postfix logs
Jul 19 01:23:54 postfix-host postfix[25131]: Postfix is running with backwards-compatible default settings
Jul 19 01:23:54 postfix-host postfix[25131]: See for details
Jul 19 01:23:54 postfix-host postfix[25131]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Jul 19 01:23:56 postfix-host postfix/master[25197]: daemon started -- version 3.1.0, configuration /etc/postfix
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: connect from client-host.domain.example[]
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_create
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_url_parse_ext(ldap://dc-host.domain.example)
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: TLS: could not allocate default ctx.
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_err2string
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains: ldap:/etc/postfix/ table lookup problem
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains lookup failure
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_create
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_url_parse_ext(ldap://dc-host.domain.example)
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: TLS: could not allocate default ctx.
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: dict_ldap_debug: ldap_err2string
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains: ldap:/etc/postfix/ table lookup problem
Jul 19 01:24:07 postfix-host postfix/trivial-rewrite[25349]: warning: virtual_mailbox_domains lookup failure
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: NOQUEUE: reject: RCPT from client-host.domain.example[]: 451 4.3.0 <>: Temporary lookup failure; from=<shelluser@dc-host.domain.example> to=<> proto=SMTP helo=<dc-host.domain.example>
Jul 19 01:24:07 postfix-host postfix/smtpd[25337]: disconnect from client-host.domain.example[] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
csarn commented Oct 2, 2022

For anyone finding this via Google:
smtpd is running inside a chroot, where the CA certificate does not exist. You have to copy (or bind-mount) /etc/ssl/certs/ca-cert.pem to /var/spool/postfix/etc/ssl/certs/ca-cert.pem.
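An added example, not from the gist or its comments: a POSIX shell check that reads master.cf lines as printed by `postconf -Mf`, lists the services with `y` in the chroot column, and reports which of them cannot see the ldap_table's `tls_ca_cert_file` under `queue_directory`. The throwaway queue directory, the trimmed table file and the mirroring step are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the gist): check that the CA file an ldap_table
# needs for STARTTLS is visible inside the Postfix chroot. Services with
# "y" in the chroot column (5th field of "postconf -Mf") resolve paths
# relative to queue_directory (default /var/spool/postfix); postmap and
# ldapsearch run outside the chroot, which is why they succeed.

# Print the names of chrooted services from master.cf lines on stdin;
# continuation lines (leading whitespace) and comments are skipped.
chrooted_services() {
    awk '/^[^[:space:]#]/ && NF >= 5 && $5 == "y" { print $1 }'
}

# Print the value of key $2 from ldap_table file $1 (first match only).
ldap_table_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print every chrooted service (master.cf lines on stdin) that cannot see
# tls_ca_cert_file from ldap_table $2 under queue_directory $1.
services_missing_ca() {
    ca=$(ldap_table_value "$2" tls_ca_cert_file)
    [ -n "$ca" ] && [ ! -e "$1$ca" ] || return 0
    chrooted_services
}

# Constructed fixture: a throwaway queue_directory and a trimmed table.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ldap-table.cf" <<'EOF'
server_host = ldap://dc-host.domain.example
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-cert.pem
EOF
# Subset of the gist's "postconf -Mf" output (trivial-rewrite is chrooted).
MASTER_CF='smtp inet n - y - - smtpd
rewrite unix - - y - - trivial-rewrite
proxymap unix - - n - - proxymap
local unix - n n - - local
maildrop unix - n n - - pipe flags=DRhu
  user=vmail argv=/usr/bin/maildrop -d ${recipient}'

# Before mirroring the CA into the chroot: smtp and rewrite are reported.
before=$(printf '%s\n' "$MASTER_CF" | services_missing_ca "$WORK" "$WORK/ldap-table.cf")
# The fix from the comment above: copy the CA under queue_directory.
mkdir -p "$WORK/etc/ssl/certs" && : > "$WORK/etc/ssl/certs/ca-cert.pem"
after=$(printf '%s\n' "$MASTER_CF" | services_missing_ca "$WORK" "$WORK/ldap-table.cf")
echo "missing before fix: $(echo "$before" | tr '\n' ' ')"
echo "missing after fix:  ${after:-none}"
```

On a real host, replace the fixture with `/var/spool/postfix` (or the configured `queue_directory`), the real ldap_table file, and `postconf -Mf` piped into `services_missing_ca`.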
