Postfix: LDAP Verification Does Not Work for a Domain

Discussion in 'Server Operation' started by Paulux32, Oct 27, 2018.

  1. Paulux32

    Paulux32 New Member


    I expose here a problem a little twisted ...
    So, first of all, the products concerned:

    CentOs 7.5 servers
    Postfix 2.11

    My problem :
    I have several postfix mail relays at work, all of which were found on the same date and at the same time, at the same time, to no longer reject the "unknown recipients", and only for one domain (we manage thirty).
    Clearly, we can write to 'hjkggmydomain', the message is accepted, and transmitted.
    On the other hand, if I write to 'jlkjklsousdomain.mydomain' the rejection is effective after ldap verification.

    After long researches, no modification of our maps on the date said, neither of the nor the
    No stop / restart of postfix, no rehash ... (log analysis)
    Of course, is part of the map set in relay_domains of the ldap check instance ...
    So I made the test to remove from this map a domain that is well checked and rejected if the recipient is not known.
    Obviously, in this case, the verification does not take place for this other domain.

    I'm going crazy. If someone has already encountered this type of problem and especially solved it, I am clearly a taker!

    An info that may be important: it is the main domain name.
    (sorry for my english, i used Google Traduction)

    Thank you :)
  2. Paulux32

    Paulux32 New Member


    Well, no answers, but the problem was special ...

    I found :
    By increasing the debug to level 10:
    The LDAP verification on Postfix is done in two steps: the first is the verification of the whole address "name(@)".
    If the first check did not "match", which was the case at my job, the second step is to check the existence of the address "@"

    So I made the ldapsearch request by targeting the mail "".
    Bingo, an account existed with this address ...

    The Active Directory team had created an account with an email address "(@)", a stupid scripting error.
    So the LDAP check was right, and let the mails go, even if the left side of the mail was unknown.

    If it can help someone ...
    Taleman likes this.

Share This Page