A bug somewhere in the management of LDAP tables?

A bug somewhere in the management of LDAP tables?

Olivier Nicole-2
Hi,

I just made a typo writing a filter in an LDAP table: I typed s%
instead of %s:

   query_filter = (&(mail=s%)(csimAccountPermission=mail)(!(uid=vw)))

should be:

   query_filter = (&(mail=%s)(csimAccountPermission=mail)(!(uid=vw)))

as a result, postmap would coredump (and eventually mail would not be
delivered by Postfix).

Maybe there is a need for a better check of the syntax of the LDAP
tables.

Best regards,

Olivier

Re: A bug somewhere in the management of LDAP tables?

Wietse Venema
Olivier Nicole:

> Hi,
>
> I just made a typo writing a filter in an LDAP table: I typed s%
> instead of %s:
>
>    query_filter = (&(mail=s%)(csimAccountPermission=mail)(!(uid=vw)))
>
> should be:
>
>    query_filter = (&(mail=%s)(csimAccountPermission=mail)(!(uid=vw)))
>
> as a result, postmap would coredump (and eventually mail would not be
> delivered by Postfix).
>
> Maybe there is a need for a better check of the syntax of the LDAP
> tables.
>
> Best regards,
>

Which Postfix version?

        Wietse

Re: A bug somewhere in the management of LDAP tables?

Victor Duchovni
In reply to this post by Olivier Nicole-2
On Mon, Oct 05, 2009 at 10:27:42AM +0700, Olivier Nicole wrote:

> Hi,
>
> I just made a typo writing a filter in an LDAP table: I typed s%
> instead of %s:
>
>    query_filter = (&(mail=s%)(csimAccountPermission=mail)(!(uid=vw)))
>
> should be:
>
>    query_filter = (&(mail=%s)(csimAccountPermission=mail)(!(uid=vw)))
>
> as a result, postmap would coredump (and eventually mail would not be
> delivered by Postfix).
>
> Maybe there is a need for a better check of the syntax of the LDAP
> tables.

Actually, the syntax *is* checked, the problem is that the "fatal"
message that is issued in this case attempts to use the table name,
via a NULL handle. You get a fatal error either way, only with the
repaired code a more useful error message and no core dump.

Patch:

Index: src/global/db_common.c
--- src/global/db_common.c 27 Apr 2009 03:36:00 -0000 1.1.1.1
+++ src/global/db_common.c 5 Oct 2009 20:29:23 -0000
@@ -228,7 +228,7 @@
  break;
     default:
  msg_fatal("db_common_parse: %s: Invalid %s template: %s",
-  dict->name, query ? "query" : "result", format);
+  ctx->dict->name, query ? "query" : "result", format);
     }
     return dynamic;
 }
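
Review bot: In the default branch, the msg_fatal call now reads ctx->dict->name, which only helps if ctx->dict is always populated before a template reaches this switch; the hunk does not show where it is assigned, so that is worth confirming, since this path exists to report bad input and should never fault itself. It would also be worth checking the rest of db_common.c for other uses of the bare dict handle, which could hit the same NULL dereference. A one-line comment at the call saying why ctx->dict is used rather than dict would keep a later edit from reverting it.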

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
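
The failure discussed in this thread has two parts: a template check that rejects an expansion such as `%)`, and an error path that must not dereference a missing table handle while reporting it. The following standalone C illustration of both is an added example, not Postfix source; `struct table`, `struct parse_ctx`, `table_name` and `check_template` are hypothetical names, and the accepted expansion set is assumed from ldap_table(5).

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for a table handle and its parser context. */
struct table { const char *name; };
struct parse_ctx { const struct table *table; };

/* Printable table name that tolerates a missing context or handle. */
static const char *table_name(const struct parse_ctx *ctx)
{
    return (ctx && ctx->table && ctx->table->name) ? ctx->table->name
                                                   : "(unknown table)";
}

/* Returns 1 if the template has a key-dependent expansion, 0 if it is
 * static, -1 (with a diagnostic in err) if '%' precedes an unsupported
 * character. Accepted set, assumed from ldap_table(5): %% %s %u %d
 * %S %U %D %1..%9. */
int check_template(const struct parse_ctx *ctx, const char *format,
                   int is_query, char *err, size_t errlen)
{
    int dynamic = 0;
    const char *cp;
    for (cp = format; *cp != '\0'; cp++) {
        if (*cp != '%')
            continue;
        cp++;                           /* character after '%' */
        if (*cp == '%')
            continue;                   /* literal percent sign */
        if (*cp != '\0' && strchr("sudSUD123456789", *cp) != NULL) {
            dynamic = 1;
            continue;
        }
        /* Error path: report without dereferencing a missing handle. */
        snprintf(err, errlen, "%s: invalid %s template at offset %ld: %s",
                 table_name(ctx), is_query ? "query" : "result",
                 (long) (cp - format - 1), format);
        return -1;
    }
    return dynamic;
}

int main(void)
{
    char err[256];
    struct parse_ctx no_table = { NULL };   /* handle never attached */
    /* Constructed sample filter with the s% typo from the thread. */
    if (check_template(&no_table, "(&(mail=s%)(uid=%u))", 1, err, sizeof err) < 0)
        puts(err);
    return 0;
}
```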

Can I give a different CERT for local or remote clients?

phorgan1
My issue has to do with supporting our remote users.  They've been told
to create ssh tunnels for sending email (or any other contact with our
server).  That means that they send their mail to localhost, but get a
cert for our fqdn.  Of course we want the cert to have our fqdn because
other mail servers will relay mail to us for delivery to our domain.  Is
there any way to make this work?

Patrick


Re: Can I give a different CERT for local or remote clients?

Victor Duchovni
On Mon, Oct 05, 2009 at 02:17:02PM -0700, Patrick Horgan wrote:

> My issue has to do with supporting our remote users.  They've been told to
> create ssh tunnels for sending email (or any other contact with our
> server).  That means that they send their mail to localhost, but get a cert
> for our fqdn.  Of course we want the cert to have our fqdn because other
> mail servers will relay mail to us for delivery to our domain.  Is there
> any way to make this work?

They can add the FQDN of your server to /etc/hosts (or similar) with
127.0.0.1 as the IP address, and use a different name to find the
IP endpoint for the SSH tunnels.

Otherwise, get their MUA to turn off certificate checks (and lose
MITM protection).

--
        Viktor.
