LDAP: "unused parameter: start_tls=yes"?

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

LDAP: "unused parameter: start_tls=yes"?

Ralf Hildebrandt-2
postconf complains:
/usr/sbin/postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: start_tls=yes

according to http://www.postfix.org/ldap_table.5.html

STARTTLS can be turned on with the start_tls parameter:
   start_tls = yes
Both forms require LDAP protocol version 3, which has to be set explicitly with:
   version = 3

I'm using:

=== snip ===
server_host = 10.28.0.31
              10.28.0.32
search_base = dc=laborberlin,dc=intern
version = 3
           
bind_dn = CN=somecn
bind_pw = secret

query_filter = (proxyAddresses=smtp:%s)
result_attribute = mail

start_tls = yes
=== snip ===

Reply | Threaded
Open this post in threaded view
|

Re: LDAP: "unused parameter: start_tls=yes"?

Ralf Hildebrandt-2
* Ralf Hildebrandt <[hidden email]>:
> postconf complains:
> /usr/sbin/postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: start_tls=yes
>
> according to http://www.postfix.org/ldap_table.5.html

postfix-3.3-20170716 is complaining,
postfix-3.3-20170611 is not complaining.

I suspect

20170617

Cleanup: the postconf command warns about unknown parameter
names in a database configuration file, specified as an
absolute pathname (for example, ldap:/path/to/file). This
code was mostly written in January 2017, and it still is a
partial implementation.  Files: postconf/postconf_dbms.c,
postconf/Makefile.in, postconf/test66.ref.

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
                                           
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Reply | Threaded
Open this post in threaded view
|

PATCH: LDAP: "unused parameter: start_tls=yes"?

Wietse Venema
Ralf Hildebrandt:

> * Ralf Hildebrandt <[hidden email]>:
> > postconf complains:
> > /usr/sbin/postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: start_tls=yes
> >
> > according to http://www.postfix.org/ldap_table.5.html
>
> postfix-3.3-20170716 is complaining,
> postfix-3.3-20170611 is not complaining.
>
> I suspect
>
> 20170617
>
> Cleanup: the postconf command warns about unknown parameter
> names in a database configuration file, specified as an
> absolute pathname (for example, ldap:/path/to/file). This
> code was mostly written in January 2017, and it still is a
> partial implementation.  Files: postconf/postconf_dbms.c,
> postconf/Makefile.in, postconf/test66.ref.

Looks like a ton of parameters were added since I wrote this code.

        Wietse

diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -bur /var/tmp/postfix-3.3-20170716/src/postconf/postconf_dbms.c ./postconf_dbms.c
--- /var/tmp/postfix-3.3-20170716/src/postconf/postconf_dbms.c 2017-06-18 09:48:43.000000000 -0400
+++ ./postconf_dbms.c 2017-07-21 10:03:43.000000000 -0400
@@ -94,10 +94,13 @@
     "bind", "bind_dn", "bind_pw", "cache", "cache_expiry", "cache_size",
     "chase_referrals", "debuglevel", "dereference", "domain",
     "expansion_limit", "leaf_result_attribute", "query_filter",
-    "recursion_limit", "result_attribute", "result_format", "scope",
-    "search_base", "server_host", "server_port", "size_limit",
-    "special_result_attribute", "terminal_result_attribute",
-    "timeout", "version", 0,
+    "recursion_limit", "result_attribute", "result_format",
+    "sasl_authz_id", "sasl_mechs", "sasl_minssf", "sasl_realm",
+    "scope", "search_base", "server_host", "server_port", "size_limit",
+    "special_result_attribute", "start_tls", "terminal_result_attribute",
+    "timeout", "tls_ca_cert_dir", "tls_ca_cert_file", "tls_cert",
+    "tls_cipher_suite", "tls_key", "tls_random_file", "tls_require_cert",
+    "version", 0,
 };
 
 /* See mysql_table(5). */

Reply | Threaded
Open this post in threaded view
|

Re: PATCH: LDAP: "unused parameter: start_tls=yes"?

Tuomo Soini
On Fri, 21 Jul 2017 10:06:54 -0400 (EDT)
[hidden email] (Wietse Venema) wrote:

> > 20170617
> >
> > Cleanup: the postconf command warns about unknown parameter
> > names in a database configuration file, specified as an
> > absolute pathname (for example, ldap:/path/to/file). This
> > code was mostly written in January 2017, and it still is a
> > partial implementation.  Files: postconf/postconf_dbms.c,
> > postconf/Makefile.in, postconf/test66.ref.  
>
> Looks like a ton of parameters were added since I wrote this code.

Also mysql tables suffers from same issue. At lest following config
options are logged:

/usr/sbin/postconf: warning: mysql:/etc/postfix/virtual.cf: unused
parameter: password=xxxxxxxxxxx
/usr/sbin/postconf: warning: mysql:/etc/postfix/virtual.cf: unused
parameter: dbname=sqldbname
/usr/sbin/postconf: warning: mysql:/etc/postfix/virtual.cf: unused
parameter: tls_CApath=/etc/pki/tls/certs/cacert-name.crt
/usr/sbin/postconf: warning: mysql:/etc/postfix/virtual.cf: unused
parameter: query=SELECT goto FROM alias WHERE address='%s' AND active =
'1'
/usr/sbin/postconf: warning: mysql:/etc/postfix/virtual.cf: unused
parameter: user=postfix_ro /usr/sbin/postconf: warning:
mysql:/etc/postfix/virtual.cf: unused parameter: hosts=localhost

Especially logging password to maillog is a really bad thing.

Version of postfix is 3.3.1. And I'm sure this affects postgresql and
other database types too.

--
Tuomo Soini <[hidden email]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
Reply | Threaded
Open this post in threaded view
|

Re: PATCH: LDAP: "unused parameter: start_tls=yes"?

Wietse Venema
Tuomo Soini:

> On Fri, 21 Jul 2017 10:06:54 -0400 (EDT)
> [hidden email] (Wietse Venema) wrote:
>
> > > 20170617
> > >
> > > Cleanup: the postconf command warns about unknown parameter
> > > names in a database configuration file, specified as an
> > > absolute pathname (for example, ldap:/path/to/file). This
> > > code was mostly written in January 2017, and it still is a
> > > partial implementation.  Files: postconf/postconf_dbms.c,
> > > postconf/Makefile.in, postconf/test66.ref.  
> >
> > Looks like a ton of parameters were added since I wrote this code.
>
> Also mysql tables suffers from same issue. At lest following config
> options are logged:
>
> /usr/sbin/postconf: warning: mysql:/etc/postfix/virtual.cf: unused
> parameter: password=xxxxxxxxxxx

Someone messed up and built Postfix on a machine that does not have
the m4 preprocessor installed.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: PATCH: LDAP: "unused parameter: start_tls=yes"?

Tuomo Soini
On Wed, 1 Aug 2018 09:35:01 -0400 (EDT)
Wietse Venema <[hidden email]> wrote:

> Someone messed up and built Postfix on a machine that does not have
> the m4 preprocessor installed.

Thank you - adding m4 to build system fixed the issue.
How about failing the build if m4 is not present?

--
Tuomo Soini <[hidden email]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
Reply | Threaded
Open this post in threaded view
|

Re: PATCH: LDAP: "unused parameter: start_tls=yes"?

Wietse Venema
Tuomo Soini:
> On Wed, 1 Aug 2018 09:35:01 -0400 (EDT)
> Wietse Venema <[hidden email]> wrote:
>
> > Someone messed up and built Postfix on a machine that does not have
> > the m4 preprocessor installed.
>
> Thank you - adding m4 to build system fixed the issue.
> How about failing the build if m4 is not present?

That was added in the unstable release, and it will probably be
included with Postfix 3.3.2.

But seriously, if we go down that path, then I should prepend every
Postfix script with probes to ascertain that awk, grep, perl, sed
exist just in case they might appear somewhere in a pipeline (an
error in the middle of a pipeline is notoriously hard to detect).

Note, it would not be sufficient to have such checks on the build
system. Some Postfix scripts would still break if someone decides
it is a good idea to remove ls or grep from their production system.

        Wietse