Root's crontab runs
# Run ldap job against internal Domino server to fetch postfix recipient whitelist
10 2 * * * /usr/local/bin/fetchwhitelist.sh > /dev/null 2>&1
fetchwhitelist.sh contains
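#!/usr/bin/env bash
#
# fetchwhitelist.sh - rebuild /etc/postfix/relay_recipients from LDAP.
#
# Queries the Domino LDAP server over SSL for every entry that carries an
# e-mail address, turns each address into a "<address> OK" line, appends the
# static @domain list from /etc/postfix/whitelist-domains and hands the result
# to postmap.  Postfix picks up the rebuilt .db on its own; no restart needed.
#
# The new map is only installed when it looks plausible (at least MIN_LINES
# lines).  A failed or suspiciously short fetch leaves the current map in
# place, saves the bad output as relay_recipients.error and raises a syslog
# alarm for Tivoli to pick up -- a bad map makes the gateway REJECT all mail.
#
# One-time setup -- fetch the server's self-signed certificate and import it
# into the NSS database that ldapsearch -P points at:
#   openssl s_client -connect 10.1.100.101:636 </dev/null | \
#     sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/etc/cert.pem
#   certutil -A -a -n "example" -i /usr/local/etc/cert.pem -t Pu -d /usr/local/etc -P ""
# (</dev/null makes s_client exit instead of waiting for input on stdin.)
#
# The bind password is read from LDAP_PW_FILE (one line, readable by root
# only) instead of being passed with -w, which would show it to every local
# user in the process list.
#
# Exit status: 0 when the map was rebuilt, 1 on any failure (after the alarm).

# -e is deliberately not set: every step that matters is checked explicitly so
# that a failure raises the alarm instead of silently ending the script.
set -uo pipefail

HOSTNAME=$(hostname)
readonly HOSTNAME

readonly LDAP_HOST="10.1.100.101"
readonly LDAP_PORT=636
readonly LDAP_BIND_DN="cn=username"
readonly LDAP_PW_FILE="/usr/local/etc/ldap-bind.pw"   # PLACEHOLDER path: point at the real password file
readonly NSS_DIR="/usr/local/etc"
readonly RECIPIENTS="/etc/postfix/relay_recipients"
readonly STATIC_DOMAINS="/etc/postfix/whitelist-domains"
readonly MIN_LINES=10000   # fewer lines than this means the fetch went wrong

#######################################
# Raise the Tivoli alarm via syslog and abort.
# Globals:   RECIPIENTS, HOSTNAME (read)
# Arguments: none
# Outputs:   one user.err syslog record
# Returns:   does not return; exits 1
#######################################
alarm() {
  local msg
  # Kept as a single line: the original message was word-split when logged, so
  # the syslog record has always been one line.
  msg="$RECIPIENTS.error on $HOSTNAME is suspiciously short. \
Can /usr/local/bin/fetchwhitelist.sh from root's crontab access LDAP server correctly? \
If the whitelist fetched is wrong, the risk is that the mailgateway will \
REJECT all incoming email! If LDAP connection is down, better make sure you \
use yesterdays backup of the relay_recipients file!"
  logger -p user.err -t unix FATAL OPEN status fetchwhitelist Linux "$msg"
  exit 1
}

#######################################
# Fetch, validate and install the recipient map.
# Globals:   all readonly settings above (read)
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   0 on success; exits 1 via alarm() or on install failure
#######################################
main() {
  local tmp
  # Build next to the target so the final cp stays on one filesystem.
  tmp=$(mktemp "$RECIPIENTS.XXXXXX") || exit 1
  trap 'rm -f -- "$tmp"' EXIT

  # LDIF output looks like "mail: user@example.com"; keep the value of every
  # attribute line holding an address and turn it into a postfix "OK" entry.
  # sort -f / uniq -i together fold case so Foo@x and foo@x collapse to one.
  # With pipefail a failing ldapsearch makes the whole pipeline fail.
  if ! /usr/lib/mozldap/ldapsearch -Z -P "$NSS_DIR" -p "$LDAP_PORT" -h "$LDAP_HOST" \
      -D "$LDAP_BIND_DN" -j "$LDAP_PW_FILE" -s sub -b "" 'objectclass=top' \
      cn mail internetaddress \
    | awk '/@/ { print $2 " OK" }' \
    | sort -f | uniq -i > "$tmp"; then
    printf 'fetchwhitelist: ldapsearch pipeline failed, keeping %s\n' "$RECIPIENTS" >&2
    cp -- "$tmp" "$RECIPIENTS.error"
    alarm
  fi

  # Static @domain entries are already in "@domain OK" form; '#' lines are comments.
  grep -v '^#' -- "$STATIC_DOMAINS" >> "$tmp"

  local lines
  lines=$(wc -l < "$tmp")
  if (( lines < MIN_LINES )); then
    printf 'fetchwhitelist: only %s lines fetched (< %s), keeping %s\n' \
      "$lines" "$MIN_LINES" "$RECIPIENTS" >&2
    cp -- "$tmp" "$RECIPIENTS.error"
    alarm
  fi

  # Keep one generation back, then install.  cp onto the existing file keeps
  # its ownership and mode (a plain mv would carry mktemp's 0600 over).
  cp -- "$RECIPIENTS" "$RECIPIENTS.old"
  cp -- "$tmp" "$RECIPIENTS" || exit 1

  # Rebuild the hash map; postfix notices the new .db by itself, no restart.
  /usr/sbin/postmap "$RECIPIENTS"
}

main "$@"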
/etc/postfix/main.cf contains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
/etc/postfix/whitelist-domains contains
@domain1.example.com OK
@domain2.example.com OK
Remember you need to fetch, convert, and import the LDAP server's SSL certificate before the ldapsearch command will work.