1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
|
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - ldap_table(5) </title>
</head> <body> <pre>
LDAP_TABLE(5) LDAP_TABLE(5)
<b>NAME</b>
ldap_table - Postfix LDAP client configuration
<b>SYNOPSIS</b>
<b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/filename</b>
<b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
<b>DESCRIPTION</b>
The Postfix mail system uses optional tables for address
rewriting or mail routing. These tables are usually in <b>dbm</b>
or <b>db</b> format.
Alternatively, lookup tables can be specified as LDAP
databases.
In order to use LDAP lookups, define an LDAP source as a
lookup table in <a href="postconf.5.html">main.cf</a>, for example:
<a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf has the same format
as the Postfix <a href="postconf.5.html">main.cf</a> file, and can specify the parame-
ters described below. An example is given at the end of
this manual.
This configuration method is available with Postfix ver-
sion 2.1 and later. See the section "BACKWARDS COMPATI-
BILITY" below for older Postfix versions.
For details about LDAP SSL and STARTTLS, see the section
on SSL and STARTTLS below.
<b>BACKWARDS COMPATIBILITY</b>
For backwards compatibility with Postfix version 2.0 and
earlier, LDAP parameters can also be defined in <a href="postconf.5.html">main.cf</a>.
Specify as LDAP source a name that doesn't begin with a
slash or a dot. The LDAP parameters will then be accessi-
ble as the name you've given the source in its definition,
an underscore, and the name of the parameter. For exam-
ple, if the map is specified as "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the
"server_host" parameter below would be defined in <a href="postconf.5.html">main.cf</a>
as "<i>ldapsource</i>_server_host".
Note: with this form, the passwords for the LDAP sources
are written in <a href="postconf.5.html">main.cf</a>, which is normally world-readable.
Support for this form will be removed in a future Postfix
version.
Postfix 2.2 has enhanced query interfaces for MySQL and
PostgreSQL. These include features that were previously
available only in the Postfix LDAP client. This work also
created an opportunity for improvements in the LDAP inter-
face. The primary compatibility issue is that <b>result_fil-</b>
<b>ter</b> (a name that has caused some confusion as to its mean-
ing in the past) has been renamed to <b>result_format</b>. For
backwards compatibility with the pre 2.2 LDAP client,
<b>result_filter</b> can for now be used instead of <b>result_for-</b>
<b>mat</b>, when the latter parameter is not also set. The new
name better reflects the function of the parameter. This
compatibility interface may be removed in a future
release.
<b>LIST MEMBERSHIP</b>
When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>,
$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>,
etc., it is important to understand that the table must
store each list member as a separate key. The table lookup
verifies the *existence* of the key. See "Postfix lists
versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a dis-
cussion.
Do NOT create tables that return the full list of domains
in $<a href="postconf.5.html#mydestination">mydestination</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses
in $<a href="postconf.5.html#mynetworks">mynetworks</a>.
DO create tables with each matching item as a key and with
an arbitrary value. With LDAP databases it is not uncommon
to return the key itself.
For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestina</a>-
<a href="postconf.5.html#mydestination">tion</a>:
query_filter = domain=*
result_attribute = domain
Do this instead:
query_filter = domain=%s
result_attribute = domain
<b>GENERAL LDAP PARAMETERS</b>
In the text below, default values are given in parenthe-
ses. Note: don't use quotes in these variables; at least,
not until the Postfix configuration routines understand
how to deal with quoted strings.
<b>server_host (default: localhost)</b>
The name of the host running the LDAP server, e.g.
server_host = ldap.example.com
Depending on the LDAP client library you're using,
it should be possible to specify multiple servers
here, with the library trying them in order should
the first one fail. It should also be possible to
give each server in the list a different port
(overriding <b>server_port</b> below), by naming them like
server_host = ldap.example.com:1444
With OpenLDAP, a (list of) LDAP URLs can be used to
specify both the hostname(s) and the port(s):
server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444
<a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444
All LDAP URLs accepted by the OpenLDAP library are
supported, including connections over UNIX domain
sockets, and LDAP SSL (the last one provided that
OpenLDAP was compiled with support for SSL):
server_host = ldapi://%2Fsome%2Fpath
ldaps://ldap.example.com:636
<b>server_port (default: 389)</b>
The port the LDAP server listens on, e.g.
server_port = 778
<b>timeout (default: 10 seconds)</b>
The number of seconds a search can take before tim-
ing out, e.g.
timeout = 5
<b>search_base (No default; you must configure this)</b>
The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search,
e.g.
search_base = dc=your, dc=com
With Postfix 2.2 and later this parameter supports
the following '%' expansions:
<b>%%</b> This is replaced by a literal '%' character.
<b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>
quoting is used to make sure that the input
key does not add unexpected metacharacters.
<b>%u</b> When the input key is an address of the form
user@domain, <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>
<a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted local part of the address.
Otherwise, <b>%u</b> is replaced by the entire
search string. If the localpart is empty,
the search is suppressed and returns no
results.
<b>%d</b> When the input key is an address of the form
user@domain, <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>
<a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted domain part of the address.
Otherwise, the search is suppressed and
returns no results.
<b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-
case equivalents of the above expansions
behave identically to their lower-case
counter-parts. With the <b>result_format</b> param-
eter (previously called <b>result_filter</b> see
the COMPATIBILITY section and below), they
expand to the corresponding components of
input key rather than the result value.
<b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by
the corresponding most significant component
of the input key's domain. If the input key
is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2
is <b>example</b> and %3 is <b>mail</b>. If the input key
is unqualified or does not have enough
domain components to satisfy all the speci-
fied patterns, the search is suppressed and
returns no results.
<b>query_filter (default: mailacceptinggeneralid=%s)</b>
The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory,
where <b>%s</b> is a substitute for the address Postfix is
trying to resolve, e.g.
query_filter = (&(mail=%s)(paid_up=true))
This parameter supports the following '%' expan-
sions:
<b>%%</b> This is replaced by a literal '%' character.
(Postfix 2.2 and later).
<b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>
quoting is used to make sure that the input
key does not add unexpected metacharacters.
<b>%u</b> When the input key is an address of the form
user@domain, <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>
<a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted local part of the address.
Otherwise, <b>%u</b> is replaced by the entire
search string. If the localpart is empty,
the search is suppressed and returns no
results.
<b>%d</b> When the input key is an address of the form
user@domain, <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>
<a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted domain part of the address.
Otherwise, the search is suppressed and
returns no results.
<b>%[SUD]</b> The upper-case equivalents of the above
expansions behave in the <b>query_filter</b> param-
eter identically to their lower-case
counter-parts. With the <b>result_format</b> param-
eter (previously called <b>result_filter</b> see
the COMPATIBILITY section and below), they
expand to the corresponding components of
input key rather than the result value.
The above %S, %U and %D expansions are
available with Postfix 2.2 and later.
<b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by
the corresponding most significant component
of the input key's domain. If the input key
is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2
is <b>example</b> and %3 is <b>mail</b>. If the input key
is unqualified or does not have enough
domain components to satisfy all the speci-
fied patterns, the search is suppressed and
returns no results.
The above %1, ..., %9 expansions are avail-
able with Postfix 2.2 and later.
The "domain" parameter described below limits the
input keys to addresses in matching domains. When
the "domain" parameter is non-empty, LDAP queries
for unqualified addresses or addresses in non-
matching domains are suppressed and return no
results.
NOTE: DO NOT put quotes around the <b>query_filter</b>
parameter.
<b>result_format (default: %s</b>)
Called <b>result_filter</b> in Postfix releases prior to
2.2. Format template applied to result attributes.
Most commonly used to append (or prepend) text to
the result. This parameter supports the following
'%' expansions:
<b>%%</b> This is replaced by a literal '%' character.
(Postfix 2.2 and later).
<b>%s</b> This is replaced by the value of the result
attribute. When result is empty it is
skipped.
<b>%u</b> When the result attribute value is an
address of the form user@domain, <b>%u</b> is
replaced by the local part of the address.
When the result has an empty localpart it is
skipped.
<b>%d</b> When a result attribute value is an address
of the form user@domain, <b>%d</b> is replaced by
the domain part of the attribute value. When
the result is unqualified it is skipped.
<b>%[SUD1-9]</b>
The upper-case and decimal digit expansions
interpolate the parts of the input key
rather than the result. Their behavior is
identical to that described with <b>query_fil-</b>
<b>ter</b>, and in fact because the input key is
known in advance, lookups whose key does not
contain all the information specified in the
result template are suppressed and return no
results.
The above %S, %U, %D and %1, ..., %9 expan-
sions are available with Postfix 2.2 and
later.
For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]"
allows one to use a mailHost attribute as the basis
of a <a href="transport.5.html">transport(5)</a> table. After applying the result
format, multiple values are concatenated as comma
separated strings. The expansion_limit and
size_limit parameters explained below allow one to
restrict the number of values in the result, which
is especially useful for maps that should return a
single value.
The default value <b>%s</b> specifies that each attribute
value should be used as is.
This parameter was called <b>result_filter</b> in Postfix
releases prior to 2.2. If no "result_format" is
specified, the value of "result_filter" will be
used instead before resorting to the default value.
This provides compatibility with old configuration
files.
NOTE: DO NOT put quotes around the result format!
<b>domain (default: no domain list)</b>
This is a list of domain names, paths to files, or
dictionaries. When specified, only fully qualified
search keys with a *non-empty* localpart and a
matching domain are eligible for lookup: 'user'
lookups, bare domain lookups and "@domain" lookups
are not performed. This can significantly reduce
the query load on the LDAP server.
domain = postfix.org, hash:/etc/postfix/searchdomains
It is best not to use LDAP to store the domains
eligible for LDAP lookups.
NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a>
aliases.
This feature is available in Postfix 1.0 and later.
<b>result_attribute (default: maildrop)</b>
The attribute(s) Postfix will read from any direc-
tory entries returned by the lookup, to be resolved
to an email address.
result_attribute = mailbox, maildrop
<b>special_result_attribute (default: empty)</b>
The attribute(s) of directory entries that can con-
tain DNs or URLs. If found, a recursive subsequent
search is done using their values.
special_result_attribute = memberdn
DN recursion retrieves the same result_attributes
as the main query, including the special attributes
for further recursion. URI processing retrieves
only those attributes that are included in the URI
definition and are *also* listed in
"result_attribute". If the URI lists any of the
map's special result attributes, these are also
retrieved and used recursively.
<b>terminal_result_attribute (default: empty)</b>
When one or more terminal result attributes are
found in an LDAP entry, all other result attributes
are ignored and only the terminal result attributes
are returned. This is useful for delegating expan-
sion of group members to a particular host, by
using an optional "maildrop" attribute on selected
groups to route the group to a specific host, where
the group is expanded, possibly via mailing-list
manager or other special processing.
terminal_result_attribute = maildrop
This feature is available with Postfix 2.4 or
later.
<b>leaf_result_attribute (default: empty)</b>
When one or more special result attributes are
found in a non-terminal (see above) LDAP entry,
leaf result attributes are excluded from the expan-
sion of that entry. This is useful when expanding
groups and the desired mail address attribute(s) of
the member objects obtained via DN or URI recursion
are also present in the group object. To only
return the attribute values from the leaf objects
and not the containing group, add the attribute to
the leaf_result_attribute list, and not the
result_attribute list, which is always expanded.
Note, the default value of "result_attribute" is
not empty, you may want to set it explicitly empty
when using "leaf_result_attribute" to expand the
group to a list of member DN addresses. If groups
have both member DN references AND attributes that
hold multiple string valued rfc822 addresses, then
the string attributes go in "result_attribute".
The attributes that represent the email addresses
of objects referenced via a DN (or LDAP URI) go in
"leaf_result_attribute".
result_attribute = memberaddr
special_result_attribute = memberdn
terminal_result_attribute = maildrop
leaf_result_attribute = mail
This feature is available with Postfix 2.4 or
later.
<b>scope (default: sub)</b>
The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These
translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
and LDAP_SCOPE_ONELEVEL.
<b>bind (default: yes)</b>
Whether or not to bind to the LDAP server. Newer
LDAP implementations don't require clients to bind,
which saves time. Example:
bind = no
If you do need to bind, you might consider config-
uring Postfix to connect to the local machine on a
port that's an SSL tunnel to your LDAP server. If
your LDAP server doesn't natively support SSL, put
a tunnel (wrapper, proxy, whatever you want to call
it) on that system too. This should prevent the
password from traversing the network in the clear.
<b>bind_dn (default: empty)</b>
If you do have to bind, do it with this distin-
guished name. Example:
bind_dn = uid=postfix, dc=your, dc=com
<b>bind_pw (default: empty)</b>
The password for the distinguished name above. If
you have to use this, you probably want to make the
map configuration file readable only by the Postfix
user. When using the obsolete <a href="ldap_table.5.html">ldap</a>:ldapsource syn-
tax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is not pos-
sible to securely store the bind password. This is
because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow
local accounts to submit mail via the sendmail com-
mand. Example:
bind_pw = postfixpw
<b>cache (IGNORED with a warning)</b>
<b>cache_expiry (IGNORED with a warning)</b>
<b>cache_size (IGNORED with a warning)</b>
The above parameters are NO LONGER SUPPORTED by
Postfix. Cache support has been dropped from
OpenLDAP as of release 2.1.13.
<b>recursion_limit (default: 1000)</b>
A limit on the nesting depth of DN and URL special
result attribute evaluation. The limit must be a
non-zero positive number.
<b>expansion_limit (default: 0)</b>
A limit on the total number of result elements
returned (as a comma separated list) by a lookup
against the map. A setting of zero disables the
limit. Lookups fail with a temporary error if the
limit is exceeded. Setting the limit to 1 ensures
that lookups do not return multiple values.
<b>size_limit (default: $expansion_limit)</b>
A limit on the number of LDAP entries returned by
any single LDAP search performed as part of the
lookup. A setting of 0 disables the limit. Expan-
sion of DN and URL references involves nested LDAP
queries, each of which is separately subjected to
this limit.
Note: even a single LDAP entry can generate multi-
ple lookup results, via multiple result attributes
and/or multi-valued result attributes. This limit
caps the per search resource utilization on the
LDAP server, not the final multiplicity of the
lookup result. It is analogous to the "-z" option
of "ldapsearch".
<b>dereference (default: 0)</b>
When to dereference LDAP aliases. (Note that this
has nothing do with Postfix aliases.) The permitted
values are those legal for the OpenLDAP/UM LDAP
implementations:
0 never
1 when searching
2 when locating the base object for the search
3 always
See ldap.h or the ldap_open(3) or ldapsearch(1) man
pages for more information. And if you're using an
LDAP package that has other possible values, please
bring it to the attention of the postfix-
users@postfix.org mailing list.
<b>chase_referrals (default: 0)</b>
Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP
version 3 support).
<b>version (default: 2)</b>
Specifies the LDAP protocol version to use.
<b>debuglevel (default: 0)</b>
What level to set for debugging in the OpenLDAP
libraries.
<b>LDAP SSL AND STARTTLS PARAMETERS</b>
If you're using the OpenLDAP libraries compiled with SSL
support, Postfix can connect to LDAP SSL servers and can
issue the STARTTLS command.
LDAP SSL service can be requested by using a LDAP SSL URL
in the server_host parameter:
server_host = ldaps://ldap.example.com:636
STARTTLS can be turned on with the start_tls parameter:
start_tls = yes
Both forms require LDAP protocol version 3, which has to
be set explicitly with:
version = 3
If any of the Postfix programs querying the map is config-
ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates
and keys involved have to be copied to the chroot jail. Of
course, the private keys should only be readable by the
user "postfix".
The following parameters are relevant to LDAP SSL and
STARTTLS:
<b>start_tls (default: no)</b>
Whether or not to issue STARTTLS upon connection to
the server. Don't set this with LDAP SSL (the SSL
session is setup automatically when the TCP connec-
tion is opened).
<b>tls_ca_cert_dir (No default; set either this or</b>
<b>tls_ca_cert_file)</b>
Directory containing X509 Certificate Authority
certificates in PEM format which are to be recog-
nized by the client in SSL/TLS connections. The
files each contain one CA certificate. The files
are looked up by the CA subject name hash value,
which must hence be available. If more than one CA
certificate with the same name hash value exist,
the extension must be different (e.g. 9d66eef0.0,
9d66eef0.1 etc). The search is performed in the
ordering of the extension number, regardless of
other properties of the certificates. Use the
c_rehash utility (from the OpenSSL distribution) to
create the necessary links.
<b>tls_ca_cert_file (No default; set either this or</b>
<b>tls_ca_cert_dir)</b>
File containing the X509 Certificate Authority cer-
tificates in PEM format which are to be recognized
by the client in SSL/TLS connections. This setting
takes precedence over tls_ca_cert_dir.
<b>tls_cert (No default; you must set this)</b>
File containing client's X509 certificate to be
used by the client in SSL/ TLS connections.
<b>tls_key (No default; you must set this)</b>
File containing the private key corresponding to
the above tls_cert.
<b>tls_require_cert (default: no)</b>
Whether or not to request server's X509 certificate
and check its validity when establishing SSL/TLS
connections. The supported values are <b>no</b> and <b>yes</b>.
With <b>no</b>, the server certificate trust chain is not
checked, but with OpenLDAP prior to 2.1.13, the
name in the server certificate must still match the
LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
server name is not necessarily what you specified,
rather it is determined (by reverse lookup) from
the IP address of the LDAP server connection. With
OpenLDAP prior to 2.0.13, subjectAlternativeName
extensions in the LDAP server certificate are
ignored: the server name must match the subject
CommonName. The <b>no</b> setting corresponds to the <b>never</b>
value of <b>TLS_REQCERT</b> in LDAP client configuration
files.
Don't use TLS with OpenLDAP 2.0.x (and especially
with x <= 11) if you can avoid it.
With <b>yes</b>, the server certificate must be issued by
a trusted CA, and not be expired. The LDAP server
name must match one of the name(s) found in the
certificate (see above for OpenLDAP library version
dependent behavior). The <b>yes</b> setting corresponds to
the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client con-
figuration files.
The "try" and "never" values of <b>TLS_REQCERT</b> have no
equivalents here. They are not available with
OpenLDAP 2.0, and in any case have questionable
security properties. Either you want TLS verified
LDAP connections, or you don't.
The <b>yes</b> value only works correctly with Postfix 2.5
and later, or with OpenLDAP 2.0. Earlier Postfix
releases or later OpenLDAP releases don't work
together with this setting. Support for LDAP over
TLS was added to Postfix based on the OpenLDAP 2.0
API.
<b>tls_random_file (No default)</b>
Path of a file to obtain random bits from when
/dev/[u]random is not available, to be used by the
client in SSL/TLS connections.
<b>tls_cipher_suite (No default)</b>
Cipher suite to use in SSL/TLS negotiations.
<b>EXAMPLE</b>
Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have:
<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
<a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:
server_host = ldap.example.com
search_base = dc=example, dc=com
Upon receiving mail for a local address "ldapuser" that
isn't found in the /etc/aliases database, Postfix will
search the LDAP server listening at port 389 on ldap.exam-
ple.com. It will bind anonymously, search for any direc-
tory entries whose mailacceptinggeneralid attribute is
"ldapuser", read the "maildrop" attributes of those found,
and build a list of their maildrops, which will be treated
as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-
ered.
<b>SEE ALSO</b>
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
<a href="postconf.5.html">postconf(5)</a>, configuration parameters
<a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables
<a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables
<b>README FILES</b>
<a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
<a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
Victor Duchovni, and many others.
LDAP_TABLE(5)
</pre> </body> </html>
|
