#++
# NAME
#	ldap_table 5
# SUMMARY
#	Postfix LDAP client configuration
# SYNOPSIS
#	\fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/\fIfilename\fR
#
#	\fBpostmap -q - ldap:/etc/postfix/\fIfilename\fB <\fIinputfile\fR
# DESCRIPTION
#	The Postfix mail system uses optional tables for address
#	rewriting or mail routing. These tables are usually in
#	\fBdbm\fR or \fBdb\fR format.
#
#	Alternatively, lookup tables can be specified as LDAP databases.
#
#	In order to use LDAP lookups, define an LDAP source as a lookup
#	table in main.cf, for example:
#
# .nf
#	alias_maps = ldap:/etc/postfix/ldap-aliases.cf
# .fi
#
#	The file /etc/postfix/ldap-aliases.cf has the same format as
#	the Postfix main.cf file, and can specify the parameters
#	described below. An example is given at the end of this manual.
#
#	This configuration method is available with Postfix version
#	2.1 and later. See the section "OBSOLETE MAIN.CF PARAMETERS"
#	below for older Postfix versions.
#
#	For details about LDAP SSL and STARTTLS, see the section
#	on SSL and STARTTLS below.
# LIST MEMBERSHIP
# .ad
# .fi
#	When using LDAP to store lists such as $mynetworks,
#	$mydestination, $relay_domains, $local_recipient_maps,
#	etc., it is important to understand that the table must
#	store each list member as a separate key. The table lookup
#	verifies the *existence* of the key. See "Postfix lists
#	versus tables" in the DATABASE_README document for a
#	discussion.
#
#	Do NOT create tables that return the full list of domains
#	in $mydestination or $relay_domains etc., or IP addresses
#	in $mynetworks.
#
#	DO create tables with each matching item as a key and with
#	an arbitrary value. With LDAP databases it is not uncommon to
#	return the key itself.
#
#	For example, NEVER do this in a map defining $mydestination:
#
# .nf
#	query_filter = domain=*
#	result_attribute = domain
# .fi
#
#	Do this instead:
#
# .nf
#	query_filter = domain=%s
#	result_attribute = domain
# .fi
# GENERAL LDAP PARAMETERS
# .ad
# .fi
#	In the text below, default values are given in parentheses.
#	Note: don't use quotes in these variables; at least, not until the
#	Postfix configuration routines understand how to deal with quoted
#	strings.
# .IP "\fBserver_host (default: localhost)\fR"
#	The name of the host running the LDAP server, e.g.
#
# .nf
#	server_host = ldap.example.com
# .fi
#
#	Depending on the LDAP client library you're using, it should
#	be possible to specify multiple servers here, with the library
#	trying them in order should the first one fail. It should also
#	be possible to give each server in the list a different port
#	(overriding \fBserver_port\fR below), by naming them like
#
# .nf
#	server_host = ldap.example.com:1444
# .fi
#
#	With OpenLDAP, a (list of) LDAP URLs can be used to specify both
#	the hostname(s) and the port(s):
#
# .nf
#	server_host = ldap://ldap.example.com:1444
#	ldap://ldap2.example.com:1444
# .fi
#
#	All LDAP URLs accepted by the OpenLDAP library are supported,
#	including connections over UNIX domain sockets, and LDAP SSL
#	(the last one provided that OpenLDAP was compiled with support
#	for SSL):
#
# .nf
#	server_host = ldapi://%2Fsome%2Fpath
#	ldaps://ldap.example.com:636
# .fi
# .IP "\fBserver_port (default: 389)\fR"
#	The port the LDAP server listens on, e.g.
#
# .nf
#	server_port = 778
# .fi
# .IP "\fBtimeout (default: 10 seconds)\fR"
#	The number of seconds a search can take before timing out, e.g.
#
# .nf
#	timeout = 5
# .fi
# .IP "\fBsearch_base (No default; you must configure this)\fR"
#	The RFC2253 base DN at which to conduct the search, e.g.
#
# .nf
#	search_base = dc=your, dc=com
# .fi
# .IP
#	With Postfix 2.2 and later this parameter supports the
#	following '%' expansions:
# .RS
# .IP "\fB%%\fR"
#	This is replaced by a literal '%' character.
# .IP "\fB%s\fR"
#	This is replaced by the input key.
#	RFC 2253 quoting is used to make sure that the input key
#	does not add unexpected metacharacters.
# .IP "\fB%u\fR"
#	When the input key is an address of the form user@domain, \fB%u\fR
#	is replaced by the (RFC 2253) quoted local part of the address.
#	Otherwise, \fB%u\fR is replaced by the entire search string.
#	If the localpart is empty, the search is suppressed and returns
#	no results.
# .IP "\fB%d\fR"
#	When the input key is an address of the form user@domain, \fB%d\fR
#	is replaced by the (RFC 2253) quoted domain part of the address.
#	Otherwise, the search is suppressed and returns no results.
# .IP "\fB%[SUD]\fR"
#	For the \fBsearch_base\fR parameter, the upper-case equivalents
#	of the above expansions behave identically to their lower-case
#	counter-parts. With the \fBresult_format\fR parameter (previously
#	called \fBresult_filter\fR; see the OTHER OBSOLETE FEATURES section
#	and below), they expand to the corresponding components of the input
#	key rather than the result value.
# .IP "\fB%[1-9]\fR"
#	The patterns %1, %2, ... %9 are replaced by the corresponding
#	most significant component of the input key's domain. If the
#	input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
#	%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
#	unqualified or does not have enough domain components to satisfy
#	all the specified patterns, the search is suppressed and returns
#	no results.
# .RE
# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR"
#	The RFC2254 filter used to search the directory, where \fB%s\fR
#	is a substitute for the address Postfix is trying to resolve,
#	e.g.
#
# .nf
#	query_filter = (&(mail=%s)(paid_up=true))
# .fi
#
#	This parameter supports the following '%' expansions:
# .RS
# .IP "\fB%%\fR"
#	This is replaced by a literal '%' character. (Postfix 2.2 and later).
# .IP "\fB%s\fR"
#	This is replaced by the input key.
#	RFC 2254 quoting is used to make sure that the input key
#	does not add unexpected metacharacters.
# .IP "\fB%u\fR"
#	When the input key is an address of the form user@domain, \fB%u\fR
#	is replaced by the (RFC 2254) quoted local part of the address.
#	Otherwise, \fB%u\fR is replaced by the entire search string.
#	If the localpart is empty, the search is suppressed and returns
#	no results.
# .IP "\fB%d\fR"
#	When the input key is an address of the form user@domain, \fB%d\fR
#	is replaced by the (RFC 2254) quoted domain part of the address.
#	Otherwise, the search is suppressed and returns no results.
# .IP "\fB%[SUD]\fR"
#	The upper-case equivalents of the above expansions behave in the
#	\fBquery_filter\fR parameter identically to their lower-case
#	counter-parts. With the \fBresult_format\fR parameter (previously
#	called \fBresult_filter\fR; see the OTHER OBSOLETE FEATURES section
#	and below), they expand to the corresponding components of the input
#	key rather than the result value.
# .IP
#	The above %S, %U and %D expansions are available with Postfix 2.2
#	and later.
# .IP "\fB%[1-9]\fR"
#	The patterns %1, %2, ... %9 are replaced by the corresponding
#	most significant component of the input key's domain. If the
#	input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
#	%2 is \fBexample\fR and %3 is \fBmail\fR.
#	If the input key is unqualified or does not have enough domain
#	components to satisfy all the specified patterns, the search is
#	suppressed and returns no results.
# .IP
#	The above %1, ..., %9 expansions are available with Postfix 2.2
#	and later.
# .RE
# .IP
#	The "domain" parameter described below limits the input
#	keys to addresses in matching domains. When the "domain"
#	parameter is non-empty, LDAP queries for unqualified
#	addresses or addresses in non-matching domains are suppressed
#	and return no results.
#
#	NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter.
# .IP "\fBresult_format (default: \fB%s\fR)\fR"
#	Called \fBresult_filter\fR in Postfix releases prior to 2.2.
#	Format template applied to result attributes. Most commonly used
#	to append (or prepend) text to the result. This parameter supports
#	the following '%' expansions:
# .RS
# .IP "\fB%%\fR"
#	This is replaced by a literal '%' character. (Postfix 2.2 and later).
# .IP "\fB%s\fR"
#	This is replaced by the value of the result attribute. When
#	the result is empty it is skipped.
# .IP "\fB%u\fR"
#	When the result attribute value is an address of the form
#	user@domain, \fB%u\fR is replaced by the local part of the
#	address. When the result has an empty localpart it is skipped.
# .IP "\fB%d\fR"
#	When a result attribute value is an address of the form
#	user@domain, \fB%d\fR is replaced by the domain part of
#	the attribute value. When the result is unqualified it
#	is skipped.
# .IP "\fB%[SUD1-9]\fR"
#	The upper-case and decimal digit expansions interpolate
#	the parts of the input key rather than the result.
#	Their behavior is identical to that described with \fBquery_filter\fR,
#	and in fact because the input key is known in advance, lookups
#	whose key does not contain all the information specified in
#	the result template are suppressed and return no results.
# .IP
#	The above %S, %U, %D and %1, ..., %9 expansions are available with
#	Postfix 2.2 and later.
# .RE
# .IP
#	For example, using "result_format = smtp:[%s]" allows one
#	to use a mailHost attribute as the basis of a transport(5)
#	table. After applying the result format, multiple values
#	are concatenated as comma separated strings. The expansion_limit
#	and size_limit parameters explained below allow one to
#	restrict the number of values in the result, which is
#	especially useful for maps that should return a single
#	value.
#
#	The default value \fB%s\fR specifies that each
#	attribute value should be used as is.
#
#	This parameter was called \fBresult_filter\fR in Postfix
#	releases prior to 2.2. If no "result_format" is specified,
#	the value of "result_filter" will be used instead before
#	resorting to the default value. This provides compatibility
#	with old configuration files.
#
#	NOTE: DO NOT put quotes around the result format!
# .IP "\fBdomain (default: no domain list)\fR"
#	This is a list of domain names, paths to files, or
#	"type:table" databases. When specified, only fully qualified search
#	keys with a *non-empty* localpart and a matching domain
#	are eligible for lookup: 'user' lookups, bare domain lookups
#	and "@domain" lookups are not performed. This can significantly
#	reduce the query load on the LDAP server.
#
# .nf
#	domain = postfix.org, hash:/etc/postfix/searchdomains
# .fi
#
#	It is best not to use LDAP to store the domains eligible
#	for LDAP lookups.
#
#	NOTE: DO NOT define this parameter for local(8) aliases.
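#	The '%' expansions of query_filter and search_base, the "domain"
#	eligibility rule, and the result_format/expansion_limit assembly
#	described above are modelled in the following Python. It is added
#	here as an illustration; it is not Postfix's own dict_ldap.c and
#	follows only what this manual states. The quoting helpers implement
#	RFC 2254 filter escaping and RFC 2253 DN escaping. Two points are
#	assumptions rather than statements from this page: an unqualified
#	result value expanded with %u keeps the whole value, and "domain" is
#	modelled as a plain list of names rather than files or tables. The
#	case worth checking first is the one a penetration tester tries: an
#	input key such as "bob*)(uid=*" must come out of query_filter as
#	escaped hex, not as a second filter clause.

```python
"""Model of the ldap_table(5) '%' expansions and result assembly.
Illustration for this manual, not Postfix code. quote() is RFC 2254
filter quoting for query_filter and RFC 2253 DN quoting for search_base;
result_format inserts result values as-is."""
import re

TOKEN = re.compile(r'%(.)')


class Suppressed(Exception):
    """The lookup is suppressed and returns no results."""


class SkipValue(Exception):
    """This single result value is dropped from the result list."""


class TempFail(Exception):
    """Temporary lookup failure (expansion_limit exceeded)."""


def filter_quote(s):
    """RFC 2254 (now 4515): escape filter metacharacters as \\xx hex."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in s)


def dn_quote(s):
    """RFC 2253 (now 4514): backslash-escape DN specials in an attribute value."""
    out = []
    for i, c in enumerate(s):
        special = (c in ',+"\\<>;' or (i == 0 and c in '# ')
                   or (i == len(s) - 1 and c == ' '))
        out.append('\\' + c if special else c)
    return ''.join(out)


def split_addr(s):
    """(localpart, domain); domain is None when the key is unqualified."""
    user, at, domain = s.rpartition('@')
    return (user, domain) if at else (s, None)


def key_part(ch, key, quote):
    """%s %u %d %1..%9 taken from the input key (ch already lower-cased)."""
    user, domain = split_addr(key)
    if ch == 's':
        return quote(key)
    if ch == 'u':
        if domain is None:                 # unqualified: whole search string
            return quote(key)
        if user == '':
            raise Suppressed('empty localpart')
        return quote(user)
    if ch == 'd':
        if domain is None:
            raise Suppressed('unqualified key')
        return quote(domain)
    if ch in '123456789':                  # %1 = most significant label
        labels = domain.split('.')[::-1] if domain else []
        if len(labels) < int(ch):
            raise Suppressed('not enough domain components for %%%s' % ch)
        return quote(labels[int(ch) - 1])
    raise ValueError('unknown expansion %%%s' % ch)


def expand(template, key, quote=filter_quote, result=None):
    """query_filter/search_base when result is None, else result_format."""
    def repl(m):
        ch = m.group(1)
        if ch == '%':
            return '%'
        if result is None or ch in 'SUD123456789':
            return key_part(ch.lower(), key, quote if result is None else str)
        ruser, rdomain = split_addr(result)
        if ch == 's' and result != '':
            return result
        if ch == 'u' and ruser != '':      # assumption: unqualified result keeps whole value
            return ruser
        if ch == 'd' and rdomain is not None:
            return rdomain
        if ch in 'sud':
            raise SkipValue                # empty result/localpart, or unqualified result
        raise ValueError('unknown expansion %%%s' % ch)
    return TOKEN.sub(repl, template)


def build_query(cfg, key):
    """Apply the 'domain' eligibility rule, then expand base DN and filter.
    cfg['domain'] is modelled as a plain list of lower-case domain names.
    Returns (search_base, query_filter), or None when no search is made."""
    user, domain = split_addr(key)
    if cfg.get('domain') and (domain is None or user == ''
                              or domain.lower() not in cfg['domain']):
        return None
    try:
        return (expand(cfg['search_base'], key, dn_quote),
                expand(cfg.get('query_filter', 'mailacceptinggeneralid=%s'),
                       key, filter_quote))
    except Suppressed:
        return None


def format_results(cfg, key, values):
    """Apply result_format to each attribute value, join with commas, and
    enforce expansion_limit (0 = unlimited). None means 'no result'."""
    fmt, limit = cfg.get('result_format', '%s'), int(cfg.get('expansion_limit', 0))
    out = []
    for v in values:
        try:
            out.append(expand(fmt, key, result=v))
        except SkipValue:
            continue
        except Suppressed:
            return None
    if limit and len(out) > limit:
        raise TempFail('expansion_limit %d exceeded' % limit)
    return ','.join(out) if out else None
```

#	TempFail corresponds to the temporary lookup error Postfix returns
#	when expansion_limit is exceeded; a None from build_query is a
#	suppressed search, which the caller treats as "not found".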
#
#	This feature is available in Postfix 1.0 and later.
# .IP "\fBresult_attribute (default: maildrop)\fR"
#	The attribute(s) Postfix will read from any directory
#	entries returned by the lookup, to be resolved to an email
#	address.
#
# .nf
#	result_attribute = mailbox, maildrop
# .fi
#
#	Don't rely on the default value ("maildrop"). Set the
#	result_attribute explicitly in all ldap table configuration
#	files. This is particularly relevant when no result_attribute
#	is applicable, e.g. cases in which leaf_result_attribute and/or
#	terminal_result_attribute are used instead. The default value
#	is harmless if "maildrop" is also listed as a leaf or terminal
#	result attribute, but it is best to not leave this to chance.
# .IP "\fBspecial_result_attribute (default: empty)\fR"
#	The attribute(s) of directory entries that can contain DNs
#	or RFC 2255 LDAP URLs. If found, a recursive search
#	is performed to retrieve the entry referenced by the DN, or
#	the entries matched by the URL query.
#
# .nf
#	special_result_attribute = memberdn
# .fi
#
#	DN recursion retrieves the same result_attributes as the
#	main query, including the special attributes for further
#	recursion.
#
#	URL processing retrieves only those attributes that are included
#	in both the URL definition and as result attributes (ordinary,
#	special, leaf or terminal) in the Postfix table definition.
#	If the URL lists any of the table's special result attributes,
#	these are retrieved and used recursively. A URL that does not
#	specify any attribute selection is equivalent (RFC 2255) to a
#	URL that selects all attributes, in which case the selected
#	attributes will be the full set of result attributes in the
#	Postfix table.
#
#	If an LDAP URL attribute-descriptor or the corresponding Postfix
#	LDAP table result attribute (but not both) uses RFC 2255 sub-type
#	options ("attr;option"), the attribute requested from the LDAP server
#	will include the sub-type option. In all other cases, the URL
#	attribute and the table attribute must match exactly. Attributes
#	with options in both the URL and the Postfix table are requested
#	only when the options are identical. LDAP attribute-descriptor
#	options are very rarely used; most LDAP users will not
#	need to concern themselves with this level of nuanced detail.
# .IP "\fBterminal_result_attribute (default: empty)\fR"
#	When one or more terminal result attributes are found in an LDAP
#	entry, all other result attributes are ignored and only the terminal
#	result attributes are returned. This is useful for delegating expansion
#	of group members to a particular host, by using an optional "maildrop"
#	attribute on selected groups to route the group to a specific host,
#	where the group is expanded, possibly via mailing-list manager or
#	other special processing.
#
# .nf
#	result_attribute =
#	terminal_result_attribute = maildrop
# .fi
#
#	When using terminal and/or leaf result attributes, the
#	result_attribute is best set to an empty value when it is not
#	used, or else explicitly set to the desired value, even if it is
#	the default value "maildrop".
#
#	This feature is available with Postfix 2.4 or later.
# .IP "\fBleaf_result_attribute (default: empty)\fR"
#	When one or more special result attributes are found in a non-terminal
#	(see above) LDAP entry, leaf result attributes are excluded from the
#	expansion of that entry. This is useful when expanding groups and the
#	desired mail address attribute(s) of the member objects obtained via
#	DN or URI recursion are also present in the group object.
#	To only return the attribute values from the leaf objects and not the
#	containing group, add the attribute to the leaf_result_attribute list,
#	and not the result_attribute list, which is always expanded. Note,
#	the default value of "result_attribute" is not empty; you may want to
#	set it explicitly empty when using "leaf_result_attribute" to expand
#	the group to a list of member DN addresses. If groups have both
#	member DN references AND attributes that hold multiple string valued
#	rfc822 addresses, then the string attributes go in "result_attribute".
#	The attributes that represent the email addresses of objects
#	referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
#
# .nf
#	result_attribute = memberaddr
#	special_result_attribute = memberdn
#	terminal_result_attribute = maildrop
#	leaf_result_attribute = mail
# .fi
#
#	When using terminal and/or leaf result attributes, the
#	result_attribute is best set to an empty value when it is not
#	used, or else explicitly set to the desired value, even if it is
#	the default value "maildrop".
#
#	This feature is available with Postfix 2.4 or later.
# .IP "\fBscope (default: sub)\fR"
#	The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
#	These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
#	and LDAP_SCOPE_ONELEVEL.
# .IP "\fBbind (default: yes)\fR"
#	Whether or how to bind to the LDAP server. Newer LDAP
#	implementations don't require clients to bind, which saves
#	time. Example:
#
# .nf
#	# Don't bind
#	bind = no
#	# Use SIMPLE bind
#	bind = yes
#	# Use SASL bind
#	bind = sasl
# .fi
#
#	Postfix versions prior to 2.8 only support "bind = no" which
#	means don't bind, and "bind = yes" which means do a SIMPLE bind.
#	Postfix 2.8 and later also supports "bind = SASL" when compiled
#	with LDAP SASL support as described in LDAP_README; it also adds
#	the synonyms "bind = none" and "bind = simple" for "bind = no"
#	and "bind = yes" respectively. See the SASL section below for
#	additional parameters available with "bind = sasl".
#
#	If you do need to bind, you might consider configuring
#	Postfix to connect to the local machine on a port that's
#	an SSL tunnel to your LDAP server. If your LDAP server
#	doesn't natively support SSL, put a tunnel (wrapper, proxy,
#	whatever you want to call it) on that system too. This
#	should prevent the password from traversing the network in
#	the clear.
# .IP "\fBbind_dn (default: empty)\fR"
#	If you do have to bind, do it with this distinguished name. Example:
#
# .nf
#	bind_dn = uid=postfix, dc=your, dc=com
# .fi
#	With "bind = sasl" (see above) the DN may be optional for some SASL
#	mechanisms; don't specify a DN if not needed.
# .IP "\fBbind_pw (default: empty)\fR"
#	The password for the distinguished name above. If you have
#	to use this, you probably want to make the map configuration
#	file readable only by the Postfix user. When using the
#	obsolete ldap:ldapsource syntax, with map parameters in
#	main.cf, it is not possible to securely store the bind
#	password. This is because main.cf needs to be world readable
#	to allow local accounts to submit mail via the sendmail
#	command. Example:
#
# .nf
#	bind_pw = postfixpw
# .fi
#	With "bind = sasl" (see above) the password may be optional
#	for some SASL mechanisms; don't specify a password if not needed.
# .IP "\fBcache (IGNORED with a warning)\fR"
# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
# .IP "\fBcache_size (IGNORED with a warning)\fR"
#	The above parameters are NO LONGER SUPPORTED by Postfix.
#	Cache support has been dropped from OpenLDAP as of release
#	2.1.13.
# .IP "\fBrecursion_limit (default: 1000)\fR"
#	A limit on the nesting depth of DN and URL special result
#	attribute evaluation. The limit must be a non-zero positive
#	number.
# .IP "\fBexpansion_limit (default: 0)\fR"
#	A limit on the total number of result elements returned
#	(as a comma separated list) by a lookup against the map.
#	A setting of zero disables the limit. Lookups fail with a
#	temporary error if the limit is exceeded. Setting the
#	limit to 1 ensures that lookups do not return multiple
#	values.
# .IP "\fBsize_limit (default: $expansion_limit)\fR"
#	A limit on the number of LDAP entries returned by any single
#	LDAP search performed as part of the lookup. A setting of
#	0 disables the limit. Expansion of DN and URL references
#	involves nested LDAP queries, each of which is separately
#	subjected to this limit.
#
#	Note: even a single LDAP entry can generate multiple lookup
#	results, via multiple result attributes and/or multi-valued
#	result attributes. This limit caps the per search resource
#	utilization on the LDAP server, not the final multiplicity
#	of the lookup result. It is analogous to the "-z" option
#	of "ldapsearch".
# .IP "\fBdereference (default: 0)\fR"
#	When to dereference LDAP aliases. (Note that this has
#	nothing to do with Postfix aliases.) The permitted values are
#	those legal for the OpenLDAP/UM LDAP implementations:
# .RS
# .IP 0
#	never
# .IP 1
#	when searching
# .IP 2
#	when locating the base object for the search
# .IP 3
#	always
# .RE
# .IP
#	See ldap.h or the ldap_open(3) or ldapsearch(1) man pages
#	for more information. And if you're using an LDAP package
#	that has other possible values, please bring it to the
#	attention of the postfix-users@postfix.org mailing list.
# .IP "\fBchase_referrals (default: 0)\fR"
#	Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
#	3 support).
# .IP "\fBversion (default: 2)\fR"
#	Specifies the LDAP protocol version to use.
# .IP "\fBdebuglevel (default: 0)\fR"
#	What level to set for debugging in the OpenLDAP libraries.
# LDAP SASL PARAMETERS
# .ad
# .fi
#	If you're using the OpenLDAP libraries compiled with SASL
#	support, Postfix 2.8 and later built with LDAP SASL support
#	as described in LDAP_README can authenticate to LDAP servers
#	via SASL.
#
#	This enables authentication to the LDAP server via mechanisms
#	other than a simple password. The added flexibility has a cost:
#	it is no longer practical to set an explicit timeout on the duration
#	of an LDAP bind operation. Under adverse conditions, whether a SASL
#	bind times out at all, and if it does, how long that takes, is
#	determined by the LDAP and SASL libraries.
#
#	It is best to use tables that use SASL binds via proxymap(8); this
#	way the requesting process can time-out the proxymap request. This
#	also lets you tailor the process environment by overriding the
#	proxymap(8) import_environment setting in master.cf(5). Special
#	environment settings may be needed to configure GSSAPI credential
#	caches or other SASL mechanism specific options. The GSSAPI
#	credentials used for LDAP lookups may need to be different from,
#	say, those used by the Postfix SMTP client to authenticate to remote
#	servers.
#
#	Using SASL mechanisms requires LDAP protocol version 3; the default
#	protocol version is 2 for backwards compatibility. You must set
#	"version = 3" in addition to "bind = sasl".
#
#	The following parameters are relevant to using LDAP with SASL:
# .IP "\fBsasl_mechs (default: empty)\fR"
#	Space separated list of SASL mechanism(s) to try.
# .IP "\fBsasl_realm (default: empty)\fR"
#	SASL Realm to use, if applicable.
# .IP "\fBsasl_authz_id (default: empty)\fR"
#	The SASL authorization identity to assert, if applicable.
# .IP "\fBsasl_minssf (default: 0)\fR"
#	The minimum SASL security strength factor (SSF) required to
#	establish a connection.
# LDAP SSL AND STARTTLS PARAMETERS
# .ad
# .fi
#	If you're using the OpenLDAP libraries compiled with SSL
#	support, Postfix can connect to LDAP SSL servers and can
#	issue the STARTTLS command.
#
#	LDAP SSL service can be requested by using a LDAP SSL URL
#	in the server_host parameter:
#
# .nf
#	server_host = ldaps://ldap.example.com:636
# .fi
#
#	STARTTLS can be turned on with the start_tls parameter:
#
# .nf
#	start_tls = yes
# .fi
#
#	Both forms require LDAP protocol version 3, which has to be set
#	explicitly with:
#
# .nf
#	version = 3
# .fi
#
#	If any of the Postfix programs querying the map is configured in
#	master.cf to run chrooted, all the certificates and keys involved
#	have to be copied to the chroot jail. Of course, the private keys
#	should only be readable by the user "postfix".
#
#	The following parameters are relevant to LDAP SSL and STARTTLS:
# .IP "\fBstart_tls (default: no)\fR"
#	Whether or not to issue STARTTLS upon connection to the
#	server. Don't set this with LDAP SSL (the SSL session is set up
#	automatically when the TCP connection is opened).
# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR"
#	Directory containing X509 Certification Authority certificates
#	in PEM format which are to be recognized by the client in
#	SSL/TLS connections. The files each contain one CA certificate.
#	The files are looked up by the CA subject name hash value,
#	which must hence be available.
#	If more than one CA certificate with the same name hash value
#	exist, the extension must be different (e.g. 9d66eef0.0,
#	9d66eef0.1 etc). The search is performed in the ordering of the
#	extension number, regardless of other properties of the
#	certificates. Use the c_rehash utility (from the OpenSSL
#	distribution) to create the necessary links.
# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR"
#	File containing the X509 Certification Authority certificates
#	in PEM format which are to be recognized by the client in
#	SSL/TLS connections. This setting takes precedence over
#	tls_ca_cert_dir.
# .IP "\fBtls_cert (No default; you must set this)\fR"
#	File containing the client's X509 certificate to be used by
#	the client in SSL/TLS connections.
# .IP "\fBtls_key (No default; you must set this)\fR"
#	File containing the private key corresponding to the above
#	tls_cert.
# .IP "\fBtls_require_cert (default: no)\fR"
#	Whether or not to request the server's X509 certificate and
#	check its validity when establishing SSL/TLS connections.
#	The supported values are \fBno\fR and \fByes\fR.
# .sp
#	With \fBno\fR, the server certificate trust chain is not checked,
#	but with OpenLDAP prior to 2.1.13, the name in the server
#	certificate must still match the LDAP server name. With OpenLDAP
#	2.0.0 to 2.0.11 the server name is not necessarily what you
#	specified, rather it is determined (by reverse lookup) from the
#	IP address of the LDAP server connection. With OpenLDAP prior to
#	2.0.13, subjectAlternativeName extensions in the LDAP server
#	certificate are ignored: the server name must match the subject
#	CommonName. The \fBno\fR setting corresponds to the \fBnever\fR
#	value of \fBTLS_REQCERT\fR in LDAP client configuration files.
# .sp
#	Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
#	if you can avoid it.
# .sp
#	With \fByes\fR, the server certificate must be issued by a trusted
#	CA, and not be expired. The LDAP server name must match one of the
#	name(s) found in the certificate (see above for OpenLDAP library
#	version dependent behavior). The \fByes\fR setting corresponds to the
#	\fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration
#	files.
# .sp
#	The "try" and "allow" values of \fBTLS_REQCERT\fR have no equivalents
#	here. They are not available with OpenLDAP 2.0, and in any case have
#	questionable security properties. Either you want TLS verified LDAP
#	connections, or you don't.
# .sp
#	The \fByes\fR value only works correctly with Postfix 2.5 and later,
#	or with OpenLDAP 2.0. Earlier Postfix releases combined with later
#	OpenLDAP releases don't work with this setting. Support for LDAP
#	over TLS was added to Postfix based on the OpenLDAP 2.0 API.
# .IP "\fBtls_random_file (No default)\fR"
#	Path of a file to obtain random bits from when /dev/[u]random
#	is not available, to be used by the client in SSL/TLS
#	connections.
# .IP "\fBtls_cipher_suite (No default)\fR"
#	Cipher suite to use in SSL/TLS negotiations.
# EXAMPLE
# .ad
# .fi
#	Here's a basic example for using LDAP to look up local(8)
#	aliases.
#	Assume that in main.cf, you have:
#
# .nf
#	alias_maps = hash:/etc/aliases,
#		ldap:/etc/postfix/ldap-aliases.cf
# .fi
#
#	and in ldap:/etc/postfix/ldap-aliases.cf you have:
#
# .nf
#	server_host = ldap.example.com
#	search_base = dc=example, dc=com
# .fi
#
#	Upon receiving mail for a local address "ldapuser" that
#	isn't found in the /etc/aliases database, Postfix will
#	search the LDAP server listening at port 389 on ldap.example.com.
#	It will bind anonymously, search for any directory entries
#	whose mailacceptinggeneralid attribute is "ldapuser", read
#	the "maildrop" attributes of those found, and build a list
#	of their maildrops, which will be treated as RFC822 addresses
#	to which the message will be delivered.
# OBSOLETE MAIN.CF PARAMETERS
# .ad
# .fi
#	For backwards compatibility with Postfix version 2.0 and earlier,
#	LDAP parameters can also be defined in main.cf. Specify
#	as LDAP source a name that doesn't begin with a slash or
#	a dot. The LDAP parameters will then be accessible as the
#	name you've given the source in its definition, an underscore,
#	and the name of the parameter. For example, if the map is
#	specified as "ldap:\fIldapsource\fR", the "server_host"
#	parameter described above would be defined in main.cf as
#	"\fIldapsource\fR_server_host".
#
#	Note: with this form, the passwords for the LDAP sources are
#	written in main.cf, which is normally world-readable. Support
#	for this form will be removed in a future Postfix version.
# OTHER OBSOLETE FEATURES
# .ad
# .fi
# .IP "\fBresult_filter (No default)\fR"
#	For backwards compatibility with the pre
#	2.2 LDAP clients, \fBresult_filter\fR can for now be used instead
#	of \fBresult_format\fR, when the latter parameter is not also set.
#	The new name better reflects the function of the parameter. This
#	compatibility interface may be removed in a future release.
# SEE ALSO
#	postmap(1), Postfix lookup table manager
#	postconf(5), configuration parameters
#	mysql_table(5), MySQL lookup tables
#	pgsql_table(5), PostgreSQL lookup tables
# README FILES
# .ad
# .fi
#	Use "\fBpostconf readme_directory\fR" or
#	"\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
#	DATABASE_README, Postfix lookup table overview
#	LDAP_README, Postfix LDAP client guide
# LICENSE
# .ad
# .fi
#	The Secure Mailer license must be distributed with this software.
# AUTHOR(S)
# .ad
# .fi
#	Carsten Hoeger,
#	Hery Rakotoarisoa,
#	John Hensley,
#	Keith Stevenson,
#	LaMont Jones,
#	Liviu Daia,
#	Manuel Guesdon,
#	Mike Mattice,
#	Prabhat K Singh,
#	Sami Haahtinen,
#	Samuel Tardieu,
#	Victor Duchovni,
#	and many others.
#--
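#	The EXAMPLE section shows the smallest working table; the caveats
#	spread through this manual (version 3 for STARTTLS, ldaps:// and
#	SASL; tls_require_cert; a CA trust anchor; no quotes around values;
#	an explicit result_attribute; a query_filter that tests membership of
#	the input key rather than returning a whole list; and a bind_pw that
#	must not sit in a world-readable file) are easy to miss when writing
#	one. The following Python, added here as an illustration and not a
#	Postfix tool, parses a main.cf-format table file and reports those
#	mistakes. Both sample files are constructed for the example; the
#	file mode is passed in rather than read from disk so the checks run
#	offline, and the "domain", bind_dn and CA path values are invented.

```python
"""Lint an ldap_table(5) configuration file against the caveats in the
ldap_table(5) manual. Illustration for this page; not a Postfix tool.
The sample configurations below are constructed."""
import stat


def parse_cf(text):
    """main.cf-style parser: 'name = value', continuation lines start
    with whitespace, '#' starts a comment line."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and last is not None:
            params[last] += ' ' + raw.strip()
            continue
        name, _, value = raw.partition('=')
        last = name.strip()
        params[last] = value.strip()
    return params


def lint(text, mode=0o600):
    """Return a list of findings; 'mode' is the file's permission bits."""
    p = parse_cf(text)
    low = lambda k: p.get(k, '').lower()
    uses_ldaps = 'ldaps://' in low('server_host')
    start_tls = low('start_tls') == 'yes'
    tls = uses_ldaps or start_tls
    issues = []
    if 'search_base' not in p:
        issues.append('search_base has no default and must be set')
    for k, v in p.items():
        if v[:1] in ('"', "'"):
            issues.append('%s: do not put quotes around the value' % k)
    if 'query_filter' in p and '%' not in p['query_filter']:
        issues.append('query_filter has no %s/%u/%d expansion: the filter '
                      'returns the whole list instead of testing membership')
    if 'result_attribute' not in p:
        issues.append('result_attribute is not set explicitly (default "maildrop")')
    if 'result_filter' in p and 'result_format' not in p:
        issues.append('result_filter is obsolete; use result_format')
    for k in ('cache', 'cache_expiry', 'cache_size'):
        if k in p:
            issues.append('%s is no longer supported and is ignored' % k)
    if low('bind') == 'sasl' and low('version') != '3':
        issues.append('bind = sasl requires version = 3')
    if tls and low('version') != '3':
        issues.append('ldaps:// and start_tls require version = 3')
    if uses_ldaps and start_tls:
        issues.append('start_tls = yes must not be combined with an ldaps:// URL')
    if tls and low('tls_require_cert') != 'yes':
        issues.append('tls_require_cert is not "yes": the server certificate '
                      'chain is not verified')
    if tls and not (p.get('tls_ca_cert_file') or p.get('tls_ca_cert_dir')):
        issues.append('TLS in use but neither tls_ca_cert_file nor '
                      'tls_ca_cert_dir is set')
    if p.get('bind_pw') and mode & stat.S_IROTH:
        issues.append('bind_pw is set but the file is world-readable (mode %o)' % mode)
    return issues


# Constructed sample: the EXAMPLE section's file plus common mistakes
# (list-style filter, STARTTLS without version 3 or a CA, bind password
# in a file that will be installed mode 0644).
WEAK = """\
server_host = ldap.example.com
search_base = dc=example, dc=com
query_filter = domain=*
start_tls = yes
bind = yes
bind_dn = uid=postfix, dc=example, dc=com
bind_pw = postfixpw
"""

# Constructed sample: the corrected file, installed mode 0640 root:postfix.
HARDENED = """\
server_host = ldap.example.com
version = 3
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/postfix/ldap-ca.pem
bind = simple
bind_dn = uid=postfix,ou=services,dc=example,dc=com
bind_pw = postfixpw
search_base = ou=people,dc=example,dc=com
query_filter = (&(mail=%s)(objectClass=inetOrgPerson))
result_attribute = mailbox, maildrop
domain = example.com
expansion_limit = 1
"""

if __name__ == '__main__':
    for name, text, mode in (('weak', WEAK, 0o644), ('hardened', HARDENED, 0o640)):
        print(name + ':', lint(text, mode) or ['ok'])
```

#	The linter deliberately does not accept the "try"/"allow" middle
#	ground that TLS_REQCERT offers, matching the manual's position that
#	an LDAP connection is either verified or it is not; nor does it
#	inspect main.cf, where the obsolete ldap:ldapsource form would put
#	the password in a world-readable file by construction.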