1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 5<title> Postfix manual - ldap_table(5) </title> 6</head> <body> <pre> 7LDAP_TABLE(5) LDAP_TABLE(5) 8 9<b>NAME</b> 10 ldap_table - Postfix LDAP client configuration 11 12<b>SYNOPSIS</b> 13 <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> 14 15 <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i> 16 17<b>DESCRIPTION</b> 18 The Postfix mail system uses optional tables for address rewriting or 19 mail routing. These tables are usually in <b>dbm</b> or <b>db</b> format. 20 21 Alternatively, lookup tables can be specified as LDAP databases. 22 23 In order to use LDAP lookups, define an LDAP source as a lookup table 24 in <a href="postconf.5.html">main.cf</a>, for example: 25 26 <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf 27 28 The file /etc/postfix/ldap-aliases.cf has the same format as the Post- 29 fix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described below. An 30 example is given at the end of this manual. 31 32 This configuration method is available with Postfix version 2.1 and 33 later. See the section "OBSOLETE MAIN.CF PARAMETERS" below for older 34 Postfix versions. 35 36 For details about LDAP SSL and STARTTLS, see the section on SSL and 37 STARTTLS below. 38 39<b>LIST MEMBERSHIP</b> 40 When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, 41 $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, etc., it is important to under- 42 stand that the table must store each list member as a separate key. The 43 table lookup verifies the *existence* of the key. See "Postfix lists 44 versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a discussion. 45 46 Do NOT create tables that return the full list of domains in $<a href="postconf.5.html#mydestination">mydesti</a>- 47 <a href="postconf.5.html#mydestination">nation</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses in $<a href="postconf.5.html#mynetworks">mynetworks</a>. 48 49 DO create tables with each matching item as a key and with an arbitrary 50 value. With LDAP databases it is not uncommon to return the key itself. 51 52 For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>: 53 54 query_filter = domain=* 55 result_attribute = domain 56 57 Do this instead: 58 59 query_filter = domain=%s 60 result_attribute = domain 61 62<b>GENERAL LDAP PARAMETERS</b> 63 In the text below, default values are given in parentheses. Note: 64 don't use quotes in these variables; at least, not until the Postfix 65 configuration routines understand how to deal with quoted strings. 66 67 <b>server_host (default: localhost)</b> 68 The name of the host running the LDAP server, e.g. 69 70 server_host = ldap.example.com 71 72 Depending on the LDAP client library you're using, it should be 73 possible to specify multiple servers here, with the library try- 74 ing them in order should the first one fail. It should also be 75 possible to give each server in the list a different port (over- 76 riding <b>server_port</b> below), by naming them like 77 78 server_host = ldap.example.com:1444 79 80 With OpenLDAP, a (list of) LDAP URLs can be used to specify both 81 the hostname(s) and the port(s): 82 83 server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444 84 <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444 85 86 All LDAP URLs accepted by the OpenLDAP library are supported, 87 including connections over UNIX domain sockets, and LDAP SSL 88 (the last one provided that OpenLDAP was compiled with support 89 for SSL): 90 91 server_host = ldapi://%2Fsome%2Fpath 92 ldaps://ldap.example.com:636 93 94 <b>server_port (default: 389)</b> 95 The port the LDAP server listens on, e.g. 96 97 server_port = 778 98 99 <b>timeout (default: 10 seconds)</b> 100 The number of seconds a search can take before timing out, e.g. 101 102 timeout = 5 103 104 <b>search_base (No default; you must configure this)</b> 105 The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g. 106 107 search_base = dc=your, dc=com 108 109 With Postfix 2.2 and later this parameter supports the following 110 '%' expansions: 111 112 <b>%%</b> This is replaced by a literal '%' character. 113 114 <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is 115 used to make sure that the input key does not add unex- 116 pected metacharacters. 117 118 <b>%u</b> When the input key is an address of the form user@domain, 119 <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the 120 address. Otherwise, <b>%u</b> is replaced by the entire search 121 string. If the localpart is empty, the search is sup- 122 pressed and returns no results. 123 124 <b>%d</b> When the input key is an address of the form user@domain, 125 <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of 126 the address. Otherwise, the search is suppressed and 127 returns no results. 128 129 <b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case equivalents 130 of the above expansions behave identically to their 131 lower-case counter-parts. With the <b>result_format</b> parame- 132 ter (previously called <b>result_filter</b> see the COMPATIBIL- 133 ITY section and below), they expand to the corresponding 134 components of input key rather than the result value. 135 136 <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- 137 sponding most significant component of the input key's 138 domain. If the input key is <i>user@mail.example.com</i>, then 139 %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key 140 is unqualified or does not have enough domain components 141 to satisfy all the specified patterns, the search is sup- 142 pressed and returns no results. 143 144 <b>query_filter (default: mailacceptinggeneralid=%s)</b> 145 The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a 146 substitute for the address Postfix is trying to resolve, e.g. 147 148 query_filter = (&(mail=%s)(paid_up=true)) 149 150 This parameter supports the following '%' expansions: 151 152 <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 153 and later). 154 155 <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is 156 used to make sure that the input key does not add unex- 157 pected metacharacters. 158 159 <b>%u</b> When the input key is an address of the form user@domain, 160 <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the 161 address. Otherwise, <b>%u</b> is replaced by the entire search 162 string. If the localpart is empty, the search is sup- 163 pressed and returns no results. 164 165 <b>%d</b> When the input key is an address of the form user@domain, 166 <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of 167 the address. Otherwise, the search is suppressed and 168 returns no results. 169 170 <b>%[SUD]</b> The upper-case equivalents of the above expansions behave 171 in the <b>query_filter</b> parameter identically to their 172 lower-case counter-parts. With the <b>result_format</b> parame- 173 ter (previously called <b>result_filter</b> see the COMPATIBIL- 174 ITY section and below), they expand to the corresponding 175 components of input key rather than the result value. 176 177 The above %S, %U and %D expansions are available with 178 Postfix 2.2 and later. 179 180 <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- 181 sponding most significant component of the input key's 182 domain. If the input key is <i>user@mail.example.com</i>, then 183 %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key 184 is unqualified or does not have enough domain components 185 to satisfy all the specified patterns, the search is sup- 186 pressed and returns no results. 187 188 The above %1, ..., %9 expansions are available with Post- 189 fix 2.2 and later. 190 191 The "domain" parameter described below limits the input keys to 192 addresses in matching domains. When the "domain" parameter is 193 non-empty, LDAP queries for unqualified addresses or addresses 194 in non-matching domains are suppressed and return no results. 195 196 NOTE: DO NOT put quotes around the <b>query_filter</b> parameter. 197 198 <b>result_format (default: %s</b>) 199 Called <b>result_filter</b> in Postfix releases prior to 2.2. Format 200 template applied to result attributes. Most commonly used to 201 append (or prepend) text to the result. This parameter supports 202 the following '%' expansions: 203 204 <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 205 and later). 206 207 <b>%s</b> This is replaced by the value of the result attribute. 208 When result is empty it is skipped. 209 210 <b>%u</b> When the result attribute value is an address of the form 211 user@domain, <b>%u</b> is replaced by the local part of the 212 address. When the result has an empty localpart it is 213 skipped. 214 215 <b>%d</b> When a result attribute value is an address of the form 216 user@domain, <b>%d</b> is replaced by the domain part of the 217 attribute value. When the result is unqualified it is 218 skipped. 219 220 <b>%[SUD1-9]</b> 221 The upper-case and decimal digit expansions interpolate 222 the parts of the input key rather than the result. Their 223 behavior is identical to that described with <b>query_fil-</b> 224 <b>ter</b>, and in fact because the input key is known in 225 advance, lookups whose key does not contain all the 226 information specified in the result template are sup- 227 pressed and return no results. 228 229 The above %S, %U, %D and %1, ..., %9 expansions are 230 available with Postfix 2.2 and later. 231 232 For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use 233 a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After 234 applying the result format, multiple values are concatenated as 235 comma separated strings. The expansion_limit and size_limit 236 parameters explained below allow one to restrict the number of 237 values in the result, which is especially useful for maps that 238 should return a single value. 239 240 The default value <b>%s</b> specifies that each attribute value should 241 be used as is. 242 243 This parameter was called <b>result_filter</b> in Postfix releases 244 prior to 2.2. If no "result_format" is specified, the value of 245 "result_filter" will be used instead before resorting to the 246 default value. This provides compatibility with old configura- 247 tion files. 248 249 NOTE: DO NOT put quotes around the result format! 250 251 <b>domain (default: no domain list)</b> 252 This is a list of domain names, paths to files, or dictionaries. 253 When specified, only fully qualified search keys with a 254 *non-empty* localpart and a matching domain are eligible for 255 lookup: 'user' lookups, bare domain lookups and "@domain" 256 lookups are not performed. This can significantly reduce the 257 query load on the LDAP server. 258 259 domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains 260 261 It is best not to use LDAP to store the domains eligible for 262 LDAP lookups. 263 264 NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a> aliases. 265 266 This feature is available in Postfix 1.0 and later. 267 268 <b>result_attribute (default: maildrop)</b> 269 The attribute(s) Postfix will read from any directory entries 270 returned by the lookup, to be resolved to an email address. 271 272 result_attribute = mailbox, maildrop 273 274 Don't rely on the default value ("maildrop"). Set the 275 result_attribute explicitly in all ldap table configuration 276 files. This is particularly relevant when no result_attribute is 277 applicable, e.g. cases in which leaf_result_attribute and/or 278 terminal_result_attribute are used instead. The default value is 279 harmless if "maildrop" is also listed as a leaf or terminal 280 result attribute, but it is best to not leave this to chance. 281 282 <b>special_result_attribute (default: empty)</b> 283 The attribute(s) of directory entries that can contain DNs or 284 <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to 285 retrieve the entry referenced by the DN, or the entries matched 286 by the URL query. 287 288 special_result_attribute = memberdn 289 290 DN recursion retrieves the same result_attributes as the main 291 query, including the special attributes for further recursion. 292 293 URL processing retrieves only those attributes that are included 294 in both the URL definition and as result attributes (ordinary, 295 special, leaf or terminal) in the Postfix table definition. If 296 the URL lists any of the table's special result attributes, 297 these are retrieved and used recursively. A URL that does not 298 specify any attribute selection, is equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a 299 URL that selects all attributes, in which case the selected 300 attributes will be the full set of result attributes in the 301 Postfix table. 302 303 If an LDAP URL attribute-descriptor or the corresponding Postfix 304 LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> 305 sub-type options ("attr;option"), the attribute requested from 306 the LDAP server will include the sub-type option. In all other 307 cases, the URL attribute and the table attribute must match 308 exactly. Attributes with options in both the URL and the Postfix 309 table are requested only when the options are identical. LDAP 310 attribute-descriptor options are very rarely used, most LDAP 311 users will not need to concern themselves with this level of 312 nuanced detail. 313 314 <b>terminal_result_attribute (default: empty)</b> 315 When one or more terminal result attributes are found in an LDAP 316 entry, all other result attributes are ignored and only the ter- 317 minal result attributes are returned. This is useful for dele- 318 gating expansion of group members to a particular host, by using 319 an optional "maildrop" attribute on selected groups to route the 320 group to a specific host, where the group is expanded, possibly 321 via mailing-list manager or other special processing. 322 323 result_attribute = 324 terminal_result_attribute = maildrop 325 326 When using terminal and/or leaf result attributes, the 327 result_attribute is best set to an empty value when it is not 328 used, or else explicitly set to the desired value, even if it is 329 the default value "maildrop". 330 331 This feature is available with Postfix 2.4 or later. 332 333 <b>leaf_result_attribute (default: empty)</b> 334 When one or more special result attributes are found in a 335 non-terminal (see above) LDAP entry, leaf result attributes are 336 excluded from the expansion of that entry. This is useful when 337 expanding groups and the desired mail address attribute(s) of 338 the member objects obtained via DN or URI recursion are also 339 present in the group object. To only return the attribute values 340 from the leaf objects and not the containing group, add the 341 attribute to the leaf_result_attribute list, and not the 342 result_attribute list, which is always expanded. Note, the 343 default value of "result_attribute" is not empty, you may want 344 to set it explicitly empty when using "leaf_result_attribute" to 345 expand the group to a list of member DN addresses. If groups 346 have both member DN references AND attributes that hold multiple 347 string valued rfc822 addresses, then the string attributes go in 348 "result_attribute". The attributes that represent the email 349 addresses of objects referenced via a DN (or LDAP URI) go in 350 "leaf_result_attribute". 351 352 result_attribute = memberaddr 353 special_result_attribute = memberdn 354 terminal_result_attribute = maildrop 355 leaf_result_attribute = mail 356 357 When using terminal and/or leaf result attributes, the 358 result_attribute is best set to an empty value when it is not 359 used, or else explicitly set to the desired value, even if it is 360 the default value "maildrop". 361 362 This feature is available with Postfix 2.4 or later. 363 364 <b>scope (default: sub)</b> 365 The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These translate into 366 LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL. 367 368 <b>bind (default: yes)</b> 369 Whether or how to bind to the LDAP server. Newer LDAP implemen- 370 tations don't require clients to bind, which saves time. Exam- 371 ple: 372 373 # Don't bind 374 bind = no 375 # Use SIMPLE bind 376 bind = yes 377 # Use SASL bind 378 bind = sasl 379 380 Postfix versions prior to 2.8 only support "bind = no" which 381 means don't bind, and "bind = yes" which means do a SIMPLE bind. 382 Postfix 2.8 and later also supports "bind = SASL" when compiled 383 with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds 384 the synonyms "bind = none" and "bind = simple" for "bind = no" 385 and "bind = yes" respectively. See the SASL section below for 386 additional parameters available with "bind = sasl". 387 388 If you do need to bind, you might consider configuring Postfix 389 to connect to the local machine on a port that's an SSL tunnel 390 to your LDAP server. If your LDAP server doesn't natively sup- 391 port SSL, put a tunnel (wrapper, proxy, whatever you want to 392 call it) on that system too. This should prevent the password 393 from traversing the network in the clear. 394 395 <b>bind_dn (default: empty)</b> 396 If you do have to bind, do it with this distinguished name. 397 Example: 398 399 bind_dn = uid=postfix, dc=your, dc=com 400 With "bind = sasl" (see above) the DN may be optional for some 401 SASL mechanisms, don't specify a DN if not needed. 402 403 <b>bind_pw (default: empty)</b> 404 The password for the distinguished name above. If you have to 405 use this, you probably want to make the map configuration file 406 readable only by the Postfix user. When using the obsolete 407 <a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is 408 not possible to securely store the bind password. This is 409 because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow local 410 accounts to submit mail via the sendmail command. Example: 411 412 bind_pw = postfixpw 413 With "bind = sasl" (see above) the password may be optional for 414 some SASL mechanisms, don't specify a password if not needed. 415 416 <b>cache (IGNORED with a warning)</b> 417 418 <b>cache_expiry (IGNORED with a warning)</b> 419 420 <b>cache_size (IGNORED with a warning)</b> 421 The above parameters are NO LONGER SUPPORTED by Postfix. Cache 422 support has been dropped from OpenLDAP as of release 2.1.13. 423 424 <b>recursion_limit (default: 1000)</b> 425 A limit on the nesting depth of DN and URL special result 426 attribute evaluation. The limit must be a non-zero positive num- 427 ber. 428 429 <b>expansion_limit (default: 0)</b> 430 A limit on the total number of result elements returned (as a 431 comma separated list) by a lookup against the map. A setting of 432 zero disables the limit. Lookups fail with a temporary error if 433 the limit is exceeded. Setting the limit to 1 ensures that 434 lookups do not return multiple values. 435 436 <b>size_limit (default: $expansion_limit)</b> 437 A limit on the number of LDAP entries returned by any single 438 LDAP search performed as part of the lookup. A setting of 0 dis- 439 ables the limit. Expansion of DN and URL references involves 440 nested LDAP queries, each of which is separately subjected to 441 this limit. 442 443 Note: even a single LDAP entry can generate multiple lookup 444 results, via multiple result attributes and/or multi-valued 445 result attributes. This limit caps the per search resource uti- 446 lization on the LDAP server, not the final multiplicity of the 447 lookup result. It is analogous to the "-z" option of 448 "ldapsearch". 449 450 <b>dereference (default: 0)</b> 451 When to dereference LDAP aliases. (Note that this has nothing do 452 with Postfix aliases.) The permitted values are those legal for 453 the OpenLDAP/UM LDAP implementations: 454 455 0 never 456 457 1 when searching 458 459 2 when locating the base object for the search 460 461 3 always 462 463 See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for 464 more information. And if you're using an LDAP package that has 465 other possible values, please bring it to the attention of the 466 postfix-users@postfix.org mailing list. 467 468 <b>chase_referrals (default: 0)</b> 469 Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3 470 support). 471 472 <b>version (default: 2)</b> 473 Specifies the LDAP protocol version to use. 474 475 <b>debuglevel (default: 0)</b> 476 What level to set for debugging in the OpenLDAP libraries. 477 478<b>LDAP SASL PARAMETERS</b> 479 If you're using the OpenLDAP libraries compiled with SASL support, 480 Postfix 2.8 and later built with LDAP SASL support as described in 481 <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP servers via SASL. 482 483 This enables authentication to the LDAP server via mechanisms other 484 than a simple password. The added flexibility has a cost: it is no 485 longer practical to set an explicit timeout on the duration of an LDAP 486 bind operation. Under adverse conditions, whether a SASL bind times 487 out, or if it does, the duration of the timeout is determined by the 488 LDAP and SASL libraries. 489 490 It is best to use tables that use SASL binds via <a href="proxymap.8.html">proxymap(8)</a>, this way 491 the requesting process can time-out the proxymap request. This also 492 lets you tailer the process environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> 493 <a href="postconf.5.html#import_environment">import_environment</a> setting in <a href="master.5.html">master.cf</a>(5). Special environment set- 494 tings may be needed to configure GSSAPI credential caches or other SASL 495 mechanism specific options. The GSSAPI credentials used for LDAP 496 lookups may need to be different than say those used for the Postfix 497 SMTP client to authenticate to remote servers. 498 499 Using SASL mechanisms requires LDAP protocol version 3, the default 500 protocol version is 2 for backwards compatibility. You must set "ver- 501 sion = 3" in addition to "bind = sasl". 502 503 The following parameters are relevant to using LDAP with SASL 504 505 <b>sasl_mechs (default: empty)</b> 506 Space separated list of SASL mechanism(s) to try. 507 508 <b>sasl_realm (default: empty)</b> 509 SASL Realm to use, if applicable. 510 511 <b>sasl_authz_id (default: empty)</b> 512 The SASL authorization identity to assert, if applicable. 513 514 <b>sasl_minssf (default: 0)</b> 515 The minimum required sasl security factor required to establish 516 a connection. 517 518<b>LDAP SSL AND STARTTLS PARAMETERS</b> 519 If you're using the OpenLDAP libraries compiled with SSL support, Post- 520 fix can connect to LDAP SSL servers and can issue the STARTTLS command. 521 522 LDAP SSL service can be requested by using a LDAP SSL URL in the 523 server_host parameter: 524 525 server_host = ldaps://ldap.example.com:636 526 527 STARTTLS can be turned on with the start_tls parameter: 528 529 start_tls = yes 530 531 Both forms require LDAP protocol version 3, which has to be set explic- 532 itly with: 533 534 version = 3 535 536 If any of the Postfix programs querying the map is configured in <a href="master.5.html">mas- 537 ter.cf</a> to run chrooted, all the certificates and keys involved have to 538 be copied to the chroot jail. Of course, the private keys should only 539 be readable by the user "postfix". 540 541 The following parameters are relevant to LDAP SSL and STARTTLS: 542 543 <b>start_tls (default: no)</b> 544 Whether or not to issue STARTTLS upon connection to the server. 545 Don't set this with LDAP SSL (the SSL session is setup automati- 546 cally when the TCP connection is opened). 547 548 <b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b> 549 Directory containing X509 Certification Authority certificates 550 in PEM format which are to be recognized by the client in 551 SSL/TLS connections. The files each contain one CA certificate. 552 The files are looked up by the CA subject name hash value, which 553 must hence be available. If more than one CA certificate with 554 the same name hash value exist, the extension must be different 555 (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in 556 the ordering of the extension number, regardless of other prop- 557 erties of the certificates. Use the c_rehash utility (from the 558 OpenSSL distribution) to create the necessary links. 559 560 <b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b> 561 File containing the X509 Certification Authority certificates in 562 PEM format which are to be recognized by the client in SSL/TLS 563 connections. This setting takes precedence over tls_ca_cert_dir. 564 565 <b>tls_cert (No default; you must set this)</b> 566 File containing client's X509 certificate to be used by the 567 client in SSL/ TLS connections. 568 569 <b>tls_key (No default; you must set this)</b> 570 File containing the private key corresponding to the above 571 tls_cert. 572 573 <b>tls_require_cert (default: no)</b> 574 Whether or not to request server's X509 certificate and check 575 its validity when establishing SSL/TLS connections. The sup- 576 ported values are <b>no</b> and <b>yes</b>. 577 578 With <b>no</b>, the server certificate trust chain is not checked, but 579 with OpenLDAP prior to 2.1.13, the name in the server certifi- 580 cate must still match the LDAP server name. With OpenLDAP 2.0.0 581 to 2.0.11 the server name is not necessarily what you specified, 582 rather it is determined (by reverse lookup) from the IP address 583 of the LDAP server connection. With OpenLDAP prior to 2.0.13, 584 subjectAlternativeName extensions in the LDAP server certificate 585 are ignored: the server name must match the subject CommonName. 586 The <b>no</b> setting corresponds to the <b>never</b> value of <b>TLS_REQCERT</b> in 587 LDAP client configuration files. 588 589 Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11) 590 if you can avoid it. 591 592 With <b>yes</b>, the server certificate must be issued by a trusted CA, 593 and not be expired. The LDAP server name must match one of the 594 name(s) found in the certificate (see above for OpenLDAP library 595 version dependent behavior). The <b>yes</b> setting corresponds to the 596 <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client configuration files. 597 598 The "try" and "allow" values of <b>TLS_REQCERT</b> have no equivalents 599 here. They are not available with OpenLDAP 2.0, and in any case 600 have questionable security properties. Either you want TLS veri- 601 fied LDAP connections, or you don't. 602 603 The <b>yes</b> value only works correctly with Postfix 2.5 and later, 604 or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP 605 releases don't work together with this setting. Support for LDAP 606 over TLS was added to Postfix based on the OpenLDAP 2.0 API. 607 608 <b>tls_random_file (No default)</b> 609 Path of a file to obtain random bits from when /dev/[u]random is 610 not available, to be used by the client in SSL/TLS connections. 611 612 <b>tls_cipher_suite (No default)</b> 613 Cipher suite to use in SSL/TLS negotiations. 614 615<b>EXAMPLE</b> 616 Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a> aliases. 617 Assume that in <a href="postconf.5.html">main.cf</a>, you have: 618 619 <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases, 620 <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf 621 622 and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have: 623 624 server_host = ldap.example.com 625 search_base = dc=example, dc=com 626 627 Upon receiving mail for a local address "ldapuser" that isn't found in 628 the /etc/aliases database, Postfix will search the LDAP server listen- 629 ing at port 389 on ldap.example.com. It will bind anonymously, search 630 for any directory entries whose mailacceptinggeneralid attribute is 631 "ldapuser", read the "maildrop" attributes of those found, and build a 632 list of their maildrops, which will be treated as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to 633 which the message will be delivered. 634 635<b>OBSOLETE MAIN.CF PARAMETERS</b> 636 For backwards compatibility with Postfix version 2.0 and earlier, LDAP 637 parameters can also be defined in <a href="postconf.5.html">main.cf</a>. Specify as LDAP source a 638 name that doesn't begin with a slash or a dot. The LDAP parameters 639 will then be accessible as the name you've given the source in its def- 640 inition, an underscore, and the name of the parameter. For example, if 641 the map is specified as "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the "server_host" parameter 642 below would be defined in <a href="postconf.5.html">main.cf</a> as "<i>ldapsource</i>_server_host". 643 644 Note: with this form, the passwords for the LDAP sources are written in 645 <a href="postconf.5.html">main.cf</a>, which is normally world-readable. Support for this form will 646 be removed in a future Postfix version. 647 648<b>OTHER OBSOLETE FEATURES</b> 649 For backwards compatibility with the pre 2.2 LDAP clients, <b>result_fil-</b> 650 <b>ter</b> can for now be used instead of <b>result_format</b>, when the latter 651 parameter is not also set. The new name better reflects the function 652 of the parameter. This compatibility interface may be removed in a 653 future release. 654 655<b>SEE ALSO</b> 656 <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager 657 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 658 <a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables 659 <a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables 660 661<b>README FILES</b> 662 <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview 663 <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide 664 665<b>LICENSE</b> 666 The Secure Mailer license must be distributed with this software. 667 668<b>AUTHOR(S)</b> 669 Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM- 670 ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh, 671 Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others. 672 673 LDAP_TABLE(5) 674</pre> </body> </html> 675