1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 5<title> Postfix manual - ldap_table(5) </title> 6</head> <body> <pre> 7LDAP_TABLE(5) LDAP_TABLE(5) 8 9<b>NAME</b> 10 ldap_table - Postfix LDAP client configuration 11 12<b>SYNOPSIS</b> 13 <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> 14 15 <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i> 16 17<b>DESCRIPTION</b> 18 The Postfix mail system uses optional tables for address rewriting or 19 mail routing. These tables are usually in <b>dbm</b> or <b>db</b> format. 20 21 Alternatively, lookup tables can be specified as LDAP databases. 22 23 In order to use LDAP lookups, define an LDAP source as a lookup table 24 in <a href="postconf.5.html">main.cf</a>, for example: 25 26 <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf 27 28 The file /etc/postfix/ldap-aliases.cf has the same format as the Post- 29 fix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described below. An 30 example is given at the end of this manual. 31 32 This configuration method is available with Postfix version 2.1 and 33 later. See the section "BACKWARDS COMPATIBILITY" below for older Post- 34 fix versions. 35 36 For details about LDAP SSL and STARTTLS, see the section on SSL and 37 STARTTLS below. 38 39<b>BACKWARDS COMPATIBILITY</b> 40 For backwards compatibility with Postfix version 2.0 and earlier, LDAP 41 parameters can also be defined in <a href="postconf.5.html">main.cf</a>. Specify as LDAP source a 42 name that doesn't begin with a slash or a dot. The LDAP parameters 43 will then be accessible as the name you've given the source in its def- 44 inition, an underscore, and the name of the parameter. For example, if 45 the map is specified as "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the "server_host" parameter 46 below would be defined in <a href="postconf.5.html">main.cf</a> as "<i>ldapsource</i>_server_host". 47 48 Note: with this form, the passwords for the LDAP sources are written in 49 <a href="postconf.5.html">main.cf</a>, which is normally world-readable. Support for this form will 50 be removed in a future Postfix version. 51 52 For backwards compatibility with the pre 2.2 LDAP clients, <b>result_fil-</b> 53 <b>ter</b> can for now be used instead of <b>result_format</b>, when the latter 54 parameter is not also set. The new name better reflects the function 55 of the parameter. This compatibility interface may be removed in a 56 future release. 57 58<b>LIST MEMBERSHIP</b> 59 When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, 60 $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, etc., it is important to under- 61 stand that the table must store each list member as a separate key. The 62 table lookup verifies the *existence* of the key. See "Postfix lists 63 versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a discussion. 64 65 Do NOT create tables that return the full list of domains in $<a href="postconf.5.html#mydestination">mydesti</a>- 66 <a href="postconf.5.html#mydestination">nation</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses in $<a href="postconf.5.html#mynetworks">mynetworks</a>. 67 68 DO create tables with each matching item as a key and with an arbitrary 69 value. With LDAP databases it is not uncommon to return the key itself. 70 71 For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>: 72 73 query_filter = domain=* 74 result_attribute = domain 75 76 Do this instead: 77 78 query_filter = domain=%s 79 result_attribute = domain 80 81<b>GENERAL LDAP PARAMETERS</b> 82 In the text below, default values are given in parentheses. Note: 83 don't use quotes in these variables; at least, not until the Postfix 84 configuration routines understand how to deal with quoted strings. 85 86 <b>server_host (default: localhost)</b> 87 The name of the host running the LDAP server, e.g. 88 89 server_host = ldap.example.com 90 91 Depending on the LDAP client library you're using, it should be 92 possible to specify multiple servers here, with the library try- 93 ing them in order should the first one fail. It should also be 94 possible to give each server in the list a different port (over- 95 riding <b>server_port</b> below), by naming them like 96 97 server_host = ldap.example.com:1444 98 99 With OpenLDAP, a (list of) LDAP URLs can be used to specify both 100 the hostname(s) and the port(s): 101 102 server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444 103 <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444 104 105 All LDAP URLs accepted by the OpenLDAP library are supported, 106 including connections over UNIX domain sockets, and LDAP SSL 107 (the last one provided that OpenLDAP was compiled with support 108 for SSL): 109 110 server_host = ldapi://%2Fsome%2Fpath 111 ldaps://ldap.example.com:636 112 113 <b>server_port (default: 389)</b> 114 The port the LDAP server listens on, e.g. 115 116 server_port = 778 117 118 <b>timeout (default: 10 seconds)</b> 119 The number of seconds a search can take before timing out, e.g. 120 121 timeout = 5 122 123 <b>search_base (No default; you must configure this)</b> 124 The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g. 125 126 search_base = dc=your, dc=com 127 128 With Postfix 2.2 and later this parameter supports the following 129 '%' expansions: 130 131 <b>%%</b> This is replaced by a literal '%' character. 132 133 <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is 134 used to make sure that the input key does not add unex- 135 pected metacharacters. 136 137 <b>%u</b> When the input key is an address of the form user@domain, 138 <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the 139 address. Otherwise, <b>%u</b> is replaced by the entire search 140 string. If the localpart is empty, the search is sup- 141 pressed and returns no results. 142 143 <b>%d</b> When the input key is an address of the form user@domain, 144 <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of 145 the address. Otherwise, the search is suppressed and 146 returns no results. 147 148 <b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case equivalents 149 of the above expansions behave identically to their 150 lower-case counter-parts. With the <b>result_format</b> parame- 151 ter (previously called <b>result_filter</b> see the COMPATIBIL- 152 ITY section and below), they expand to the corresponding 153 components of input key rather than the result value. 154 155 <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- 156 sponding most significant component of the input key's 157 domain. If the input key is <i>user@mail.example.com</i>, then 158 %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key 159 is unqualified or does not have enough domain components 160 to satisfy all the specified patterns, the search is sup- 161 pressed and returns no results. 162 163 <b>query_filter (default: mailacceptinggeneralid=%s)</b> 164 The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a 165 substitute for the address Postfix is trying to resolve, e.g. 166 167 query_filter = (&(mail=%s)(paid_up=true)) 168 169 This parameter supports the following '%' expansions: 170 171 <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 172 and later). 173 174 <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is 175 used to make sure that the input key does not add unex- 176 pected metacharacters. 177 178 <b>%u</b> When the input key is an address of the form user@domain, 179 <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the 180 address. Otherwise, <b>%u</b> is replaced by the entire search 181 string. If the localpart is empty, the search is sup- 182 pressed and returns no results. 183 184 <b>%d</b> When the input key is an address of the form user@domain, 185 <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of 186 the address. Otherwise, the search is suppressed and 187 returns no results. 188 189 <b>%[SUD]</b> The upper-case equivalents of the above expansions behave 190 in the <b>query_filter</b> parameter identically to their 191 lower-case counter-parts. With the <b>result_format</b> parame- 192 ter (previously called <b>result_filter</b> see the COMPATIBIL- 193 ITY section and below), they expand to the corresponding 194 components of input key rather than the result value. 195 196 The above %S, %U and %D expansions are available with 197 Postfix 2.2 and later. 198 199 <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- 200 sponding most significant component of the input key's 201 domain. If the input key is <i>user@mail.example.com</i>, then 202 %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key 203 is unqualified or does not have enough domain components 204 to satisfy all the specified patterns, the search is sup- 205 pressed and returns no results. 206 207 The above %1, ..., %9 expansions are available with Post- 208 fix 2.2 and later. 209 210 The "domain" parameter described below limits the input keys to 211 addresses in matching domains. When the "domain" parameter is 212 non-empty, LDAP queries for unqualified addresses or addresses 213 in non-matching domains are suppressed and return no results. 214 215 NOTE: DO NOT put quotes around the <b>query_filter</b> parameter. 216 217 <b>result_format (default: %s</b>) 218 Called <b>result_filter</b> in Postfix releases prior to 2.2. Format 219 template applied to result attributes. Most commonly used to 220 append (or prepend) text to the result. This parameter supports 221 the following '%' expansions: 222 223 <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 224 and later). 225 226 <b>%s</b> This is replaced by the value of the result attribute. 227 When result is empty it is skipped. 228 229 <b>%u</b> When the result attribute value is an address of the form 230 user@domain, <b>%u</b> is replaced by the local part of the 231 address. When the result has an empty localpart it is 232 skipped. 233 234 <b>%d</b> When a result attribute value is an address of the form 235 user@domain, <b>%d</b> is replaced by the domain part of the 236 attribute value. When the result is unqualified it is 237 skipped. 238 239 <b>%[SUD1-9]</b> 240 The upper-case and decimal digit expansions interpolate 241 the parts of the input key rather than the result. Their 242 behavior is identical to that described with <b>query_fil-</b> 243 <b>ter</b>, and in fact because the input key is known in 244 advance, lookups whose key does not contain all the 245 information specified in the result template are sup- 246 pressed and return no results. 247 248 The above %S, %U, %D and %1, ..., %9 expansions are 249 available with Postfix 2.2 and later. 250 251 For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use 252 a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After 253 applying the result format, multiple values are concatenated as 254 comma separated strings. The expansion_limit and size_limit 255 parameters explained below allow one to restrict the number of 256 values in the result, which is especially useful for maps that 257 should return a single value. 258 259 The default value <b>%s</b> specifies that each attribute value should 260 be used as is. 261 262 This parameter was called <b>result_filter</b> in Postfix releases 263 prior to 2.2. If no "result_format" is specified, the value of 264 "result_filter" will be used instead before resorting to the 265 default value. This provides compatibility with old configura- 266 tion files. 267 268 NOTE: DO NOT put quotes around the result format! 269 270 <b>domain (default: no domain list)</b> 271 This is a list of domain names, paths to files, or dictionaries. 272 When specified, only fully qualified search keys with a 273 *non-empty* localpart and a matching domain are eligible for 274 lookup: 'user' lookups, bare domain lookups and "@domain" 275 lookups are not performed. This can significantly reduce the 276 query load on the LDAP server. 277 278 domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains 279 280 It is best not to use LDAP to store the domains eligible for 281 LDAP lookups. 282 283 NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a> aliases. 284 285 This feature is available in Postfix 1.0 and later. 286 287 <b>result_attribute (default: maildrop)</b> 288 The attribute(s) Postfix will read from any directory entries 289 returned by the lookup, to be resolved to an email address. 290 291 result_attribute = mailbox, maildrop 292 293 Don't rely on the default value ("maildrop"). Set the 294 result_attribute explicitly in all ldap table configuration 295 files. This is particularly relevant when no result_attribute is 296 applicable, e.g. cases in which leaf_result_attribute and/or 297 terminal_result_attribute are used instead. The default value is 298 harmless if "maildrop" is also listed as a leaf or terminal 299 result attribute, but it is best to not leave this to chance. 300 301 <b>special_result_attribute (default: empty)</b> 302 The attribute(s) of directory entries that can contain DNs or 303 <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to 304 retrieve the entry referenced by the DN, or the entries matched 305 by the URL query. 306 307 special_result_attribute = memberdn 308 309 DN recursion retrieves the same result_attributes as the main 310 query, including the special attributes for further recursion. 311 312 URL processing retrieves only those attributes that are included 313 in both the URL definition and as result attributes (ordinary, 314 special, leaf or terminal) in the Postfix table definition. If 315 the URL lists any of the table's special result attributes, 316 these are retrieved and used recursively. A URL that does not 317 specify any attribute selection, is equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a 318 URL that selects all attributes, in which case the selected 319 attributes will be the full set of result attributes in the 320 Postfix table. 321 322 If an LDAP URL attribute-descriptor or the corresponding Postfix 323 LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> 324 sub-type options ("attr;option"), the attribute requested from 325 the LDAP server will include the sub-type option. In all other 326 cases, the URL attribute and the table attribute must match 327 exactly. Attributes with options in both the URL and the Postfix 328 table are requested only when the options are identical. LDAP 329 attribute-descriptor options are very rarely used, most LDAP 330 users will not need to concern themselves with this level of 331 nuanced detail. 332 333 <b>terminal_result_attribute (default: empty)</b> 334 When one or more terminal result attributes are found in an LDAP 335 entry, all other result attributes are ignored and only the ter- 336 minal result attributes are returned. This is useful for dele- 337 gating expansion of group members to a particular host, by using 338 an optional "maildrop" attribute on selected groups to route the 339 group to a specific host, where the group is expanded, possibly 340 via mailing-list manager or other special processing. 341 342 result_attribute = 343 terminal_result_attribute = maildrop 344 345 When using terminal and/or leaf result attributes, the 346 result_attribute is best set to an empty value when it is not 347 used, or else explicitly set to the desired value, even if it is 348 the default value "maildrop". 349 350 This feature is available with Postfix 2.4 or later. 351 352 <b>leaf_result_attribute (default: empty)</b> 353 When one or more special result attributes are found in a 354 non-terminal (see above) LDAP entry, leaf result attributes are 355 excluded from the expansion of that entry. This is useful when 356 expanding groups and the desired mail address attribute(s) of 357 the member objects obtained via DN or URI recursion are also 358 present in the group object. To only return the attribute values 359 from the leaf objects and not the containing group, add the 360 attribute to the leaf_result_attribute list, and not the 361 result_attribute list, which is always expanded. Note, the 362 default value of "result_attribute" is not empty, you may want 363 to set it explicitly empty when using "leaf_result_attribute" to 364 expand the group to a list of member DN addresses. If groups 365 have both member DN references AND attributes that hold multiple 366 string valued rfc822 addresses, then the string attributes go in 367 "result_attribute". The attributes that represent the email 368 addresses of objects referenced via a DN (or LDAP URI) go in 369 "leaf_result_attribute". 370 371 result_attribute = memberaddr 372 special_result_attribute = memberdn 373 terminal_result_attribute = maildrop 374 leaf_result_attribute = mail 375 376 When using terminal and/or leaf result attributes, the 377 result_attribute is best set to an empty value when it is not 378 used, or else explicitly set to the desired value, even if it is 379 the default value "maildrop". 380 381 This feature is available with Postfix 2.4 or later. 382 383 <b>scope (default: sub)</b> 384 The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These translate into 385 LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL. 386 387 <b>bind (default: yes)</b> 388 Whether or how to bind to the LDAP server. Newer LDAP implemen- 389 tations don't require clients to bind, which saves time. Exam- 390 ple: 391 392 # Don't bind 393 bind = no 394 # Use SIMPLE bind 395 bind = yes 396 # Use SASL bind 397 bind = sasl 398 399 Postfix versions prior to 2.8 only support "bind = no" which 400 means don't bind, and "bind = yes" which means do a SIMPLE bind. 401 Postfix 2.8 and later also supports "bind = SASL" when compiled 402 with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds 403 the synonyms "bind = none" and "bind = simple" for "bind = no" 404 and "bind = yes" respectively. See the SASL section below for 405 additional parameters available with "bind = sasl". 406 407 If you do need to bind, you might consider configuring Postfix 408 to connect to the local machine on a port that's an SSL tunnel 409 to your LDAP server. If your LDAP server doesn't natively sup- 410 port SSL, put a tunnel (wrapper, proxy, whatever you want to 411 call it) on that system too. This should prevent the password 412 from traversing the network in the clear. 413 414 <b>bind_dn (default: empty)</b> 415 If you do have to bind, do it with this distinguished name. 416 Example: 417 418 bind_dn = uid=postfix, dc=your, dc=com 419 With "bind = sasl" (see above) the DN may be optional for some 420 SASL mechanisms, don't specify a DN if not needed. 421 422 <b>bind_pw (default: empty)</b> 423 The password for the distinguished name above. If you have to 424 use this, you probably want to make the map configuration file 425 readable only by the Postfix user. When using the obsolete 426 <a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is 427 not possible to securely store the bind password. This is 428 because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow local 429 accounts to submit mail via the sendmail command. Example: 430 431 bind_pw = postfixpw 432 With "bind = sasl" (see above) the password may be optional for 433 some SASL mechanisms, don't specify a password if not needed. 434 435 <b>cache (IGNORED with a warning)</b> 436 437 <b>cache_expiry (IGNORED with a warning)</b> 438 439 <b>cache_size (IGNORED with a warning)</b> 440 The above parameters are NO LONGER SUPPORTED by Postfix. Cache 441 support has been dropped from OpenLDAP as of release 2.1.13. 442 443 <b>recursion_limit (default: 1000)</b> 444 A limit on the nesting depth of DN and URL special result 445 attribute evaluation. The limit must be a non-zero positive num- 446 ber. 447 448 <b>expansion_limit (default: 0)</b> 449 A limit on the total number of result elements returned (as a 450 comma separated list) by a lookup against the map. A setting of 451 zero disables the limit. Lookups fail with a temporary error if 452 the limit is exceeded. Setting the limit to 1 ensures that 453 lookups do not return multiple values. 454 455 <b>size_limit (default: $expansion_limit)</b> 456 A limit on the number of LDAP entries returned by any single 457 LDAP search performed as part of the lookup. A setting of 0 dis- 458 ables the limit. Expansion of DN and URL references involves 459 nested LDAP queries, each of which is separately subjected to 460 this limit. 461 462 Note: even a single LDAP entry can generate multiple lookup 463 results, via multiple result attributes and/or multi-valued 464 result attributes. This limit caps the per search resource uti- 465 lization on the LDAP server, not the final multiplicity of the 466 lookup result. It is analogous to the "-z" option of 467 "ldapsearch". 468 469 <b>dereference (default: 0)</b> 470 When to dereference LDAP aliases. (Note that this has nothing do 471 with Postfix aliases.) The permitted values are those legal for 472 the OpenLDAP/UM LDAP implementations: 473 474 0 never 475 476 1 when searching 477 478 2 when locating the base object for the search 479 480 3 always 481 482 See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for 483 more information. And if you're using an LDAP package that has 484 other possible values, please bring it to the attention of the 485 postfix-users@postfix.org mailing list. 486 487 <b>chase_referrals (default: 0)</b> 488 Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3 489 support). 490 491 <b>version (default: 2)</b> 492 Specifies the LDAP protocol version to use. 493 494 <b>debuglevel (default: 0)</b> 495 What level to set for debugging in the OpenLDAP libraries. 496 497<b>LDAP SASL PARAMETERS</b> 498 If you're using the OpenLDAP libraries compiled with SASL support, 499 Postfix 2.8 and later built with LDAP SASL support as described in 500 <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP servers via SASL. 501 502 This enables authentication to the LDAP server via mechanisms other 503 than a simple password. The added flexibility has a cost: it is no 504 longer practical to set an explicit timeout on the duration of an LDAP 505 bind operation. Under adverse conditions, whether a SASL bind times 506 out, or if it does, the duration of the timeout is determined by the 507 LDAP and SASL libraries. 508 509 It is best to use tables that use SASL binds via <a href="proxymap.8.html">proxymap(8)</a>, this way 510 the requesting process can time-out the proxymap request. This also 511 lets you tailer the process environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> 512 <a href="postconf.5.html#import_environment">import_environment</a> setting in <a href="master.5.html">master.cf</a>(5). Special environment set- 513 tings may be needed to configure GSSAPI credential caches or other SASL 514 mechanism specific options. The GSSAPI credentials used for LDAP 515 lookups may need to be different than say those used for the Postfix 516 SMTP client to authenticate to remote servers. 517 518 Using SASL mechanisms requires LDAP protocol version 3, the default 519 protocol version is 2 for backwards compatibility. You must set "ver- 520 sion = 3" in addition to "bind = sasl". 521 522 The following parameters are relevant to using LDAP with SASL 523 524 <b>sasl_mechs (default: empty)</b> 525 Space separated list of SASL mechanism(s) to try. 526 527 <b>sasl_realm (default: empty)</b> 528 SASL Realm to use, if applicable. 529 530 <b>sasl_authz_id (default: empty)</b> 531 The SASL authorization identity to assert, if applicable. 532 533 <b>sasl_minssf (default: 0)</b> 534 The minimum required sasl security factor required to establish 535 a connection. 536 537<b>LDAP SSL AND STARTTLS PARAMETERS</b> 538 If you're using the OpenLDAP libraries compiled with SSL support, Post- 539 fix can connect to LDAP SSL servers and can issue the STARTTLS command. 540 541 LDAP SSL service can be requested by using a LDAP SSL URL in the 542 server_host parameter: 543 544 server_host = ldaps://ldap.example.com:636 545 546 STARTTLS can be turned on with the start_tls parameter: 547 548 start_tls = yes 549 550 Both forms require LDAP protocol version 3, which has to be set explic- 551 itly with: 552 553 version = 3 554 555 If any of the Postfix programs querying the map is configured in <a href="master.5.html">mas- 556 ter.cf</a> to run chrooted, all the certificates and keys involved have to 557 be copied to the chroot jail. Of course, the private keys should only 558 be readable by the user "postfix". 559 560 The following parameters are relevant to LDAP SSL and STARTTLS: 561 562 <b>start_tls (default: no)</b> 563 Whether or not to issue STARTTLS upon connection to the server. 564 Don't set this with LDAP SSL (the SSL session is setup automati- 565 cally when the TCP connection is opened). 566 567 <b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b> 568 Directory containing X509 Certification Authority certificates 569 in PEM format which are to be recognized by the client in 570 SSL/TLS connections. The files each contain one CA certificate. 571 The files are looked up by the CA subject name hash value, which 572 must hence be available. If more than one CA certificate with 573 the same name hash value exist, the extension must be different 574 (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in 575 the ordering of the extension number, regardless of other prop- 576 erties of the certificates. Use the c_rehash utility (from the 577 OpenSSL distribution) to create the necessary links. 578 579 <b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b> 580 File containing the X509 Certification Authority certificates in 581 PEM format which are to be recognized by the client in SSL/TLS 582 connections. This setting takes precedence over tls_ca_cert_dir. 583 584 <b>tls_cert (No default; you must set this)</b> 585 File containing client's X509 certificate to be used by the 586 client in SSL/ TLS connections. 587 588 <b>tls_key (No default; you must set this)</b> 589 File containing the private key corresponding to the above 590 tls_cert. 591 592 <b>tls_require_cert (default: no)</b> 593 Whether or not to request server's X509 certificate and check 594 its validity when establishing SSL/TLS connections. The sup- 595 ported values are <b>no</b> and <b>yes</b>. 596 597 With <b>no</b>, the server certificate trust chain is not checked, but 598 with OpenLDAP prior to 2.1.13, the name in the server certifi- 599 cate must still match the LDAP server name. With OpenLDAP 2.0.0 600 to 2.0.11 the server name is not necessarily what you specified, 601 rather it is determined (by reverse lookup) from the IP address 602 of the LDAP server connection. With OpenLDAP prior to 2.0.13, 603 subjectAlternativeName extensions in the LDAP server certificate 604 are ignored: the server name must match the subject CommonName. 605 The <b>no</b> setting corresponds to the <b>never</b> value of <b>TLS_REQCERT</b> in 606 LDAP client configuration files. 607 608 Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11) 609 if you can avoid it. 610 611 With <b>yes</b>, the server certificate must be issued by a trusted CA, 612 and not be expired. The LDAP server name must match one of the 613 name(s) found in the certificate (see above for OpenLDAP library 614 version dependent behavior). The <b>yes</b> setting corresponds to the 615 <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client configuration files. 616 617 The "try" and "allow" values of <b>TLS_REQCERT</b> have no equivalents 618 here. They are not available with OpenLDAP 2.0, and in any case 619 have questionable security properties. Either you want TLS veri- 620 fied LDAP connections, or you don't. 621 622 The <b>yes</b> value only works correctly with Postfix 2.5 and later, 623 or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP 624 releases don't work together with this setting. Support for LDAP 625 over TLS was added to Postfix based on the OpenLDAP 2.0 API. 626 627 <b>tls_random_file (No default)</b> 628 Path of a file to obtain random bits from when /dev/[u]random is 629 not available, to be used by the client in SSL/TLS connections. 630 631 <b>tls_cipher_suite (No default)</b> 632 Cipher suite to use in SSL/TLS negotiations. 633 634<b>EXAMPLE</b> 635 Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a> aliases. 636 Assume that in <a href="postconf.5.html">main.cf</a>, you have: 637 638 <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases, 639 <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf 640 641 and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have: 642 643 server_host = ldap.example.com 644 search_base = dc=example, dc=com 645 646 Upon receiving mail for a local address "ldapuser" that isn't found in 647 the /etc/aliases database, Postfix will search the LDAP server listen- 648 ing at port 389 on ldap.example.com. It will bind anonymously, search 649 for any directory entries whose mailacceptinggeneralid attribute is 650 "ldapuser", read the "maildrop" attributes of those found, and build a 651 list of their maildrops, which will be treated as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to 652 which the message will be delivered. 653 654<b>SEE ALSO</b> 655 <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager 656 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 657 <a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables 658 <a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables 659 660<b>README FILES</b> 661 <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview 662 <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide 663 664<b>LICENSE</b> 665 The Secure Mailer license must be distributed with this software. 666 667<b>AUTHOR(S)</b> 668 Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM- 669 ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh, 670 Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others. 671 672 LDAP_TABLE(5) 673</pre> </body> </html> 674