<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - ldap_table(5) </title>
</head> <body> <pre>
LDAP_TABLE(5)                                                    LDAP_TABLE(5)

<b>NAME</b>
       ldap_table - Postfix LDAP client configuration

<b>SYNOPSIS</b>
       <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/filename</b>

       <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> &lt;<i>inputfile</i>

<b>DESCRIPTION</b>
       The Postfix mail system uses optional tables for address rewriting or
       mail routing. These tables are usually in <b>dbm</b> or <b>db</b> format.

       Alternatively, lookup tables can be specified as LDAP databases.

       In order to use LDAP lookups, define an LDAP source as a lookup table
       in <a href="postconf.5.html">main.cf</a>, for example:

           <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf

       The file /etc/postfix/ldap-aliases.cf has the same format as the
       Postfix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described
       below. An example is given at the end of this manual.

       This configuration method is available with Postfix version 2.1 and
       later. See the section "BACKWARDS COMPATIBILITY" below for older
       Postfix versions.

       For details about LDAP SSL and STARTTLS, see the section on SSL and
       STARTTLS below.

<b>BACKWARDS COMPATIBILITY</b>
       For backwards compatibility with Postfix version 2.0 and earlier, LDAP
       parameters can also be defined in <a href="postconf.5.html">main.cf</a>. Specify as LDAP source a
       name that doesn't begin with a slash or a dot.
       The LDAP parameters will then be accessible as the name you've given
       the source in its definition, an underscore, and the name of the
       parameter. For example, if the map is specified as
       "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the "server_host" parameter below would be
       defined in <a href="postconf.5.html">main.cf</a> as "<i>ldapsource</i>_server_host".

       Note: with this form, the passwords for the LDAP sources are written
       in <a href="postconf.5.html">main.cf</a>, which is normally world-readable. Support for this form
       will be removed in a future Postfix version.

       Postfix 2.2 has enhanced query interfaces for MySQL and PostgreSQL.
       These include features that were previously available only in the
       Postfix LDAP client. This work also created an opportunity for
       improvements in the LDAP interface. The primary compatibility issue is
       that <b>result_filter</b> (a name that has caused some confusion as to its
       meaning in the past) has been renamed to <b>result_format</b>. For backwards
       compatibility with the pre-2.2 LDAP client, <b>result_filter</b> can for now
       be used instead of <b>result_format</b>, when the latter parameter is not
       also set. The new name better reflects the function of the parameter.
       This compatibility interface may be removed in a future release.

<b>LIST MEMBERSHIP</b>
       When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>, $<a href="postconf.5.html#mydestination">mydestination</a>,
       $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, etc., it is important to
       understand that the table must store each list member as a separate
       key. The table lookup verifies the *existence* of the key. See
       "Postfix lists versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a
       discussion.

       Do NOT create tables that return the full list of domains in
       $<a href="postconf.5.html#mydestination">mydestination</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses in
       $<a href="postconf.5.html#mynetworks">mynetworks</a>.

       DO create tables with each matching item as a key and with an
       arbitrary value. With LDAP databases it is not uncommon to return the
       key itself.

       For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>:

           query_filter = domain=*
           result_attribute = domain

       Do this instead:

           query_filter = domain=%s
           result_attribute = domain

<b>GENERAL LDAP PARAMETERS</b>
       In the text below, default values are given in parentheses. Note:
       don't use quotes in these variables; at least, not until the Postfix
       configuration routines understand how to deal with quoted strings.

       <b>server_host (default: localhost)</b>
              The name of the host running the LDAP server, e.g.

                  server_host = ldap.example.com

              Depending on the LDAP client library you're using, it should
              be possible to specify multiple servers here, with the library
              trying them in order should the first one fail.
              It should also be possible to give each server in the list a
              different port (overriding <b>server_port</b> below), by naming them
              like

                  server_host = ldap.example.com:1444

              With OpenLDAP, a (list of) LDAP URLs can be used to specify
              both the hostname(s) and the port(s):

                  server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444
                                <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444

              All LDAP URLs accepted by the OpenLDAP library are supported,
              including connections over UNIX domain sockets, and LDAP SSL
              (the last one provided that OpenLDAP was compiled with support
              for SSL):

                  server_host = ldapi://%2Fsome%2Fpath
                                ldaps://ldap.example.com:636

       <b>server_port (default: 389)</b>
              The port the LDAP server listens on, e.g.

                  server_port = 778

       <b>timeout (default: 10 seconds)</b>
              The number of seconds a search can take before timing out,
              e.g.

                  timeout = 5

       <b>search_base (No default; you must configure this)</b>
              The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g.

                  search_base = dc=your, dc=com

              With Postfix 2.2 and later this parameter supports the
              following '%' expansions:

              <b>%%</b>     This is replaced by a literal '%' character.

              <b>%s</b>     This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is
                     used to make sure that the input key does not add
                     unexpected metacharacters.

              <b>%u</b>     When the input key is an address of the form
                     user@domain, <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted
                     local part of the address. Otherwise, <b>%u</b> is replaced
                     by the entire search string. If the localpart is empty,
                     the search is suppressed and returns no results.

              <b>%d</b>     When the input key is an address of the form
                     user@domain, <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted
                     domain part of the address. Otherwise, the search is
                     suppressed and returns no results.

              <b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case
                     equivalents of the above expansions behave identically
                     to their lower-case counterparts. With the
                     <b>result_format</b> parameter (previously called
                     <b>result_filter</b>; see the COMPATIBILITY section and below),
                     they expand to the corresponding components of the
                     input key rather than the result value.

              <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the
                     corresponding most significant component of the input
                     key's domain. If the input key is <i>user@mail.example.com</i>,
                     then %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the
                     input key is unqualified or does not have enough domain
                     components to satisfy all the specified patterns, the
                     search is suppressed and returns no results.

       <b>query_filter (default: mailacceptinggeneralid=%s)</b>
              The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is
              a substitute for the address Postfix is trying to resolve,
              e.g.

                  query_filter = (&amp;(mail=%s)(paid_up=true))

              This parameter supports the following '%' expansions:

              <b>%%</b>     This is replaced by a literal '%' character. (Postfix
                     2.2 and later).

              <b>%s</b>     This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is
                     used to make sure that the input key does not add
                     unexpected metacharacters.

              <b>%u</b>     When the input key is an address of the form
                     user@domain, <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted
                     local part of the address. Otherwise, <b>%u</b> is replaced
                     by the entire search string. If the localpart is empty,
                     the search is suppressed and returns no results.

              <b>%d</b>     When the input key is an address of the form
                     user@domain, <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted
                     domain part of the address. Otherwise, the search is
                     suppressed and returns no results.

              <b>%[SUD]</b> The upper-case equivalents of the above expansions
                     behave in the <b>query_filter</b> parameter identically to
                     their lower-case counterparts. With the <b>result_format</b>
                     parameter (previously called <b>result_filter</b>; see the
                     COMPATIBILITY section and below), they expand to the
                     corresponding components of the input key rather than
                     the result value.

                     The above %S, %U and %D expansions are available with
                     Postfix 2.2 and later.

              <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the
                     corresponding most significant component of the input
                     key's domain. If the input key is <i>user@mail.example.com</i>,
                     then %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the
                     input key is unqualified or does not have enough domain
                     components to satisfy all the specified patterns, the
                     search is suppressed and returns no results.

                     The above %1, ..., %9 expansions are available with
                     Postfix 2.2 and later.

              The "domain" parameter described below limits the input keys
              to addresses in matching domains.
              When the "domain" parameter is non-empty, LDAP queries for
              unqualified addresses or addresses in non-matching domains are
              suppressed and return no results.

              NOTE: DO NOT put quotes around the <b>query_filter</b> parameter.

       <b>result_format (default: %s)</b>
              Called <b>result_filter</b> in Postfix releases prior to 2.2. Format
              template applied to result attributes. Most commonly used to
              append (or prepend) text to the result. This parameter
              supports the following '%' expansions:

              <b>%%</b>     This is replaced by a literal '%' character. (Postfix
                     2.2 and later).

              <b>%s</b>     This is replaced by the value of the result attribute.
                     When the result is empty it is skipped.

              <b>%u</b>     When the result attribute value is an address of the
                     form user@domain, <b>%u</b> is replaced by the local part of
                     the address. When the result has an empty localpart it
                     is skipped.

              <b>%d</b>     When a result attribute value is an address of the form
                     user@domain, <b>%d</b> is replaced by the domain part of the
                     attribute value. When the result is unqualified it is
                     skipped.

              <b>%[SUD1-9]</b>
                     The upper-case and decimal digit expansions interpolate
                     the parts of the input key rather than the result.
                     Their behavior is identical to that described with
                     <b>query_filter</b>, and in fact because the input key is known
                     in advance, lookups whose key does not contain all the
                     information specified in the result template are
                     suppressed and return no results.

                     The above %S, %U, %D and %1, ..., %9 expansions are
                     available with Postfix 2.2 and later.

              For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to
              use a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table.
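Added illustration of the query_filter and result_format expansions described above (example code written for this page, not Postfix's own implementation): filter_quote applies the RFC 2254 quoting that keeps a hostile lookup key from adding filter metacharacters, build_filter applies the %s/%u/%d/%1..%9 rules and the "domain" gate (only its inline list form is modelled), and format_results applies a template such as smtp:[%s] to each attribute value and joins the values with commas. All keys, templates and values used with it are constructed; size_limit and expansion_limit are not modelled.

```python
"""'%' expansion for ldap_table(5) query_filter and result_format templates:
an illustration written for this page, not Postfix's own code, following the
rules the manual gives (RFC 2254 quoting, %u/%d, %1..%9, suppression)."""

# RFC 2254 (now RFC 4515) value quoting: only these five characters need the
# \XX form; everything else passes through unchanged.
_FILTER_QUOTE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def filter_quote(value):
    """Quote an input key so it cannot add metacharacters to an LDAP filter."""
    return ''.join(_FILTER_QUOTE.get(c, c) for c in value)

def split_address(key):
    """(localpart, domain) for user@domain, or (key, None) when unqualified."""
    local, at, domain = key.rpartition('@')
    return (local, domain) if at else (key, None)

class Suppressed(Exception):
    """The template asked for a component the input key does not have."""

def expand(template, key, result=None, quote=lambda s: s):
    """Expand one template.  `result` is the attribute value (result_format
    only).  Returns None when that value is skipped; raises Suppressed when
    the key lacks a component the template needs."""
    local, domain = split_address(key)
    labels = domain.split('.')[::-1] if domain is not None else []   # %1 = TLD
    rlocal, rdomain = split_address(result) if result is not None else ('', None)

    def from_key(spec):                          # %S %U %D %1..%9
        if spec == 'S':
            return quote(key)
        if spec == 'U':
            if domain is None:
                return quote(key)                # unqualified key: whole string
            if local == '':
                raise Suppressed('empty localpart')
            return quote(local)
        if spec == 'D':
            if domain is None:
                raise Suppressed('unqualified key')
            return quote(domain)
        try:
            return quote(labels[int(spec) - 1])
        except IndexError:
            raise Suppressed('not enough domain components') from None

    def from_result(spec):                       # %s %u %d in result_format
        if spec == 's':
            return result or None
        if spec == 'u':                          # unqualified value: whole value
            return (rlocal if rdomain is not None else result) or None
        return rdomain                           # 'd': None when unqualified

    out, i = [], 0
    while i != len(template):
        ch, i = template[i], i + 1
        if ch != '%':
            out.append(ch)
            continue
        if i == len(template):
            raise ValueError('dangling % at end of template')
        spec, i = template[i], i + 1
        if spec == '%':
            out.append('%')
        elif spec in 'SUD123456789':
            out.append(from_key(spec))
        elif spec in 'sud':
            # lower case reads the key in query_filter, the value in result_format
            piece = from_key(spec.upper()) if result is None else from_result(spec)
            if piece is None:
                return None
            out.append(piece)
        else:
            raise ValueError('unknown expansion %' + spec)
    return ''.join(out)

def build_filter(query_filter, key, domain_list=()):
    """Expanded query_filter for key, or None when Postfix would not search.
    domain_list models the inline form of the "domain" parameter (lower-case
    names); its file and dictionary forms are not modelled here."""
    local, domain = split_address(key)
    if domain_list and (domain is None or local == ''
                        or domain.lower() not in domain_list):
        return None
    try:
        return expand(query_filter, key, quote=filter_quote)
    except Suppressed:
        return None

def format_results(result_format, key, values):
    """Apply result_format to each value, drop skipped values and join the
    rest with commas; None when the key lacks a component the template needs."""
    out = []
    for value in values:
        try:
            expanded = expand(result_format, key, result=value)
        except Suppressed:
            return None
        if expanded is not None:
            out.append(expanded)
    return ','.join(out)
```

With the constructed key *)(objectClass=* and the manual's filter (&amp;(mail=%s)(paid_up=true)), build_filter returns the key with every '*', '(' and ')' in \XX form, so the filter still has exactly the three opening parentheses it started with; the same template with bob (no domain) and %d returns None, matching the "search is suppressed" rule.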
              After applying the result format, multiple values are
              concatenated as comma separated strings. The expansion_limit
              and size_limit parameters explained below allow one to
              restrict the number of values in the result, which is
              especially useful for maps that should return a single value.

              The default value <b>%s</b> specifies that each attribute value
              should be used as is.

              This parameter was called <b>result_filter</b> in Postfix releases
              prior to 2.2. If no "result_format" is specified, the value of
              "result_filter" will be used instead before resorting to the
              default value. This provides compatibility with old
              configuration files.

              NOTE: DO NOT put quotes around the result format!

       <b>domain (default: no domain list)</b>
              This is a list of domain names, paths to files, or
              dictionaries. When specified, only fully qualified search keys
              with a *non-empty* localpart and a matching domain are
              eligible for lookup: 'user' lookups, bare domain lookups and
              "@domain" lookups are not performed. This can significantly
              reduce the query load on the LDAP server.

                  domain = postfix.org, hash:/etc/postfix/searchdomains

              It is best not to use LDAP to store the domains eligible for
              LDAP lookups.

              NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a> aliases.

              This feature is available in Postfix 1.0 and later.

       <b>result_attribute (default: maildrop)</b>
              The attribute(s) Postfix will read from any directory entries
              returned by the lookup, to be resolved to an email address.

                  result_attribute = mailbox, maildrop

       <b>special_result_attribute (default: empty)</b>
              The attribute(s) of directory entries that can contain DNs or
              URLs. If found, a recursive subsequent search is done using
              their values.

                  special_result_attribute = memberdn

              DN recursion retrieves the same result_attributes as the main
              query, including the special attributes for further
              recursion. URI processing retrieves only those attributes that
              are included in the URI definition and are *also* listed in
              "result_attribute". If the URI lists any of the map's special
              result attributes, these are also retrieved and used
              recursively.

       <b>terminal_result_attribute (default: empty)</b>
              When one or more terminal result attributes are found in an
              LDAP entry, all other result attributes are ignored and only
              the terminal result attributes are returned. This is useful
              for delegating expansion of group members to a particular
              host, by using an optional "maildrop" attribute on selected
              groups to route the group to a specific host, where the group
              is expanded, possibly via mailing-list manager or other
              special processing.

                  terminal_result_attribute = maildrop

              This feature is available with Postfix 2.4 or later.

       <b>leaf_result_attribute (default: empty)</b>
              When one or more special result attributes are found in a
              non-terminal (see above) LDAP entry, leaf result attributes
              are excluded from the expansion of that entry. This is useful
              when expanding groups and the desired mail address
              attribute(s) of the member objects obtained via DN or URI
              recursion are also present in the group object. To only
              return the attribute values from the leaf objects and not the
              containing group, add the attribute to the
              leaf_result_attribute list, and not the result_attribute
              list, which is always expanded. Note, the default value of
              "result_attribute" is not empty, you may want to set it
              explicitly empty when using "leaf_result_attribute" to expand
              the group to a list of member DN addresses.
              If groups have both member DN references AND attributes that
              hold multiple string valued rfc822 addresses, then the string
              attributes go in "result_attribute". The attributes that
              represent the email addresses of objects referenced via a DN
              (or LDAP URI) go in "leaf_result_attribute".

                  result_attribute = memberaddr
                  special_result_attribute = memberdn
                  terminal_result_attribute = maildrop
                  leaf_result_attribute = mail

              This feature is available with Postfix 2.4 or later.

       <b>scope (default: sub)</b>
              The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These translate
              into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and
              LDAP_SCOPE_ONELEVEL.

       <b>bind (default: yes)</b>
              Whether or not to bind to the LDAP server. Newer LDAP
              implementations don't require clients to bind, which saves
              time. Example:

                  bind = no

              If you do need to bind, you might consider configuring Postfix
              to connect to the local machine on a port that's an SSL tunnel
              to your LDAP server. If your LDAP server doesn't natively
              support SSL, put a tunnel (wrapper, proxy, whatever you want
              to call it) on that system too. This should prevent the
              password from traversing the network in the clear.

       <b>bind_dn (default: empty)</b>
              If you do have to bind, do it with this distinguished name.
              Example:

                  bind_dn = uid=postfix, dc=your, dc=com

       <b>bind_pw (default: empty)</b>
              The password for the distinguished name above. If you have to
              use this, you probably want to make the map configuration
              file readable only by the Postfix user. When using the
              obsolete <a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in <a href="postconf.5.html">main.cf</a>,
              it is not possible to securely store the bind password.
              This is because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow
              local accounts to submit mail via the sendmail command.
              Example:

                  bind_pw = postfixpw

       <b>cache (IGNORED with a warning)</b>

       <b>cache_expiry (IGNORED with a warning)</b>

       <b>cache_size (IGNORED with a warning)</b>
              The above parameters are NO LONGER SUPPORTED by Postfix. Cache
              support has been dropped from OpenLDAP as of release 2.1.13.

       <b>recursion_limit (default: 1000)</b>
              A limit on the nesting depth of DN and URL special result
              attribute evaluation. The limit must be a non-zero positive
              number.

       <b>expansion_limit (default: 0)</b>
              A limit on the total number of result elements returned (as a
              comma separated list) by a lookup against the map. A setting
              of zero disables the limit. Lookups fail with a temporary
              error if the limit is exceeded. Setting the limit to 1 ensures
              that lookups do not return multiple values.

       <b>size_limit (default: $expansion_limit)</b>
              A limit on the number of LDAP entries returned by any single
              LDAP search performed as part of the lookup. A setting of 0
              disables the limit. Expansion of DN and URL references
              involves nested LDAP queries, each of which is separately
              subjected to this limit.

              Note: even a single LDAP entry can generate multiple lookup
              results, via multiple result attributes and/or multi-valued
              result attributes. This limit caps the per search resource
              utilization on the LDAP server, not the final multiplicity of
              the lookup result. It is analogous to the "-z" option of
              "ldapsearch".

       <b>dereference (default: 0)</b>
              When to dereference LDAP aliases. (Note that this has nothing
              to do with Postfix aliases.)
              The permitted values are those legal for the OpenLDAP/UM LDAP
              implementations:

              0      never

              1      when searching

              2      when locating the base object for the search

              3      always

              See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for
              more information. And if you're using an LDAP package that has
              other possible values, please bring it to the attention of the
              postfix-users@postfix.org mailing list.

       <b>chase_referrals (default: 0)</b>
              Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3
              support).

       <b>version (default: 2)</b>
              Specifies the LDAP protocol version to use.

       <b>debuglevel (default: 0)</b>
              What level to set for debugging in the OpenLDAP libraries.

<b>LDAP SSL AND STARTTLS PARAMETERS</b>
       If you're using the OpenLDAP libraries compiled with SSL support,
       Postfix can connect to LDAP SSL servers and can issue the STARTTLS
       command.

       LDAP SSL service can be requested by using an LDAP SSL URL in the
       server_host parameter:

           server_host = ldaps://ldap.example.com:636

       STARTTLS can be turned on with the start_tls parameter:

           start_tls = yes

       Both forms require LDAP protocol version 3, which has to be set
       explicitly with:

           version = 3

       If any of the Postfix programs querying the map is configured in
       <a href="master.5.html">master.cf</a> to run chrooted, all the certificates and keys involved
       have to be copied to the chroot jail. Of course, the private keys
       should only be readable by the user "postfix".

       The following parameters are relevant to LDAP SSL and STARTTLS:

       <b>start_tls (default: no)</b>
              Whether or not to issue STARTTLS upon connection to the
              server. Don't set this with LDAP SSL (the SSL session is set
              up automatically when the TCP connection is opened).
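As an added example (written for this page, not part of Postfix), a small audit script that parses a map file in the main.cf-style syntax this manual describes and reports the settings the manual warns against: a bind password sent over plain ldap:// with no tunnel, ldaps:// or start_tls without "version = 3", start_tls combined with an ldaps:// URL, tls_require_cert left at its default of "no" (described below), no tls_ca_cert_file or tls_ca_cert_dir, quotes around query_filter or result_format, the obsolete result_filter name, a list map whose filter never uses the lookup key, the ignored cache parameters, and a file holding bind_pw that group or others can access. The permission bits are supplied by the caller so it runs offline; treating ldapi:// sockets as never leaving the machine is this script's own assumption, and the sample configurations in it are constructed.

```python
"""Audit a Postfix ldap_table(5) map file for settings this manual warns about.

Example written for this page, not part of Postfix.  The file uses the
main.cf syntax ("name = value", '#' comments, indented continuation lines).
The permission bits are passed in by the caller, so the check runs offline.
"""
import stat

UNSUPPORTED = ('cache', 'cache_expiry', 'cache_size')


def parse_cf(text):
    """Return {name: value}; continuation lines are appended to the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and last is not None:      # continuation line
            params[last] += ' ' + raw.strip()
            continue
        name, sep, value = raw.partition('=')
        if not sep:
            continue                                   # not a "name = value" line
        last = name.strip()
        params[last] = value.strip()
    return params


def audit_ldap_map(text, mode=None):
    """Return a list of (parameter, problem) pairs; empty means nothing flagged."""
    p = parse_cf(text)
    findings = []
    hosts = p.get('server_host', 'localhost').split()
    ldaps = any(h.startswith('ldaps://') for h in hosts)
    start_tls = p.get('start_tls', 'no').lower() == 'yes'
    # Assumption: ldapi:// (UNIX domain socket) connections never leave the machine.
    local_only = all(h.startswith('ldapi://') for h in hosts)
    binds = p.get('bind', 'yes').lower() != 'no'

    if ldaps and start_tls:
        findings.append(('start_tls', 'not needed with an ldaps:// URL; '
                         'the SSL session is set up when the TCP connection opens'))
    if ldaps or start_tls:
        if p.get('version', '2') != '3':
            findings.append(('version', 'LDAP SSL and STARTTLS require "version = 3"'))
        if p.get('tls_require_cert', 'no').lower() != 'yes':
            findings.append(('tls_require_cert',
                             'server certificate is not verified; set it to "yes"'))
        if not (p.get('tls_ca_cert_file') or p.get('tls_ca_cert_dir')):
            findings.append(('tls_ca_cert_file',
                             'no CA certificates: set tls_ca_cert_file or tls_ca_cert_dir'))
    if binds and p.get('bind_pw') and not (ldaps or start_tls or local_only):
        findings.append(('bind_pw', 'bind password would cross the network in the '
                         'clear; use ldaps://, start_tls or a local SSL tunnel'))
    if p.get('bind_pw') and mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(('bind_pw', 'file is accessible to group or others; make it '
                         'readable only by the Postfix user'))
    for name in ('query_filter', 'result_format', 'result_filter'):
        v = p.get(name, '')
        if v and v[0] in '"\'' and v[-1] == v[0] and v != v[0]:
            findings.append((name, 'do not put quotes around this value'))
    if 'result_filter' in p and 'result_format' not in p:
        findings.append(('result_filter',
                         'renamed to result_format in Postfix 2.2; the old name may go away'))
    if '%' not in p.get('query_filter', 'mailacceptinggeneralid=%s'):
        findings.append(('query_filter', 'filter does not use the lookup key, so every '
                         'lookup matches the same entries (see LIST MEMBERSHIP)'))
    for name in UNSUPPORTED:
        if name in p:
            findings.append((name, 'no longer supported; ignored with a warning'))
    return findings


if __name__ == '__main__':
    # Constructed sample: plain ldap:// with a bind password and a quoted filter.
    sample = ('server_host = ldap.example.com\n'
              'bind_dn = uid=postfix, dc=example, dc=com\n'
              'bind_pw = postfixpw\n'
              'query_filter = "(mail=%s)"\n')
    for param, problem in audit_ldap_map(sample, mode=0o644):
        print('%s: %s' % (param, problem))
```

Run against a map file with "ldaps://ldap.example.com:636", "version = 3", "tls_require_cert = yes" and a CA file, owned by the Postfix user with mode 0600, the audit returns an empty list; the same file on plain ldap:// with mode 0644 gets two bind_pw findings (clear-text password and file permissions).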

       <b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b>
              Directory containing X509 Certificate Authority certificates
              in PEM format which are to be recognized by the client in
              SSL/TLS connections. The files each contain one CA
              certificate. The files are looked up by the CA subject name
              hash value, which must hence be available. If more than one
              CA certificate with the same name hash value exist, the
              extension must be different (e.g. 9d66eef0.0, 9d66eef0.1
              etc). The search is performed in the ordering of the
              extension number, regardless of other properties of the
              certificates. Use the c_rehash utility (from the OpenSSL
              distribution) to create the necessary links.

       <b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b>
              File containing the X509 Certificate Authority certificates in
              PEM format which are to be recognized by the client in SSL/TLS
              connections. This setting takes precedence over
              tls_ca_cert_dir.

       <b>tls_cert (No default; you must set this)</b>
              File containing client's X509 certificate to be used by the
              client in SSL/TLS connections.

       <b>tls_key (No default; you must set this)</b>
              File containing the private key corresponding to the above
              tls_cert.

       <b>tls_require_cert (default: no)</b>
              Whether or not to request server's X509 certificate and check
              its validity when establishing SSL/TLS connections. The
              supported values are <b>no</b> and <b>yes</b>.

              With <b>no</b>, the server certificate trust chain is not checked,
              but with OpenLDAP prior to 2.1.13, the name in the server
              certificate must still match the LDAP server name. With
              OpenLDAP 2.0.0 to 2.0.11 the server name is not necessarily
              what you specified, rather it is determined (by reverse
              lookup) from the IP address of the LDAP server connection.
With 595 OpenLDAP prior to 2.0.13, subjectAlternativeName 596 extensions in the LDAP server certificate are 597 ignored: the server name must match the subject 598 CommonName. The <b>no</b> setting corresponds to the <b>never</b> 599 value of <b>TLS_REQCERT</b> in LDAP client configuration 600 files. 601 602 Don't use TLS with OpenLDAP 2.0.x (and especially 603 with x <= 11) if you can avoid it. 604 605 With <b>yes</b>, the server certificate must be issued by 606 a trusted CA, and not be expired. The LDAP server 607 name must match one of the name(s) found in the 608 certificate (see above for OpenLDAP library version 609 dependent behavior). The <b>yes</b> setting corresponds to 610 the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client con- 611 figuration files. 612 613 The "try" and "never" values of <b>TLS_REQCERT</b> have no 614 equivalents here. They are not available with 615 OpenLDAP 2.0, and in any case have questionable 616 security properties. Either you want TLS verified 617 LDAP connections, or you don't. 618 619 The <b>yes</b> value only works correctly with Postfix 2.5 620 and later, or with OpenLDAP 2.0. Earlier Postfix 621 releases or later OpenLDAP releases don't work 622 together with this setting. Support for LDAP over 623 TLS was added to Postfix based on the OpenLDAP 2.0 624 API. 625 626 <b>tls_random_file (No default)</b> 627 Path of a file to obtain random bits from when 628 /dev/[u]random is not available, to be used by the 629 client in SSL/TLS connections. 630 631 <b>tls_cipher_suite (No default)</b> 632 Cipher suite to use in SSL/TLS negotiations. 633 634<b>EXAMPLE</b> 635 Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a> 636 aliases. 
       Assume that in <a href="postconf.5.html">main.cf</a>, you have:

           <a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
               <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf

       and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:

           server_host = ldap.example.com
           search_base = dc=example, dc=com

       Upon receiving mail for a local address "ldapuser" that isn't found
       in the /etc/aliases database, Postfix will search the LDAP server
       listening at port 389 on ldap.example.com. It will bind anonymously,
       search for any directory entries whose mailacceptinggeneralid
       attribute is "ldapuser", read the "maildrop" attributes of those
       found, and build a list of their maildrops, which will be treated as
       <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be delivered.

<b>SEE ALSO</b>
       <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables
       <a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables

<b>README FILES</b>
       <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
       <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this software.

<b>AUTHOR(S)</b>
       Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson,
       LaMont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K
       Singh, Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many
       others.

                                                                 LDAP_TABLE(5)
</pre> </body> </html>