1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 5<title> Postfix manual - ldap_table(5) </title> 6</head> <body> <pre> 7LDAP_TABLE(5) LDAP_TABLE(5) 8 9<b>NAME</b> 10 ldap_table - Postfix LDAP client configuration 11 12<b>SYNOPSIS</b> 13 <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> 14 15 <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i> 16 17<b>DESCRIPTION</b> 18 The Postfix mail system uses optional tables for address rewriting or 19 mail routing. These tables are usually in <b>dbm</b> or <b>db</b> format. 20 21 Alternatively, lookup tables can be specified as LDAP databases. 22 23 In order to use LDAP lookups, define an LDAP source as a lookup table 24 in <a href="postconf.5.html">main.cf</a>, for example: 25 26 <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf 27 28 The file /etc/postfix/ldap-aliases.cf has the same format as the Post- 29 fix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described below. An 30 example is given at the end of this manual. 31 32 This configuration method is available with Postfix version 2.1 and 33 later. See the section "OBSOLETE MAIN.CF PARAMETERS" below for older 34 Postfix versions. 35 36 For details about LDAP SSL and STARTTLS, see the section on SSL and 37 STARTTLS below. 38 39<b>LIST MEMBERSHIP</b> 40 When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, 41 $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, etc., it is important to under- 42 stand that the table must store each list member as a separate key. The 43 table lookup verifies the *existence* of the key. See "Postfix lists 44 versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a discussion. 45 46 Do NOT create tables that return the full list of domains in $<a href="postconf.5.html#mydestination">mydesti</a>- 47 <a href="postconf.5.html#mydestination">nation</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses in $<a href="postconf.5.html#mynetworks">mynetworks</a>. 48 49 DO create tables with each matching item as a key and with an arbitrary 50 value. With LDAP databases it is not uncommon to return the key itself. 51 52 For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>: 53 54 query_filter = domain=* 55 result_attribute = domain 56 57 Do this instead: 58 59 query_filter = domain=%s 60 result_attribute = domain 61 62<b>GENERAL LDAP PARAMETERS</b> 63 In the text below, default values are given in parentheses. Note: 64 don't use quotes in these variables; at least, not until the Postfix 65 configuration routines understand how to deal with quoted strings. 66 67 <b>server_host (default: localhost)</b> 68 The name of the host running the LDAP server, e.g. 69 70 server_host = ldap.example.com 71 72 Depending on the LDAP client library you're using, it should be 73 possible to specify multiple servers here, with the library try- 74 ing them in order should the first one fail. It should also be 75 possible to give each server in the list a different port (over- 76 riding <b>server_port</b> below), by naming them like 77 78 server_host = ldap.example.com:1444 79 80 With OpenLDAP, a (list of) LDAP URLs can be used to specify both 81 the hostname(s) and the port(s): 82 83 server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444 84 <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444 85 86 All LDAP URLs accepted by the OpenLDAP library are supported, 87 including connections over UNIX domain sockets, and LDAP SSL 88 (the last one provided that OpenLDAP was compiled with support 89 for SSL): 90 91 server_host = <a href="ldap_table.5.html">ldapi</a>://%2Fsome%2Fpath 92 <a href="ldap_table.5.html">ldaps</a>://ldap.example.com:636 93 94 <b>server_port (default: 389)</b> 95 The port the LDAP server listens on, e.g. 96 97 server_port = 778 98 99 <b>timeout (default: 10 seconds)</b> 100 The number of seconds a search can take before timing out, e.g. 101 102 timeout = 5 103 104 <b>search_base (No default; you must configure this)</b> 105 The <a href="https://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g. 106 107 search_base = dc=your, dc=com 108 109 With Postfix 2.2 and later this parameter supports the following 110 '%' expansions: 111 112 <b>%%</b> This is replaced by a literal '%' character. 113 114 <b>%s</b> This is replaced by the input key. <a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is 115 used to make sure that the input key does not add unex- 116 pected metacharacters. 117 118 <b>%u</b> When the input key is an address of the form user@domain, 119 <b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the 120 address. Otherwise, <b>%u</b> is replaced by the entire search 121 string. If the localpart is empty, the search is sup- 122 pressed and returns no results. 123 124 <b>%d</b> When the input key is an address of the form user@domain, 125 <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of 126 the address. Otherwise, the search is suppressed and 127 returns no results. 128 129 <b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case equivalents 130 of the above expansions behave identically to their 131 lower-case counter-parts. With the <b>result_format</b> parame- 132 ter (previously called <b>result_filter</b> see the OTHER OBSO- 133 LETE FEATURES section and below), they expand to the cor- 134 responding components of input key rather than the result 135 value. 136 137 <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- 138 sponding most significant component of the input key's 139 domain. If the input key is <i>user@mail.example.com</i>, then 140 %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key 141 is unqualified or does not have enough domain components 142 to satisfy all the specified patterns, the search is sup- 143 pressed and returns no results. 144 145 <b>query_filter (default: mailacceptinggeneralid=%s)</b> 146 The <a href="https://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a 147 substitute for the address Postfix is trying to resolve, e.g. 148 149 query_filter = (&(mail=%s)(paid_up=true)) 150 151 This parameter supports the following '%' expansions: 152 153 <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 154 and later). 155 156 <b>%s</b> This is replaced by the input key. <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is 157 used to make sure that the input key does not add unex- 158 pected metacharacters. 159 160 <b>%u</b> When the input key is an address of the form user@domain, 161 <b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the 162 address. Otherwise, <b>%u</b> is replaced by the entire search 163 string. If the localpart is empty, the search is sup- 164 pressed and returns no results. 165 166 <b>%d</b> When the input key is an address of the form user@domain, 167 <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of 168 the address. Otherwise, the search is suppressed and 169 returns no results. 170 171 <b>%[SUD]</b> The upper-case equivalents of the above expansions behave 172 in the <b>query_filter</b> parameter identically to their 173 lower-case counter-parts. With the <b>result_format</b> parame- 174 ter (previously called <b>result_filter</b> see the OTHER OBSO- 175 LETE FEATURES section and below), they expand to the cor- 176 responding components of input key rather than the result 177 value. 178 179 The above %S, %U and %D expansions are available with 180 Postfix 2.2 and later. 181 182 <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- 183 sponding most significant component of the input key's 184 domain. If the input key is <i>user@mail.example.com</i>, then 185 %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key 186 is unqualified or does not have enough domain components 187 to satisfy all the specified patterns, the search is sup- 188 pressed and returns no results. 189 190 The above %1, ..., %9 expansions are available with Post- 191 fix 2.2 and later. 192 193 The "domain" parameter described below limits the input keys to 194 addresses in matching domains. When the "domain" parameter is 195 non-empty, LDAP queries for unqualified addresses or addresses 196 in non-matching domains are suppressed and return no results. 197 198 NOTE: DO NOT put quotes around the <b>query_filter</b> parameter. 199 200 <b>result_format (default: %s</b>) 201 Called <b>result_filter</b> in Postfix releases prior to 2.2. Format 202 template applied to result attributes. Most commonly used to 203 append (or prepend) text to the result. This parameter supports 204 the following '%' expansions: 205 206 <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 207 and later). 208 209 <b>%s</b> This is replaced by the value of the result attribute. 210 When result is empty it is skipped. 211 212 <b>%u</b> When the result attribute value is an address of the form 213 user@domain, <b>%u</b> is replaced by the local part of the 214 address. When the result has an empty localpart it is 215 skipped. 216 217 <b>%d</b> When a result attribute value is an address of the form 218 user@domain, <b>%d</b> is replaced by the domain part of the 219 attribute value. When the result is unqualified it is 220 skipped. 221 222 <b>%[SUD1-9]</b> 223 The upper-case and decimal digit expansions interpolate 224 the parts of the input key rather than the result. Their 225 behavior is identical to that described with <b>query_fil-</b> 226 <b>ter</b>, and in fact because the input key is known in 227 advance, lookups whose key does not contain all the 228 information specified in the result template are sup- 229 pressed and return no results. 230 231 The above %S, %U, %D and %1, ..., %9 expansions are 232 available with Postfix 2.2 and later. 233 234 For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use 235 a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After 236 applying the result format, multiple values are concatenated as 237 comma separated strings. The expansion_limit and size_limit 238 parameters explained below allow one to restrict the number of 239 values in the result, which is especially useful for maps that 240 should return a single value. 241 242 The default value <b>%s</b> specifies that each attribute value should 243 be used as is. 244 245 This parameter was called <b>result_filter</b> in Postfix releases 246 prior to 2.2. If no "result_format" is specified, the value of 247 "result_filter" will be used instead before resorting to the 248 default value. This provides compatibility with old configura- 249 tion files. 250 251 NOTE: DO NOT put quotes around the result format! 252 253 <b>domain (default: no domain list)</b> 254 This is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>" 255 databases. When specified, only fully qualified search keys with 256 a *non-empty* localpart and a matching domain are eligible for 257 lookup: 'user' lookups, bare domain lookups and "@domain" 258 lookups are not performed. This can significantly reduce the 259 query load on the LDAP server. 260 261 domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains 262 263 It is best not to use LDAP to store the domains eligible for 264 LDAP lookups. 265 266 NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a> aliases. 267 268 This feature is available in Postfix 1.0 and later. 269 270 <b>result_attribute (default: maildrop)</b> 271 The attribute(s) Postfix will read from any directory entries 272 returned by the lookup, to be resolved to an email address. 273 274 result_attribute = mailbox, maildrop 275 276 Don't rely on the default value ("maildrop"). Set the 277 result_attribute explicitly in all ldap table configuration 278 files. This is particularly relevant when no result_attribute is 279 applicable, e.g. cases in which leaf_result_attribute and/or 280 terminal_result_attribute are used instead. The default value is 281 harmless if "maildrop" is also listed as a leaf or terminal 282 result attribute, but it is best to not leave this to chance. 283 284 <b>special_result_attribute (default: empty)</b> 285 The attribute(s) of directory entries that can contain DNs or 286 <a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to 287 retrieve the entry referenced by the DN, or the entries matched 288 by the URL query. 289 290 special_result_attribute = memberdn 291 292 DN recursion retrieves the same result_attributes as the main 293 query, including the special attributes for further recursion. 294 295 URL processing retrieves only those attributes that are included 296 in both the URL definition and as result attributes (ordinary, 297 special, leaf or terminal) in the Postfix table definition. If 298 the URL lists any of the table's special result attributes, 299 these are retrieved and used recursively. A URL that does not 300 specify any attribute selection, is equivalent (<a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a 301 URL that selects all attributes, in which case the selected 302 attributes will be the full set of result attributes in the 303 Postfix table. 304 305 If an LDAP URL attribute-descriptor or the corresponding Postfix 306 LDAP table result attribute (but not both) uses <a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a> 307 sub-type options ("attr;option"), the attribute requested from 308 the LDAP server will include the sub-type option. In all other 309 cases, the URL attribute and the table attribute must match 310 exactly. Attributes with options in both the URL and the Postfix 311 table are requested only when the options are identical. LDAP 312 attribute-descriptor options are very rarely used, most LDAP 313 users will not need to concern themselves with this level of 314 nuanced detail. 315 316 <b>terminal_result_attribute (default: empty)</b> 317 When one or more terminal result attributes are found in an LDAP 318 entry, all other result attributes are ignored and only the ter- 319 minal result attributes are returned. This is useful for dele- 320 gating expansion of group members to a particular host, by using 321 an optional "maildrop" attribute on selected groups to route the 322 group to a specific host, where the group is expanded, possibly 323 via mailing-list manager or other special processing. 324 325 result_attribute = 326 terminal_result_attribute = maildrop 327 328 When using terminal and/or leaf result attributes, the 329 result_attribute is best set to an empty value when it is not 330 used, or else explicitly set to the desired value, even if it is 331 the default value "maildrop". 332 333 This feature is available with Postfix 2.4 or later. 334 335 <b>leaf_result_attribute (default: empty)</b> 336 When one or more special result attributes are found in a 337 non-terminal (see above) LDAP entry, leaf result attributes are 338 excluded from the expansion of that entry. This is useful when 339 expanding groups and the desired mail address attribute(s) of 340 the member objects obtained via DN or URI recursion are also 341 present in the group object. To only return the attribute values 342 from the leaf objects and not the containing group, add the 343 attribute to the leaf_result_attribute list, and not the 344 result_attribute list, which is always expanded. Note, the 345 default value of "result_attribute" is not empty, you may want 346 to set it explicitly empty when using "leaf_result_attribute" to 347 expand the group to a list of member DN addresses. If groups 348 have both member DN references AND attributes that hold multiple 349 string valued rfc822 addresses, then the string attributes go in 350 "result_attribute". The attributes that represent the email 351 addresses of objects referenced via a DN (or LDAP URI) go in 352 "leaf_result_attribute". 353 354 result_attribute = memberaddr 355 special_result_attribute = memberdn 356 terminal_result_attribute = maildrop 357 leaf_result_attribute = mail 358 359 When using terminal and/or leaf result attributes, the 360 result_attribute is best set to an empty value when it is not 361 used, or else explicitly set to the desired value, even if it is 362 the default value "maildrop". 363 364 This feature is available with Postfix 2.4 or later. 365 366 <b>scope (default: sub)</b> 367 The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These translate into 368 LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL. 369 370 <b>bind (default: yes)</b> 371 Whether or how to bind to the LDAP server. Newer LDAP implemen- 372 tations don't require clients to bind, which saves time. Exam- 373 ple: 374 375 # Don't bind 376 bind = no 377 # Use SIMPLE bind 378 bind = yes 379 # Use SASL bind 380 bind = sasl 381 382 Postfix versions prior to 2.8 only support "bind = no" which 383 means don't bind, and "bind = yes" which means do a SIMPLE bind. 384 Postfix 2.8 and later also supports "bind = SASL" when compiled 385 with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds 386 the synonyms "bind = none" and "bind = simple" for "bind = no" 387 and "bind = yes" respectively. See the SASL section below for 388 additional parameters available with "bind = sasl". 389 390 If you do need to bind, you might consider configuring Postfix 391 to connect to the local machine on a port that's an SSL tunnel 392 to your LDAP server. If your LDAP server doesn't natively sup- 393 port SSL, put a tunnel (wrapper, proxy, whatever you want to 394 call it) on that system too. This should prevent the password 395 from traversing the network in the clear. 396 397 <b>bind_dn (default: empty)</b> 398 If you do have to bind, do it with this distinguished name. 399 Example: 400 401 bind_dn = uid=postfix, dc=your, dc=com 402 With "bind = sasl" (see above) the DN may be optional for some 403 SASL mechanisms, don't specify a DN if not needed. 404 405 <b>bind_pw (default: empty)</b> 406 The password for the distinguished name above. If you have to 407 use this, you probably want to make the map configuration file 408 readable only by the Postfix user. When using the obsolete 409 <a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is 410 not possible to securely store the bind password. This is 411 because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow local 412 accounts to submit mail via the sendmail command. Example: 413 414 bind_pw = postfixpw 415 With "bind = sasl" (see above) the password may be optional for 416 some SASL mechanisms, don't specify a password if not needed. 417 418 <b>cache (IGNORED with a warning)</b> 419 420 <b>cache_expiry (IGNORED with a warning)</b> 421 422 <b>cache_size (IGNORED with a warning)</b> 423 The above parameters are NO LONGER SUPPORTED by Postfix. Cache 424 support has been dropped from OpenLDAP as of release 2.1.13. 425 426 <b>recursion_limit (default: 1000)</b> 427 A limit on the nesting depth of DN and URL special result 428 attribute evaluation. The limit must be a non-zero positive num- 429 ber. 430 431 <b>expansion_limit (default: 0)</b> 432 A limit on the total number of result elements returned (as a 433 comma separated list) by a lookup against the map. A setting of 434 zero disables the limit. Lookups fail with a temporary error if 435 the limit is exceeded. Setting the limit to 1 ensures that 436 lookups do not return multiple values. 437 438 <b>size_limit (default: $expansion_limit)</b> 439 A limit on the number of LDAP entries returned by any single 440 LDAP search performed as part of the lookup. A setting of 0 dis- 441 ables the limit. Expansion of DN and URL references involves 442 nested LDAP queries, each of which is separately subjected to 443 this limit. 444 445 Note: even a single LDAP entry can generate multiple lookup 446 results, via multiple result attributes and/or multi-valued 447 result attributes. This limit caps the per search resource uti- 448 lization on the LDAP server, not the final multiplicity of the 449 lookup result. It is analogous to the "-z" option of 450 "ldapsearch". 451 452 <b>dereference (default: 0)</b> 453 When to dereference LDAP aliases. (Note that this has nothing do 454 with Postfix aliases.) The permitted values are those legal for 455 the OpenLDAP/UM LDAP implementations: 456 457 0 never 458 459 1 when searching 460 461 2 when locating the base object for the search 462 463 3 always 464 465 See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for 466 more information. And if you're using an LDAP package that has 467 other possible values, please bring it to the attention of the 468 postfix-users@postfix.org mailing list. 469 470 <b>chase_referrals (default: 0)</b> 471 Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3 472 support). 473 474 <b>version (default: 2)</b> 475 Specifies the LDAP protocol version to use. 476 477 <b>debuglevel (default: 0)</b> 478 What level to set for debugging in the OpenLDAP libraries. 479 480<b>LDAP SASL PARAMETERS</b> 481 If you're using the OpenLDAP libraries compiled with SASL support, 482 Postfix 2.8 and later built with LDAP SASL support as described in 483 <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP servers via SASL. 484 485 This enables authentication to the LDAP server via mechanisms other 486 than a simple password. The added flexibility has a cost: it is no 487 longer practical to set an explicit timeout on the duration of an LDAP 488 bind operation. Under adverse conditions, whether a SASL bind times 489 out, or if it does, the duration of the timeout is determined by the 490 LDAP and SASL libraries. 491 492 It is best to use tables that use SASL binds via <a href="proxymap.8.html">proxymap(8)</a>, this way 493 the requesting process can time-out the proxymap request. This also 494 lets you tailer the process environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> 495 <a href="postconf.5.html#import_environment">import_environment</a> setting in <a href="master.5.html">master.cf</a>(5). Special environment set- 496 tings may be needed to configure GSSAPI credential caches or other SASL 497 mechanism specific options. The GSSAPI credentials used for LDAP 498 lookups may need to be different than say those used for the Postfix 499 SMTP client to authenticate to remote servers. 500 501 Using SASL mechanisms requires LDAP protocol version 3, the default 502 protocol version is 2 for backwards compatibility. You must set "ver- 503 sion = 3" in addition to "bind = sasl". 504 505 The following parameters are relevant to using LDAP with SASL 506 507 <b>sasl_mechs (default: empty)</b> 508 Space separated list of SASL mechanism(s) to try. 509 510 <b>sasl_realm (default: empty)</b> 511 SASL Realm to use, if applicable. 512 513 <b>sasl_authz_id (default: empty)</b> 514 The SASL authorization identity to assert, if applicable. 515 516 <b>sasl_minssf (default: 0)</b> 517 The minimum required sasl security factor required to establish 518 a connection. 519 520<b>LDAP SSL AND STARTTLS PARAMETERS</b> 521 If you're using the OpenLDAP libraries compiled with SSL support, Post- 522 fix can connect to LDAP SSL servers and can issue the STARTTLS command. 523 524 LDAP SSL service can be requested by using a LDAP SSL URL in the 525 server_host parameter: 526 527 server_host = <a href="ldap_table.5.html">ldaps</a>://ldap.example.com:636 528 529 STARTTLS can be turned on with the start_tls parameter: 530 531 start_tls = yes 532 533 Both forms require LDAP protocol version 3, which has to be set explic- 534 itly with: 535 536 version = 3 537 538 If any of the Postfix programs querying the map is configured in <a href="master.5.html">mas- 539 ter.cf</a> to run chrooted, all the certificates and keys involved have to 540 be copied to the chroot jail. Of course, the private keys should only 541 be readable by the user "postfix". 542 543 The following parameters are relevant to LDAP SSL and STARTTLS: 544 545 <b>start_tls (default: no)</b> 546 Whether or not to issue STARTTLS upon connection to the server. 547 Don't set this with LDAP SSL (the SSL session is setup automati- 548 cally when the TCP connection is opened). 549 550 <b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b> 551 Directory containing X509 Certification Authority certificates 552 in PEM format which are to be recognized by the client in 553 SSL/TLS connections. The files each contain one CA certificate. 554 The files are looked up by the CA subject name hash value, which 555 must hence be available. If more than one CA certificate with 556 the same name hash value exist, the extension must be different 557 (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in 558 the ordering of the extension number, regardless of other prop- 559 erties of the certificates. Use the c_rehash utility (from the 560 OpenSSL distribution) to create the necessary links. 561 562 <b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b> 563 File containing the X509 Certification Authority certificates in 564 PEM format which are to be recognized by the client in SSL/TLS 565 connections. This setting takes precedence over tls_ca_cert_dir. 566 567 <b>tls_cert (No default; you must set this)</b> 568 File containing client's X509 certificate to be used by the 569 client in SSL/ TLS connections. 570 571 <b>tls_key (No default; you must set this)</b> 572 File containing the private key corresponding to the above 573 tls_cert. 574 575 <b>tls_require_cert (default: no)</b> 576 Whether or not to request server's X509 certificate and check 577 its validity when establishing SSL/TLS connections. The sup- 578 ported values are <b>no</b> and <b>yes</b>. 579 580 With <b>no</b>, the server certificate trust chain is not checked, but 581 with OpenLDAP prior to 2.1.13, the name in the server certifi- 582 cate must still match the LDAP server name. With OpenLDAP 2.0.0 583 to 2.0.11 the server name is not necessarily what you specified, 584 rather it is determined (by reverse lookup) from the IP address 585 of the LDAP server connection. With OpenLDAP prior to 2.0.13, 586 subjectAlternativeName extensions in the LDAP server certificate 587 are ignored: the server name must match the subject CommonName. 588 The <b>no</b> setting corresponds to the <b>never</b> value of <b>TLS_REQCERT</b> in 589 LDAP client configuration files. 590 591 Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11) 592 if you can avoid it. 593 594 With <b>yes</b>, the server certificate must be issued by a trusted CA, 595 and not be expired. The LDAP server name must match one of the 596 name(s) found in the certificate (see above for OpenLDAP library 597 version dependent behavior). The <b>yes</b> setting corresponds to the 598 <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client configuration files. 599 600 The "try" and "allow" values of <b>TLS_REQCERT</b> have no equivalents 601 here. They are not available with OpenLDAP 2.0, and in any case 602 have questionable security properties. Either you want TLS veri- 603 fied LDAP connections, or you don't. 604 605 The <b>yes</b> value only works correctly with Postfix 2.5 and later, 606 or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP 607 releases don't work together with this setting. Support for LDAP 608 over TLS was added to Postfix based on the OpenLDAP 2.0 API. 609 610 <b>tls_random_file (No default)</b> 611 Path of a file to obtain random bits from when /dev/[u]random is 612 not available, to be used by the client in SSL/TLS connections. 613 614 <b>tls_cipher_suite (No default)</b> 615 Cipher suite to use in SSL/TLS negotiations. 616 617<b>EXAMPLE</b> 618 Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a> aliases. 619 Assume that in <a href="postconf.5.html">main.cf</a>, you have: 620 621 <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases, 622 <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf 623 624 and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have: 625 626 server_host = ldap.example.com 627 search_base = dc=example, dc=com 628 629 Upon receiving mail for a local address "ldapuser" that isn't found in 630 the /etc/aliases database, Postfix will search the LDAP server listen- 631 ing at port 389 on ldap.example.com. It will bind anonymously, search 632 for any directory entries whose mailacceptinggeneralid attribute is 633 "ldapuser", read the "maildrop" attributes of those found, and build a 634 list of their maildrops, which will be treated as <a href="https://tools.ietf.org/html/rfc822">RFC822</a> addresses to 635 which the message will be delivered. 636 637<b>OBSOLETE MAIN.CF PARAMETERS</b> 638 For backwards compatibility with Postfix version 2.0 and earlier, LDAP 639 parameters can also be defined in <a href="postconf.5.html">main.cf</a>. Specify as LDAP source a 640 name that doesn't begin with a slash or a dot. The LDAP parameters 641 will then be accessible as the name you've given the source in its def- 642 inition, an underscore, and the name of the parameter. For example, if 643 the map is specified as "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the "server_host" parameter 644 below would be defined in <a href="postconf.5.html">main.cf</a> as "<i>ldapsource</i>_server_host". 645 646 Note: with this form, the passwords for the LDAP sources are written in 647 <a href="postconf.5.html">main.cf</a>, which is normally world-readable. Support for this form will 648 be removed in a future Postfix version. 649 650<b>OTHER OBSOLETE FEATURES</b> 651 For backwards compatibility with the pre 2.2 LDAP clients, <b>result_fil-</b> 652 <b>ter</b> can for now be used instead of <b>result_format</b>, when the latter 653 parameter is not also set. The new name better reflects the function 654 of the parameter. This compatibility interface may be removed in a 655 future release. 656 657<b>SEE ALSO</b> 658 <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager 659 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 660 <a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables 661 <a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables 662 663<b>README FILES</b> 664 <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview 665 <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide 666 667<b>LICENSE</b> 668 The Secure Mailer license must be distributed with this software. 669 670<b>AUTHOR(S)</b> 671 Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM- 672 ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh, 673 Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others. 674 675 LDAP_TABLE(5) 676</pre> </body> </html> 677