#++
# NAME
#	ldap_table 5
# SUMMARY
#	Postfix LDAP client configuration
# SYNOPSIS
#	\fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/\fIfilename\fR
#
#	\fBpostmap -q - ldap:/etc/postfix/\fIfilename\fB <\fIinputfile\fR
# DESCRIPTION
#	The Postfix mail system uses optional tables for address
#	rewriting or mail routing. These tables are usually in
#	\fBdbm\fR or \fBdb\fR format.
#
#	Alternatively, lookup tables can be specified as LDAP databases.
#
#	In order to use LDAP lookups, define an LDAP source as a lookup
#	table in main.cf, for example:
#
# .nf
#	    alias_maps = ldap:/etc/postfix/ldap-aliases.cf
# .fi
#
#	The file /etc/postfix/ldap-aliases.cf has the same format as
#	the Postfix main.cf file, and can specify the parameters
#	described below. An example is given at the end of this manual.
#
#	This configuration method is available with Postfix version
#	2.1 and later. See the section "OBSOLETE MAIN.CF PARAMETERS"
#	below for older Postfix versions.
#
#	For details about LDAP SSL and STARTTLS, see the section
#	on SSL and STARTTLS below.
# LIST MEMBERSHIP
# .ad
# .fi
#	When using LDAP to store lists such as $mynetworks,
#	$mydestination, $relay_domains, $local_recipient_maps,
#	etc., it is important to understand that the table must
#	store each list member as a separate key. The table lookup
#	verifies the *existence* of the key. See "Postfix lists
#	versus tables" in the DATABASE_README document for a
#	discussion.
#
#	Do NOT create tables that return the full list of domains
#	in $mydestination or $relay_domains etc., or IP addresses
#	in $mynetworks.
#
#	DO create tables with each matching item as a key and with
#	an arbitrary value. With LDAP databases it is not uncommon to
#	return the key itself.
#
#	For example, NEVER do this in a map defining $mydestination:
#
# .nf
#	    query_filter = domain=*
#	    result_attribute = domain
# .fi
#
#	Do this instead:
#
# .nf
#	    query_filter = domain=%s
#	    result_attribute = domain
# .fi
# GENERAL LDAP PARAMETERS
# .ad
# .fi
#	In the text below, default values are given in parentheses.
#	Note: don't use quotes in these variables; at least, not until the
#	Postfix configuration routines understand how to deal with quoted
#	strings.
# .IP "\fBserver_host (default: localhost)\fR"
#	The name of the host running the LDAP server, e.g.
#
# .nf
#	    server_host = ldap.example.com
# .fi
#
#	Depending on the LDAP client library you're using, it should
#	be possible to specify multiple servers here, with the library
#	trying them in order should the first one fail. It should also
#	be possible to give each server in the list a different port
#	(overriding \fBserver_port\fR below), by naming them like
#
# .nf
#	    server_host = ldap.example.com:1444
# .fi
#
#	NOTE: this client will reconnect immediately after a single
#	failure, and will fail a lookup request after a second attempt
#	also fails.
#
#	With OpenLDAP, a (list of) LDAP URLs can be used to specify both
#	the hostname(s) and the port(s):
#
# .nf
#	    server_host = ldap://ldap.example.com:1444
#	        ldap://ldap2.example.com:1444
# .fi
#
#	All LDAP URLs accepted by the OpenLDAP library are supported,
#	including connections over UNIX domain sockets, and LDAP SSL
#	(the last one provided that OpenLDAP was compiled with support
#	for SSL):
#
# .nf
#	    server_host = ldapi://%2Fsome%2Fpath
#	        ldaps://ldap.example.com:636
# .fi
# .IP "\fBserver_port (default: 389)\fR"
#	The port the LDAP server listens on, e.g.
#
# .nf
#	    server_port = 778
# .fi
# .IP "\fBtimeout (default: 10 seconds)\fR"
#	The number of seconds a search can take before timing out, e.g.
#
# .nf
#	    timeout = 5
# .fi
# .IP "\fBsearch_base (No default; you must configure this)\fR"
#	The RFC2253 base DN at which to conduct the search, e.g.
#
# .nf
#	    search_base = dc=your, dc=com
# .fi
# .IP
#	With Postfix 2.2 and later this parameter supports the
#	following '%' expansions:
# .RS
# .IP "\fB%%\fR"
#	This is replaced by a literal '%' character.
# .IP "\fB%s\fR"
#	This is replaced by the input key.
#	RFC 2253 quoting is used to make sure that the input key
#	does not add unexpected metacharacters.
# .IP "\fB%u\fR"
#	When the input key is an address of the form user@domain, \fB%u\fR
#	is replaced by the (RFC 2253) quoted local part of the address.
#	Otherwise, \fB%u\fR is replaced by the entire search string.
#	If the localpart is empty, the search is suppressed and returns
#	no results.
# .IP "\fB%d\fR"
#	When the input key is an address of the form user@domain, \fB%d\fR
#	is replaced by the (RFC 2253) quoted domain part of the address.
#	Otherwise, the search is suppressed and returns no results.
# .IP "\fB%[SUD]\fR"
#	For the \fBsearch_base\fR parameter, the upper-case equivalents
#	of the above expansions behave identically to their lower-case
#	counterparts. With the \fBresult_format\fR parameter (previously
#	called \fBresult_filter\fR; see the OTHER OBSOLETE FEATURES section
#	and below), they expand to the corresponding components of the input
#	key rather than the result value.
# .IP "\fB%[1-9]\fR"
#	The patterns %1, %2, ... %9 are replaced by the corresponding
#	most significant component of the input key's domain. If the
#	input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
#	%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
#	unqualified or does not have enough domain components to satisfy
#	all the specified patterns, the search is suppressed and returns
#	no results.
# .RE
# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR"
#	The RFC2254 filter used to search the directory, where \fB%s\fR
#	is a substitute for the address Postfix is trying to resolve,
#	e.g.
#
# .nf
#	    query_filter = (&(mail=%s)(paid_up=true))
# .fi
#
#	This parameter supports the following '%' expansions:
# .RS
# .IP "\fB%%\fR"
#	This is replaced by a literal '%' character. (Postfix 2.2 and later).
# .IP "\fB%s\fR"
#	This is replaced by the input key.
#	RFC 2254 quoting is used to make sure that the input key
#	does not add unexpected metacharacters.
# .IP "\fB%u\fR"
#	When the input key is an address of the form user@domain, \fB%u\fR
#	is replaced by the (RFC 2254) quoted local part of the address.
#	Otherwise, \fB%u\fR is replaced by the entire search string.
#	If the localpart is empty, the search is suppressed and returns
#	no results.
# .IP "\fB%d\fR"
#	When the input key is an address of the form user@domain, \fB%d\fR
#	is replaced by the (RFC 2254) quoted domain part of the address.
#	Otherwise, the search is suppressed and returns no results.
# .IP "\fB%[SUD]\fR"
#	The upper-case equivalents of the above expansions behave in the
#	\fBquery_filter\fR parameter identically to their lower-case
#	counterparts. With the \fBresult_format\fR parameter (previously
#	called \fBresult_filter\fR; see the OTHER OBSOLETE FEATURES section
#	and below), they expand to the corresponding components of the input
#	key rather than the result value.
# .IP
#	The above %S, %U and %D expansions are available with Postfix 2.2
#	and later.
# .IP "\fB%[1-9]\fR"
#	The patterns %1, %2, ... %9 are replaced by the corresponding
#	most significant component of the input key's domain. If the
#	input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
#	%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
#	unqualified or does not have enough domain components to satisfy
#	all the specified patterns, the search is suppressed and returns
#	no results.
# .IP
#	The above %1, ..., %9 expansions are available with Postfix 2.2
#	and later.
# .RE
# .IP
#	The "domain" parameter described below limits the input
#	keys to addresses in matching domains. When the "domain"
#	parameter is non-empty, LDAP queries for unqualified
#	addresses or addresses in non-matching domains are suppressed
#	and return no results.
#
#	NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter.
# .IP "\fBresult_format (default: \fB%s\fR)\fR"
#	Called \fBresult_filter\fR in Postfix releases prior to 2.2.
#	Format template applied to result attributes. Most commonly used
#	to append (or prepend) text to the result. This parameter supports
#	the following '%' expansions:
# .RS
# .IP "\fB%%\fR"
#	This is replaced by a literal '%' character. (Postfix 2.2 and later).
# .IP "\fB%s\fR"
#	This is replaced by the value of the result attribute. When the
#	result is empty it is skipped.
# .IP "\fB%u\fR"
#	When the result attribute value is an address of the form
#	user@domain, \fB%u\fR is replaced by the local part of the
#	address. When the result has an empty localpart it is skipped.
# .IP "\fB%d\fR"
#	When a result attribute value is an address of the form
#	user@domain, \fB%d\fR is replaced by the domain part of
#	the attribute value. When the result is unqualified it
#	is skipped.
# .IP "\fB%[SUD1-9]\fR"
#	The upper-case and decimal digit expansions interpolate
#	the parts of the input key rather than the result. Their
#	behavior is identical to that described with \fBquery_filter\fR,
#	and in fact because the input key is known in advance, lookups
#	whose key does not contain all the information specified in
#	the result template are suppressed and return no results.
# .IP
#	The above %S, %U, %D and %1, ..., %9 expansions are available with
#	Postfix 2.2 and later.
# .RE
# .IP
#	For example, using "result_format = smtp:[%s]" allows one
#	to use a mailHost attribute as the basis of a transport(5)
#	table. After applying the result format, multiple values
#	are concatenated as comma separated strings. The expansion_limit
#	and size_limit parameters explained below allow one to
#	restrict the number of values in the result, which is
#	especially useful for maps that should return a single
#	value.
#
#	The default value \fB%s\fR specifies that each
#	attribute value should be used as is.
#
#	This parameter was called \fBresult_filter\fR in Postfix
#	releases prior to 2.2. If no "result_format" is specified,
#	the value of "result_filter" will be used instead before
#	resorting to the default value. This provides compatibility
#	with old configuration files.
#
#	NOTE: DO NOT put quotes around the result format!
# .IP "\fBdomain (default: no domain list)\fR"
#	This is a list of domain names, paths to files, or
#	"type:table" databases. When specified, only fully qualified search
#	keys with a *non-empty* localpart and a matching domain
#	are eligible for lookup: 'user' lookups, bare domain lookups
#	and "@domain" lookups are not performed. This can significantly
#	reduce the query load on the LDAP server.
#
# .nf
#	    domain = postfix.org, hash:/etc/postfix/searchdomains
# .fi
#
#	It is best not to use LDAP to store the domains eligible
#	for LDAP lookups.
#
#	NOTE: DO NOT define this parameter for local(8) aliases.
#
#	This feature is available in Postfix 1.0 and later.
# .IP "\fBresult_attribute (default: maildrop)\fR"
#	The attribute(s) Postfix will read from any directory
#	entries returned by the lookup, to be resolved to an email
#	address.
#
# .nf
#	    result_attribute = mailbox, maildrop
# .fi
#
#	Don't rely on the default value ("maildrop"). Set the
#	result_attribute explicitly in all ldap table configuration
#	files. This is particularly relevant when no result_attribute
#	is applicable, e.g. cases in which leaf_result_attribute and/or
#	terminal_result_attribute are used instead. The default value
#	is harmless if "maildrop" is also listed as a leaf or terminal
#	result attribute, but it is best to not leave this to chance.
# .IP "\fBspecial_result_attribute (default: empty)\fR"
#	The attribute(s) of directory entries that can contain DNs
#	or RFC 2255 LDAP URLs. If found, a recursive search
#	is performed to retrieve the entry referenced by the DN, or
#	the entries matched by the URL query.
#
# .nf
#	    special_result_attribute = memberdn
# .fi
#
#	DN recursion retrieves the same result_attributes as the
#	main query, including the special attributes for further
#	recursion.
#
#	URL processing retrieves only those attributes that are included
#	in both the URL definition and as result attributes (ordinary,
#	special, leaf or terminal) in the Postfix table definition.
#	If the URL lists any of the table's special result attributes,
#	these are retrieved and used recursively. A URL that does not
#	specify any attribute selection is equivalent (RFC 2255) to a
#	URL that selects all attributes, in which case the selected
#	attributes will be the full set of result attributes in the
#	Postfix table.
#
#	If an LDAP URL attribute-descriptor or the corresponding Postfix
#	LDAP table result attribute (but not both) uses RFC 2255 sub-type
#	options ("attr;option"), the attribute requested from the LDAP server
#	will include the sub-type option. In all other cases, the URL
#	attribute and the table attribute must match exactly. Attributes
#	with options in both the URL and the Postfix table are requested
#	only when the options are identical. LDAP attribute-descriptor
#	options are very rarely used; most LDAP users will not
#	need to concern themselves with this level of nuanced detail.
# .IP "\fBterminal_result_attribute (default: empty)\fR"
#	When one or more terminal result attributes are found in an LDAP
#	entry, all other result attributes are ignored and only the terminal
#	result attributes are returned. This is useful for delegating expansion
#	of group members to a particular host, by using an optional "maildrop"
#	attribute on selected groups to route the group to a specific host,
#	where the group is expanded, possibly via a mailing-list manager or
#	other special processing.
#
# .nf
#	    result_attribute =
#	    terminal_result_attribute = maildrop
# .fi
#
#	When using terminal and/or leaf result attributes, the
#	result_attribute is best set to an empty value when it is not
#	used, or else explicitly set to the desired value, even if it is
#	the default value "maildrop".
#
#	This feature is available with Postfix 2.4 or later.
# .IP "\fBleaf_result_attribute (default: empty)\fR"
#	When one or more special result attributes are found in a non-terminal
#	(see above) LDAP entry, leaf result attributes are excluded from the
#	expansion of that entry. This is useful when expanding groups and the
#	desired mail address attribute(s) of the member objects obtained via
#	DN or URI recursion are also present in the group object. To only
#	return the attribute values from the leaf objects and not the
#	containing group, add the attribute to the leaf_result_attribute list,
#	and not the result_attribute list, which is always expanded. Note that
#	the default value of "result_attribute" is not empty; you may want to
#	set it explicitly empty when using "leaf_result_attribute" to expand
#	the group to a list of member DN addresses. If groups have both
#	member DN references AND attributes that hold multiple string valued
#	rfc822 addresses, then the string attributes go in "result_attribute".
#	The attributes that represent the email addresses of objects
#	referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
#
# .nf
#	    result_attribute = memberaddr
#	    special_result_attribute = memberdn
#	    terminal_result_attribute = maildrop
#	    leaf_result_attribute = mail
# .fi
#
#	When using terminal and/or leaf result attributes, the
#	result_attribute is best set to an empty value when it is not
#	used, or else explicitly set to the desired value, even if it is
#	the default value "maildrop".
#
#	This feature is available with Postfix 2.4 or later.
# .IP "\fBscope (default: sub)\fR"
#	The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
#	These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
#	and LDAP_SCOPE_ONELEVEL.
# .IP "\fBbind (default: yes)\fR"
#	Whether or how to bind to the LDAP server. Newer LDAP
#	implementations don't require clients to bind, which saves
#	time. Example:
#
# .nf
#	    # Don't bind
#	    bind = no
#	    # Use SIMPLE bind
#	    bind = yes
#	    # Use SASL bind
#	    bind = sasl
# .fi
#
#	Postfix versions prior to 2.8 only support "bind = no" which
#	means don't bind, and "bind = yes" which means do a SIMPLE bind.
#	Postfix 2.8 and later also supports "bind = SASL" when compiled
#	with LDAP SASL support as described in LDAP_README; it also adds
#	the synonyms "bind = none" and "bind = simple" for "bind = no"
#	and "bind = yes" respectively. See the SASL section below for
#	additional parameters available with "bind = sasl".
#
#	If you do need to bind, you might consider configuring
#	Postfix to connect to the local machine on a port that's
#	an SSL tunnel to your LDAP server. If your LDAP server
#	doesn't natively support SSL, put a tunnel (wrapper, proxy,
#	whatever you want to call it) on that system too. This
#	should prevent the password from traversing the network in
#	the clear.
# .IP "\fBbind_dn (default: empty)\fR"
#	If you do have to bind, do it with this distinguished name. Example:
#
# .nf
#	    bind_dn = uid=postfix, dc=your, dc=com
# .fi
#	With "bind = sasl" (see above) the DN may be optional for some SASL
#	mechanisms; don't specify a DN if not needed.
# .IP "\fBbind_pw (default: empty)\fR"
#	The password for the distinguished name above. If you have
#	to use this, you probably want to make the map configuration
#	file readable only by the Postfix user. When using the
#	obsolete ldap:ldapsource syntax, with map parameters in
#	main.cf, it is not possible to securely store the bind
#	password. This is because main.cf needs to be world readable
#	to allow local accounts to submit mail via the sendmail
#	command. Example:
#
# .nf
#	    bind_pw = postfixpw
# .fi
#	With "bind = sasl" (see above) the password may be optional
#	for some SASL mechanisms; don't specify a password if not needed.
# .IP "\fBcache (IGNORED with a warning)\fR"
# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
# .IP "\fBcache_size (IGNORED with a warning)\fR"
#	The above parameters are NO LONGER SUPPORTED by Postfix.
#	Cache support has been dropped from OpenLDAP as of release
#	2.1.13.
# .IP "\fBrecursion_limit (default: 1000)\fR"
#	A limit on the nesting depth of DN and URL special result
#	attribute evaluation. The limit must be a non-zero positive
#	number.
# .IP "\fBexpansion_limit (default: 0)\fR"
#	A limit on the total number of result elements returned
#	(as a comma separated list) by a lookup against the map.
#	A setting of zero disables the limit. Lookups fail with a
#	temporary error if the limit is exceeded. Setting the
#	limit to 1 ensures that lookups do not return multiple
#	values.
# .IP "\fBsize_limit (default: $expansion_limit)\fR"
#	A limit on the number of LDAP entries returned by any single
#	LDAP search performed as part of the lookup. A setting of
#	0 disables the limit. Expansion of DN and URL references
#	involves nested LDAP queries, each of which is separately
#	subjected to this limit.
#
#	Note: even a single LDAP entry can generate multiple lookup
#	results, via multiple result attributes and/or multi-valued
#	result attributes. This limit caps the per search resource
#	utilization on the LDAP server, not the final multiplicity
#	of the lookup result. It is analogous to the "-z" option
#	of "ldapsearch".
# .IP "\fBdereference (default: 0)\fR"
#	When to dereference LDAP aliases. (Note that this has
#	nothing to do with Postfix aliases.) The permitted values are
#	those legal for the OpenLDAP/UM LDAP implementations:
# .RS
# .IP 0
#	never
# .IP 1
#	when searching
# .IP 2
#	when locating the base object for the search
# .IP 3
#	always
# .RE
# .IP
#	See ldap.h or the ldap_open(3) or ldapsearch(1) man pages
#	for more information. And if you're using an LDAP package
#	that has other possible values, please bring it to the
#	attention of the postfix-users@postfix.org mailing list.
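The search_base, query_filter and result_format '%' expansions, the "domain" eligibility rule and expansion_limit described above, as an added Python simulation that is not Postfix's own code. The function names are invented here, and treating an unqualified result value under %u like an unqualified input key is this example's assumption.

```python
# Added example, not Postfix's own code: simulates the '%' expansions that
# ldap_table(5) applies to search_base, query_filter and result_format, with
# the quoting and "search is suppressed" rules, the "domain" eligibility
# test and expansion_limit. Function names are invented for this example.

FILTER_SPECIAL = '\\*()\0'   # RFC 2254: become \XX escapes in a filter value
DN_SPECIAL = ',+"\\<>;'      # RFC 2253: backslash-escaped in a DN value

class TempFail(Exception):
    """Lookup fails with a temporary error (expansion_limit exceeded)."""

def rfc2254_quote(value):
    """Quote an input key for use inside an RFC 2254 search filter."""
    return ''.join('\\%02x' % ord(c) if c in FILTER_SPECIAL else c for c in value)

def rfc2253_quote(value):
    """Quote an input key for use inside an RFC 2253 DN (search_base)."""
    out = []
    for i, c in enumerate(value):
        edge_space = c == ' ' and i in (0, len(value) - 1)
        if c in DN_SPECIAL or (c == '#' and i == 0) or edge_space:
            out.append('\\')
        out.append(c)
    return ''.join(out)

def split_address(addr):
    """user@domain -> (local, domain); unqualified string -> (addr, None)."""
    local, sep, domain = addr.rpartition('@')
    return (local, domain) if sep else (addr, None)

def _part(spec, s, quote):
    """%s, %u or %d applied to string s; None means suppress (or skip)."""
    local, domain = split_address(s)
    if spec == 's':
        return quote(s) if s else None          # empty value: skipped
    if spec == 'u':
        return quote(local) if local else None  # empty localpart: suppressed
    return quote(domain) if domain else None    # unqualified: suppressed

def expand(template, key, quote=lambda s: s, value=None):
    """value is None: a search_base/query_filter template; every specifier
    refers to the quoted key. value given: a result_format template; %s/%u/%d
    refer to the unquoted value, %S/%U/%D and %1..%9 to the unquoted key.
    Returns None when the search is suppressed or the value is skipped."""
    _, kdomain = split_address(key)
    labels = kdomain.split('.')[::-1] if kdomain else []  # labels[0]: TLD
    out, i = [], 0
    while i < len(template):
        c = template[i]
        i += 1
        if c != '%':
            out.append(c)
            continue
        if i == len(template):
            raise ValueError('dangling % at end of template')
        spec = template[i]
        i += 1
        keyq = quote if value is None else (lambda s: s)  # no quoting in result_format
        if spec == '%':
            piece = '%'
        elif spec in 'sud':
            piece = _part(spec, key if value is None else value, keyq)
        elif spec in 'SUD':
            piece = _part(spec.lower(), key, keyq)
        elif spec in '123456789':
            n = int(spec)
            piece = labels[n - 1] if n <= len(labels) else None
        else:
            raise ValueError('unknown expansion %%%s' % spec)
        if piece is None:
            return None
        out.append(piece)
    return ''.join(out)

def eligible(key, domains):
    """The 'domain' parameter: with a non-empty list, only user@domain keys
    with a non-empty localpart and a listed domain are looked up at all."""
    if not domains:
        return True
    local, domain = split_address(key)
    return bool(local) and domain is not None and domain.lower() in domains

def format_results(result_format, key, values, expansion_limit=0):
    """Apply result_format to each attribute value, drop skipped values,
    join the rest with commas, and enforce expansion_limit (0 = unlimited)."""
    done = [r for r in (expand(result_format, key, value=v) for v in values)
            if r is not None]
    if expansion_limit and len(done) > expansion_limit:
        raise TempFail('expansion_limit %d exceeded' % expansion_limit)
    return ','.join(done)

if __name__ == '__main__':
    key = 'user@mail.example.com'
    print(expand('(&(mail=%s)(paid_up=true))', key, rfc2254_quote))
    print(expand('ou=%3,dc=%2,dc=%1', key, rfc2253_quote))
    print(expand('(mail=%s)', '*)(objectClass=*', rfc2254_quote))  # metacharacters escaped
    print(format_results('smtp:[%s]', key, ['mx1.example.com', 'mx2.example.com']))
```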
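The result/special/terminal/leaf result attribute rules and the recursion_limit and expansion_limit described above, as an added Python simulation over a constructed in-memory directory (not Postfix's own code). It models DN references only, not LDAP URLs or size_limit; the ordering of returned values and the temporary failure when recursion_limit is exceeded are this example's assumptions.

```python
# Added example, not Postfix's own code: simulates how ldap_table(5) combines
# result_attribute, special_result_attribute, terminal_result_attribute and
# leaf_result_attribute while recursing through DN references, subject to
# recursion_limit and expansion_limit. DN references only (no LDAP URLs, no
# size_limit); value ordering and the failure mode are this example's choices.

class TempFail(Exception):
    """Lookup fails with a temporary error (a limit was exceeded)."""

# Constructed directory: DN -> {attribute: [values]}; the table settings used
# below follow the example configuration in the leaf_result_attribute section.
DIRECTORY = {
    'cn=staff,ou=groups,dc=example,dc=com': {
        'memberdn': ['uid=alice,ou=people,dc=example,dc=com',
                     'cn=ops,ou=groups,dc=example,dc=com'],
        'memberaddr': ['contractor@example.net'],   # string-valued members
        'mail': ['staff@example.com'],              # the group's own address
    },
    'cn=ops,ou=groups,dc=example,dc=com': {
        'memberdn': ['uid=bob,ou=people,dc=example,dc=com'],
        'maildrop': ['ops@lists.example.com'],      # terminal: delegate expansion
        'mail': ['ops@example.com'],
    },
    'uid=alice,ou=people,dc=example,dc=com': {'mail': ['alice@example.com']},
    'uid=bob,ou=people,dc=example,dc=com': {'mail': ['bob@example.com']},
    'cn=loop,ou=groups,dc=example,dc=com': {
        'memberdn': ['cn=loop,ou=groups,dc=example,dc=com'],  # refers to itself
    },
}

class LdapTable:
    def __init__(self, directory, result_attribute=('maildrop',),
                 special_result_attribute=(), terminal_result_attribute=(),
                 leaf_result_attribute=(), recursion_limit=1000,
                 expansion_limit=0):
        # result_attribute defaults to "maildrop" exactly as the manual warns;
        # set it explicitly (possibly empty) in real configurations.
        self.directory = directory
        self.result = tuple(result_attribute)
        self.special = tuple(special_result_attribute)
        self.terminal = tuple(terminal_result_attribute)
        self.leaf = tuple(leaf_result_attribute)
        self.recursion_limit = recursion_limit
        self.expansion_limit = expansion_limit

    @staticmethod
    def _values(entry, attrs):
        return [v for a in attrs for v in entry.get(a, [])]

    def expand_entry(self, dn, depth=0):
        """Values contributed by one entry, following its DN references."""
        if depth > self.recursion_limit:
            raise TempFail('recursion_limit %d exceeded at %s'
                           % (self.recursion_limit, dn))
        entry = self.directory.get(dn)
        if entry is None:
            return []                              # dangling DN reference
        terminal = self._values(entry, self.terminal)
        if terminal:
            return terminal                        # all other attributes ignored
        out = self._values(entry, self.result)     # result_attribute: always expanded
        refs = self._values(entry, self.special)
        if not refs:
            out += self._values(entry, self.leaf)  # leaf attrs only where no DN refs
        for ref in refs:
            out += self.expand_entry(ref, depth + 1)
        return out

    def lookup(self, matched_dns):
        """Expand the entries matched by the top-level search (given as DNs)
        into the comma-separated result string, subject to expansion_limit."""
        out = []
        for dn in matched_dns:
            out += self.expand_entry(dn)
        if self.expansion_limit and len(out) > self.expansion_limit:
            raise TempFail('expansion_limit %d exceeded' % self.expansion_limit)
        return ','.join(out)

def lookup_or_error(table, dns):
    """Run a lookup and report a temporary failure as a string."""
    try:
        return table.lookup(dns)
    except TempFail as e:
        return 'TEMPFAIL: %s' % e

if __name__ == '__main__':
    groups = LdapTable(DIRECTORY, result_attribute=['memberaddr'],
                       special_result_attribute=['memberdn'],
                       terminal_result_attribute=['maildrop'],
                       leaf_result_attribute=['mail'])
    print(lookup_or_error(groups, ['cn=staff,ou=groups,dc=example,dc=com']))
```

Moving "mail" from leaf_result_attribute into result_attribute makes the group's own staff@example.com appear in the expansion, which is the leak the manual's leaf rule exists to prevent.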
# .IP "\fBchase_referrals (default: 0)\fR"
#	Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
#	3 support).
# .IP "\fBversion (default: 2)\fR"
#	Specifies the LDAP protocol version to use.
# .IP "\fBdebuglevel (default: 0)\fR"
#	What level to set for debugging in the OpenLDAP libraries.
# LDAP SASL PARAMETERS
# .ad
# .fi
#	If you're using the OpenLDAP libraries compiled with SASL
#	support, Postfix 2.8 and later built with LDAP SASL support
#	as described in LDAP_README can authenticate to LDAP servers
#	via SASL.
#
#	This enables authentication to the LDAP server via mechanisms
#	other than a simple password. The added flexibility has a cost:
#	it is no longer practical to set an explicit timeout on the duration
#	of an LDAP bind operation. Under adverse conditions, whether a SASL
#	bind times out at all, and if it does, how long the timeout is, are
#	determined by the LDAP and SASL libraries.
#
#	It is best to use tables that use SASL binds via proxymap(8); this
#	way the requesting process can time out the proxymap request. This
#	also lets you tailor the process environment by overriding the
#	proxymap(8) import_environment setting in master.cf(5). Special
#	environment settings may be needed to configure GSSAPI credential
#	caches or other SASL mechanism specific options. The GSSAPI
#	credentials used for LDAP lookups may need to be different than,
#	say, those used for the Postfix SMTP client to authenticate to remote
#	servers.
#
#	Using SASL mechanisms requires LDAP protocol version 3; the default
#	protocol version is 2 for backwards compatibility. You must set
#	"version = 3" in addition to "bind = sasl".
#
#	The following parameters are relevant to using LDAP with SASL:
# .IP "\fBsasl_mechs (default: empty)\fR"
#	Space separated list of SASL mechanism(s) to try.
# .IP "\fBsasl_realm (default: empty)\fR"
#	SASL Realm to use, if applicable.
# .IP "\fBsasl_authz_id (default: empty)\fR"
#	The SASL authorization identity to assert, if applicable.
# .IP "\fBsasl_minssf (default: 0)\fR"
#	The minimum SASL security factor required to establish a
#	connection.
# LDAP SSL AND STARTTLS PARAMETERS
# .ad
# .fi
#	If you're using the OpenLDAP libraries compiled with SSL
#	support, Postfix can connect to LDAP SSL servers and can
#	issue the STARTTLS command.
#
#	LDAP SSL service can be requested by using an LDAP SSL URL
#	in the server_host parameter:
#
# .nf
#	    server_host = ldaps://ldap.example.com:636
# .fi
#
#	STARTTLS can be turned on with the start_tls parameter:
#
# .nf
#	    start_tls = yes
# .fi
#
#	Both forms require LDAP protocol version 3, which has to be set
#	explicitly with:
#
# .nf
#	    version = 3
# .fi
#
#	If any of the Postfix programs querying the map is configured in
#	master.cf to run chrooted, all the certificates and keys involved
#	have to be copied to the chroot jail. Of course, the private keys
#	should only be readable by the user "postfix".
#
#	The following parameters are relevant to LDAP SSL and STARTTLS:
# .IP "\fBstart_tls (default: no)\fR"
#	Whether or not to issue STARTTLS upon connection to the
#	server. Don't set this with LDAP SSL (the SSL session is set up
#	automatically when the TCP connection is opened).
# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR"
#	Directory containing X509 Certification Authority certificates
#	in PEM format which are to be recognized by the client in
#	SSL/TLS connections. The files each contain one CA certificate.
#	The files are looked up by the CA subject name hash value,
#	which must hence be available. If more than one CA certificate
#	with the same name hash value exists, the extension must be
#	different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is
#	performed in the ordering of the extension number, regardless
#	of other properties of the certificates. Use the c_rehash
#	utility (from the OpenSSL distribution) to create the
#	necessary links.
# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR"
#	File containing the X509 Certification Authority certificates
#	in PEM format which are to be recognized by the client in
#	SSL/TLS connections. This setting takes precedence over
#	tls_ca_cert_dir.
# .IP "\fBtls_cert (No default; you must set this)\fR"
#	File containing the client's X509 certificate to be used by
#	the client in SSL/TLS connections.
# .IP "\fBtls_key (No default; you must set this)\fR"
#	File containing the private key corresponding to the above
#	tls_cert.
# .IP "\fBtls_require_cert (default: no)\fR"
#	Whether or not to request the server's X509 certificate and
#	check its validity when establishing SSL/TLS connections.
#	The supported values are \fBno\fR and \fByes\fR.
# .sp
#	With \fBno\fR, the server certificate trust chain is not checked,
#	but with OpenLDAP prior to 2.1.13, the name in the server
#	certificate must still match the LDAP server name. With OpenLDAP
#	2.0.0 to 2.0.11 the server name is not necessarily what you
#	specified, rather it is determined (by reverse lookup) from the
#	IP address of the LDAP server connection. With OpenLDAP prior to
#	2.0.13, subjectAlternativeName extensions in the LDAP server
#	certificate are ignored: the server name must match the subject
#	CommonName. The \fBno\fR setting corresponds to the \fBnever\fR
#	value of \fBTLS_REQCERT\fR in LDAP client configuration files.
# .sp
#	Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
#	if you can avoid it.
# .sp
#	With \fByes\fR, the server certificate must be issued by a trusted
#	CA, and not be expired. The LDAP server name must match one of the
#	name(s) found in the certificate (see above for OpenLDAP library
#	version dependent behavior). The \fByes\fR setting corresponds to the
#	\fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration
#	files.
# .sp
#	The "try" and "allow" values of \fBTLS_REQCERT\fR have no equivalents
#	here. They are not available with OpenLDAP 2.0, and in any case have
#	questionable security properties. Either you want TLS verified LDAP
#	connections, or you don't.
# .sp
#	The \fByes\fR value only works correctly with Postfix 2.5 and later,
#	or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
#	releases don't work together with this setting. Support for LDAP
#	over TLS was added to Postfix based on the OpenLDAP 2.0 API.
# .IP "\fBtls_random_file (No default)\fR"
#	Path of a file to obtain random bits from when /dev/[u]random
#	is not available, to be used by the client in SSL/TLS
#	connections.
# .IP "\fBtls_cipher_suite (No default)\fR"
#	Cipher suite to use in SSL/TLS negotiations.
# EXAMPLE
# .ad
# .fi
#	Here's a basic example for using LDAP to look up local(8)
#	aliases.
#	Assume that in main.cf, you have:
#
# .nf
#	    alias_maps = hash:/etc/aliases,
#	            ldap:/etc/postfix/ldap-aliases.cf
# .fi
#
#	and in ldap:/etc/postfix/ldap-aliases.cf you have:
#
# .nf
#	    server_host = ldap.example.com
#	    search_base = dc=example, dc=com
# .fi
#
#	Upon receiving mail for a local address "ldapuser" that
#	isn't found in the /etc/aliases database, Postfix will
#	search the LDAP server listening at port 389 on ldap.example.com.
#	It will bind anonymously, search for any directory entries
#	whose mailacceptinggeneralid attribute is "ldapuser", read
#	the "maildrop" attributes of those found, and build a list
#	of their maildrops, which will be treated as RFC822 addresses
#	to which the message will be delivered.
# OBSOLETE MAIN.CF PARAMETERS
# .ad
# .fi
#	For backwards compatibility with Postfix version 2.0 and earlier,
#	LDAP parameters can also be defined in main.cf. Specify
#	as LDAP source a name that doesn't begin with a slash or
#	a dot. The LDAP parameters will then be accessible as the
#	name you've given the source in its definition, an underscore,
#	and the name of the parameter. For example, if the map is
#	specified as "ldap:\fIldapsource\fR", the "server_host"
#	parameter below would be defined in main.cf as
#	"\fIldapsource\fR_server_host".
#
#	Note: with this form, the passwords for the LDAP sources are
#	written in main.cf, which is normally world-readable. Support
#	for this form will be removed in a future Postfix version.
# OTHER OBSOLETE FEATURES
# .ad
# .fi
# .IP "\fBresult_filter (No default)\fR"
#	For backwards compatibility with the pre-2.2 LDAP clients,
#	\fBresult_filter\fR can for now be used instead
#	of \fBresult_format\fR, when the latter parameter is not also set.
#	The new name better reflects the function of the parameter. This
#	compatibility interface may be removed in a future release.
# SEE ALSO
#	postmap(1), Postfix lookup table manager
#	postconf(5), configuration parameters
#	mysql_table(5), MySQL lookup tables
#	pgsql_table(5), PostgreSQL lookup tables
# README FILES
# .ad
# .fi
#	Use "\fBpostconf readme_directory\fR" or
#	"\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
#	DATABASE_README, Postfix lookup table overview
#	LDAP_README, Postfix LDAP client guide
# LICENSE
# .ad
# .fi
#	The Secure Mailer license must be distributed with this software.
# AUTHOR(S)
# .ad
# .fi
#	Carsten Hoeger,
#	Hery Rakotoarisoa,
#	John Hensley,
#	Keith Stevenson,
#	LaMont Jones,
#	Liviu Daia,
#	Manuel Guesdon,
#	Mike Mattice,
#	Prabhat K Singh,
#	Sami Haahtinen,
#	Samuel Tardieu,
#	Victor Duchovni,
#	and many others.
#--