1#++
2# NAME
3#         ldap_table 5
4# SUMMARY
5#         Postfix LDAP client configuration
6# SYNOPSIS
7#         \fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/\fIfilename\fR
8#
9#         \fBpostmap -q - ldap:/etc/postfix/\fIfilename\fB <\fIinputfile\fR
10# DESCRIPTION
11#         The Postfix mail system uses optional tables for address
12#         rewriting or mail routing. These tables are usually in
13#         \fBdbm\fR or \fBdb\fR format.
14#
15#         Alternatively, lookup tables can be specified as LDAP databases.
16#
17#         In order to use LDAP lookups, define an LDAP source as a lookup
18#         table in main.cf, for example:
19#
20# .nf
21#             alias_maps = ldap:/etc/postfix/ldap-aliases.cf
22# .fi
23#
24#         The file /etc/postfix/ldap-aliases.cf has the same format as
25#         the Postfix main.cf file, and can specify the parameters
26#         described below. An example is given at the end of this manual.
27#
28#         This configuration method is available with Postfix version
29#         2.1 and later.  See the section "OBSOLETE MAIN.CF PARAMETERS"
30#         below for older Postfix versions.
31#
32#         For details about LDAP SSL and STARTTLS, see the section
33#         on SSL and STARTTLS below.
34# LIST MEMBERSHIP
35# .ad
36# .fi
37#         When using LDAP to store lists such as $mynetworks,
38#         $mydestination, $relay_domains, $local_recipient_maps,
39#         etc., it is important to understand that the table must
40#         store each list member as a separate key. The table lookup
41#         verifies the *existence* of the key. See "Postfix lists
42#         versus tables" in the DATABASE_README document for a
43#         discussion.
44#
45#         Do NOT create tables that return the full list of domains
46#         in $mydestination or $relay_domains etc., or IP addresses
47#         in $mynetworks.
48#
49#         DO create tables with each matching item as a key and with
50#         an arbitrary value. With LDAP databases it is not uncommon to
51#         return the key itself.
52#
53#         For example, NEVER do this in a map defining $mydestination:
54#
55# .nf
56#             query_filter = domain=*
57#             result_attribute = domain
58# .fi
59#
60#         Do this instead:
61#
62# .nf
63#             query_filter = domain=%s
64#             result_attribute = domain
65# .fi
66# GENERAL LDAP PARAMETERS
67# .ad
68# .fi
69#         In the text below, default values are given in parentheses.
70#         Note: don't use quotes in these variables; at least, not until the
71#         Postfix configuration routines understand how to deal with quoted
72#         strings.
73# .IP "\fBserver_host (default: localhost)\fR"
74#         The name of the host running the LDAP server, e.g.
75#
76# .nf
77#             server_host = ldap.example.com
78# .fi
79#
80#         Depending on the LDAP client library you're using, it should
81#         be possible to specify multiple servers here, with the library
82#         trying them in order should the first one fail. It should also
83#         be possible to give each server in the list a different port
84#         (overriding \fBserver_port\fR below), by naming them like
85#
86# .nf
87#             server_host = ldap.example.com:1444
88# .fi
89#
90#         NOTE: this client will reconnect immediately after a single
91#         failure, and will fail a lookup request after a second attempt
92#         also fails.
93#
94#         With OpenLDAP, a (list of) LDAP URLs can be used to specify both
95#         the hostname(s) and the port(s):
96#
97# .nf
98#             server_host = ldap://ldap.example.com:1444
99#                         ldap://ldap2.example.com:1444
100# .fi
101#
102#         All LDAP URLs accepted by the OpenLDAP library are supported,
103#         including connections over UNIX domain sockets, and LDAP SSL
104#         (the last one provided that OpenLDAP was compiled with support
105#         for SSL):
106#
107# .nf
108#             server_host = ldapi://%2Fsome%2Fpath
109#                         ldaps://ldap.example.com:636
110# .fi
111# .IP "\fBserver_port (default: 389)\fR"
112#         The port the LDAP server listens on, e.g.
113#
114# .nf
115#             server_port = 778
116# .fi
117# .IP "\fBtimeout (default: 10 seconds)\fR"
118#         The number of seconds a search can take before timing out, e.g.
119#
120# .nf
121#             timeout = 5
122# .fi
123# .IP "\fBsearch_base (No default; you must configure this)\fR"
124#         The RFC2253 base DN at which to conduct the search, e.g.
125#
126# .nf
127#             search_base = dc=your, dc=com
128# .fi
129# .IP
130#         With Postfix 2.2 and later this parameter supports the
131#         following '%' expansions:
132# .RS
133# .IP "\fB%%\fR"
134#         This is replaced by a literal '%' character.
135# .IP "\fB%s\fR"
136#         This is replaced by the input key.
137#         RFC 2253 quoting is applied to the input key, so that DN
138#         metacharacters in the key cannot alter the structure of the search base.
139# .IP "\fB%u\fR"
140#         When the input key is an address of the form user@domain, \fB%u\fR
141#         is replaced by the (RFC 2253) quoted local part of the address.
142#         Otherwise, \fB%u\fR is replaced by the entire search string.
143#         If the localpart is empty, the search is suppressed and returns
144#         no results.
145# .IP "\fB%d\fR"
146#         When the input key is an address of the form user@domain, \fB%d\fR
147#         is replaced by the (RFC 2253) quoted domain part of the address.
148#         Otherwise, the search is suppressed and returns no results.
149# .IP "\fB%[SUD]\fR"
150#         For the \fBsearch_base\fR parameter, the upper-case equivalents
151#         of the above expansions behave identically to their lower-case
152#         counter-parts. With the \fBresult_format\fR parameter (previously
153#         called \fBresult_filter\fR; see the OTHER OBSOLETE FEATURES section
154#         and below), they expand to the corresponding components of the input
155#         key rather than the result value.
156# .IP "\fB%[1-9]\fR"
157#         The patterns %1, %2, ... %9 are replaced by the corresponding
158#         most significant component of the input key's domain. If the
159#         input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
160#         %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
161#         unqualified or does not have enough domain components to satisfy
162#         all the specified patterns, the search is suppressed and returns
163#         no results.
164# .RE
165# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR"
166#         The RFC2254 filter used to search the directory, where \fB%s\fR
167#         is a substitute for the address Postfix is trying to resolve,
168#         e.g.
169#
170# .nf
171#             query_filter = (&(mail=%s)(paid_up=true))
172# .fi
173#
174#         This parameter supports the following '%' expansions:
175# .RS
176# .IP "\fB%%\fR"
177#         This is replaced by a literal '%' character. (Postfix 2.2 and later).
178# .IP "\fB%s\fR"
179#         This is replaced by the input key.
180#         RFC 2254 quoting is applied to the input key, so that filter
181#         metacharacters in the key (such as "*", "(", ")" and "\") cannot change the meaning of the filter.
182# .IP "\fB%u\fR"
183#         When the input key is an address of the form user@domain, \fB%u\fR
184#         is replaced by the (RFC 2254) quoted local part of the address.
185#         Otherwise, \fB%u\fR is replaced by the entire search string.
186#         If the localpart is empty, the search is suppressed and returns
187#         no results.
188# .IP "\fB%d\fR"
189#         When the input key is an address of the form user@domain, \fB%d\fR
190#         is replaced by the (RFC 2254) quoted domain part of the address.
191#         Otherwise, the search is suppressed and returns no results.
192# .IP "\fB%[SUD]\fR"
193#         The upper-case equivalents of the above expansions behave in the
194#         \fBquery_filter\fR parameter identically to their lower-case
195#         counter-parts. With the \fBresult_format\fR parameter (previously
196#         called \fBresult_filter\fR; see the OTHER OBSOLETE FEATURES section
197#         and below), they expand to the corresponding components of the input
198#         key rather than the result value.
199# .IP
200#         The above %S, %U and %D expansions are available with Postfix 2.2
201#         and later.
202# .IP "\fB%[1-9]\fR"
203#         The patterns %1, %2, ... %9 are replaced by the corresponding
204#         most significant component of the input key's domain. If the
205#         input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
206#         %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
207#         unqualified or does not have enough domain components to satisfy
208#         all the specified patterns, the search is suppressed and returns
209#         no results.
210# .IP
211#         The above %1, ..., %9 expansions are available with Postfix 2.2
212#         and later.
213# .RE
214# .IP
215#         The "domain" parameter described below limits the input
216#         keys to addresses in matching domains. When the "domain"
217#         parameter is non-empty, LDAP queries for unqualified
218#         addresses or addresses in non-matching domains are suppressed
219#         and return no results.
220#
221#         NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter.
222# .IP "\fBresult_format (default: \fB%s\fR)\fR"
223#         Called \fBresult_filter\fR in Postfix releases prior to 2.2.
224#         Format template applied to result attributes. Most commonly used
225#         to append (or prepend) text to the result. This parameter supports
226#         the following '%' expansions:
227# .RS
228# .IP "\fB%%\fR"
229#         This is replaced by a literal '%' character. (Postfix 2.2 and later).
230# .IP "\fB%s\fR"
231#         This is replaced by the value of the result attribute. When
232#         result is empty it is skipped.
233# .IP "\fB%u\fR"
234#         When the result attribute value is an address of the form
235#         user@domain, \fB%u\fR is replaced by the local part of the
236#         address. When the result has an empty localpart it is skipped.
237# .IP "\fB%d\fR"
238#         When a result attribute value is an address of the form
239#         user@domain, \fB%d\fR is replaced by the domain part of
240#         the attribute value. When the result is unqualified it
241#         is skipped.
242# .IP "\fB%[SUD1-9]\fR"
243#         The upper-case and decimal digit expansions interpolate
244#         the parts of the input key rather than the result. Their
245#         behavior is identical to that described with \fBquery_filter\fR,
246#         and in fact because the input key is known in advance, lookups
247#         whose key does not contain all the information specified in
248#         the result template are suppressed and return no results.
249# .IP
250#         The above %S, %U, %D and %1, ..., %9 expansions are available with
251#         Postfix 2.2 and later.
252# .RE
253# .IP
254#         For example, using "result_format = smtp:[%s]" allows one
255#         to use a mailHost attribute as the basis of a transport(5)
256#         table. After applying the result format, multiple values
257#         are concatenated as comma separated strings. The expansion_limit
258#         and size_limit parameters explained below allow one to
259#         restrict the number of values in the result, which is
260#         especially useful for maps that should return a single
261#         value.
262#
263#         The default value \fB%s\fR specifies that each
264#         attribute value should be used as is.
265#
266#         This parameter was called \fBresult_filter\fR in Postfix
267#         releases prior to 2.2. If no "result_format" is specified,
268#         the value of "result_filter" will be used instead before
269#         resorting to the default value. This provides compatibility
270#         with old configuration files.
271#
272#         NOTE: DO NOT put quotes around the result format!
273# .IP "\fBdomain (default: no domain list)\fR"
274#         This is a list of domain names, paths to files, or
275#         "type:table" databases. When specified, only fully qualified search
276#         keys with a *non-empty* localpart and a matching domain
277#         are eligible for lookup: 'user' lookups, bare domain lookups
278#         and "@domain" lookups are not performed. This can significantly
279#         reduce the query load on the LDAP server.
280#
281# .nf
282#             domain = postfix.org, hash:/etc/postfix/searchdomains
283# .fi
284#
285#         It is best not to use LDAP to store the domains eligible for LDAP
286#         lookups: that would need an LDAP query to decide whether to query LDAP, defeating the purpose of this parameter.
287#
288#         NOTE: DO NOT define this parameter for local(8) aliases.
289#
290#         This feature is available in Postfix 1.0 and later.
291# .IP "\fBresult_attribute (default: maildrop)\fR"
292#         The attribute(s) Postfix will read from any directory
293#         entries returned by the lookup, to be resolved to an email
294#         address.
295#
296# .nf
297#             result_attribute = mailbox, maildrop
298# .fi
299#
300#         Don't rely on the default value ("maildrop"). Set the
301#         result_attribute explicitly in all ldap table configuration
302#         files. This is particularly relevant when no result_attribute
303#         is applicable, e.g. cases in which leaf_result_attribute and/or
304#         terminal_result_attribute are used instead. The default value
305#         is harmless if "maildrop" is also listed as a leaf or terminal
306#         result attribute, but it is best to not leave this to chance.
307# .IP "\fBspecial_result_attribute (default: empty)\fR"
308#         The attribute(s) of directory entries that can contain DNs
309#         or RFC 2255 LDAP URLs. If found, a recursive search
310#         is performed to retrieve the entry referenced by the DN, or
311#         the entries matched by the URL query.
312#
313# .nf
314#             special_result_attribute = memberdn
315# .fi
316#
317#         DN recursion retrieves the same result_attributes as the
318#         main query, including the special attributes for further
319#         recursion.
320#
321#         URL processing retrieves only those attributes that are included
322#         in both the URL definition and as result attributes (ordinary,
323#         special, leaf or terminal) in the Postfix table definition.
324#         If the URL lists any of the table's special result attributes,
325#         these are retrieved and used recursively. A URL that does not
326#         specify any attribute selection, is equivalent (RFC 2255) to a
327#         URL that selects all attributes, in which case the selected
328#         attributes will be the full set of result attributes in the
329#         Postfix table.
330#
331#         If an LDAP URL attribute-descriptor or the corresponding Postfix
332#         LDAP table result attribute (but not both) uses RFC 2255 sub-type
333#         options ("attr;option"), the attribute requested from the LDAP server
334#         will include the sub-type option. In all other cases, the URL
335#         attribute and the table attribute must match exactly. Attributes
336#         with options in both the URL and the Postfix table are requested
337#         only when the options are identical. LDAP attribute-descriptor
338#         options are very rarely used, most LDAP users will not
339#         need to concern themselves with this level of nuanced detail.
340# .IP "\fBterminal_result_attribute (default: empty)\fR"
341#         When one or more terminal result attributes are found in an LDAP
342#         entry, all other result attributes are ignored and only the terminal
343#         result attributes are returned. This is useful for delegating expansion
344#         of group members to a particular host, by using an optional "maildrop"
345#         attribute on selected groups to route the group to a specific host,
346#         where the group is expanded, possibly via mailing-list manager or
347#         other special processing.
348#
349# .nf
350#             result_attribute =
351#             terminal_result_attribute = maildrop
352# .fi
353#
354#         When using terminal and/or leaf result attributes, the
355#         result_attribute is best set to an empty value when it is not
356#         used, or else explicitly set to the desired value, even if it is
357#         the default value "maildrop".
358#
359#         This feature is available with Postfix 2.4 or later.
360# .IP "\fBleaf_result_attribute (default: empty)\fR"
361#         When one or more special result attributes are found in a non-terminal
362#         (see above) LDAP entry, leaf result attributes are excluded from the
363#         expansion of that entry. This is useful when expanding groups and the
364#         desired mail address attribute(s) of the member objects obtained via
365#         DN or URI recursion are also present in the group object. To only
366#         return the attribute values from the leaf objects and not the
367#         containing group, add the attribute to the leaf_result_attribute list,
368#         and not the result_attribute list, which is always expanded. Note,
369#         the default value of "result_attribute" is not empty, you may want to
370#         set it explicitly empty when using "leaf_result_attribute" to expand
371#         the group to a list of member DN addresses. If groups have both
372#         member DN references AND attributes that hold multiple string valued
373#         rfc822 addresses, then the string attributes go in "result_attribute".
374#         The attributes that represent the email addresses of objects
375#         referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
376#
377# .nf
378#             result_attribute = memberaddr
379#             special_result_attribute = memberdn
380#             terminal_result_attribute = maildrop
381#             leaf_result_attribute = mail
382# .fi
383#
384#         When using terminal and/or leaf result attributes, the
385#         result_attribute is best set to an empty value when it is not
386#         used, or else explicitly set to the desired value, even if it is
387#         the default value "maildrop".
388#
389#         This feature is available with Postfix 2.4 or later.
390# .IP "\fBscope (default: sub)\fR"
391#         The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
392#         These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
393#         and LDAP_SCOPE_ONELEVEL.
394# .IP "\fBbind (default: yes)\fR"
395#         Whether or how to bind to the LDAP server. Newer LDAP
396#         implementations don't require clients to bind, which saves
397#         time. Example:
398#
399# .nf
400#             # Don't bind
401#             bind = no
402#             # Use SIMPLE bind
403#             bind = yes
404#             # Use SASL bind
405#             bind = sasl
406# .fi
407#
408#         Postfix versions prior to 2.8 only support "bind = no" which
409#         means don't bind, and "bind = yes" which means do a SIMPLE bind.
410#         Postfix 2.8 and later also supports "bind = SASL" when compiled
411#         with LDAP SASL support as described in LDAP_README; it also adds
412#         the synonyms "bind = none" and "bind = simple" for "bind = no"
413#         and "bind = yes" respectively. See the SASL section below for
414#         additional parameters available with "bind = sasl".
415#
416#         If you do need to bind with a password, note that a SIMPLE bind sends the
417#         password to the LDAP server in the clear. Prefer the LDAP SSL or STARTTLS
418#         support described below, with "version = 3" and "tls_require_cert = yes" so
419#         that the server is authenticated before the password is sent. Alternatively,
420#         configure Postfix to connect to the local machine on a port that's an SSL
421#         tunnel (wrapper, proxy, whatever you want to call it) to your LDAP server;
422#         if the server doesn't natively support SSL, put a tunnel on that system too.
423# .IP "\fBbind_dn (default: empty)\fR"
424#         If you do have to bind, do it with this distinguished name. Example:
425#
426# .nf
427#             bind_dn = uid=postfix, dc=your, dc=com
428# .fi
429#         With "bind = sasl" (see above) the DN may be optional for some SASL
430#         mechanisms; don't specify a DN if it is not needed.
431# .IP "\fBbind_pw (default: empty)\fR"
432#         The password for the distinguished name above. It is stored in
433#         clear text, so if you have to use this, make the map configuration
434#         file readable only by the Postfix user. When using the
435#         obsolete ldap:ldapsource syntax, with map parameters in
436#         main.cf, it is not possible to securely store the bind
437#         password. This is because main.cf needs to be world readable
438#         to allow local accounts to submit mail via the sendmail
439#         command. Example:
440#
441# .nf
442#             bind_pw = postfixpw
443# .fi
444#         With "bind = sasl" (see above) the password may be optional
445#         for some SASL mechanisms; don't specify a password if it is not needed.
446# .IP "\fBcache (IGNORED with a warning)\fR"
447# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
448# .IP "\fBcache_size (IGNORED with a warning)\fR"
449#         The above parameters are NO LONGER SUPPORTED by Postfix.
450#         Cache support has been dropped from OpenLDAP as of release
451#         2.1.13.
452# .IP "\fBrecursion_limit (default: 1000)\fR"
453#         A limit on the nesting depth of DN and URL special result
454#         attribute evaluation. The limit must be a non-zero positive
455#         number.
456# .IP "\fBexpansion_limit (default: 0)\fR"
457#         A limit on the total number of result elements returned
458#         (as a comma separated list) by a lookup against the map.
459#         A setting of zero disables the limit. Lookups fail with a
460#         temporary error if the limit is exceeded.  Setting the
461#         limit to 1 ensures that lookups do not return multiple
462#         values.
463# .IP "\fBsize_limit (default: $expansion_limit)\fR"
464#         A limit on the number of LDAP entries returned by any single
465#         LDAP search performed as part of the lookup. A setting of
466#         0 disables the limit.  Expansion of DN and URL references
467#         involves nested LDAP queries, each of which is separately
468#         subjected to this limit.
469#
470#         Note: even a single LDAP entry can generate multiple lookup
471#         results, via multiple result attributes and/or multi-valued
472#         result attributes. This limit caps the per search resource
473#         utilization on the LDAP server, not the final multiplicity
474#         of the lookup result. It is analogous to the "-z" option
475#         of "ldapsearch".
476# .IP "\fBdereference (default: 0)\fR"
477#         When to dereference LDAP aliases. (Note that this has
478#         nothing to do with Postfix aliases.) The permitted values are
479#         those legal for the OpenLDAP/UM LDAP implementations:
480# .RS
481# .IP 0
482#         never
483# .IP 1
484#         when searching
485# .IP 2
486#         when locating the base object for the search
487# .IP 3
488#         always
489# .RE
490# .IP
491#         See ldap.h or the ldap_open(3) or ldapsearch(1) man pages
492#         for more information. And if you're using an LDAP package
493#         that has other possible values, please bring it to the
494#         attention of the postfix-users@postfix.org mailing list.
495# .IP "\fBchase_referrals (default: 0)\fR"
496#         Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
497#         3 support).
498# .IP "\fBversion (default: 2)\fR"
499#         Specifies the LDAP protocol version to use.
500# .IP "\fBdebuglevel (default: 0)\fR"
501#         What level to set for debugging in the OpenLDAP libraries.
502# LDAP SASL PARAMETERS
503# .ad
504# .fi
505#         If you're using the OpenLDAP libraries compiled with SASL
506#         support, Postfix 2.8 and later built with LDAP SASL support
507#         as described in LDAP_README can authenticate to LDAP servers
508#         via SASL.
509#
510#         This enables authentication to the LDAP server via mechanisms
511#         other than a simple password. The added flexibility has a cost:
512#         it is no longer practical to set an explicit timeout on the duration
513#         of an LDAP bind operation. Under adverse conditions, whether a SASL
514#         bind times out at all, and if so after how long, is determined by
515#         the LDAP and SASL libraries rather than by the timeout parameter.
516#
517#         It is best to use tables that use SASL binds via proxymap(8); this
518#         way the requesting process can time out the proxymap request. This
519#         also lets you tailor the process environment by overriding the
520#         proxymap(8) import_environment setting in master.cf(5). Special
521#         environment settings may be needed to configure GSSAPI credential
522#         caches or other SASL mechanism specific options. The GSSAPI
523#         credentials used for LDAP lookups may need to be different than
524#         say those used for the Postfix SMTP client to authenticate to remote
525#         servers.
526#
527#         Using SASL mechanisms requires LDAP protocol version 3, the default
528#         protocol version is 2 for backwards compatibility. You must set
529#         "version = 3" in addition to "bind = sasl".
530#
531#         The following parameters are relevant to using LDAP with SASL:
532# .IP "\fBsasl_mechs (default: empty)\fR"
533#         Space separated list of SASL mechanism(s) to try.
534# .IP "\fBsasl_realm (default: empty)\fR"
535#         SASL Realm to use, if applicable.
536# .IP "\fBsasl_authz_id (default: empty)\fR"
537#         The SASL authorization identity to assert, if applicable.
538# .IP "\fBsasl_minssf (default: 0)\fR"
539#         The minimum SASL security strength factor (SSF) required to establish a
540#         connection; the default 0 accepts a mechanism that provides no integrity or confidentiality protection.
541# LDAP SSL AND STARTTLS PARAMETERS
542# .ad
543# .fi
544#         If you're using the OpenLDAP libraries compiled with SSL
545#         support, Postfix can connect to LDAP SSL servers and can
546#         issue the STARTTLS command.
547#
548#         LDAP SSL service can be requested by using an LDAP SSL URL
549#         in the server_host parameter:
550#
551# .nf
552#             server_host = ldaps://ldap.example.com:636
553# .fi
554#
555#         STARTTLS can be turned on with the start_tls parameter:
556#
557# .nf
558#             start_tls = yes
559# .fi
560#
561#         Both forms require LDAP protocol version 3, which has to be set
562#         explicitly with:
563#
564# .nf
565#             version = 3
566# .fi
567#
568#         If any of the Postfix programs querying the map is configured in
569#         master.cf to run chrooted, all the certificates and keys involved
570#         have to be copied to the chroot jail. Of course, the private keys
571#         should only be readable by the user "postfix".
572#
573#         The following parameters are relevant to LDAP SSL and STARTTLS:
574# .IP "\fBstart_tls (default: no)\fR"
575#         Whether or not to issue STARTTLS upon connection to the
576#         server.  Don't set this with LDAP SSL (the SSL session is set up
577#         automatically when the TCP connection is opened).
578# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR"
579#         Directory containing X509 Certification Authority certificates
580#         in PEM format which are to be recognized by the client in
581#         SSL/TLS connections. The files each contain one CA certificate.
582#         The files are looked up by the CA subject name hash value,
583#         which must hence be available. If more than one CA certificate
584#         with the same name hash value exists, the extension must be
585#         different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is
586#         performed in the ordering of the extension number, regardless
587#         of other properties of the certificates. Use the c_rehash
588#         utility (from the OpenSSL distribution) to create the
589#         necessary links.
590# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR"
591#         File containing the X509 Certification Authority certificates
592#         in PEM format which are to be recognized by the client in
593#         SSL/TLS connections. This setting takes precedence over
594#         tls_ca_cert_dir.
595# .IP "\fBtls_cert (No default; you must set this)\fR"
596#         File containing client's X509 certificate to be used by
597#         the client in SSL/ TLS connections.
598# .IP "\fBtls_key (No default; you must set this)\fR"
599#         File containing the private key corresponding to the above
600#         tls_cert.
601# .IP "\fBtls_require_cert (default: no)\fR"
602#         Whether or not to request the server's X509 certificate and check its
603#         validity when establishing SSL/TLS connections. The supported values are
604#         \fBno\fR and \fByes\fR; only \fByes\fR authenticates the LDAP server, so use it whenever a bind password or the lookup results are sensitive.
605# .sp
606#         With \fBno\fR, the server certificate trust chain is not checked,
607#         but with OpenLDAP prior to 2.1.13, the name in the server
608#         certificate must still match the LDAP server name. With OpenLDAP
609#         2.0.0 to 2.0.11 the server name is not necessarily what you
610#         specified, rather it is determined (by reverse lookup) from the
611#         IP address of the LDAP server connection. With OpenLDAP prior to
612#         2.0.13, subjectAlternativeName extensions in the LDAP server
613#         certificate are ignored: the server name must match the subject
614#         CommonName. The \fBno\fR setting corresponds to the \fBnever\fR
615#         value of \fBTLS_REQCERT\fR in LDAP client configuration files.
616# .sp
617#         Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
618#         if you can avoid it.
619# .sp
620#         With \fByes\fR, the server certificate must be issued by a trusted
621#         CA, and not be expired. The LDAP server name must match one of the
622#         name(s) found in the certificate (see above for OpenLDAP library
623#         version dependent behavior). The \fByes\fR setting corresponds to the
624#         \fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration
625#         files.
626# .sp
627#         The "try" and "allow" values of \fBTLS_REQCERT\fR have no equivalents
628#         here. They are not available with OpenLDAP 2.0, and in any case have
629#         questionable security properties. Either you want TLS verified LDAP
630#         connections, or you don't.
631# .sp
632#         The \fByes\fR value only works correctly with Postfix 2.5 and later,
633#         or with OpenLDAP 2.0. Postfix releases earlier than 2.5 combined with
634#         OpenLDAP releases later than 2.0 don't work with this setting. Support
635#         for LDAP over TLS was added to Postfix based on the OpenLDAP 2.0 API.
636# .IP "\fBtls_random_file (No default)\fR"
637#         Path of a file to obtain random bits from when /dev/[u]random
638#         is not available, to be used by the client in SSL/TLS
639#         connections.
640# .IP "\fBtls_cipher_suite (No default)\fR"
641#         Cipher suite to use in SSL/TLS negotiations.
642# EXAMPLE
643# .ad
644# .fi
645#         Here's a basic example for using LDAP to look up local(8)
646#         aliases.
647#         Assume that in main.cf, you have:
648#
649# .nf
650#             alias_maps = hash:/etc/aliases,
651#                     ldap:/etc/postfix/ldap-aliases.cf
652# .fi
653#
654#         and in ldap:/etc/postfix/ldap-aliases.cf you have:
655#
656# .nf
657#             server_host = ldap.example.com
658#             search_base = dc=example, dc=com
659# .fi
660#
661#         Upon receiving mail for a local address "ldapuser" that
662#         isn't found in the /etc/aliases database, Postfix will
663#         search the LDAP server listening at port 389 on ldap.example.com.
664#         It will bind anonymously, search for any directory entries
665#         whose mailacceptinggeneralid attribute is "ldapuser", read
666#         the "maildrop" attributes of those found, and build a list
667#         of their maildrops, which will be treated as RFC822 addresses
668#         to which the message will be delivered.
669# OBSOLETE MAIN.CF PARAMETERS
670# .ad
671# .fi
672#         For backwards compatibility with Postfix version 2.0 and earlier,
673#         LDAP parameters can also be defined in main.cf.  Specify
674#         as LDAP source a name that doesn't begin with a slash or
675#         a dot.  The LDAP parameters will then be accessible as the
676#         name you've given the source in its definition, an underscore,
677#         and the name of the parameter.  For example, if the map is
678#         specified as "ldap:\fIldapsource\fR", the "server_host"
679#         parameter below would be defined in main.cf as
680#         "\fIldapsource\fR_server_host".
681#
682#         Note: with this form, the passwords for the LDAP sources are
683#         written in main.cf, which is normally world-readable.  Support
684#         for this form will be removed in a future Postfix version.
685# OTHER OBSOLETE FEATURES
686# .ad
687# .fi
688# .IP "\fBresult_filter (No default)\fR"
689#         For backwards compatibility with the pre-2.2
690#         LDAP clients, \fBresult_filter\fR can for now be used instead
691#         of \fBresult_format\fR, when the latter parameter is not also set.
692#         The new name better reflects the function of the parameter. This
693#         compatibility interface may be removed in a future release.
694# SEE ALSO
695#         postmap(1), Postfix lookup table manager
696#         postconf(5), configuration parameters
697#         mysql_table(5), MySQL lookup tables
698#         pgsql_table(5), PostgreSQL lookup tables
699# README FILES
700# .ad
701# .fi
702#         Use "\fBpostconf readme_directory\fR" or
703#         "\fBpostconf html_directory\fR" to locate this information.
704# .na
705# .nf
706#         DATABASE_README, Postfix lookup table overview
707#         LDAP_README, Postfix LDAP client guide
708# LICENSE
709# .ad
710# .fi
711#         The Secure Mailer license must be distributed with this software.
712# AUTHOR(S)
713# .ad
714# .fi
715#         Carsten Hoeger,
716#         Hery Rakotoarisoa,
717#         John Hensley,
718#         Keith Stevenson,
719#         LaMont Jones,
720#         Liviu Daia,
721#         Manuel Guesdon,
722#         Mike Mattice,
723#         Prabhat K Singh,
724#         Sami Haahtinen,
725#         Samuel Tardieu,
726#         Victor Duchovni,
727#         and many others.
728#--
729