# NAME

#++
# NAME
# ldap_table 5
# SUMMARY
# Postfix LDAP client configuration
# SYNOPSIS
# \fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/\fIfilename\fR
#
# \fBpostmap -q - ldap:/etc/postfix/\fIfilename\fB <\fIinputfile\fR
# DESCRIPTION
# The Postfix mail system uses optional tables for address
# rewriting or mail routing. These tables are usually in
# \fBdbm\fR or \fBdb\fR format.
#
# Alternatively, lookup tables can be specified as LDAP databases.
#
# In order to use LDAP lookups, define an LDAP source as a lookup
# table in main.cf, for example:
#
# .nf
# alias_maps = ldap:/etc/postfix/ldap-aliases.cf
# .fi
#
# The file /etc/postfix/ldap-aliases.cf has the same format as
# the Postfix main.cf file, and can specify the parameters
# described below. An example is given at the end of this manual.
#
# This configuration method is available with Postfix version
# 2.1 and later. See the section "OBSOLETE MAIN.CF PARAMETERS"
# below for older Postfix versions.
#
# For details about LDAP SSL and STARTTLS, see the section
# on SSL and STARTTLS below.
# LIST MEMBERSHIP
# .ad
# .fi
# When using LDAP to store lists such as $mynetworks,
# $mydestination, $relay_domains, $local_recipient_maps,
# etc., it is important to understand that the table must
# store each list member as a separate key. The table lookup
# verifies the *existence* of the key. See "Postfix lists
# versus tables" in the DATABASE_README document for a
# discussion.
#
# Do NOT create tables that return the full list of domains
# in $mydestination or $relay_domains etc., or IP addresses
# in $mynetworks.
#
# DO create tables with each matching item as a key and with
# an arbitrary value. With LDAP databases it is not uncommon to
# return the key itself.
#
# For example, NEVER do this in a map defining $mydestination:
#
# .nf
# query_filter = domain=*
# result_attribute = domain
# .fi
#
# Do this instead:
#
# .nf
# query_filter = domain=%s
# result_attribute = domain
# .fi
# GENERAL LDAP PARAMETERS
# .ad
# .fi
# In the text below, default values are given in parentheses.
# Note: don't use quotes in these variables; at least, not until the
# Postfix configuration routines understand how to deal with quoted
# strings.
# .IP "\fBserver_host (default: localhost)\fR"
# The name of the host running the LDAP server, e.g.
#
# .nf
# server_host = ldap.example.com
# .fi
#
# Depending on the LDAP client library you're using, it should
# be possible to specify multiple servers here, with the library
# trying them in order should the first one fail. It should also
# be possible to give each server in the list a different port
# (overriding \fBserver_port\fR below), by naming them like
#
# .nf
# server_host = ldap.example.com:1444
# .fi
#
# NOTE: this client will reconnect immediately after a single
# failure, and will fail a lookup request after a second attempt
# also fails.
#
# With OpenLDAP, a (list of) LDAP URLs can be used to specify both
# the hostname(s) and the port(s):
#
# .nf
# server_host = ldap://ldap.example.com:1444
# ldap://ldap2.example.com:1444
# .fi
#
# All LDAP URLs accepted by the OpenLDAP library are supported,
# including connections over UNIX domain sockets, and LDAP SSL
# (the last one provided that OpenLDAP was compiled with support
# for SSL):
#
# .nf
# server_host = ldapi://%2Fsome%2Fpath
# ldaps://ldap.example.com:636
# .fi
# .IP "\fBserver_port (default: 389)\fR"
# The port the LDAP server listens on, e.g.
#
# .nf
# server_port = 778
# .fi
# .IP "\fBtimeout (default: 10 seconds)\fR"
# The number of seconds a search can take before timing out, e.g.
#
# .fi
# timeout = 5
# .fi
# .IP "\fBsearch_base (No default; you must configure this)\fR"
# The RFC2253 base DN at which to conduct the search, e.g.
#
# .nf
# search_base = dc=your, dc=com
# .fi
# .IP
# With Postfix 2.2 and later this parameter supports the
# following '%' expansions:
# .RS
# .IP "\fB%%\fR"
# This is replaced by a literal '%' character.
# .IP "\fB%s\fR"
# This is replaced by the input key.
# RFC 2253 quoting is used to make sure that the input key
# does not add unexpected metacharacters.
# .IP "\fB%u\fR"
# When the input key is an address of the form user@domain, \fB%u\fR
# is replaced by the (RFC 2253) quoted local part of the address.
# Otherwise, \fB%u\fR is replaced by the entire search string.
# If the localpart is empty, the search is suppressed and returns
# no results.
# .IP "\fB%d\fR"
# When the input key is an address of the form user@domain, \fB%d\fR
# is replaced by the (RFC 2253) quoted domain part of the address.
# Otherwise, the search is suppressed and returns no results.
# .IP "\fB%[SUD]\fR"
# For the \fBsearch_base\fR parameter, the upper-case equivalents
# of the above expansions behave identically to their lower-case
# counter-parts. With the \fBresult_format\fR parameter (previously
# called \fBresult_filter\fR see the OTHER OBSOLETE FEATURES section
# and below), they expand to the corresponding components of input
# key rather than the result value.
# .IP "\fB%[1-9]\fR"
# The patterns %1, %2, ... %9 are replaced by the corresponding
# most significant component of the input key's domain. If the
# input key is \[email protected]\fR, then %1 is \fBcom\fR,
# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
# unqualified or does not have enough domain components to satisfy
# all the specified patterns, the search is suppressed and returns
# no results.
# .RE
# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR"
# The RFC2254 filter used to search the directory, where \fB%s\fR
# is a substitute for the address Postfix is trying to resolve,
# e.g.
#
# .nf
# query_filter = (&(mail=%s)(paid_up=true))
# .fi
#
# This parameter supports the following '%' expansions:
# .RS
# .IP "\fB%%\fR"
# This is replaced by a literal '%' character. (Postfix 2.2 and later).
# .IP "\fB%s\fR"
# This is replaced by the input key.
# RFC 2254 quoting is used to make sure that the input key
# does not add unexpected metacharacters.
# .IP "\fB%u\fR"
# When the input key is an address of the form user@domain, \fB%u\fR
# is replaced by the (RFC 2254) quoted local part of the address.
# Otherwise, \fB%u\fR is replaced by the entire search string.
# If the localpart is empty, the search is suppressed and returns
# no results.
# .IP "\fB%d\fR"
# When the input key is an address of the form user@domain, \fB%d\fR
# is replaced by the (RFC 2254) quoted domain part of the address.
# Otherwise, the search is suppressed and returns no results.
# .IP "\fB%[SUD]\fR"
# The upper-case equivalents of the above expansions behave in the
# \fBquery_filter\fR parameter identically to their lower-case
# counter-parts. With the \fBresult_format\fR parameter (previously
# called \fBresult_filter\fR see the OTHER OBSOLETE FEATURES section
# and below), they expand to the corresponding components of input
# key rather than the result value.
# .IP
# The above %S, %U and %D expansions are available with Postfix 2.2
# and later.
# .IP "\fB%[1-9]\fR"
# The patterns %1, %2, ... %9 are replaced by the corresponding
# most significant component of the input key's domain. If the
# input key is \[email protected]\fR, then %1 is \fBcom\fR,
# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
# unqualified or does not have enough domain components to satisfy
# all the specified patterns, the search is suppressed and returns
# no results.
# .IP
# The above %1, ..., %9 expansions are available with Postfix 2.2
# and later.
# .RE
# .IP
# The "domain" parameter described below limits the input
# keys to addresses in matching domains. When the "domain"
# parameter is non-empty, LDAP queries for unqualified
# addresses or addresses in non-matching domains are suppressed
# and return no results.
#
# NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter.
# .IP "\fBresult_format (default: \fB%s\fR)\fR"
# Called \fBresult_filter\fR in Postfix releases prior to 2.2.
# Format template applied to result attributes. Most commonly used
# to append (or prepend) text to the result. This parameter supports
# the following '%' expansions:
# .RS
# .IP "\fB%%\fR"
# This is replaced by a literal '%' character. (Postfix 2.2 and later).
# .IP "\fB%s\fR"
# This is replaced by the value of the result attribute. When
# result is empty it is skipped.
# .IP "\fB%u\fR
# When the result attribute value is an address of the form
# user@domain, \fB%u\fR is replaced by the local part of the
# address. When the result has an empty localpart it is skipped.
# .IP "\fB%d\fR"
# When a result attribute value is an address of the form
# user@domain, \fB%d\fR is replaced by the domain part of
# the attribute value. When the result is unqualified it
# is skipped.
# .IP "\fB%[SUD1-9]\fR"
# The upper-case and decimal digit expansions interpolate
# the parts of the input key rather than the result. Their
# behavior is identical to that described with \fBquery_filter\fR,
# and in fact because the input key is known in advance, lookups
# whose key does not contain all the information specified in
# the result template are suppressed and return no results.
# .IP
# The above %S, %U, %D and %1, ..., %9 expansions are available with
# Postfix 2.2 and later.
# .RE
# .IP
# For example, using "result_format = smtp:[%s]" allows one
# to use a mailHost attribute as the basis of a transport(5)
# table. After applying the result format, multiple values
# are concatenated as comma separated strings. The expansion_limit
# and size_limit parameters explained below allow one to
# restrict the number of values in the result, which is
# especially useful for maps that should return a single
# value.
#
# The default value \fB%s\fR specifies that each
# attribute value should be used as is.
#
# This parameter was called \fBresult_filter\fR in Postfix
# releases prior to 2.2. If no "result_format" is specified,
# the value of "result_filter" will be used instead before
# resorting to the default value. This provides compatibility
# with old configuration files.
#
# NOTE: DO NOT put quotes around the result format!
# .IP "\fBdomain (default: no domain list)\fR"
# This is a list of domain names, paths to files, or
# "type:table" databases. When specified, only fully qualified search
# keys with a *non-empty* localpart and a matching domain
# are eligible for lookup: 'user' lookups, bare domain lookups
# and "@domain" lookups are not performed. This can significantly
# reduce the query load on the LDAP server.
#
# .nf
# domain = postfix.org, hash:/etc/postfix/searchdomains
# .fi
#
# It is best not to use LDAP to store the domains eligible
# for LDAP lookups.
#
# NOTE: DO NOT define this parameter for local(8) aliases.
#
# This feature is available in Postfix 1.0 and later.
# .IP "\fBresult_attribute (default: maildrop)\fR"
# The attribute(s) Postfix will read from any directory
# entries returned by the lookup, to be resolved to an email
# address.
#
# .nf
# result_attribute = mailbox, maildrop
# .fi
#
# Don't rely on the default value ("maildrop"). Set the
# result_attribute explicitly in all ldap table configuration
# files. This is particularly relevant when no result_attribute
# is applicable, e.g. cases in which leaf_result_attribute and/or
# terminal_result_attribute are used instead. The default value
# is harmless if "maildrop" is also listed as a leaf or terminal
# result attribute, but it is best to not leave this to chance.
# .IP "\fBspecial_result_attribute (default: empty)\fR"
# The attribute(s) of directory entries that can contain DNs
# or RFC 2255 LDAP URLs. If found, a recursive search
# is performed to retrieve the entry referenced by the DN, or
# the entries matched by the URL query.
#
# .nf
# special_result_attribute = memberdn
# .fi
#
# DN recursion retrieves the same result_attributes as the
# main query, including the special attributes for further
# recursion.
#
# URL processing retrieves only those attributes that are included
# in both the URL definition and as result attributes (ordinary,
# special, leaf or terminal) in the Postfix table definition.
# If the URL lists any of the table's special result attributes,
# these are retrieved and used recursively. A URL that does not
# specify any attribute selection, is equivalent (RFC 2255) to a
# URL that selects all attributes, in which case the selected
# attributes will be the full set of result attributes in the
# Postfix table.
#
# If an LDAP URL attribute-descriptor or the corresponding Postfix
# LDAP table result attribute (but not both) uses RFC 2255 sub-type
# options ("attr;option"), the attribute requested from the LDAP server
# will include the sub-type option. In all other cases, the URL
# attribute and the table attribute must match exactly. Attributes
# with options in both the URL and the Postfix table are requested
# only when the options are identical. LDAP attribute-descriptor
# options are very rarely used, most LDAP users will not
# need to concern themselves with this level of nuanced detail.
# .IP "\fBterminal_result_attribute (default: empty)\fR"
# When one or more terminal result attributes are found in an LDAP
# entry, all other result attributes are ignored and only the terminal
# result attributes are returned. This is useful for delegating expansion
# of group members to a particular host, by using an optional "maildrop"
# attribute on selected groups to route the group to a specific host,
# where the group is expanded, possibly via mailing-list manager or
# other special processing.
#
# .nf
# result_attribute =
# terminal_result_attribute = maildrop
# .fi
#
# When using terminal and/or leaf result attributes, the
# result_attribute is best set to an empty value when it is not
# used, or else explicitly set to the desired value, even if it is
# the default value "maildrop".
#
# This feature is available with Postfix 2.4 or later.
# .IP "\fBleaf_result_attribute (default: empty)\fR"
# When one or more special result attributes are found in a non-terminal
# (see above) LDAP entry, leaf result attributes are excluded from the
# expansion of that entry. This is useful when expanding groups and the
# desired mail address attribute(s) of the member objects obtained via
# DN or URI recursion are also present in the group object. To only
# return the attribute values from the leaf objects and not the
# containing group, add the attribute to the leaf_result_attribute list,
# and not the result_attribute list, which is always expanded. Note,
# the default value of "result_attribute" is not empty, you may want to
# set it explicitly empty when using "leaf_result_attribute" to expand
# the group to a list of member DN addresses. If groups have both
# member DN references AND attributes that hold multiple string valued
# rfc822 addresses, then the string attributes go in "result_attribute".
# The attributes that represent the email addresses of objects
# referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
#
# .nf
# result_attribute = memberaddr
# special_result_attribute = memberdn
# terminal_result_attribute = maildrop
# leaf_result_attribute = mail
# .fi
#
# When using terminal and/or leaf result attributes, the
# result_attribute is best set to an empty value when it is not
# used, or else explicitly set to the desired value, even if it is
# the default value "maildrop".
#
# This feature is available with Postfix 2.4 or later.
# .IP "\fBscope (default: sub)\fR"
# The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
# and LDAP_SCOPE_ONELEVEL.
# .IP "\fBbind (default: yes)\fR"
# Whether or how to bind to the LDAP server. Newer LDAP
# implementations don't require clients to bind, which saves
# time. Example:
#
# .nf
# # Don't bind
# bind = no
# # Use SIMPLE bind
# bind = yes
# # Use SASL bind
# bind = sasl
# .fi
#
# Postfix versions prior to 2.8 only support "bind = no" which
# means don't bind, and "bind = yes" which means do a SIMPLE bind.
# Postfix 2.8 and later also supports "bind = SASL" when compiled
# with LDAP SASL support as described in LDAP_README, it also adds
# the synonyms "bind = none" and "bind = simple" for "bind = no"
# and "bind = yes" respectively. See the SASL section below for
# additional parameters available with "bind = sasl".
#
# If you do need to bind, you might consider configuring
# Postfix to connect to the local machine on a port that's
# an SSL tunnel to your LDAP server. If your LDAP server
# doesn't natively support SSL, put a tunnel (wrapper, proxy,
# whatever you want to call it) on that system too. This
# should prevent the password from traversing the network in
# the clear.
# .IP "\fBbind_dn (default: empty)\fR"
# If you do have to bind, do it with this distinguished name. Example:
#
# .nf
# bind_dn = uid=postfix, dc=your, dc=com
# .fi
# With "bind = sasl" (see above) the DN may be optional for some SASL
# mechanisms, don't specify a DN if not needed.
# .IP "\fBbind_pw (default: empty)\fR"
# The password for the distinguished name above. If you have
# to use this, you probably want to make the map configuration
# file readable only by the Postfix user. When using the
# obsolete ldap:ldapsource syntax, with map parameters in
# main.cf, it is not possible to securely store the bind
# password. This is because main.cf needs to be world readable
# to allow local accounts to submit mail via the sendmail
# command. Example:
#
# .nf
# bind_pw = postfixpw
# .fi
# With "bind = sasl" (see above) the password may be optional
# for some SASL mechanisms, don't specify a password if not needed.
# .IP "\fBcache (IGNORED with a warning)\fR"
# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
# .IP "\fBcache_size (IGNORED with a warning)\fR"
# The above parameters are NO LONGER SUPPORTED by Postfix.
# Cache support has been dropped from OpenLDAP as of release
# 2.1.13.
# .IP "\fBrecursion_limit (default: 1000)\fR"
# A limit on the nesting depth of DN and URL special result
# attribute evaluation. The limit must be a non-zero positive
# number.
# .IP "\fBexpansion_limit (default: 0)\fR"
# A limit on the total number of result elements returned
# (as a comma separated list) by a lookup against the map.
# A setting of zero disables the limit. Lookups fail with a
# temporary error if the limit is exceeded. Setting the
# limit to 1 ensures that lookups do not return multiple
# values.
# .IP "\fBsize_limit (default: $expansion_limit)\fR"
# A limit on the number of LDAP entries returned by any single
# LDAP search performed as part of the lookup. A setting of
# 0 disables the limit. Expansion of DN and URL references
# involves nested LDAP queries, each of which is separately
# subjected to this limit.
#
# Note: even a single LDAP entry can generate multiple lookup
# results, via multiple result attributes and/or multi-valued
# result attributes. This limit caps the per search resource
# utilization on the LDAP server, not the final multiplicity
# of the lookup result. It is analogous to the "-z" option
# of "ldapsearch".
# .IP "\fBdereference (default: 0)\fR"
# When to dereference LDAP aliases. (Note that this has
# nothing do with Postfix aliases.) The permitted values are
# those legal for the OpenLDAP/UM LDAP implementations:
# .RS
# .IP 0
# never
# .IP 1
# when searching
# .IP 2
# when locating the base object for the search
# .IP 3
# always
# .RE
# .IP
# See ldap.h or the ldap_open(3) or ldapsearch(1) man pages
# for more information. And if you're using an LDAP package
# that has other possible values, please bring it to the
# attention of the [email protected] mailing list.
# .IP "\fBchase_referrals (default: 0)\fR"
# Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
# 3 support).
# .IP "\fBversion (default: 2)\fR"
# Specifies the LDAP protocol version to use.
# .IP "\fBdebuglevel (default: 0)\fR"
# What level to set for debugging in the OpenLDAP libraries.
# LDAP SASL PARAMETERS
# .ad
# .fi
# If you're using the OpenLDAP libraries compiled with SASL
# support, Postfix 2.8 and later built with LDAP SASL support
# as described in LDAP_README can authenticate to LDAP servers
# via SASL.
#
# This enables authentication to the LDAP server via mechanisms
# other than a simple password. The added flexibility has a cost:
# it is no longer practical to set an explicit timeout on the duration
# of an LDAP bind operation. Under adverse conditions, whether a SASL
# bind times out, or if it does, the duration of the timeout is
# determined by the LDAP and SASL libraries.
#
# It is best to use tables that use SASL binds via proxymap(8), this
# way the requesting process can time-out the proxymap request. This
# also lets you tailer the process environment by overriding the
# proxymap(8) import_environment setting in master.cf(5). Special
# environment settings may be needed to configure GSSAPI credential
# caches or other SASL mechanism specific options. The GSSAPI
# credentials used for LDAP lookups may need to be different than
# say those used for the Postfix SMTP client to authenticate to remote
# servers.
#
# Using SASL mechanisms requires LDAP protocol version 3, the default
# protocol version is 2 for backwards compatibility. You must set
# "version = 3" in addition to "bind = sasl".
#
# The following parameters are relevant to using LDAP with SASL
# .IP "\fBsasl_mechs (default: empty)\fR"
# Space separated list of SASL mechanism(s) to try.
# .IP "\fBsasl_realm (default: empty)\fR"
# SASL Realm to use, if applicable.
# .IP "\fBsasl_authz_id (default: empty)\fR"
# The SASL authorization identity to assert, if applicable.
# .IP "\fBsasl_minssf (default: 0)\fR"
# The minimum required sasl security factor required to establish a
# connection.
# LDAP SSL AND STARTTLS PARAMETERS
# .ad
# .fi
# If you're using the OpenLDAP libraries compiled with SSL
# support, Postfix can connect to LDAP SSL servers and can
# issue the STARTTLS command.
#
# LDAP SSL service can be requested by using a LDAP SSL URL
# in the server_host parameter:
#
# .nf
# server_host = ldaps://ldap.example.com:636
# .fi
#
# STARTTLS can be turned on with the start_tls parameter:
#
# .nf
# start_tls = yes
# .fi
#
# Both forms require LDAP protocol version 3, which has to be set
# explicitly with:
#
# .nf
# version = 3
# .fi
#
# If any of the Postfix programs querying the map is configured in
# master.cf to run chrooted, all the certificates and keys involved
# have to be copied to the chroot jail. Of course, the private keys
# should only be readable by the user "postfix".
#
# The following parameters are relevant to LDAP SSL and STARTTLS:
# .IP "\fBstart_tls (default: no)\fR"
# Whether or not to issue STARTTLS upon connection to the
# server. Don't set this with LDAP SSL (the SSL session is setup
# automatically when the TCP connection is opened).
# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR"
# Directory containing X509 Certification Authority certificates
# in PEM format which are to be recognized by the client in
# SSL/TLS connections. The files each contain one CA certificate.
# The files are looked up by the CA subject name hash value,
# which must hence be available. If more than one CA certificate
# with the same name hash value exist, the extension must be
# different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is
# performed in the ordering of the extension number, regardless
# of other properties of the certificates. Use the c_rehash
# utility (from the OpenSSL distribution) to create the
# necessary links.
# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR"
# File containing the X509 Certification Authority certificates
# in PEM format which are to be recognized by the client in
# SSL/TLS connections. This setting takes precedence over
# tls_ca_cert_dir.
# .IP "\fBtls_cert (No default; you must set this)\fR"
# File containing client's X509 certificate to be used by
# the client in SSL/ TLS connections.
# .IP "\fBtls_key (No default; you must set this)\fR"
# File containing the private key corresponding to the above
# tls_cert.
# .IP "\fBtls_require_cert (default: no)\fR"
# Whether or not to request server's X509 certificate and
# check its validity when establishing SSL/TLS connections.
# The supported values are \fBno\fR and \fByes\fR.
# .sp
# With \fBno\fR, the server certificate trust chain is not checked,
# but with OpenLDAP prior to 2.1.13, the name in the server
# certificate must still match the LDAP server name. With OpenLDAP
# 2.0.0 to 2.0.11 the server name is not necessarily what you
# specified, rather it is determined (by reverse lookup) from the
# IP address of the LDAP server connection. With OpenLDAP prior to
# 2.0.13, subjectAlternativeName extensions in the LDAP server
# certificate are ignored: the server name must match the subject
# CommonName. The \fBno\fR setting corresponds to the \fBnever\fR
# value of \fBTLS_REQCERT\fR in LDAP client configuration files.
# .sp
# Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
# if you can avoid it.
# .sp
# With \fByes\fR, the server certificate must be issued by a trusted
# CA, and not be expired. The LDAP server name must match one of the
# name(s) found in the certificate (see above for OpenLDAP library
# version dependent behavior). The \fByes\fR setting corresponds to the
# \fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration
# files.
# .sp
# The "try" and "allow" values of \fBTLS_REQCERT\fR have no equivalents
# here. They are not available with OpenLDAP 2.0, and in any case have
# questionable security properties. Either you want TLS verified LDAP
# connections, or you don't.
# .sp
# The \fByes\fR value only works correctly with Postfix 2.5 and later,
# or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
# releases don't work together with this setting. Support for LDAP
# over TLS was added to Postfix based on the OpenLDAP 2.0 API.
# .IP "\fBtls_random_file (No default)\fR"
# Path of a file to obtain random bits from when /dev/[u]random
# is not available, to be used by the client in SSL/TLS
# connections.
# .IP "\fBtls_cipher_suite (No default)\fR"
# Cipher suite to use in SSL/TLS negotiations.
# EXAMPLE
# .ad
# .fi
# Here's a basic example for using LDAP to look up local(8)
# aliases.
# Assume that in main.cf, you have:
#
# .nf
# alias_maps = hash:/etc/aliases,
# ldap:/etc/postfix/ldap-aliases.cf
# .fi
#
# and in ldap:/etc/postfix/ldap-aliases.cf you have:
#
# .nf
# server_host = ldap.example.com
# search_base = dc=example, dc=com
# .fi
#
# Upon receiving mail for a local address "ldapuser" that
# isn't found in the /etc/aliases database, Postfix will
# search the LDAP server listening at port 389 on ldap.example.com.
# It will bind anonymously, search for any directory entries
# whose mailacceptinggeneralid attribute is "ldapuser", read
# the "maildrop" attributes of those found, and build a list
# of their maildrops, which will be treated as RFC822 addresses
# to which the message will be delivered.
# OBSOLETE MAIN.CF PARAMETERS
# .ad
# .fi
# For backwards compatibility with Postfix version 2.0 and earlier,
# LDAP parameters can also be defined in main.cf. Specify
# as LDAP source a name that doesn't begin with a slash or
# a dot. The LDAP parameters will then be accessible as the
# name you've given the source in its definition, an underscore,
# and the name of the parameter. For example, if the map is
# specified as "ldap:\fIldapsource\fR", the "server_host"
# parameter below would be defined in main.cf as
# "\fIldapsource\fR_server_host".
#
# Note: with this form, the passwords for the LDAP sources are
# written in main.cf, which is normally world-readable. Support
# for this form will be removed in a future Postfix version.
# OTHER OBSOLETE FEATURES
# .ad
# .fi
# .IP "\fBresult_filter (No default)\fR"
# For backwards compatibility with the pre
# 2.2 LDAP clients, \fBresult_filter\fR can for now be used instead
# of \fBresult_format\fR, when the latter parameter is not also set.
# The new name better reflects the function of the parameter. This
# compatibility interface may be removed in a future release.
# SEE ALSO
# postmap(1), Postfix lookup table manager
# postconf(5), configuration parameters
# mysql_table(5), MySQL lookup tables
# pgsql_table(5), PostgreSQL lookup tables
# README FILES
# .ad
# .fi
# Use "\fBpostconf readme_directory\fR" or
# "\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
# DATABASE_README, Postfix lookup table overview
# LDAP_README, Postfix LDAP client guide
# LICENSE
# .ad
# .fi
# The Secure Mailer license must be distributed with this software.
# AUTHOR(S)
# .ad
# .fi
# Carsten Hoeger,
# Hery Rakotoarisoa,
# John Hensley,
# Keith Stevenson,
# LaMont Jones,
# Liviu Daia,
# Manuel Guesdon,
# Mike Mattice,
# Prabhat K Singh,
# Sami Haahtinen,
# Samuel Tardieu,
# Victor Duchovni,
# and many others.
#--