#++
# NAME
# ldap_table 5
# SUMMARY
# Postfix LDAP client configuration
# SYNOPSIS
# \fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/filename\fR
#
# \fBpostmap -q - ldap:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
# DESCRIPTION
# The Postfix mail system uses optional tables for address
# rewriting or mail routing. These tables are usually in
# \fBdbm\fR or \fBdb\fR format.
#
# Alternatively, lookup tables can be specified as LDAP databases.
#
# In order to use LDAP lookups, define an LDAP source as a lookup
# table in main.cf, for example:
#
# .nf
# alias_maps = ldap:/etc/postfix/ldap-aliases.cf
# .fi
#
# The file /etc/postfix/ldap-aliases.cf has the same format as
# the Postfix main.cf file, and can specify the parameters
# described below. An example is given at the end of this manual.
#
# This configuration method is available with Postfix version
# 2.1 and later. See the section "BACKWARDS COMPATIBILITY"
# below for older Postfix versions.
#
# For details about LDAP SSL and STARTTLS, see the section
# on SSL and STARTTLS below.
# BACKWARDS COMPATIBILITY
# .ad
# .fi
# For backwards compatibility with Postfix version 2.0 and earlier,
# LDAP parameters can also be defined in main.cf. Give the LDAP
# source a name that does not begin with a slash or a dot. The
# LDAP parameters will then be accessible as the name you've
# given the source in its definition, an underscore, and the
# name of the parameter. For example, if the map is
# specified as "ldap:\fIldapsource\fR", the "server_host"
# parameter below would be defined in main.cf as
# "\fIldapsource\fR_server_host".
#
# Note: with this form, the passwords for the LDAP sources are
# written in main.cf, which is normally world-readable. Support
# for this form will be removed in a future Postfix version.
#
# For backwards compatibility with the pre-2.2 LDAP clients,
# \fBresult_filter\fR can for now be used instead
# of \fBresult_format\fR, when the latter parameter is not also set.
# The new name better reflects the function of the parameter. This
# compatibility interface may be removed in a future release.
# LIST MEMBERSHIP
# .ad
# .fi
# When using LDAP to store lists such as $mynetworks,
# $mydestination, $relay_domains, $local_recipient_maps,
# etc., it is important to understand that the table must
# store each list member as a separate key. The table lookup
# verifies the *existence* of the key. See "Postfix lists
# versus tables" in the DATABASE_README document for a
# discussion.
#
# Do NOT create tables that return the full list of domains
# in $mydestination or $relay_domains etc., or IP addresses
# in $mynetworks.
#
# DO create tables with each matching item as a key and with
# an arbitrary value. With LDAP databases it is not uncommon to
# return the key itself.
#
# For example, NEVER do this in a map defining $mydestination:
#
# .nf
# query_filter = domain=*
# result_attribute = domain
# .fi
#
# Do this instead:
#
# .nf
# query_filter = domain=%s
# result_attribute = domain
# .fi
# GENERAL LDAP PARAMETERS
# .ad
# .fi
# In the text below, default values are given in parentheses.
# Note: don't use quotes in these variables; at least, not until the
# Postfix configuration routines understand how to deal with quoted
# strings.
# .IP "\fBserver_host (default: localhost)\fR"
# The name of the host running the LDAP server, e.g.
#
# .nf
# server_host = ldap.example.com
# .fi
#
# Depending on the LDAP client library you're using, it should
# be possible to specify multiple servers here, with the library
# trying them in order should the first one fail.
# It should also
# be possible to give each server in the list a different port
# (overriding \fBserver_port\fR below), by naming them like
#
# .nf
# server_host = ldap.example.com:1444
# .fi
#
# With OpenLDAP, a (list of) LDAP URLs can be used to specify both
# the hostname(s) and the port(s):
#
# .nf
# server_host = ldap://ldap.example.com:1444
#     ldap://ldap2.example.com:1444
# .fi
#
# All LDAP URLs accepted by the OpenLDAP library are supported,
# including connections over UNIX domain sockets, and LDAP SSL
# (the last one provided that OpenLDAP was compiled with support
# for SSL):
#
# .nf
# server_host = ldapi://%2Fsome%2Fpath
#     ldaps://ldap.example.com:636
# .fi
# .IP "\fBserver_port (default: 389)\fR"
# The port the LDAP server listens on, e.g.
#
# .nf
# server_port = 778
# .fi
# .IP "\fBtimeout (default: 10 seconds)\fR"
# The number of seconds a search can take before timing out, e.g.
#
# .nf
# timeout = 5
# .fi
# .IP "\fBsearch_base (No default; you must configure this)\fR"
# The RFC 2253 base DN at which to conduct the search, e.g.
#
# .nf
# search_base = dc=your, dc=com
# .fi
# .IP
# With Postfix 2.2 and later this parameter supports the
# following '%' expansions:
# .RS
# .IP "\fB\fB%%\fR\fR"
# This is replaced by a literal '%' character.
# .IP "\fB\fB%s\fR\fR"
# This is replaced by the input key.
# RFC 2253 quoting is used to make sure that the input key
# does not add unexpected metacharacters.
# .IP "\fB\fB%u\fR\fR"
# When the input key is an address of the form user@domain, \fB%u\fR
# is replaced by the (RFC 2253) quoted local part of the address.
# Otherwise, \fB%u\fR is replaced by the entire search string.
# If the localpart is empty, the search is suppressed and returns
# no results.
# .IP "\fB\fB%d\fR\fR"
# When the input key is an address of the form user@domain, \fB%d\fR
# is replaced by the (RFC 2253) quoted domain part of the address.
# Otherwise, the search is suppressed and returns no results.
# .IP "\fB\fB%[SUD]\fR\fR"
# For the \fBsearch_base\fR parameter, the upper-case equivalents
# of the above expansions behave identically to their lower-case
# counterparts. With the \fBresult_format\fR parameter (previously
# called \fBresult_filter\fR; see the BACKWARDS COMPATIBILITY section
# and below), they expand to the corresponding components of the
# input key rather than the result value.
# .IP "\fB\fB%[1-9]\fR\fR"
# The patterns %1, %2, ... %9 are replaced by the corresponding
# most significant component of the input key's domain. If the
# input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
# unqualified or does not have enough domain components to satisfy
# all the specified patterns, the search is suppressed and returns
# no results.
# .RE
# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR"
# The RFC 2254 filter used to search the directory, where \fB%s\fR
# is a substitute for the address Postfix is trying to resolve,
# e.g.
#
# .nf
# query_filter = (&(mail=%s)(paid_up=true))
# .fi
#
# This parameter supports the following '%' expansions:
# .RS
# .IP "\fB\fB%%\fR\fR"
# This is replaced by a literal '%' character. (Postfix 2.2 and later).
# .IP "\fB\fB%s\fR\fR"
# This is replaced by the input key.
# RFC 2254 quoting is used to make sure that the input key
# does not add unexpected metacharacters.
# .IP "\fB\fB%u\fR\fR"
# When the input key is an address of the form user@domain, \fB%u\fR
# is replaced by the (RFC 2254) quoted local part of the address.
# Otherwise, \fB%u\fR is replaced by the entire search string.
# If the localpart is empty, the search is suppressed and returns
# no results.
# .IP "\fB\fB%d\fR\fR"
# When the input key is an address of the form user@domain, \fB%d\fR
# is replaced by the (RFC 2254) quoted domain part of the address.
# Otherwise, the search is suppressed and returns no results.
# .IP "\fB\fB%[SUD]\fR\fR"
# The upper-case equivalents of the above expansions behave in the
# \fBquery_filter\fR parameter identically to their lower-case
# counterparts. With the \fBresult_format\fR parameter (previously
# called \fBresult_filter\fR; see the BACKWARDS COMPATIBILITY section
# and below), they expand to the corresponding components of the
# input key rather than the result value.
# .IP
# The above %S, %U and %D expansions are available with Postfix 2.2
# and later.
# .IP "\fB\fB%[1-9]\fR\fR"
# The patterns %1, %2, ... %9 are replaced by the corresponding
# most significant component of the input key's domain. If the
# input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
# unqualified or does not have enough domain components to satisfy
# all the specified patterns, the search is suppressed and returns
# no results.
# .IP
# The above %1, ..., %9 expansions are available with Postfix 2.2
# and later.
# .RE
# .IP
# The "domain" parameter described below limits the input
# keys to addresses in matching domains. When the "domain"
# parameter is non-empty, LDAP queries for unqualified
# addresses or addresses in non-matching domains are suppressed
# and return no results.
#
# NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter.
# .IP "\fBresult_format (default: \fB%s\fR)\fR"
# Called \fBresult_filter\fR in Postfix releases prior to 2.2.
# Format template applied to result attributes. Most commonly used
# to append (or prepend) text to the result.
# This parameter supports
# the following '%' expansions:
# .RS
# .IP "\fB\fB%%\fR\fR"
# This is replaced by a literal '%' character. (Postfix 2.2 and later).
# .IP "\fB\fB%s\fR\fR"
# This is replaced by the value of the result attribute. When
# the result is empty it is skipped.
# .IP "\fB\fB%u\fR\fR"
# When the result attribute value is an address of the form
# user@domain, \fB%u\fR is replaced by the local part of the
# address. When the result has an empty localpart it is skipped.
# .IP "\fB\fB%d\fR\fR"
# When a result attribute value is an address of the form
# user@domain, \fB%d\fR is replaced by the domain part of
# the attribute value. When the result is unqualified it
# is skipped.
# .IP "\fB\fB%[SUD1-9]\fR\fR"
# The upper-case and decimal digit expansions interpolate
# the parts of the input key rather than the result. Their
# behavior is identical to that described with \fBquery_filter\fR,
# and in fact because the input key is known in advance, lookups
# whose key does not contain all the information specified in
# the result template are suppressed and return no results.
# .IP
# The above %S, %U, %D and %1, ..., %9 expansions are available with
# Postfix 2.2 and later.
# .RE
# .IP
# For example, using "result_format = smtp:[%s]" allows one
# to use a mailHost attribute as the basis of a transport(5)
# table. After applying the result format, multiple values
# are concatenated as comma separated strings. The expansion_limit
# and size_limit parameters explained below allow one to
# restrict the number of values in the result, which is
# especially useful for maps that should return a single
# value.
#
# The default value \fB%s\fR specifies that each
# attribute value should be used as is.
#
# This parameter was called \fBresult_filter\fR in Postfix
# releases prior to 2.2.
# If no "result_format" is specified,
# the value of "result_filter" will be used instead before
# resorting to the default value. This provides compatibility
# with old configuration files.
#
# NOTE: DO NOT put quotes around the result format!
# .IP "\fBdomain (default: no domain list)\fR"
# This is a list of domain names, paths to files, or
# dictionaries. When specified, only fully qualified search
# keys with a *non-empty* localpart and a matching domain
# are eligible for lookup: 'user' lookups, bare domain lookups
# and "@domain" lookups are not performed. This can significantly
# reduce the query load on the LDAP server.
#
# .nf
# domain = postfix.org, hash:/etc/postfix/searchdomains
# .fi
#
# It is best not to use LDAP to store the domains eligible
# for LDAP lookups.
#
# NOTE: DO NOT define this parameter for local(8) aliases.
#
# This feature is available in Postfix 1.0 and later.
# .IP "\fBresult_attribute (default: maildrop)\fR"
# The attribute(s) Postfix will read from any directory
# entries returned by the lookup, to be resolved to an email
# address.
#
# .nf
# result_attribute = mailbox, maildrop
# .fi
#
# Don't rely on the default value ("maildrop"). Set the
# result_attribute explicitly in all LDAP table configuration
# files. This is particularly relevant when no result_attribute
# is applicable, e.g. cases in which leaf_result_attribute and/or
# terminal_result_attribute are used instead. The default value
# is harmless if "maildrop" is also listed as a leaf or terminal
# result attribute, but it is best not to leave this to chance.
# .IP "\fBspecial_result_attribute (default: empty)\fR"
# The attribute(s) of directory entries that can contain DNs
# or RFC 2255 LDAP URLs. If found, a recursive search
# is performed to retrieve the entry referenced by the DN, or
# the entries matched by the URL query.
#
# .nf
# special_result_attribute = memberdn
# .fi
#
# DN recursion retrieves the same result_attributes as the
# main query, including the special attributes for further
# recursion.
#
# URL processing retrieves only those attributes that are included
# in both the URL definition and as result attributes (ordinary,
# special, leaf or terminal) in the Postfix table definition.
# If the URL lists any of the table's special result attributes,
# these are retrieved and used recursively. A URL that does not
# specify any attribute selection is equivalent (RFC 2255) to a
# URL that selects all attributes, in which case the selected
# attributes will be the full set of result attributes in the
# Postfix table.
#
# If an LDAP URL attribute-descriptor or the corresponding Postfix
# LDAP table result attribute (but not both) uses RFC 2255 sub-type
# options ("attr;option"), the attribute requested from the LDAP server
# will include the sub-type option. In all other cases, the URL
# attribute and the table attribute must match exactly. Attributes
# with options in both the URL and the Postfix table are requested
# only when the options are identical. LDAP attribute-descriptor
# options are very rarely used; most LDAP users will not
# need to concern themselves with this level of nuanced detail.
# .IP "\fBterminal_result_attribute (default: empty)\fR"
# When one or more terminal result attributes are found in an LDAP
# entry, all other result attributes are ignored and only the terminal
# result attributes are returned. This is useful for delegating expansion
# of group members to a particular host, by using an optional "maildrop"
# attribute on selected groups to route the group to a specific host,
# where the group is expanded, possibly via a mailing-list manager or
# other special processing.
#
# .nf
# result_attribute =
# terminal_result_attribute = maildrop
# .fi
#
# When using terminal and/or leaf result attributes, the
# result_attribute is best set to an empty value when it is not
# used, or else explicitly set to the desired value, even if it is
# the default value "maildrop".
#
# This feature is available with Postfix 2.4 or later.
# .IP "\fBleaf_result_attribute (default: empty)\fR"
# When one or more special result attributes are found in a non-terminal
# (see above) LDAP entry, leaf result attributes are excluded from the
# expansion of that entry. This is useful when expanding groups and the
# desired mail address attribute(s) of the member objects obtained via
# DN or URI recursion are also present in the group object. To only
# return the attribute values from the leaf objects and not the
# containing group, add the attribute to the leaf_result_attribute list,
# and not the result_attribute list, which is always expanded. Note that
# the default value of "result_attribute" is not empty; you may want to
# set it explicitly empty when using "leaf_result_attribute" to expand
# the group to a list of member DN addresses. If groups have both
# member DN references AND attributes that hold multiple string valued
# rfc822 addresses, then the string attributes go in "result_attribute".
# The attributes that represent the email addresses of objects
# referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
#
# .nf
# result_attribute = memberaddr
# special_result_attribute = memberdn
# terminal_result_attribute = maildrop
# leaf_result_attribute = mail
# .fi
#
# When using terminal and/or leaf result attributes, the
# result_attribute is best set to an empty value when it is not
# used, or else explicitly set to the desired value, even if it is
# the default value "maildrop".
#
# This feature is available with Postfix 2.4 or later.
# .IP "\fBscope (default: sub)\fR"
# The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
# and LDAP_SCOPE_ONELEVEL.
# .IP "\fBbind (default: yes)\fR"
# Whether or how to bind to the LDAP server. Newer LDAP
# implementations don't require clients to bind, which saves
# time. Example:
#
# .nf
# # Don't bind
# bind = no
# # Use SIMPLE bind
# bind = yes
# # Use SASL bind
# bind = sasl
# .fi
#
# Postfix versions prior to 2.8 only support "bind = no", which
# means don't bind, and "bind = yes", which means do a SIMPLE bind.
# Postfix 2.8 and later also support "bind = SASL" when compiled
# with LDAP SASL support as described in LDAP_README; they also add
# the synonyms "bind = none" and "bind = simple" for "bind = no"
# and "bind = yes" respectively. See the SASL section below for
# additional parameters available with "bind = sasl".
#
# If you do need to bind, you might consider configuring
# Postfix to connect to the local machine on a port that's
# an SSL tunnel to your LDAP server. If your LDAP server
# doesn't natively support SSL, put a tunnel (wrapper, proxy,
# whatever you want to call it) on that system too. This
# should prevent the password from traversing the network in
# the clear.
# .IP "\fBbind_dn (default: empty)\fR"
# If you do have to bind, do it with this distinguished name. Example:
#
# .nf
# bind_dn = uid=postfix, dc=your, dc=com
# .fi
# With "bind = sasl" (see above) the DN may be optional for some SASL
# mechanisms; don't specify a DN if not needed.
# .IP "\fBbind_pw (default: empty)\fR"
# The password for the distinguished name above. If you have
# to use this, you probably want to make the map configuration
# file readable only by the Postfix user.
# When using the
# obsolete ldap:ldapsource syntax, with map parameters in
# main.cf, it is not possible to securely store the bind
# password. This is because main.cf needs to be world readable
# to allow local accounts to submit mail via the sendmail
# command. Example:
#
# .nf
# bind_pw = postfixpw
# .fi
# With "bind = sasl" (see above) the password may be optional
# for some SASL mechanisms; don't specify a password if not needed.
# .IP "\fBcache (IGNORED with a warning)\fR"
# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
# .IP "\fBcache_size (IGNORED with a warning)\fR"
# The above parameters are NO LONGER SUPPORTED by Postfix.
# Cache support has been dropped from OpenLDAP as of release
# 2.1.13.
# .IP "\fBrecursion_limit (default: 1000)\fR"
# A limit on the nesting depth of DN and URL special result
# attribute evaluation. The limit must be a non-zero positive
# number.
# .IP "\fBexpansion_limit (default: 0)\fR"
# A limit on the total number of result elements returned
# (as a comma separated list) by a lookup against the map.
# A setting of zero disables the limit. Lookups fail with a
# temporary error if the limit is exceeded. Setting the
# limit to 1 ensures that lookups do not return multiple
# values.
# .IP "\fBsize_limit (default: $expansion_limit)\fR"
# A limit on the number of LDAP entries returned by any single
# LDAP search performed as part of the lookup. A setting of
# 0 disables the limit. Expansion of DN and URL references
# involves nested LDAP queries, each of which is separately
# subjected to this limit.
#
# Note: even a single LDAP entry can generate multiple lookup
# results, via multiple result attributes and/or multi-valued
# result attributes. This limit caps the per-search resource
# utilization on the LDAP server, not the final multiplicity
# of the lookup result.
# It is analogous to the "-z" option
# of "ldapsearch".
# .IP "\fBdereference (default: 0)\fR"
# When to dereference LDAP aliases. (Note that this has
# nothing to do with Postfix aliases.) The permitted values are
# those legal for the OpenLDAP/UM LDAP implementations:
# .RS
# .IP 0
# never
# .IP 1
# when searching
# .IP 2
# when locating the base object for the search
# .IP 3
# always
# .RE
# .IP
# See ldap.h or the ldap_open(3) or ldapsearch(1) man pages
# for more information. And if you're using an LDAP package
# that has other possible values, please bring it to the
# attention of the postfix-users@postfix.org mailing list.
# .IP "\fBchase_referrals (default: 0)\fR"
# Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
# 3 support).
# .IP "\fBversion (default: 2)\fR"
# Specifies the LDAP protocol version to use.
# .IP "\fBdebuglevel (default: 0)\fR"
# What level to set for debugging in the OpenLDAP libraries.
# LDAP SASL PARAMETERS
# .ad
# .fi
# If you're using the OpenLDAP libraries compiled with SASL
# support, Postfix 2.8 and later built with LDAP SASL support
# as described in LDAP_README can authenticate to LDAP servers
# via SASL.
#
# This enables authentication to the LDAP server via mechanisms
# other than a simple password. The added flexibility has a cost:
# it is no longer practical to set an explicit timeout on the duration
# of an LDAP bind operation. Under adverse conditions, whether a SASL
# bind times out at all, and if so after how long, is determined by
# the LDAP and SASL libraries.
#
# It is best to access tables that use SASL binds via proxymap(8); this
# way the requesting process can time out the proxymap request. This
# also lets you tailor the process environment by overriding the
# proxymap(8) import_environment setting in master.cf(5).
# Special
# environment settings may be needed to configure GSSAPI credential
# caches or other SASL mechanism specific options. The GSSAPI
# credentials used for LDAP lookups may need to differ from, say,
# those used for the Postfix SMTP client to authenticate to remote
# servers.
#
# Using SASL mechanisms requires LDAP protocol version 3; the default
# protocol version is 2 for backwards compatibility. You must set
# "version = 3" in addition to "bind = sasl".
#
# The following parameters are relevant to using LDAP with SASL:
# .IP "\fBsasl_mechs (default: empty)\fR"
# Space separated list of SASL mechanism(s) to try.
# .IP "\fBsasl_realm (default: empty)\fR"
# SASL Realm to use, if applicable.
# .IP "\fBsasl_authz_id (default: empty)\fR"
# The SASL authorization identity to assert, if applicable.
# .IP "\fBsasl_minssf (default: 0)\fR"
# The minimum SASL security strength factor (SSF) required to
# establish a connection.
# LDAP SSL AND STARTTLS PARAMETERS
# .ad
# .fi
# If you're using the OpenLDAP libraries compiled with SSL
# support, Postfix can connect to LDAP SSL servers and can
# issue the STARTTLS command.
#
# LDAP SSL service can be requested by using an LDAP SSL URL
# in the server_host parameter:
#
# .nf
# server_host = ldaps://ldap.example.com:636
# .fi
#
# STARTTLS can be turned on with the start_tls parameter:
#
# .nf
# start_tls = yes
# .fi
#
# Both forms require LDAP protocol version 3, which has to be set
# explicitly with:
#
# .nf
# version = 3
# .fi
#
# If any of the Postfix programs querying the map is configured in
# master.cf to run chrooted, all the certificates and keys involved
# have to be copied to the chroot jail. Of course, the private keys
# should only be readable by the user "postfix".
#
# The following parameters are relevant to LDAP SSL and STARTTLS:
# .IP "\fBstart_tls (default: no)\fR"
# Whether or not to issue STARTTLS upon connection to the
# server. Don't set this with LDAP SSL (the SSL session is set up
# automatically when the TCP connection is opened).
# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR"
# Directory containing X509 Certificate Authority certificates
# in PEM format which are to be recognized by the client in
# SSL/TLS connections. The files each contain one CA certificate.
# The files are looked up by the CA subject name hash value,
# which must hence be available. If more than one CA certificate
# with the same name hash value exists, the extension must be
# different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is
# performed in the ordering of the extension number, regardless
# of other properties of the certificates. Use the c_rehash
# utility (from the OpenSSL distribution) to create the
# necessary links.
# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR"
# File containing the X509 Certificate Authority certificates
# in PEM format which are to be recognized by the client in
# SSL/TLS connections. This setting takes precedence over
# tls_ca_cert_dir.
# .IP "\fBtls_cert (No default; you must set this)\fR"
# File containing the client's X509 certificate to be used by
# the client in SSL/TLS connections.
# .IP "\fBtls_key (No default; you must set this)\fR"
# File containing the private key corresponding to the above
# tls_cert.
# .IP "\fBtls_require_cert (default: no)\fR"
# Whether or not to request the server's X509 certificate and
# check its validity when establishing SSL/TLS connections.
# The supported values are \fBno\fR and \fByes\fR.
# .sp
# With \fBno\fR, the server certificate trust chain is not checked,
# but with OpenLDAP prior to 2.1.13, the name in the server
# certificate must still match the LDAP server name. With OpenLDAP
# 2.0.0 to 2.0.11 the server name is not necessarily what you
# specified; rather, it is determined (by reverse lookup) from the
# IP address of the LDAP server connection. With OpenLDAP prior to
# 2.0.13, subjectAlternativeName extensions in the LDAP server
# certificate are ignored: the server name must match the subject
# CommonName. The \fBno\fR setting corresponds to the \fBnever\fR
# value of \fBTLS_REQCERT\fR in LDAP client configuration files.
# .sp
# Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
# if you can avoid it.
# .sp
# With \fByes\fR, the server certificate must be issued by a trusted
# CA, and not be expired. The LDAP server name must match one of the
# name(s) found in the certificate (see above for OpenLDAP library
# version dependent behavior). The \fByes\fR setting corresponds to the
# \fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration
# files.
# .sp
# The "try" and "never" values of \fBTLS_REQCERT\fR have no equivalents
# here. They are not available with OpenLDAP 2.0, and in any case have
# questionable security properties. Either you want TLS verified LDAP
# connections, or you don't.
# .sp
# The \fByes\fR value only works correctly with Postfix 2.5 and later,
# or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
# releases don't work together with this setting. Support for LDAP
# over TLS was added to Postfix based on the OpenLDAP 2.0 API.
# .IP "\fBtls_random_file (No default)\fR"
# Path of a file to obtain random bits from when /dev/[u]random
# is not available, to be used by the client in SSL/TLS
# connections.
# .IP "\fBtls_cipher_suite (No default)\fR"
# Cipher suite to use in SSL/TLS negotiations.
# EXAMPLE
# .ad
# .fi
# Here's a basic example of using LDAP to look up local(8)
# aliases.
# Assume that in main.cf, you have:
#
# .nf
# alias_maps = hash:/etc/aliases,
#     ldap:/etc/postfix/ldap-aliases.cf
# .fi
#
# and in ldap:/etc/postfix/ldap-aliases.cf you have:
#
# .nf
# server_host = ldap.example.com
# search_base = dc=example, dc=com
# .fi
#
# Upon receiving mail for a local address "ldapuser" that
# isn't found in the /etc/aliases database, Postfix will
# search the LDAP server listening at port 389 on ldap.example.com.
# It will bind anonymously, search for any directory entries
# whose mailacceptinggeneralid attribute is "ldapuser", read
# the "maildrop" attributes of those found, and build a list
# of their maildrops, which will be treated as RFC822 addresses
# to which the message will be delivered.
# SEE ALSO
# postmap(1), Postfix lookup table manager
# postconf(5), configuration parameters
# mysql_table(5), MySQL lookup tables
# pgsql_table(5), PostgreSQL lookup tables
# README FILES
# .ad
# .fi
# Use "\fBpostconf readme_directory\fR" or
# "\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
# DATABASE_README, Postfix lookup table overview
# LDAP_README, Postfix LDAP client guide
# LICENSE
# .ad
# .fi
# The Secure Mailer license must be distributed with this software.
# AUTHOR(S)
# .ad
# .fi
# Carsten Hoeger,
# Hery Rakotoarisoa,
# John Hensley,
# Keith Stevenson,
# LaMont Jones,
# Liviu Daia,
# Manuel Guesdon,
# Mike Mattice,
# Prabhat K Singh,
# Sami Haahtinen,
# Samuel Tardieu,
# Victor Duchovni,
# and many others.
#--
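The '%' expansions that the GENERAL LDAP PARAMETERS section documents for search_base, query_filter and result_format, together with the "domain" eligibility rule and expansion_limit, as an added Python illustration that is not part of this manual page or of Postfix's own code. It models the "domain" parameter as a plain list (the manual also allows files and dictionaries), applies RFC 2254 quoting to the %1-%9 components just as to %s (this example's choice, which the manual does not spell out), and shows that the documented quoting keeps filter metacharacters in an input key from changing the structure of the search filter.

```python
"""Illustrative re-implementation (not Postfix's own code) of the '%' expansions
that ldap_table(5) documents for query_filter, search_base and result_format,
and of the "domain" eligibility rule."""
import re

class Suppressed(Exception):
    """The manual's "search is suppressed" / "result is skipped" outcome."""

def fail():
    raise Suppressed

def rfc2254_quote(value):
    """RFC 2254 filter quoting: metacharacters become \\XX hex escapes, so an
    input key cannot alter the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def rfc2253_quote(value):
    """RFC 2253 DN quoting for values interpolated into search_base."""
    last = len(value) - 1
    return "".join("\\" + c if c in ',+"\\<>;' or (i == 0 and c in "# ")
                   or (i == last and c == " ") else c
                   for i, c in enumerate(value))

def split_address(key):
    """(localpart, domain) for user@domain keys, (key, None) when unqualified."""
    local, at, domain = key.rpartition("@")
    return (local, domain) if at else (key, None)

def expand(template, key, quote, result=None):
    """Expand TEMPLATE for input KEY.  Without RESULT this is query_filter /
    search_base behaviour; with RESULT it is result_format, where %s/%u/%d take
    the result value and %S/%U/%D/%1-%9 the input key.  None = suppressed/skipped."""
    local, domain = split_address(key)
    labels = domain.split(".")[::-1] if domain is not None else []  # %1 = most significant

    def key_part(c):                      # %S %U %D %1..%9, quoted like %s
        if c == "S":
            return quote(key)
        if c == "U":
            return quote(local) if local else fail()
        if c == "D":
            return quote(domain) if domain is not None else fail()
        return quote(labels[int(c) - 1]) if int(c) <= len(labels) else fail()

    def result_part(c):                   # %s %u %d taken from the result value
        rlocal, rdomain = split_address(result)
        if c == "s":
            return result if result else fail()
        if c == "u":
            return rlocal if rlocal else fail()
        return rdomain if rdomain is not None else fail()

    def replace(m):
        c = m.group(1)
        if c == "%":
            return "%"
        if c in "SUD123456789":
            return key_part(c)
        if c in "sud":
            return result_part(c) if result is not None else key_part(c.upper())
        raise ValueError("unknown expansion %" + c)

    try:
        return re.sub(r"%(.)", replace, template)
    except Suppressed:
        return None

def eligible(key, domains):
    """The "domain" parameter (a plain list here): when non-empty, only user@domain
    keys with a non-empty localpart and a listed domain are looked up at all."""
    if not domains:
        return True
    local, domain = split_address(key)
    return bool(local) and domain is not None and domain.lower() in map(str.lower, domains)

def build_search(cfg, key):
    """(search_base, query_filter) to send to the server, or None when suppressed."""
    if not eligible(key, cfg.get("domain", [])):
        return None
    base = expand(cfg["search_base"], key, rfc2253_quote)
    flt = expand(cfg["query_filter"], key, rfc2254_quote)
    return None if base is None or flt is None else (base, flt)

def format_results(cfg, key, values):
    """Apply result_format to each attribute value, drop skipped ones, join the
    rest with commas, and enforce expansion_limit (0 = unlimited)."""
    fmt = cfg.get("result_format", "%s")
    out = [r for r in (expand(fmt, key, rfc2254_quote, v) for v in values) if r is not None]
    limit = int(cfg.get("expansion_limit", 0))
    if limit and len(out) > limit:
        raise LookupError("expansion_limit exceeded: temporary lookup failure")
    return ",".join(out) if out else None
```

With a table defining `domain = example.com`, `build_search(cfg, "alice@other.org")` and `build_search(cfg, "alice")` return None without contacting the server, while a key such as `a*b(c)@example.com` reaches the filter as `a\2ab\28c\29@example.com`.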