1#++
2# NAME
3#	ldap_table 5
4# SUMMARY
5#	Postfix LDAP client configuration
6# SYNOPSIS
7#	\fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/\fIfilename\fR
8#
9#	\fBpostmap -q - ldap:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
10# DESCRIPTION
11#	The Postfix mail system uses optional tables for address
12#	rewriting or mail routing. These tables are usually in
13#	\fBdbm\fR or \fBdb\fR format.
14#
15#	Alternatively, lookup tables can be specified as LDAP databases.
16#
17#	In order to use LDAP lookups, define an LDAP source as a lookup
18#	table in main.cf, for example:
19#
20# .nf
21#	    alias_maps = ldap:/etc/postfix/ldap-aliases.cf
22# .fi
23#
24#	The file /etc/postfix/ldap-aliases.cf has the same format as
25#	the Postfix main.cf file, and can specify the parameters
26#	described below. An example is given at the end of this manual.
27#
28#	This configuration method is available with Postfix version
29#	2.1 and later.  See the section "BACKWARDS COMPATIBILITY"
30#	below for older Postfix versions.
31#
32#	For details about LDAP SSL and STARTTLS, see the section
33#	on SSL and STARTTLS below.
34# BACKWARDS COMPATIBILITY
35# .ad
36# .fi
37#	For backwards compatibility with Postfix version 2.0 and earlier,
38#	LDAP parameters can also be defined in main.cf.  Specify
39#	as LDAP source a name that doesn't begin with a slash or
40#	a dot.  The LDAP parameters will then be accessible as the
41#	name you've given the source in its definition, an underscore,
42#	and the name of the parameter.  For example, if the map is
43#	specified as "ldap:\fIldapsource\fR", the "server_host"
44#	parameter below would be defined in main.cf as
45#	"\fIldapsource\fR_server_host".
46#
47#	Note: with this form, the passwords for the LDAP sources are
48#	written in main.cf, which is normally world-readable.  Support
49#	for this form will be removed in a future Postfix version.
50#
51#	For backwards compatibility with pre-2.2 LDAP clients,
52#	\fBresult_filter\fR can for now be used instead of
53#	\fBresult_format\fR, when the latter parameter is not also set.
54#	The new name better reflects the function of the parameter. This
55#	compatibility interface may be removed in a future release.
56# LIST MEMBERSHIP
57# .ad
58# .fi
59#	When using LDAP to store lists such as $mynetworks,
60#	$mydestination, $relay_domains, $local_recipient_maps,
61#	etc., it is important to understand that the table must
62#	store each list member as a separate key. The table lookup
63#	verifies the *existence* of the key. See "Postfix lists
64#	versus tables" in the DATABASE_README document for a
65#	discussion.
66#
67#	Do NOT create tables that return the full list of domains
68#	in $mydestination or $relay_domains etc., or IP addresses
69#	in $mynetworks.
70#
71#	DO create tables with each matching item as a key and with
72#	an arbitrary value. With LDAP databases it is not uncommon to
73#	return the key itself.
74#
75#	For example, NEVER do this in a map defining $mydestination:
76#
77# .nf
78#	    query_filter = domain=* 
79#	    result_attribute = domain
80# .fi
81#
82#	Do this instead:
83#
84# .nf
85#	    query_filter = domain=%s 
86#	    result_attribute = domain
87# .fi
88# GENERAL LDAP PARAMETERS
89# .ad
90# .fi
91#	In the text below, default values are given in parentheses.
92#	Note: don't use quotes in these variables; at least, not until the
93#	Postfix configuration routines understand how to deal with quoted
94#	strings.
95# .IP "\fBserver_host (default: localhost)\fR"
96#	The name of the host running the LDAP server, e.g.
97#
98# .nf
99#	    server_host = ldap.example.com
100# .fi
101#
102#	Depending on the LDAP client library you're using, it should
103#	be possible to specify multiple servers here, with the library
104#	trying them in order should the first one fail. It should also
105#	be possible to give each server in the list a different port
106#	(overriding \fBserver_port\fR below), by naming them like
107#
108# .nf
109#	    server_host = ldap.example.com:1444
110# .fi
111#
112#	With OpenLDAP, a (list of) LDAP URLs can be used to specify both
113#	the hostname(s) and the port(s):
114#
115# .nf
116#	    server_host = ldap://ldap.example.com:1444
117#	                ldap://ldap2.example.com:1444
118# .fi
119#
120#	All LDAP URLs accepted by the OpenLDAP library are supported,
121#	including connections over UNIX domain sockets, and LDAP SSL
122#	(the last one provided that OpenLDAP was compiled with support
123#	for SSL):
124#
125# .nf
126#	    server_host = ldapi://%2Fsome%2Fpath
127#	                ldaps://ldap.example.com:636
128# .fi
129# .IP "\fBserver_port (default: 389)\fR"
130#	The port the LDAP server listens on, e.g.
131#
132# .nf
133#	    server_port = 778
134# .fi
135# .IP "\fBtimeout (default: 10 seconds)\fR"
136#	The number of seconds a search can take before timing out, e.g.
137#
138# .nf
139#	    timeout = 5
140# .fi
141# .IP "\fBsearch_base (No default; you must configure this)\fR"
142#	The RFC2253 base DN at which to conduct the search, e.g.
143#
144# .nf
145#	    search_base = dc=your, dc=com
146# .fi
147# .IP
148#	With Postfix 2.2 and later this parameter supports the
149#	following '%' expansions:
150# .RS
151# .IP "\fB\fB%%\fR\fR"
152#	This is replaced by a literal '%' character.
153# .IP "\fB\fB%s\fR\fR"
154#	This is replaced by the input key.
155#	RFC 2253 quoting is used to make sure that the input key
156#	does not add unexpected metacharacters.
157# .IP "\fB\fB%u\fR\fR"
158#	When the input key is an address of the form user@domain, \fB%u\fR
159#	is replaced by the (RFC 2253) quoted local part of the address.
160#	Otherwise, \fB%u\fR is replaced by the entire search string.
161#	If the localpart is empty, the search is suppressed and returns
162#	no results.
163# .IP "\fB\fB%d\fR\fR"
164#	When the input key is an address of the form user@domain, \fB%d\fR
165#	is replaced by the (RFC 2253) quoted domain part of the address.
166#	Otherwise, the search is suppressed and returns no results.
167# .IP "\fB\fB%[SUD]\fR\fR"
168#	For the \fBsearch_base\fR parameter, the upper-case equivalents
169#	of the above expansions behave identically to their lower-case
170#	counterparts. With the \fBresult_format\fR parameter (previously
171#	called \fBresult_filter\fR; see the COMPATIBILITY section and below),
172#	they expand to the corresponding components of the input key rather
173#	than the result value.
174# .IP "\fB\fB%[1-9]\fR\fR"
175#	The patterns %1, %2, ... %9 are replaced by the corresponding
176#	most significant component of the input key's domain. If the
177#	input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
178#	%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
179#	unqualified or does not have enough domain components to satisfy
180#	all the specified patterns, the search is suppressed and returns
181#	no results.
182# .RE
183# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR"
184#	The RFC2254 filter used to search the directory, where \fB%s\fR
185#	is a substitute for the address Postfix is trying to resolve,
186#	e.g.
187#
188# .nf
189#	    query_filter = (&(mail=%s)(paid_up=true))
190# .fi
191#
192#	This parameter supports the following '%' expansions:
193# .RS
194# .IP "\fB\fB%%\fR\fR"
195#	This is replaced by a literal '%' character. (Postfix 2.2 and later).
196# .IP "\fB\fB%s\fR\fR"
197#	This is replaced by the input key.
198#	RFC 2254 quoting is used to make sure that the input key
199#	does not add unexpected metacharacters.
200# .IP "\fB\fB%u\fR\fR"
201#	When the input key is an address of the form user@domain, \fB%u\fR
202#	is replaced by the (RFC 2254) quoted local part of the address.
203#	Otherwise, \fB%u\fR is replaced by the entire search string.
204#	If the localpart is empty, the search is suppressed and returns
205#	no results.
206# .IP "\fB\fB%d\fR\fR"
207#	When the input key is an address of the form user@domain, \fB%d\fR
208#	is replaced by the (RFC 2254) quoted domain part of the address.
209#	Otherwise, the search is suppressed and returns no results.
210# .IP "\fB\fB%[SUD]\fR\fR"
211#	The upper-case equivalents of the above expansions behave in the
212#	\fBquery_filter\fR parameter identically to their lower-case
213#	counterparts. With the \fBresult_format\fR parameter (previously
214#	called \fBresult_filter\fR; see the COMPATIBILITY section and below),
215#	they expand to the corresponding components of the input key rather
216#	than the result value.
217# .IP
218#	The above %S, %U and %D expansions are available with Postfix 2.2
219#	and later.
220# .IP "\fB\fB%[1-9]\fR\fR"
221#	The patterns %1, %2, ... %9 are replaced by the corresponding
222#	most significant component of the input key's domain. If the
223#	input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
224#	%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
225#	unqualified or does not have enough domain components to satisfy
226#	all the specified patterns, the search is suppressed and returns
227#	no results.
228# .IP
229#	The above %1, ..., %9 expansions are available with Postfix 2.2
230#	and later.
231# .RE
232# .IP
233#	The "domain" parameter described below limits the input
234#	keys to addresses in matching domains. When the "domain"
235#	parameter is non-empty, LDAP queries for unqualified
236#	addresses or addresses in non-matching domains are suppressed
237#	and return no results.
238#
239#	NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter.
240# .IP "\fBresult_format (default: \fB%s\fR)\fR"
241#	Called \fBresult_filter\fR in Postfix releases prior to 2.2.
242#	Format template applied to result attributes. Most commonly used
243#	to append (or prepend) text to the result. This parameter supports
244#	the following '%' expansions:
245# .RS
246# .IP "\fB\fB%%\fR\fR"
247#	This is replaced by a literal '%' character. (Postfix 2.2 and later).
248# .IP "\fB\fB%s\fR\fR"
249#	This is replaced by the value of the result attribute. When
250#	result is empty it is skipped.
251# .IP "\fB\fB%u\fR\fR"
252#	When the result attribute value is an address of the form
253#	user@domain, \fB%u\fR is replaced by the local part of the
254#	address. When the result has an empty localpart it is skipped.
255# .IP "\fB\fB%d\fR\fR"
256#	When a result attribute value is an address of the form
257#	user@domain, \fB%d\fR is replaced by the domain part of
258#	the attribute value. When the result is unqualified it
259#	is skipped.
260# .IP "\fB\fB%[SUD1-9]\fR\fR"
261#	The upper-case and decimal digit expansions interpolate
262#	the parts of the input key rather than the result. Their
263#	behavior is identical to that described with \fBquery_filter\fR,
264#	and in fact because the input key is known in advance, lookups
265#	whose key does not contain all the information specified in
266#	the result template are suppressed and return no results.
267# .IP
268#	The above %S, %U, %D and %1, ..., %9 expansions are available with
269#	Postfix 2.2 and later.
270# .RE
271# .IP
272#	For example, using "result_format = smtp:[%s]" allows one
273#	to use a mailHost attribute as the basis of a transport(5)
274#	table. After applying the result format, multiple values
275#	are concatenated as comma separated strings. The expansion_limit
276#	and size_limit parameters explained below allow one to
277#	restrict the number of values in the result, which is
278#	especially useful for maps that should return a single
279#	value.
280#
281#	The default value \fB%s\fR specifies that each
282#	attribute value should be used as is.
283#
284#	This parameter was called \fBresult_filter\fR in Postfix
285#	releases prior to 2.2. If no "result_format" is specified,
286#	the value of "result_filter" will be used instead before
287#	resorting to the default value. This provides compatibility
288#	with old configuration files.
289#
290#	NOTE: DO NOT put quotes around the result format!
291# .IP "\fBdomain (default: no domain list)\fR"
292#	This is a list of domain names, paths to files, or
293#	dictionaries. When specified, only fully qualified search
294#	keys with a *non-empty* localpart and a matching domain
295#	are eligible for lookup: 'user' lookups, bare domain lookups
296#	and "@domain" lookups are not performed. This can significantly
297#	reduce the query load on the LDAP server.
298#
299# .nf
300#	    domain = postfix.org, hash:/etc/postfix/searchdomains
301# .fi
302#
303#	It is best not to use LDAP to store the domains eligible
304#	for LDAP lookups.
305#
306#	NOTE: DO NOT define this parameter for local(8) aliases.
307#
308#	This feature is available in Postfix 1.0 and later.
309# .IP "\fBresult_attribute (default: maildrop)\fR"
310#	The attribute(s) Postfix will read from any directory
311#	entries returned by the lookup, to be resolved to an email
312#	address.
313#
314# .nf
315#	    result_attribute = mailbox, maildrop
316# .fi
317#
318#	Don't rely on the default value ("maildrop"). Set the
319#	result_attribute explicitly in all ldap table configuration
320#	files. This is particularly relevant when no result_attribute
321#	is applicable, e.g. cases in which leaf_result_attribute and/or
322#	terminal_result_attribute are used instead. The default value
323#	is harmless if "maildrop" is also listed as a leaf or terminal
324#	result attribute, but it is best to not leave this to chance.
325# .IP "\fBspecial_result_attribute (default: empty)\fR"
326#	The attribute(s) of directory entries that can contain DNs
327#	or RFC 2255 LDAP URLs. If found, a recursive search
328#	is performed to retrieve the entry referenced by the DN, or
329#	the entries matched by the URL query.
330#
331# .nf
332#	    special_result_attribute = memberdn
333# .fi
334#
335#	DN recursion retrieves the same result_attributes as the
336#	main query, including the special attributes for further
337#	recursion.
338#
339#	URL processing retrieves only those attributes that are included
340#	in both the URL definition and as result attributes (ordinary,
341#	special, leaf or terminal) in the Postfix table definition.
342#	If the URL lists any of the table's special result attributes,
343#	these are retrieved and used recursively. A URL that does not
344#	specify any attribute selection is equivalent (RFC 2255) to a
345#	URL that selects all attributes, in which case the selected
346#	attributes will be the full set of result attributes in the
347#	Postfix table.
348#
349#	If an LDAP URL attribute-descriptor or the corresponding Postfix
350#	LDAP table result attribute (but not both) uses RFC 2255 sub-type
351#	options ("attr;option"), the attribute requested from the LDAP server
352#	will include the sub-type option. In all other cases, the URL
353#	attribute and the table attribute must match exactly. Attributes
354#	with options in both the URL and the Postfix table are requested
355#	only when the options are identical. LDAP attribute-descriptor
356#	options are very rarely used; most LDAP users will not
357#	need to concern themselves with this level of nuanced detail.
358# .IP "\fBterminal_result_attribute (default: empty)\fR"
359#	When one or more terminal result attributes are found in an LDAP
360#	entry, all other result attributes are ignored and only the terminal
361#	result attributes are returned. This is useful for delegating expansion
362#	of group members to a particular host, by using an optional "maildrop"
363#	attribute on selected groups to route the group to a specific host,
364#	where the group is expanded, possibly via mailing-list manager or
365#	other special processing.
366#
367# .nf
368#	    result_attribute =
369#	    terminal_result_attribute = maildrop
370# .fi
371#
372#	When using terminal and/or leaf result attributes, the
373#	result_attribute is best set to an empty value when it is not
374#	used, or else explicitly set to the desired value, even if it is
375#	the default value "maildrop".
376#
377#	This feature is available with Postfix 2.4 or later.
378# .IP "\fBleaf_result_attribute (default: empty)\fR"
379#	When one or more special result attributes are found in a non-terminal
380#	(see above) LDAP entry, leaf result attributes are excluded from the
381#	expansion of that entry. This is useful when expanding groups and the
382#	desired mail address attribute(s) of the member objects obtained via
383#	DN or URI recursion are also present in the group object. To only
384#	return the attribute values from the leaf objects and not the
385#	containing group, add the attribute to the leaf_result_attribute list,
386#	and not the result_attribute list, which is always expanded. Note:
387#	the default value of "result_attribute" is not empty; you may want to
388#	set it explicitly empty when using "leaf_result_attribute" to expand
389#	the group to a list of member DN addresses. If groups have both
390#	member DN references AND attributes that hold multiple string valued
391#	rfc822 addresses, then the string attributes go in "result_attribute".
392#	The attributes that represent the email addresses of objects
393#	referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
394#
395# .nf
396#	    result_attribute = memberaddr
397#	    special_result_attribute = memberdn
398#	    terminal_result_attribute = maildrop
399#	    leaf_result_attribute = mail
400# .fi
401#
402#	When using terminal and/or leaf result attributes, the
403#	result_attribute is best set to an empty value when it is not
404#	used, or else explicitly set to the desired value, even if it is
405#	the default value "maildrop".
406#
407#	This feature is available with Postfix 2.4 or later.
408# .IP "\fBscope (default: sub)\fR"
409#	The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
410#	These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
411#	and LDAP_SCOPE_ONELEVEL.
412# .IP "\fBbind (default: yes)\fR"
413#	Whether or how to bind to the LDAP server. Newer LDAP
414#	implementations don't require clients to bind, which saves
415#	time. Example:
416#
417# .nf
418#	    # Don't bind
419#	    bind = no
420#	    # Use SIMPLE bind
421#	    bind = yes
422#	    # Use SASL bind
423#	    bind = sasl
424# .fi
425#
426#	Postfix versions prior to 2.8 only support "bind = no" which
427#	means don't bind, and "bind = yes" which means do a SIMPLE bind.
428#	Postfix 2.8 and later also supports "bind = SASL" when compiled
429#	with LDAP SASL support as described in LDAP_README; it also adds
430#	the synonyms "bind = none" and "bind = simple" for "bind = no"
431#	and "bind = yes" respectively. See the SASL section below for
432#	additional parameters available with "bind = sasl".
433#
434#	If you do need to bind, you might consider configuring
435#	Postfix to connect to the local machine on a port that's
436#	an SSL tunnel to your LDAP server. If your LDAP server
437#	doesn't natively support SSL, put a tunnel (wrapper, proxy,
438#	whatever you want to call it) on that system too. This
439#	should prevent the password from traversing the network in
440#	the clear.
441# .IP "\fBbind_dn (default: empty)\fR"
442#	If you do have to bind, do it with this distinguished name. Example:
443#
444# .nf
445#	    bind_dn = uid=postfix, dc=your, dc=com
446# .fi
447#	With "bind = sasl" (see above) the DN may be optional for some SASL
448#	mechanisms, don't specify a DN if not needed.
449# .IP "\fBbind_pw (default: empty)\fR"
450#	The password for the distinguished name above. If you have
451#	to use this, you probably want to make the map configuration
452#	file readable only by the Postfix user. When using the
453#	obsolete ldap:ldapsource syntax, with map parameters in
454#	main.cf, it is not possible to securely store the bind
455#	password. This is because main.cf needs to be world readable
456#	to allow local accounts to submit mail via the sendmail
457#	command. Example:
458#
459# .nf
460#	    bind_pw = postfixpw
461# .fi
462#	With "bind = sasl" (see above) the password may be optional
463#	for some SASL mechanisms, don't specify a password if not needed.
464# .IP "\fBcache (IGNORED with a warning)\fR"
465# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
466# .IP "\fBcache_size (IGNORED with a warning)\fR"
467#	The above parameters are NO LONGER SUPPORTED by Postfix.
468#	Cache support has been dropped from OpenLDAP as of release
469#	2.1.13.
470# .IP "\fBrecursion_limit (default: 1000)\fR"
471#	A limit on the nesting depth of DN and URL special result
472#	attribute evaluation. The limit must be a non-zero positive
473#	number.
474# .IP "\fBexpansion_limit (default: 0)\fR"
475#	A limit on the total number of result elements returned
476#	(as a comma separated list) by a lookup against the map.
477#	A setting of zero disables the limit. Lookups fail with a
478#	temporary error if the limit is exceeded.  Setting the
479#	limit to 1 ensures that lookups do not return multiple
480#	values.
481# .IP "\fBsize_limit (default: $expansion_limit)\fR"
482#	A limit on the number of LDAP entries returned by any single
483#	LDAP search performed as part of the lookup. A setting of
484#	0 disables the limit.  Expansion of DN and URL references
485#	involves nested LDAP queries, each of which is separately
486#	subjected to this limit.
487#
488#	Note: even a single LDAP entry can generate multiple lookup
489#	results, via multiple result attributes and/or multi-valued
490#	result attributes. This limit caps the per search resource
491#	utilization on the LDAP server, not the final multiplicity
492#	of the lookup result. It is analogous to the "-z" option
493#	of "ldapsearch".
494# .IP "\fBdereference (default: 0)\fR"
495#	When to dereference LDAP aliases. (Note that this has
496#	nothing to do with Postfix aliases.) The permitted values are
497#	those legal for the OpenLDAP/UM LDAP implementations:
498# .RS
499# .IP 0 
500#	never
501# .IP 1 
502#	when searching
503# .IP 2 
504#	when locating the base object for the search
505# .IP 3 
506#	always
507# .RE
508# .IP
509#	See ldap.h or the ldap_open(3) or ldapsearch(1) man pages
510#	for more information. And if you're using an LDAP package
511#	that has other possible values, please bring it to the
512#	attention of the postfix-users@postfix.org mailing list.
513# .IP "\fBchase_referrals (default: 0)\fR"
514#	Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
515#	3 support).
516# .IP "\fBversion (default: 2)\fR"
517#	Specifies the LDAP protocol version to use.
518# .IP "\fBdebuglevel (default: 0)\fR"
519#	What level to set for debugging in the OpenLDAP libraries.
520# LDAP SASL PARAMETERS
521# .ad
522# .fi
523#	If you're using the OpenLDAP libraries compiled with SASL
524#	support, Postfix 2.8 and later built with LDAP SASL support
525#	as described in LDAP_README can authenticate to LDAP servers
526#	via SASL.
527#
528#	This enables authentication to the LDAP server via mechanisms
529#	other than a simple password. The added flexibility has a cost:
530#	it is no longer practical to set an explicit timeout on the duration
531#	of an LDAP bind operation. Under adverse conditions, whether a SASL
532#	bind times out at all, and if it does, how long that takes, are
533#	determined by the LDAP and SASL libraries.
534#
535#	It is best to use tables that use SASL binds via proxymap(8); this
536#	way the requesting process can time-out the proxymap request. This
537#	also lets you tailor the process environment by overriding the
538#	proxymap(8) import_environment setting in master.cf(5). Special
539#	environment settings may be needed to configure GSSAPI credential
540#	caches or other SASL mechanism specific options. The GSSAPI
541#	credentials used for LDAP lookups may need to be different than
542#	say those used for the Postfix SMTP client to authenticate to remote
543#	servers.
544#
545#	Using SASL mechanisms requires LDAP protocol version 3, the default
546#	protocol version is 2 for backwards compatibility. You must set
547#	"version = 3" in addition to "bind = sasl".
548#
549#	The following parameters are relevant to using LDAP with SASL
550# .IP "\fBsasl_mechs (default: empty)\fR"
551#	Space-separated list of SASL mechanism(s) to try.
552# .IP "\fBsasl_realm (default: empty)\fR"
553#	SASL Realm to use, if applicable.
554# .IP "\fBsasl_authz_id (default: empty)\fR"
555#	The SASL authorization identity to assert, if applicable.
556# .IP "\fBsasl_minssf (default: 0)\fR"
557#	The minimum SASL security factor required to establish a
558#	connection.
559# LDAP SSL AND STARTTLS PARAMETERS
560# .ad
561# .fi
562#	If you're using the OpenLDAP libraries compiled with SSL
563#	support, Postfix can connect to LDAP SSL servers and can
564#	issue the STARTTLS command. 
565#
566#	LDAP SSL service can be requested by using a LDAP SSL URL
567#	in the server_host parameter:
568#
569# .nf
570#	    server_host = ldaps://ldap.example.com:636
571# .fi
572#
573#	STARTTLS can be turned on with the start_tls parameter:
574#
575# .nf
576#	    start_tls = yes
577# .fi
578#
579#	Both forms require LDAP protocol version 3, which has to be set
580#	explicitly with:
581#
582# .nf
583#	    version = 3
584# .fi
585#
586#	If any of the Postfix programs querying the map is configured in
587#	master.cf to run chrooted, all the certificates and keys involved
588#	have to be copied to the chroot jail. Of course, the private keys
589#	should only be readable by the user "postfix".
590#
591#	The following parameters are relevant to LDAP SSL and STARTTLS:
592# .IP "\fBstart_tls (default: no)\fR"
593#	Whether or not to issue STARTTLS upon connection to the
594#	server.  Don't set this with LDAP SSL (the SSL session is set up
595#	automatically when the TCP connection is opened).
596# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR"
597#	Directory containing X509 Certificate Authority certificates
598#	in PEM format which are to be recognized by the client in
599#	SSL/TLS connections. The files each contain one CA certificate.
600#	The files are looked up by the CA subject name hash value,
601#	which must hence be available. If more than one CA certificate
602#	with the same name hash value exists, the extension must be
603#	different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is
604#	performed in the ordering of the extension number, regardless
605#	of other properties of the certificates. Use the c_rehash
606#	utility (from the OpenSSL distribution) to create the
607#	necessary links.
608# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR"
609#	File containing the X509 Certificate Authority certificates
610#	in PEM format which are to be recognized by the client in
611#	SSL/TLS connections. This setting takes precedence over
612#	tls_ca_cert_dir.
613# .IP "\fBtls_cert (No default; you must set this)\fR"
614#	File containing client's X509 certificate to be used by
615#	the client in SSL/TLS connections.
616# .IP "\fBtls_key (No default; you must set this)\fR"
617#	File containing the private key corresponding to the above
618#	tls_cert.
619# .IP "\fBtls_require_cert (default: no)\fR"
620#	Whether or not to request server's X509 certificate and
621#	check its validity when establishing SSL/TLS connections.
622#	The supported values are \fBno\fR and \fByes\fR.
623# .sp
624#	With \fBno\fR, the server certificate trust chain is not checked,
625#	but with OpenLDAP prior to 2.1.13, the name in the server
626#	certificate must still match the LDAP server name. With OpenLDAP
627#	2.0.0 to 2.0.11 the server name is not necessarily what you
628#	specified, rather it is determined (by reverse lookup) from the
629#	IP address of the LDAP server connection. With OpenLDAP prior to
630#	2.0.13, subjectAlternativeName extensions in the LDAP server
631#	certificate are ignored: the server name must match the subject
632#	CommonName. The \fBno\fR setting corresponds to the \fBnever\fR
633#	value of \fBTLS_REQCERT\fR in LDAP client configuration files.
634# .sp
635#	Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
636#	if you can avoid it.
637# .sp
638#	With \fByes\fR, the server certificate must be issued by a trusted
639#	CA, and not be expired. The LDAP server name must match one of the
640#	name(s) found in the certificate (see above for OpenLDAP library
641#	version dependent behavior). The \fByes\fR setting corresponds to the
642#	\fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration
643#	files.
644# .sp
645#	The "try" and "allow" values of \fBTLS_REQCERT\fR have no equivalents
646#	here. They are not available with OpenLDAP 2.0, and in any case have
647#	questionable security properties. Either you want TLS verified LDAP
648#	connections, or you don't.
649# .sp
650#	The \fByes\fR value only works correctly with Postfix 2.5 and later,
651#	or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
652#	releases don't work together with this setting. Support for LDAP
653#	over TLS was added to Postfix based on the OpenLDAP 2.0 API.
654# .IP "\fBtls_random_file (No default)\fR"
655#	Path of a file to obtain random bits from when /dev/[u]random
656#	is not available, to be used by the client in SSL/TLS
657#	connections.
658# .IP "\fBtls_cipher_suite (No default)\fR"
659#	Cipher suite to use in SSL/TLS negotiations.
660# EXAMPLE
661# .ad
662# .fi
663#	Here's a basic example for using LDAP to look up local(8)
664#	aliases.
665#	Assume that in main.cf, you have:
666#
667# .nf
668#	    alias_maps = hash:/etc/aliases,
669#	            ldap:/etc/postfix/ldap-aliases.cf
670# .fi
671#
672#	and in ldap:/etc/postfix/ldap-aliases.cf you have:
673#
674# .nf
675#	    server_host = ldap.example.com
676#	    search_base = dc=example, dc=com
677# .fi
678#
679#	Upon receiving mail for a local address "ldapuser" that
680#	isn't found in the /etc/aliases database, Postfix will
681#	search the LDAP server listening at port 389 on ldap.example.com.
682#	It will bind anonymously, search for any directory entries
683#	whose mailacceptinggeneralid attribute is "ldapuser", read
684#	the "maildrop" attributes of those found, and build a list
685#	of their maildrops, which will be treated as RFC822 addresses
686#	to which the message will be delivered.
687# SEE ALSO
688#	postmap(1), Postfix lookup table manager
689#	postconf(5), configuration parameters
690#	mysql_table(5), MySQL lookup tables
691#	pgsql_table(5), PostgreSQL lookup tables
692# README FILES
693# .ad
694# .fi
695#	Use "\fBpostconf readme_directory\fR" or
696#	"\fBpostconf html_directory\fR" to locate this information.
697# .na
698# .nf
699#	DATABASE_README, Postfix lookup table overview
700#	LDAP_README, Postfix LDAP client guide
701# LICENSE
702# .ad
703# .fi
704#	The Secure Mailer license must be distributed with this software.
705# AUTHOR(S)
706# .ad
707# .fi
708#	Carsten Hoeger,
709#	Hery Rakotoarisoa,
710#	John Hensley, 
711#	Keith Stevenson,
712#	LaMont Jones,
713#	Liviu Daia,
714#	Manuel Guesdon, 
715#	Mike Mattice,
716#	Prabhat K Singh,
717#	Sami Haahtinen,
718#	Samuel Tardieu,
719#	Victor Duchovni,
720#	and many others.
721#--
722