~ubuntu-branches/debian/sid/postfix/sid

$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>,

etc., it is important to understand that the table must

store each list member as a separate key. The table lookup

verifies the *existence* of the key. See "Postfix lists

versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a dis-

cussion.

Do NOT create tables that return the full list of domains

in $<a href="postconf.5.html#mydestination">mydestination</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses

in $<a href="postconf.5.html#mynetworks">mynetworks</a>.

DO create tables with each matching item as a key and with

an arbitrary value. With LDAP databases it is not uncommon

to return the key itself.

For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestina</a>-

<a href="postconf.5.html#mydestination">tion</a>:

When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>, $<a href="postconf.5.html#mydestination">mydestination</a>,

$<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, etc., it is important to under-

stand that the table must store each list member as a separate key. The

table lookup verifies the *existence* of the key. See "Postfix lists

versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a discussion.

Do NOT create tables that return the full list of domains in $<a href="postconf.5.html#mydestination">mydesti</a>-

<a href="postconf.5.html#mydestination">nation</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses in $<a href="postconf.5.html#mynetworks">mynetworks</a>.

DO create tables with each matching item as a key and with an arbitrary

value. With LDAP databases it is not uncommon to return the key itself.

For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>:

query_filter = domain=*

result_attribute = domain

GENERAL LDAP PARAMETERS

In the text below, default values are given in parenthe-

ses. Note: don't use quotes in these variables; at least,

not until the Postfix configuration routines understand

how to deal with quoted strings.

In the text below, default values are given in parentheses. Note:

don't use quotes in these variables; at least, not until the Postfix

configuration routines understand how to deal with quoted strings.

server_host (default: localhost)

100

The name of the host running the LDAP server, e.g.

101

102

server_host = ldap.example.com

103

104

Depending on the LDAP client library you're using,

105

it should be possible to specify multiple servers

106

here, with the library trying them in order should

107

the first one fail. It should also be possible to

108

give each server in the list a different port

109

(overriding server_port below), by naming them like

Depending on the LDAP client library you're using, it should be

possible to specify multiple servers here, with the library try-

ing them in order should the first one fail. It should also be

possible to give each server in the list a different port (over-

riding server_port below), by naming them like

110

111

server_host = ldap.example.com:1444

112

113

With OpenLDAP, a (list of) LDAP URLs can be used to

114

specify both the hostname(s) and the port(s):

With OpenLDAP, a (list of) LDAP URLs can be used to specify both

100

the hostname(s) and the port(s):

115

101

116

102

server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444

117

103

<a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444

118

104

119

All LDAP URLs accepted by the OpenLDAP library are

120

supported, including connections over UNIX domain

121

sockets, and LDAP SSL (the last one provided that

122

OpenLDAP was compiled with support for SSL):

105

All LDAP URLs accepted by the OpenLDAP library are supported,

106

including connections over UNIX domain sockets, and LDAP SSL

107

(the last one provided that OpenLDAP was compiled with support

108

for SSL):

123

109

124

110

server_host = ldapi://%2Fsome%2Fpath

125

111

ldaps://ldap.example.com:636

130

116

server_port = 778

131

117

132

118

timeout (default: 10 seconds)

133

The number of seconds a search can take before tim-

134

ing out, e.g.

119

The number of seconds a search can take before timing out, e.g.

135

120

136

121

timeout = 5

137

122

138

123

search_base (No default; you must configure this)

139

The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search,

140

e.g.

124

The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g.

141

125

142

126

search_base = dc=your, dc=com

143

127

144

With Postfix 2.2 and later this parameter supports

145

the following '%' expansions:

128

With Postfix 2.2 and later this parameter supports the following

129

'%' expansions:

146

130

147

131

%% This is replaced by a literal '%' character.

148

132

149

%s This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>

150

quoting is used to make sure that the input

151

key does not add unexpected metacharacters.

152

153

%u When the input key is an address of the form

154

user@domain, %u is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>

155

<a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted local part of the address.

156

Otherwise, %u is replaced by the entire

157

search string. If the localpart is empty,

158

the search is suppressed and returns no

159

results.

160

161

%d When the input key is an address of the form

162

user@domain, %d is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>

163

<a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted domain part of the address.

164

Otherwise, the search is suppressed and

165

returns no results.

166

167

%[SUD] For the search_base parameter, the upper-

168

case equivalents of the above expansions

169

behave identically to their lower-case

170

counter-parts. With the result_format param-

171

eter (previously called result_filter see

172

the COMPATIBILITY section and below), they

173

expand to the corresponding components of

174

input key rather than the result value.

175

176

%[1-9] The patterns %1, %2, ... %9 are replaced by

177

the corresponding most significant component

178

of the input key's domain. If the input key

179

is user@mail.example.com, then %1 is com, %2

180

is example and %3 is mail. If the input key

181

is unqualified or does not have enough

182

domain components to satisfy all the speci-

183

fied patterns, the search is suppressed and

184

returns no results.

133

%s This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is

134

used to make sure that the input key does not add unex-

135

pected metacharacters.

136

137

%u When the input key is an address of the form user@domain,

138

%u is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the

139

address. Otherwise, %u is replaced by the entire search

140

string. If the localpart is empty, the search is sup-

141

pressed and returns no results.

142

143

%d When the input key is an address of the form user@domain,

144

%d is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of

145

the address. Otherwise, the search is suppressed and

146

returns no results.

147

148

%[SUD] For the search_base parameter, the upper-case equivalents

149

of the above expansions behave identically to their

150

lower-case counter-parts. With the result_format parame-

151

ter (previously called result_filter see the COMPATIBIL-

152

ITY section and below), they expand to the corresponding

153

components of input key rather than the result value.

154

155

%[1-9] The patterns %1, %2, ... %9 are replaced by the corre-

156

sponding most significant component of the input key's

157

domain. If the input key is user@mail.example.com, then

158

%1 is com, %2 is example and %3 is mail. If the input key

159

is unqualified or does not have enough domain components

160

to satisfy all the specified patterns, the search is sup-

161

pressed and returns no results.

185

162

186

163

query_filter (default: mailacceptinggeneralid=%s)

187

The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory,

188

where %s is a substitute for the address Postfix is

189

trying to resolve, e.g.

164

The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where %s is a

165

substitute for the address Postfix is trying to resolve, e.g.

190

166

191

167

query_filter = (&(mail=%s)(paid_up=true))

192

168

193

This parameter supports the following '%' expan-

194

sions:

195

196

%% This is replaced by a literal '%' character.

197

(Postfix 2.2 and later).

198

199

%s This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>

200

quoting is used to make sure that the input

201

key does not add unexpected metacharacters.

202

203

%u When the input key is an address of the form

204

user@domain, %u is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>

205

<a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted local part of the address.

206

Otherwise, %u is replaced by the entire

207

search string. If the localpart is empty,

208

the search is suppressed and returns no

209

results.

210

211

%d When the input key is an address of the form

212

user@domain, %d is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>

213

<a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted domain part of the address.

214

Otherwise, the search is suppressed and

215

returns no results.

216

217

%[SUD] The upper-case equivalents of the above

218

expansions behave in the query_filter param-

219

eter identically to their lower-case

220

counter-parts. With the result_format param-

221

eter (previously called result_filter see

222

the COMPATIBILITY section and below), they

223

expand to the corresponding components of

224

input key rather than the result value.

225

226

The above %S, %U and %D expansions are

227

available with Postfix 2.2 and later.

228

229

%[1-9] The patterns %1, %2, ... %9 are replaced by

230

the corresponding most significant component

231

of the input key's domain. If the input key

232

is user@mail.example.com, then %1 is com, %2

233

is example and %3 is mail. If the input key

234

is unqualified or does not have enough

235

domain components to satisfy all the speci-

236

fied patterns, the search is suppressed and

237

returns no results.

238

239

The above %1, ..., %9 expansions are avail-

240

able with Postfix 2.2 and later.

241

242

The "domain" parameter described below limits the

243

input keys to addresses in matching domains. When

244

the "domain" parameter is non-empty, LDAP queries

245

for unqualified addresses or addresses in non-

246

matching domains are suppressed and return no

247

results.

248

249

NOTE: DO NOT put quotes around the query_filter

250

parameter.

169

This parameter supports the following '%' expansions:

170

171

%% This is replaced by a literal '%' character. (Postfix 2.2

172

and later).

173

174

%s This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is

175

used to make sure that the input key does not add unex-

176

pected metacharacters.

177

178

%u When the input key is an address of the form user@domain,

179

%u is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the

180

address. Otherwise, %u is replaced by the entire search

181

string. If the localpart is empty, the search is sup-

182

pressed and returns no results.

183

184

%d When the input key is an address of the form user@domain,

185

%d is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of

186

the address. Otherwise, the search is suppressed and

187

returns no results.

188

189

%[SUD] The upper-case equivalents of the above expansions behave

190

in the query_filter parameter identically to their lower-

191

case counter-parts. With the result_format parameter

192

(previously called result_filter see the COMPATIBILITY

193

section and below), they expand to the corresponding com-

194

ponents of input key rather than the result value.

195

196

The above %S, %U and %D expansions are available with

197

Postfix 2.2 and later.

198

199

%[1-9] The patterns %1, %2, ... %9 are replaced by the corre-

200

sponding most significant component of the input key's

201

domain. If the input key is user@mail.example.com, then

202

%1 is com, %2 is example and %3 is mail. If the input key

203

is unqualified or does not have enough domain components

204

to satisfy all the specified patterns, the search is sup-

205

pressed and returns no results.

206

207

The above %1, ..., %9 expansions are available with Post-

208

fix 2.2 and later.

209

210

The "domain" parameter described below limits the input keys to

211

addresses in matching domains. When the "domain" parameter is

212

non-empty, LDAP queries for unqualified addresses or addresses

213

in non-matching domains are suppressed and return no results.

214

215

NOTE: DO NOT put quotes around the query_filter parameter.

251

216

252

217

result_format (default: %s)

253

Called result_filter in Postfix releases prior to

254

2.2. Format template applied to result attributes.

255

Most commonly used to append (or prepend) text to

256

the result. This parameter supports the following

257

'%' expansions:

258

259

%% This is replaced by a literal '%' character.

260

(Postfix 2.2 and later).

261

262

%s This is replaced by the value of the result

263

attribute. When result is empty it is

264

skipped.

265

266

%u When the result attribute value is an

267

address of the form user@domain, %u is

268

replaced by the local part of the address.

269

When the result has an empty localpart it is

270

skipped.

271

272

%d When a result attribute value is an address

273

of the form user@domain, %d is replaced by

274

the domain part of the attribute value. When

275

the result is unqualified it is skipped.

218

Called result_filter in Postfix releases prior to 2.2. Format

219

template applied to result attributes. Most commonly used to

220

append (or prepend) text to the result. This parameter supports

221

the following '%' expansions:

222

223

%% This is replaced by a literal '%' character. (Postfix 2.2

224

and later).

225

226

%s This is replaced by the value of the result attribute.

227

When result is empty it is skipped.

228

229

%u When the result attribute value is an address of the form

230

user@domain, %u is replaced by the local part of the

231

address. When the result has an empty localpart it is

232

skipped.

233

234

%d When a result attribute value is an address of the form

235

user@domain, %d is replaced by the domain part of the

236

attribute value. When the result is unqualified it is

237

skipped.

276

238

277

239

%[SUD1-9]

278

The upper-case and decimal digit expansions

279

interpolate the parts of the input key

280

rather than the result. Their behavior is

281

identical to that described with query_fil-

282

ter, and in fact because the input key is

283

known in advance, lookups whose key does not

284

contain all the information specified in the

285

result template are suppressed and return no

286

results.

287

288

The above %S, %U, %D and %1, ..., %9 expan-

289

sions are available with Postfix 2.2 and

290

later.

291

292

For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]"

293

allows one to use a mailHost attribute as the basis

294

of a <a href="transport.5.html">transport(5)</a> table. After applying the result

295

format, multiple values are concatenated as comma

296

separated strings. The expansion_limit and

297

size_limit parameters explained below allow one to

298

restrict the number of values in the result, which

299

is especially useful for maps that should return a

300

single value.

301

302

The default value %s specifies that each attribute

303

value should be used as is.

304

305

This parameter was called result_filter in Postfix

306

releases prior to 2.2. If no "result_format" is

307

specified, the value of "result_filter" will be

308

used instead before resorting to the default value.

309

This provides compatibility with old configuration

310

files.

240

The upper-case and decimal digit expansions interpolate

241

the parts of the input key rather than the result. Their

242

behavior is identical to that described with query_fil-

243

ter, and in fact because the input key is known in

244

advance, lookups whose key does not contain all the

245

information specified in the result template are sup-

246

pressed and return no results.

247

248

The above %S, %U, %D and %1, ..., %9 expansions are

249

available with Postfix 2.2 and later.

250

251

For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use

252

a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After

253

applying the result format, multiple values are concatenated as

254

comma separated strings. The expansion_limit and size_limit

255

parameters explained below allow one to restrict the number of

256

values in the result, which is especially useful for maps that

257

should return a single value.

258

259

The default value %s specifies that each attribute value should

260

be used as is.

261

262

This parameter was called result_filter in Postfix releases

263

prior to 2.2. If no "result_format" is specified, the value of

264

"result_filter" will be used instead before resorting to the

265

default value. This provides compatibility with old configura-

266

tion files.

311

267

312

268

NOTE: DO NOT put quotes around the result format!

313

269

314

270

domain (default: no domain list)

315

This is a list of domain names, paths to files, or

316

dictionaries. When specified, only fully qualified

317

search keys with a *non-empty* localpart and a

318

matching domain are eligible for lookup: 'user'

319

lookups, bare domain lookups and "@domain" lookups

320

are not performed. This can significantly reduce

321

the query load on the LDAP server.

322

323

domain = postfix.org, hash:/etc/postfix/searchdomains

324

325

It is best not to use LDAP to store the domains

326

eligible for LDAP lookups.

327

328

NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a>

329

aliases.

271

This is a list of domain names, paths to files, or dictionaries.

272

When specified, only fully qualified search keys with a *non-

273

empty* localpart and a matching domain are eligible for lookup:

274

'user' lookups, bare domain lookups and "@domain" lookups are

275

not performed. This can significantly reduce the query load on

276

the LDAP server.

277

278

domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains

279

280

It is best not to use LDAP to store the domains eligible for

281

LDAP lookups.

282

283

NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a> aliases.

330

284

331

285

This feature is available in Postfix 1.0 and later.

332

286

333

287

result_attribute (default: maildrop)

334

The attribute(s) Postfix will read from any direc-

335

tory entries returned by the lookup, to be resolved

336

to an email address.

288

The attribute(s) Postfix will read from any directory entries

289

returned by the lookup, to be resolved to an email address.

337

290

338

291

result_attribute = mailbox, maildrop

339

292

340

Don't rely on the default value ("maildrop"). Set

341

the result_attribute explicitly in all ldap table

342

configuration files. This is particularly relevant

343

when no result_attribute is applicable, e.g. cases

344

in which leaf_result_attribute and/or termi-

345

nal_result_attribute are used instead. The default

346

value is harmless if "maildrop" is also listed as a

347

leaf or terminal result attribute, but it is best

348

to not leave this to chance.

293

Don't rely on the default value ("maildrop"). Set the

294

result_attribute explicitly in all ldap table configuration

295

files. This is particularly relevant when no result_attribute is

296

applicable, e.g. cases in which leaf_result_attribute and/or

297

terminal_result_attribute are used instead. The default value is

298

harmless if "maildrop" is also listed as a leaf or terminal

299

result attribute, but it is best to not leave this to chance.

349

300

350

301

special_result_attribute (default: empty)

351

The attribute(s) of directory entries that can con-

352

tain DNs or <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recur-

353

sive search is performed to retrieve the entry ref-

354

erenced by the DN, or the entries matched by the

355

URL query.

302

The attribute(s) of directory entries that can contain DNs or

303

<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to

304

retrieve the entry referenced by the DN, or the entries matched

305

by the URL query.

356

306

357

307

special_result_attribute = memberdn

358

308

359

DN recursion retrieves the same result_attributes

360

as the main query, including the special attributes

361

for further recursion.

309

DN recursion retrieves the same result_attributes as the main

310

query, including the special attributes for further recursion.

362

311

363

URL processing retrieves only those attributes that

364

are included in both the URL definition and as

365

result attributes (ordinary, special, leaf or ter-

366

minal) in the Postfix table definition. If the URL

367

lists any of the table's special result attributes,

368

these are retrieved and used recursively. A URL

369

that does not specify any attribute selection, is

370

equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a URL that selects all

371

attributes, in which case the selected attributes

372

will be the full set of result attributes in the

312

URL processing retrieves only those attributes that are included

313

in both the URL definition and as result attributes (ordinary,

314

special, leaf or terminal) in the Postfix table definition. If

315

the URL lists any of the table's special result attributes,

316

these are retrieved and used recursively. A URL that does not

317

specify any attribute selection, is equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a

318

URL that selects all attributes, in which case the selected

319

attributes will be the full set of result attributes in the

373

320

Postfix table.

374

321

375

If an LDAP URL attribute-descriptor or the corre-

376

sponding Postfix LDAP table result attribute (but

377

not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> sub-type options

378

("attr;option"), the attribute requested from the

379

LDAP server will include the sub-type option. In

380

all other cases, the URL attribute and the table

381

attribute must match exactly. Attributes with

382

options in both the URL and the Postfix table are

383

requested only when the options are identical. LDAP

384

attribute-descriptor options are very rarely used,

385

most LDAP users will not need to concern themselves

386

with this level of nuanced detail.

322

If an LDAP URL attribute-descriptor or the corresponding Postfix

323

LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> sub-

324

type options ("attr;option"), the attribute requested from the

325

LDAP server will include the sub-type option. In all other

326

cases, the URL attribute and the table attribute must match

327

exactly. Attributes with options in both the URL and the Postfix

328

table are requested only when the options are identical. LDAP

329

attribute-descriptor options are very rarely used, most LDAP

330

users will not need to concern themselves with this level of

331

nuanced detail.

387

332

388

333

terminal_result_attribute (default: empty)

389

When one or more terminal result attributes are

390

found in an LDAP entry, all other result attributes

391

are ignored and only the terminal result attributes

392

are returned. This is useful for delegating expan-

393

sion of group members to a particular host, by

394

using an optional "maildrop" attribute on selected

395

groups to route the group to a specific host, where

396

the group is expanded, possibly via mailing-list

397

manager or other special processing.

334

When one or more terminal result attributes are found in an LDAP

335

entry, all other result attributes are ignored and only the ter-

336

minal result attributes are returned. This is useful for dele-

337

gating expansion of group members to a particular host, by using

338

an optional "maildrop" attribute on selected groups to route the

339

group to a specific host, where the group is expanded, possibly

340

via mailing-list manager or other special processing.

398

341

399

342

result_attribute =

400

343

terminal_result_attribute = maildrop

401

344

402

When using terminal and/or leaf result attributes,

403

the result_attribute is best set to an empty value

404

when it is not used, or else explicitly set to the

405

desired value, even if it is the default value

406

"maildrop".

345

When using terminal and/or leaf result attributes, the

346

result_attribute is best set to an empty value when it is not

347

used, or else explicitly set to the desired value, even if it is

348

the default value "maildrop".

407

349

408

This feature is available with Postfix 2.4 or

409

later.

350

This feature is available with Postfix 2.4 or later.

410

351

411

352

leaf_result_attribute (default: empty)

412

When one or more special result attributes are

413

found in a non-terminal (see above) LDAP entry,

414

leaf result attributes are excluded from the expan-

415

sion of that entry. This is useful when expanding

416

groups and the desired mail address attribute(s) of

417

the member objects obtained via DN or URI recursion

418

are also present in the group object. To only

419

return the attribute values from the leaf objects

420

and not the containing group, add the attribute to

421

the leaf_result_attribute list, and not the

422

result_attribute list, which is always expanded.

423

Note, the default value of "result_attribute" is

424

not empty, you may want to set it explicitly empty

425

when using "leaf_result_attribute" to expand the

426

group to a list of member DN addresses. If groups

427

have both member DN references AND attributes that

428

hold multiple string valued rfc822 addresses, then

429

the string attributes go in "result_attribute".

430

The attributes that represent the email addresses

431

of objects referenced via a DN (or LDAP URI) go in

353

When one or more special result attributes are found in a non-

354

terminal (see above) LDAP entry, leaf result attributes are

355

excluded from the expansion of that entry. This is useful when

356

expanding groups and the desired mail address attribute(s) of

357

the member objects obtained via DN or URI recursion are also

358

present in the group object. To only return the attribute values

359

from the leaf objects and not the containing group, add the

360

attribute to the leaf_result_attribute list, and not the

361

result_attribute list, which is always expanded. Note, the

362

default value of "result_attribute" is not empty, you may want

363

to set it explicitly empty when using "leaf_result_attribute" to

364

expand the group to a list of member DN addresses. If groups

365

have both member DN references AND attributes that hold multiple

366

string valued rfc822 addresses, then the string attributes go in

367

"result_attribute". The attributes that represent the email

368

addresses of objects referenced via a DN (or LDAP URI) go in

432

369

"leaf_result_attribute".

433

370

434

371

result_attribute = memberaddr

436

373

terminal_result_attribute = maildrop

437

374

leaf_result_attribute = mail

438

375

439

When using terminal and/or leaf result attributes,

440

the result_attribute is best set to an empty value

441

when it is not used, or else explicitly set to the

442

desired value, even if it is the default value

443

"maildrop".

376

When using terminal and/or leaf result attributes, the

377

result_attribute is best set to an empty value when it is not

378

used, or else explicitly set to the desired value, even if it is

379

the default value "maildrop".

444

380

445

This feature is available with Postfix 2.4 or

446

later.

381

This feature is available with Postfix 2.4 or later.

447

382

448

383

scope (default: sub)

449

The LDAP search scope: sub, base, or one. These

450

translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,

451

and LDAP_SCOPE_ONELEVEL.

384

The LDAP search scope: sub, base, or one. These translate into

385

LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.

452

386

453

387

bind (default: yes)

454

Whether or how to bind to the LDAP server. Newer

455

LDAP implementations don't require clients to bind,

456

which saves time. Example:

388

Whether or how to bind to the LDAP server. Newer LDAP implemen-

389

tations don't require clients to bind, which saves time. Exam-

390

ple:

457

391

458

392

# Don't bind

459

393

bind = no

462

396

# Use SASL bind

463

397

bind = sasl

464

398

465

Postfix versions prior to 2.8 only support "bind =

466

no" which means don't bind, and "bind = yes" which

467

means do a SIMPLE bind. Postfix 2.8 and later also

468

supports "bind = SASL" when compiled with LDAP SASL

469

support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds

470

the synonyms "bind = none" and "bind = simple" for

471

"bind = no" and "bind = yes" respectively. See the

472

SASL section below for additional parameters avail-

473

able with "bind = sasl".

399

Postfix versions prior to 2.8 only support "bind = no" which

400

means don't bind, and "bind = yes" which means do a SIMPLE bind.

401

Postfix 2.8 and later also supports "bind = SASL" when compiled

402

with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds

403

the synonyms "bind = none" and "bind = simple" for "bind = no"

404

and "bind = yes" respectively. See the SASL section below for

405

additional parameters available with "bind = sasl".

474

406

475

If you do need to bind, you might consider config-

476

uring Postfix to connect to the local machine on a

477

port that's an SSL tunnel to your LDAP server. If

478

your LDAP server doesn't natively support SSL, put

479

a tunnel (wrapper, proxy, whatever you want to call

480

it) on that system too. This should prevent the

481

password from traversing the network in the clear.

407

If you do need to bind, you might consider configuring Postfix

408

to connect to the local machine on a port that's an SSL tunnel

409

to your LDAP server. If your LDAP server doesn't natively sup-

410

port SSL, put a tunnel (wrapper, proxy, whatever you want to

411

call it) on that system too. This should prevent the password

412

from traversing the network in the clear.

482

413

483

414

bind_dn (default: empty)

484

If you do have to bind, do it with this distin-

485

guished name. Example:

415

If you do have to bind, do it with this distinguished name.

416

Example:

486

417

487

418

bind_dn = uid=postfix, dc=your, dc=com

488

With "bind = sasl" (see above) the DN may be

489

optional for some SASL mechanisms, don't specify a

490

DN if not needed.

419

With "bind = sasl" (see above) the DN may be optional for some

420

SASL mechanisms, don't specify a DN if not needed.

491

421

492

422

bind_pw (default: empty)

493

The password for the distinguished name above. If

494

you have to use this, you probably want to make the

495

map configuration file readable only by the Postfix

496

user. When using the obsolete <a href="ldap_table.5.html">ldap</a>:ldapsource syn-

497

tax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is not pos-

498

sible to securely store the bind password. This is

499

because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow

500

local accounts to submit mail via the sendmail com-

501

mand. Example:

423

The password for the distinguished name above. If you have to

424

use this, you probably want to make the map configuration file

425

readable only by the Postfix user. When using the obsolete

426

<a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is

427

not possible to securely store the bind password. This is

428

because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow local

429

accounts to submit mail via the sendmail command. Example:

502

430

503

431

bind_pw = postfixpw

504

With "bind = sasl" (see above) the password may be

505

optional for some SASL mechanisms, don't specify a

506

password if not needed.

432

With "bind = sasl" (see above) the password may be optional for

433

some SASL mechanisms, don't specify a password if not needed.

507

434

508

435

cache (IGNORED with a warning)

509

436

510

437

cache_expiry (IGNORED with a warning)

511

438

512

439

cache_size (IGNORED with a warning)

513

The above parameters are NO LONGER SUPPORTED by

514

Postfix. Cache support has been dropped from

515

OpenLDAP as of release 2.1.13.

440

The above parameters are NO LONGER SUPPORTED by Postfix. Cache

441

support has been dropped from OpenLDAP as of release 2.1.13.

516

442

517

443

recursion_limit (default: 1000)

518

A limit on the nesting depth of DN and URL special

519

result attribute evaluation. The limit must be a

520

non-zero positive number.

444

A limit on the nesting depth of DN and URL special result

445

attribute evaluation. The limit must be a non-zero positive num-

446

ber.

521

447

522

448

expansion_limit (default: 0)

523

A limit on the total number of result elements

524

returned (as a comma separated list) by a lookup

525

against the map. A setting of zero disables the

526

limit. Lookups fail with a temporary error if the

527

limit is exceeded. Setting the limit to 1 ensures

528

that lookups do not return multiple values.

449

A limit on the total number of result elements returned (as a

450

comma separated list) by a lookup against the map. A setting of

451

zero disables the limit. Lookups fail with a temporary error if

452

the limit is exceeded. Setting the limit to 1 ensures that

453

lookups do not return multiple values.

529

454

530

455

size_limit (default: $expansion_limit)

531

A limit on the number of LDAP entries returned by

532

any single LDAP search performed as part of the

533

lookup. A setting of 0 disables the limit. Expan-

534

sion of DN and URL references involves nested LDAP

535

queries, each of which is separately subjected to

456

A limit on the number of LDAP entries returned by any single

457

LDAP search performed as part of the lookup. A setting of 0 dis-

458

ables the limit. Expansion of DN and URL references involves

459

nested LDAP queries, each of which is separately subjected to

536

460

this limit.

537

461

538

Note: even a single LDAP entry can generate multi-

539

ple lookup results, via multiple result attributes

540

and/or multi-valued result attributes. This limit

541

caps the per search resource utilization on the

542

LDAP server, not the final multiplicity of the

543

lookup result. It is analogous to the "-z" option

544

of "ldapsearch".

462

Note: even a single LDAP entry can generate multiple lookup

463

results, via multiple result attributes and/or multi-valued

464

result attributes. This limit caps the per search resource uti-

465

lization on the LDAP server, not the final multiplicity of the

466

lookup result. It is analogous to the "-z" option of

467

"ldapsearch".

545

468

546

469

dereference (default: 0)

547

When to dereference LDAP aliases. (Note that this

548

has nothing do with Postfix aliases.) The permitted

549

values are those legal for the OpenLDAP/UM LDAP

550

implementations:

470

When to dereference LDAP aliases. (Note that this has nothing do

471

with Postfix aliases.) The permitted values are those legal for

472

the OpenLDAP/UM LDAP implementations:

551

473

552

474

0 never

553

475

557

479

558

480

3 always

559

481

560

See ldap.h or the ldap_open(3) or ldapsearch(1) man

561

pages for more information. And if you're using an

562

LDAP package that has other possible values, please

563

bring it to the attention of the postfix-

564

users@postfix.org mailing list.

482

See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for

483

more information. And if you're using an LDAP package that has

484

other possible values, please bring it to the attention of the

485

postfix-users@postfix.org mailing list.

565

486

566

487

chase_referrals (default: 0)

567

Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP

568

version 3 support).

488

Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3

489

support).

569

490

570

491

version (default: 2)

571

492

Specifies the LDAP protocol version to use.

572

493

573

494

debuglevel (default: 0)

574

What level to set for debugging in the OpenLDAP

575

libraries.

495

What level to set for debugging in the OpenLDAP libraries.

576

496

577

497

LDAP SASL PARAMETERS

578

If you're using the OpenLDAP libraries compiled with SASL

579

support, Postfix 2.8 and later built with LDAP SASL sup-

580

port as described in <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP

581

servers via SASL.

498

If you're using the OpenLDAP libraries compiled with SASL support,

499

Postfix 2.8 and later built with LDAP SASL support as described in

500

<a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP servers via SASL.

582

501

583

This enables authentication to the LDAP server via mecha-

584

nisms other than a simple password. The added flexibility

585

has a cost: it is no longer practical to set an explicit

586

timeout on the duration of an LDAP bind operation. Under

587

adverse conditions, whether a SASL bind times out, or if

588

it does, the duration of the timeout is determined by the

502

This enables authentication to the LDAP server via mechanisms other

503

than a simple password. The added flexibility has a cost: it is no

504

longer practical to set an explicit timeout on the duration of an LDAP

505

bind operation. Under adverse conditions, whether a SASL bind times

506

out, or if it does, the duration of the timeout is determined by the

589

507

LDAP and SASL libraries.

590

508

591

It is best to use tables that use SASL binds via <a href="proxymap.8.html">prox-</a>

592

<a href="proxymap.8.html">ymap(8)</a>, this way the requesting process can time-out the

593

proxymap request. This also lets you tailer the process

594

environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> import_environ-

595

ment setting in <a href="master.5.html">master.cf</a>(5). Special environment settings

596

may be needed to configure GSSAPI credential caches or

597

other SASL mechanism specific options. The GSSAPI creden-

598

tials used for LDAP lookups may need to be different than

599

say those used for the Postfix SMTP client to authenticate

600

to remote servers.

601

602

Using SASL mechanisms requires LDAP protocol version 3,

603

the default protocol version is 2 for backwards compati-

604

bility. You must set "version = 3" in addition to "bind =

605

sasl".

606

607

The following parameters are relevant to using LDAP with

608

SASL

509

It is best to use tables that use SASL binds via <a href="proxymap.8.html">proxymap(8)</a>, this way

510

the requesting process can time-out the proxymap request. This also

511

lets you tailer the process environment by overriding the <a href="proxymap.8.html">proxymap(8)</a>

512

<a href="postconf.5.html#import_environment">import_environment</a> setting in <a href="master.5.html">master.cf</a>(5). Special environment set-

513

tings may be needed to configure GSSAPI credential caches or other SASL

514

mechanism specific options. The GSSAPI credentials used for LDAP

515

lookups may need to be different than say those used for the Postfix

516

SMTP client to authenticate to remote servers.

517

518

Using SASL mechanisms requires LDAP protocol version 3, the default

519

protocol version is 2 for backwards compatibility. You must set "ver-

520

sion = 3" in addition to "bind = sasl".

521

522

The following parameters are relevant to using LDAP with SASL

609

523

610

524

sasl_mechs (default: empty)

611

525

Space separated list of SASL mechanism(s) to try.

614

528

SASL Realm to use, if applicable.

615

529

616

530

sasl_authz_id (default: empty)

617

The SASL authorization identity to assert, if

618

applicable.

531

The SASL authorization identity to assert, if applicable.

619

532

620

533

sasl_minssf (default: 0)

621

The minimum required sasl security factor required

622

to establish a connection.

534

The minimum required sasl security factor required to establish

535

a connection.

623

536

624

537

LDAP SSL AND STARTTLS PARAMETERS

625

If you're using the OpenLDAP libraries compiled with SSL

626

support, Postfix can connect to LDAP SSL servers and can

627

issue the STARTTLS command.

538

If you're using the OpenLDAP libraries compiled with SSL support, Post-

539

fix can connect to LDAP SSL servers and can issue the STARTTLS command.

628

540

629

LDAP SSL service can be requested by using a LDAP SSL URL

630

in the server_host parameter:

541

LDAP SSL service can be requested by using a LDAP SSL URL in the

542

server_host parameter:

631

543

632

544

server_host = ldaps://ldap.example.com:636

633

545

635

547

636

548

start_tls = yes

637

549

638

Both forms require LDAP protocol version 3, which has to

639

be set explicitly with:

550

Both forms require LDAP protocol version 3, which has to be set explic-

551

itly with:

640

552

641

553

version = 3

642

554

643

If any of the Postfix programs querying the map is config-

644

ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates

645

and keys involved have to be copied to the chroot jail. Of

646

course, the private keys should only be readable by the

647

user "postfix".

555

If any of the Postfix programs querying the map is configured in <a href="master.5.html">mas-

556

ter.cf</a> to run chrooted, all the certificates and keys involved have to

557

be copied to the chroot jail. Of course, the private keys should only

558

be readable by the user "postfix".

648

559

649

The following parameters are relevant to LDAP SSL and

650

STARTTLS:

560

The following parameters are relevant to LDAP SSL and STARTTLS:

651

561

652

562

start_tls (default: no)

653

Whether or not to issue STARTTLS upon connection to

654

the server. Don't set this with LDAP SSL (the SSL

655

session is setup automatically when the TCP connec-

656

tion is opened).

657

658

tls_ca_cert_dir (No default; set either this or

659

tls_ca_cert_file)

660

Directory containing X509 Certificate Authority

661

certificates in PEM format which are to be recog-

662

nized by the client in SSL/TLS connections. The

663

files each contain one CA certificate. The files

664

are looked up by the CA subject name hash value,

665

which must hence be available. If more than one CA

666

certificate with the same name hash value exist,

667

the extension must be different (e.g. 9d66eef0.0,

668

9d66eef0.1 etc). The search is performed in the

669

ordering of the extension number, regardless of

670

other properties of the certificates. Use the

671

c_rehash utility (from the OpenSSL distribution) to

672

create the necessary links.

673

674

tls_ca_cert_file (No default; set either this or

675

tls_ca_cert_dir)

676

File containing the X509 Certificate Authority cer-

677

tificates in PEM format which are to be recognized

678

by the client in SSL/TLS connections. This setting

679

takes precedence over tls_ca_cert_dir.

563

Whether or not to issue STARTTLS upon connection to the server.

564

Don't set this with LDAP SSL (the SSL session is setup automati-

565

cally when the TCP connection is opened).

566

567

tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)

568

Directory containing X509 Certificate Authority certificates in

569

PEM format which are to be recognized by the client in SSL/TLS

570

connections. The files each contain one CA certificate. The

571

files are looked up by the CA subject name hash value, which

572

must hence be available. If more than one CA certificate with

573

the same name hash value exist, the extension must be different

574

(e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in

575

the ordering of the extension number, regardless of other prop-

576

erties of the certificates. Use the c_rehash utility (from the

577

OpenSSL distribution) to create the necessary links.

578

579

tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)

580

File containing the X509 Certificate Authority certificates in

581

PEM format which are to be recognized by the client in SSL/TLS

582

connections. This setting takes precedence over tls_ca_cert_dir.

680

583

681

584

tls_cert (No default; you must set this)

682

File containing client's X509 certificate to be

683

used by the client in SSL/ TLS connections.

585

File containing client's X509 certificate to be used by the

586

client in SSL/ TLS connections.

684

587

685

588

tls_key (No default; you must set this)

686

File containing the private key corresponding to

687

the above tls_cert.

589

File containing the private key corresponding to the above

590

tls_cert.

688

591

689

592

tls_require_cert (default: no)

690

Whether or not to request server's X509 certificate

691

and check its validity when establishing SSL/TLS

692

connections. The supported values are no and yes.

693

694

With no, the server certificate trust chain is not

695

checked, but with OpenLDAP prior to 2.1.13, the

696

name in the server certificate must still match the

697

LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the

698

server name is not necessarily what you specified,

699

rather it is determined (by reverse lookup) from

700

the IP address of the LDAP server connection. With

701

OpenLDAP prior to 2.0.13, subjectAlternativeName

702

extensions in the LDAP server certificate are

703

ignored: the server name must match the subject

704

CommonName. The no setting corresponds to the never

705

value of TLS_REQCERT in LDAP client configuration

706

files.

707

708

Don't use TLS with OpenLDAP 2.0.x (and especially

709

with x <= 11) if you can avoid it.

710

711

With yes, the server certificate must be issued by

712

a trusted CA, and not be expired. The LDAP server

713

name must match one of the name(s) found in the

714

certificate (see above for OpenLDAP library version

715

dependent behavior). The yes setting corresponds to

716

the demand value of TLS_REQCERT in LDAP client con-

717

figuration files.

718

719

The "try" and "never" values of TLS_REQCERT have no

720

equivalents here. They are not available with

721

OpenLDAP 2.0, and in any case have questionable

722

security properties. Either you want TLS verified

723

LDAP connections, or you don't.

724

725

The yes value only works correctly with Postfix 2.5

726

and later, or with OpenLDAP 2.0. Earlier Postfix

727

releases or later OpenLDAP releases don't work

728

together with this setting. Support for LDAP over

729

TLS was added to Postfix based on the OpenLDAP 2.0

730

API.

593

Whether or not to request server's X509 certificate and check

594

its validity when establishing SSL/TLS connections. The sup-

595

ported values are no and yes.

596

597

With no, the server certificate trust chain is not checked, but

598

with OpenLDAP prior to 2.1.13, the name in the server certifi-

599

cate must still match the LDAP server name. With OpenLDAP 2.0.0

600

to 2.0.11 the server name is not necessarily what you specified,

601

rather it is determined (by reverse lookup) from the IP address

602

of the LDAP server connection. With OpenLDAP prior to 2.0.13,

603

subjectAlternativeName extensions in the LDAP server certificate

604

are ignored: the server name must match the subject CommonName.

605

The no setting corresponds to the never value of TLS_REQCERT in

606

LDAP client configuration files.

607

608

Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)

609

if you can avoid it.

610

611

With yes, the server certificate must be issued by a trusted CA,

612

and not be expired. The LDAP server name must match one of the

613

name(s) found in the certificate (see above for OpenLDAP library

614

version dependent behavior). The yes setting corresponds to the

615

demand value of TLS_REQCERT in LDAP client configuration files.

616

617

The "try" and "allow" values of TLS_REQCERT have no equivalents

618

here. They are not available with OpenLDAP 2.0, and in any case

619

have questionable security properties. Either you want TLS veri-

620

fied LDAP connections, or you don't.

621

622

The yes value only works correctly with Postfix 2.5 and later,

623

or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP

624

releases don't work together with this setting. Support for LDAP

625

over TLS was added to Postfix based on the OpenLDAP 2.0 API.

731

626

732

627

tls_random_file (No default)

733

Path of a file to obtain random bits from when

734

/dev/[u]random is not available, to be used by the

735

client in SSL/TLS connections.

628

Path of a file to obtain random bits from when /dev/[u]random is

629

not available, to be used by the client in SSL/TLS connections.

736

630

737

631

tls_cipher_suite (No default)

738

632

Cipher suite to use in SSL/TLS negotiations.

739

633

740

634

EXAMPLE

741

Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>

742

aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have:

635

Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a> aliases.

636

Assume that in <a href="postconf.5.html">main.cf</a>, you have:

743

637

744

<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,

638

<a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases,

745

639

<a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf

746

640

747

641

and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:

749

643

server_host = ldap.example.com

750

644

search_base = dc=example, dc=com

751

645

752

Upon receiving mail for a local address "ldapuser" that

753

isn't found in the /etc/aliases database, Postfix will

754

search the LDAP server listening at port 389 on ldap.exam-

755

ple.com. It will bind anonymously, search for any direc-

756

tory entries whose mailacceptinggeneralid attribute is

757

"ldapuser", read the "maildrop" attributes of those found,

758

and build a list of their maildrops, which will be treated

759

as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-

760

ered.

646

Upon receiving mail for a local address "ldapuser" that isn't found in

647

the /etc/aliases database, Postfix will search the LDAP server listen-

648

ing at port 389 on ldap.example.com. It will bind anonymously, search

649

for any directory entries whose mailacceptinggeneralid attribute is

650

"ldapuser", read the "maildrop" attributes of those found, and build a

651

list of their maildrops, which will be treated as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to

652

which the message will be delivered.

761

653

762

654

SEE ALSO

763

655

<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager

770

662

<a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide

771

663

772

664

LICENSE

773

The Secure Mailer license must be distributed with this

774

software.

665

The Secure Mailer license must be distributed with this software.

775

666

776

667

AUTHOR(S)

777

Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith

778

Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike

779

Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,

780

Victor Duchovni, and many others.

668

Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM-

669

ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh,

670

Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.

781

671

782

672

LDAP_TABLE(5)

783

673

</pre> </body> </html>

Older »