~ubuntu-branches/ubuntu/hoary/postfix/hoary-security

$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>,

etc., it is important to understand that the table must

store each list member as a separate key. The table lookup

verifies the *existence* of the key. See "Postfix lists

versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a dis-

cussion.

Do NOT create tables that return the full list of domains

in $<a href="postconf.5.html#mydestination">mydestination</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses

in $<a href="postconf.5.html#mynetworks">mynetworks</a>.

DO create tables with each matching item as a key and with

an arbitrary value. With LDAP databases it is not uncommon

to return the key itself.

For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestina</a>-

<a href="postconf.5.html#mydestination">tion</a>:

query_filter = domain=*

result_attribute = domain

Do this instead:

query_filter = domain=%s

result_attribute = domain

GENERAL LDAP PARAMETERS

In the text below, default values are given in parenthe-

ses. Note: don't use quotes in these variables; at least,

not until the Postfix configuration routines understand

how to deal with quoted strings.

server_host (default: localhost)

The name of the host running the LDAP server, e.g.

server_host = ldap.your.com

Depending on the LDAP client library you're using,

it should be possible to specify multiple servers

here, with the library trying them in order should

the first one fail. It should also be possible to

give each server in the list a different port

(overriding server_port below), by naming them like

server_host = ldap.your.com:1444

100

101

With OpenLDAP, a (list of) LDAP URLs can be used to

102

specify both the hostname(s) and the port(s):

103

server_host = <a href="ldap_table.5.html">ldap</a>://ldap.your.com:1444

104

105

All LDAP URLs accepted by the OpenLDAP library are

106

supported, including connections over UNIX domain

107

sockets, and LDAP SSL (the last one provided that

108

OpenLDAP was compiled with support for SSL):

109

server_host = ldapi://%2Fsome%2Fpath

110

server_host = ldaps://ldap.your.com:636

111

112

server_port (default: 389)

113

The port the LDAP server listens on, e.g.

114

server_port = 778

115

116

search_base (No default; you must configure this)

117

The <a href="http://www.faqs.org/rfcs/rfc2253.html">RFC2253</a> base DN at which to conduct the search,

118

e.g.

119

search_base = dc=your, dc=com

120

121

timeout (default: 10 seconds)

122

The number of seconds a search can take before tim-

123

ing out, e.g.

124

timeout = 5

125

126

query_filter (default: mailacceptinggeneralid=%s)

127

The <a href="http://www.faqs.org/rfcs/rfc2254.html">RFC2254</a> filter used to search the directory,

128

where %s is a substitute for the address Postfix is

129

trying to resolve, e.g.

130

query_filter = (&(mail=%s)(paid_up=true))

131

132

This parameter supports the following '%' expan-

133

sions:

134

135

%s This is replaced by the input key. <a href="http://www.faqs.org/rfcs/rfc2254.html">RFC 2254</a>

136

quoting is used to make sure that the input

137

key does not add unexpected metacharacters.

138

139

%u When the input key is an address of the form

140

user@domain, %u is replaced by the (RFC

141

2254) quoted local part of the address. If

142

no domain is specified, %u is replaced by

143

the entire search string.

144

145

%d When the input key is an address of the form

146

user@domain, %d is replaced by the (RFC

147

2254) quoted domain part of the address.

148

When the input key has no domain qualifier,

149

%d is replaced by the entire search string.

150

151

The "domain" parameter described below limits the

152

input keys to addresses in matching domains. When

153

the "domain" parameter is non-empty, LDAP queries

154

for unqualified addresses or addresses in non-

155

matching domains are suppressed and return no

156

results.

157

158

NOTE: DO NOT put quotes around the query filter.

159

160

result_filter (default: %s)

161

Format template applied to result attributes. Sup-

162

ports the same expansions as the query_filter, and

163

can be easily used to append (or prepend) text.

164

This parameter supports the following '%' expan-

165

sions:

166

167

%s This is replaced by the value of the result

168

attribute.

169

170

%u When the result attribute is an address of

171

the form user@domain, %u is replaced local

172

part of the address, if the result attribute

173

is unqualified, %u is replaced by the entire

174

attribute value.

175

176

%d When a result attribute is an address of the

177

form user@domain, %d is replaced by the

178

domain part of the attribute value. If an

179

attribute value is unqualified %d is

180

replaced by the entire attribute value.

181

182

For example, using "result_filter = <a href="smtp.8.html">smtp</a>:[%s]"

183

allows one to use a mailHost attribute as the basis

184

of a <a href="transport.5.html">transport(5)</a> table. After applying the result

185

filter, multiple values are concatenated as comma

186

separated strings. The expansion_limit and

187

size_limit parameters explained below allow one to

188

restrict the number of values in the result, which

189

is especially useful for maps that should return a

190

single value.

191

192

The default value %s specifies that each attribute

193

value should be used as is.

194

195

NOTE: DO NOT put quotes around the result filter!

196

197

domain (default: no domain list)

198

This is a list of domain names, paths to files, or

199

dictionaries. When specified, only fully qualified

200

search keys with a *non-empty* localpart and a

201

matching domain are eligible for lookup: 'user'

202

lookups, bare domain lookups and "@domain" lookups

203

are not performed. This can significantly reduce

204

the query load on the LDAP server.

205

domain = postfix.org, hash:/etc/postfix/search-

206

domains

207

208

It is best not to use LDAP to store the domains

209

eligible for LDAP lookups.

210

211

NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a>

212

aliases.

213

214

result_attribute (default: maildrop)

215

The attribute(s) Postfix will read from any direc-

216

tory entries returned by the lookup, to be resolved

217

to an email address.

218

result_attribute = mailbox,maildrop

219

220

special_result_attribute (No default)

221

The attribute(s) of directory entries that can con-

222

tain DNs or URLs. If found, a recursive subsequent

223

search is done using their values.

224

special_result_attribute = member

225

226

DN recursion retrieves the same result_attributes

227

as the main query, including the special attributes

228

for further recursion. URI processing retrieves

229

only those attributes that are included in the URI

230

definition and are *also* listed in

231

"result_attribute". If the URI lists any of the

232

map's special result attributes, these are also

233

retrieved and used recursively.

234

235

scope (default: sub)

236

The LDAP search scope: sub, base, or one. These

237

translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,

238

and LDAP_SCOPE_ONELEVEL.

239

240

bind (default: yes)

241

Whether or not to bind to the LDAP server. Newer

242

LDAP implementations don't require clients to bind,

243

which saves time. Example:

244

bind = no

245

246

If you do need to bind, you might consider config-

247

uring Postfix to connect to the local machine on a

248

port that's an SSL tunnel to your LDAP server. If

249

your LDAP server doesn't natively support SSL, put

250

a tunnel (wrapper, proxy, whatever you want to call

251

it) on that system too. This should prevent the

252

password from traversing the network in the clear.

253

254

bind_dn (default: empty)

255

If you do have to bind, do it with this distin-

256

guished name. Example:

257

bind_dn = uid=postfix, dc=your, dc=com

258

259

bind_pw (default: empty)

260

The password for the distinguished name above. If

261

you have to use this, you probably want to make the

262

map configuration file readable only by the Postfix

263

user. When using the obsolete <a href="ldap_table.5.html">ldap</a>:ldapsource syn-

264

tax, with map parameters in main.cf, it is not pos-

265

sible to securely store the bind password. This is

266

because main.cf needs to be world readable to allow

267

local accounts to submit mail via the sendmail com-

268

mand. Example:

269

bind_pw = postfixpw

270

271

cache (IGNORED with a warning)

272

273

cache_expiry (IGNORED with a warning)

274

275

cache_size (IGNORED with a warning)

276

The above parameters are NO LONGER SUPPORTED by

277

Postfix. Cache support has been dropped from

278

OpenLDAP as of release 2.1.13.

279

280

recursion_limit (default: 1000)

281

A limit on the nesting depth of DN and URL special

282

result attribute evaluation. The limit must be a

283

non-zero positive number.

284

285

expansion_limit (default: 0)

286

A limit on the total number of result elements

287

returned (as a comma separated list) by a lookup

288

against the map. A setting of zero disables the

289

limit. Lookups fail with a temporary error if the

290

limit is exceeded. Setting the limit to 1 ensures

291

that lookups do not return multiple values.

292

293

size_limit (default: $expansion_limit)

294

A limit on the number of LDAP entries returned by

295

any single LDAP query performed as part of the

296

lookup. A setting of 0 disables the limit. Expan-

297

sion of DN and URL references involves nested LDAP

298

queries, each of which is separately subjected to

299

this limit.

300

301

Note: even a single LDAP entry can generate multi-

302

ple lookup results, via multiple result attributes

303

and/or multi-valued result attributes. This limit

304

caps the per query resource utilization on the LDAP

305

server, not the final multiplicity of the lookup

306

result. It is analogous to the "-z" option of

307

"ldapsearch".

308

309

dereference (default: 0)

310

When to dereference LDAP aliases. (Note that this

311

has nothing do with Postfix aliases.) The permitted

312

values are those legal for the OpenLDAP/UM LDAP

313

implementations:

314

315

0 never

316

317

1 when searching

318

319

2 when locating the base object for the search

320

321

3 always

322

323

See ldap.h or the ldap_open(3) or ldapsearch(1) man

324

pages for more information. And if you're using an

325

LDAP package that has other possible values, please

326

bring it to the attention of the postfix-

327

users@postfix.org mailing list.

328

329

chase_referrals (default: 0)

330

Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP

331

version 3 support).

332

333

version (default: 2)

334

Specifies the LDAP protocol version to use.

335

336

debuglevel (default: 0)

337

What level to set for debugging in the OpenLDAP

338

libraries.

339

340

LDAP SSL AND STARTTLS PARAMETERS

341

If you're using the OpenLDAP libraries compiled with SSL

342

support, Postfix can connect to LDAP SSL servers and can

343

issue the STARTTLS command.

344

345

LDAP SSL service can be requested by using a LDAP SSL URL

346

in the server_host parameter:

347

server_host = ldaps://ldap.your.com:636

348

349

STARTTLS can be turned on with the start_tls parameter:

350

start_tls = yes

351

352

Both forms require LDAP protocol version 3, which has to

353

be set explicitly with:

354

version = 3

355

356

If any of the Postfix programs querying the map is config-

357

ured in master.cf to run chrooted, all the certificates

358

and keys involved have to be copied to the chroot jail. Of

359

course, the private keys should only be readable by the

360

user "postfix".

361

362

The following parameters are relevant to LDAP SSL and

363

STARTTLS:

364

365

start_tls (default: no)

366

Whether or not to issue STARTTLS upon connection to

367

the server. Don't set this with LDAP SSL (the SSL

368

session is setup automatically when the TCP connec-

369

tion is opened).

370

371

tls_ca_cert_dir (No default; set either this or

372

tls_ca_cert_file)

373

Directory containing X509 Certificate Authority

374

certificates in PEM format which are to be recog-

375

nized by the client in SSL/TLS connections. The

376

files each contain one CA certificate. The files

377

are looked up by the CA subject name hash value,

378

which must hence be available. If more than one CA

379

certificate with the same name hash value exist,

380

the extension must be different (e.g. 9d66eef0.0,

381

9d66eef0.1 etc). The search is performed in the

382

ordering of the extension number, regardless of

383

other properties of the certificates. Use the

384

c_rehash utility (from the OpenSSL distribution) to

385

create the necessary links.

386

387

tls_ca_cert_file (No default; set either this or

388

tls_ca_cert_dir)

389

File containing the X509 Certificate Authority cer-

390

tificates in PEM format which are to be recognized

391

by the client in SSL/TLS connections. This setting

392

takes precedence over tls_ca_cert_dir.

393

394

tls_cert (No default; you must set this)

395

File containing client's X509 certificate to be

396

used by the client in SSL/ TLS connections.

397

398

tls_key (No default; you must set this)

399

File containing the private key corresponding to

400

the above tls_cert.

401

402

tls_require_cert (default: no)

403

Whether or not to request server's X509 certificate

404

and check its validity when establishing SSL/TLS

405

connections.

406

407

tls_random_file (No default)

408

Path of a file to obtain random bits from when

409

/dev/[u]random is not available, to be used by the

410

client in SSL/TLS connections.

411

412

tls_cipher_suite (No default)

413

Cipher suite to use in SSL/TLS negotiations.

414

415

EXAMPLE

416

Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>

417

aliases. Assume that in main.cf, you have:

418

<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,

419

<a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf

420

421

and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:

422

server_host = ldap.my.com

423

search_base = dc=my, dc=com

424

425

Upon receiving mail for a local address "ldapuser" that

426

isn't found in the /etc/aliases database, Postfix will

427

search the LDAP server listening at port 389 on

428

ldap.my.com. It will bind anonymously, search for any

429

directory entries whose mailacceptinggeneralid attribute

430

is "ldapuser", read the "maildrop" attributes of those

431

found, and build a list of their maildrops, which will be

432

treated as <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a> addresses to which the message will be

433

delivered.

434

435

SEE ALSO

436

<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager

437

<a href="postconf.5.html">postconf(5)</a>, configuration parameters

438

<a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables

439

<a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables

440

441

README FILES

442

<a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview

443

<a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide

444

445

LICENSE

446

The Secure Mailer license must be distributed with this

447

software.

448

449

AUTHOR(S)

450

Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith

451

Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike

452

Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,

453

Victor Duchovni, and many others.

454

455

LDAP_TABLE(5)

456

</pre> </body> </html>

Older »