    search_base = dc=your, dc=com

With Postfix 2.2 and later this parameter supports the following '%' expansions:

<b>%%</b> This is replaced by a literal '%' character.

<b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is used to make sure that the input key does not add unexpected metacharacters.

<b>%u</b> When the input key is an address of the form user@domain, <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the address. Otherwise, <b>%u</b> is replaced by the entire search string. If the localpart is empty, the search is suppressed and returns no results.

<b>%d</b> When the input key is an address of the form user@domain, <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of the address. Otherwise, the search is suppressed and returns no results.

<b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case equivalents of the above expansions behave identically to their lower-case counter-parts. With the <b>result_format</b> parameter (previously called <b>result_filter</b>; see the COMPATIBILITY section and below), they expand to the corresponding components of the input key rather than the result value.

<b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corresponding most significant component of the input key's domain. If the input key is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key is unqualified or does not have enough domain components to satisfy all the specified patterns, the search is suppressed and returns no results.
<b>query_filter (default: mailacceptinggeneralid=%s)</b>
The <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> filter used to search the directory, where <b>%s</b> is a substitute for the address Postfix is trying to resolve, e.g.

    query_filter = (&(mail=%s)(paid_up=true))

This parameter supports the following '%' expansions:

<b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 and later).

<b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is used to make sure that the input key does not add unexpected metacharacters.

<b>%u</b> When the input key is an address of the form user@domain, <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the address. Otherwise, <b>%u</b> is replaced by the entire search string. If the localpart is empty, the search is suppressed and returns no results.

<b>%d</b> When the input key is an address of the form user@domain, <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of the address. Otherwise, the search is suppressed and returns no results.

<b>%[SUD]</b> The upper-case equivalents of the above expansions behave in the <b>query_filter</b> parameter identically to their lower-case counter-parts. With the <b>result_format</b> parameter (previously called <b>result_filter</b>; see the COMPATIBILITY section and below), they expand to the corresponding components of the input key rather than the result value.

The above %S, %U and %D expansions are available with Postfix 2.2 and later.

<b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corresponding most significant component of the input key's domain. If the input key is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key is unqualified or does not have enough domain components to satisfy all the specified patterns, the search is suppressed and returns no results.

The above %1, ..., %9 expansions are available with Postfix 2.2 and later.

The "domain" parameter described below limits the input keys to addresses in matching domains. When the "domain" parameter is non-empty, LDAP queries for unqualified addresses or addresses in non-matching domains are suppressed and return no results.

NOTE: DO NOT put quotes around the <b>query_filter</b>!
<b>result_format (default: %s)</b>
Called <b>result_filter</b> in Postfix releases prior to 2.2. Format template applied to result attributes. Most commonly used to append (or prepend) text to the result. This parameter supports the following '%' expansions:

<b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 and later).

<b>%s</b> This is replaced by the value of the result attribute. When the result is empty it is skipped.

<b>%u</b> When the result attribute value is an address of the form user@domain, <b>%u</b> is replaced by the local part of the address. When the result has an empty localpart it is skipped.

<b>%d</b> When a result attribute value is an address of the form user@domain, <b>%d</b> is replaced by the domain part of the attribute value. When the result is unqualified it is skipped.

The upper-case and decimal digit expansions interpolate the parts of the input key rather than the result. Their behavior is identical to that described with <b>query_filter</b>, and in fact because the input key is known in advance, lookups whose key does not contain all the information specified in the result template are suppressed and return no results.

The above %S, %U, %D and %1, ..., %9 expansions are available with Postfix 2.2 and later.

For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After applying the result format, multiple values are concatenated as comma separated strings. The expansion_limit and size_limit parameters explained below allow one to restrict the number of values in the result, which is especially useful for maps that should return a

The default value <b>%s</b> specifies that each attribute value should be used as is.

This parameter was called <b>result_filter</b> in Postfix releases prior to 2.2. If no "result_format" is specified, the value of "result_filter" will be used instead before resorting to the default value. This provides compatibility with old configuration

NOTE: DO NOT put quotes around the result format!
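The expansion and quoting rules for query_filter and result_format above, as an added example that is not part of ldap_table(5) or of Postfix: a Python model that applies a template to an input key or result value, escapes filter metacharacters as RFC 2254 requires, and returns None where the page says the search is suppressed or the value is skipped. The Suppressed and Skipped classes, the function names, and the `domains` and `expansion_limit` arguments (which model the "domain" and expansion_limit parameters) are this example's own; how %u treats an unqualified result value is an assumption marked in the code.

```python
import re

# Added example (not Postfix's own code): a model of the '%' expansions that
# ldap_table(5) documents for query_filter and result_format. The RFC 2254
# escaping is what keeps an input key such as "*)(uid=*" from changing the
# meaning of the filter; the suppression and skip rules follow the text above.

class Suppressed(Exception):
    """The whole lookup is suppressed: it returns no results."""

class Skipped(Exception):
    """One result value is skipped because a part it needs is missing."""

def rfc2254_escape(value):
    """Escape the filter metacharacters listed in RFC 2254 section 4."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def split_address(s):
    """Return (localpart, domain); domain is None when s contains no '@'."""
    local, sep, domain = s.rpartition("@")
    return (local, domain) if sep else (s, None)

def key_component(spec, key):
    """Part of the input key selected by %s/%u/%d/%1..%9 (either case)."""
    local, domain = split_address(key)
    if spec in "sS":
        return key
    if spec in "uU":
        if domain is None:
            return key            # not an address: the entire search string
        if not local:
            raise Suppressed()    # empty localpart
        return local
    if spec in "dD":
        if domain is None:
            raise Suppressed()    # unqualified key
        return domain
    if spec in "123456789":
        labels = domain.split(".") if domain else []
        if int(spec) > len(labels):
            raise Suppressed()    # not enough domain components
        return labels[-int(spec)]  # %1 is the most significant (rightmost) label
    raise ValueError("unknown expansion %" + spec)

def expand_query_filter(template, key, domains=None):
    """Expand query_filter for one key; None means the search is suppressed.
    `domains` models the "domain" parameter: when given, only fully qualified
    keys with a non-empty localpart in a listed domain are looked up at all."""
    local, domain = split_address(key)
    if domains is not None and not (local and domain and domain.lower() in domains):
        return None
    try:
        return re.sub(r"%(.)", lambda m: "%" if m.group(1) == "%"
                      else rfc2254_escape(key_component(m.group(1), key)), template)
    except Suppressed:
        return None

def expand_result_format(template, value, key):
    """Expand result_format for one result value; None means the value is skipped.
    Lower-case %s/%u/%d take parts of the result value; upper-case and digit
    expansions take parts of the input key and raise Suppressed when absent."""
    local, domain = split_address(value)

    def repl(m):
        spec = m.group(1)
        if spec == "%":
            return "%"
        if spec == "s" and value:
            return value
        if spec == "u" and local:
            return local          # assumption: an unqualified value yields itself
        if spec == "d" and domain is not None:
            return domain
        if spec in "sud":
            raise Skipped()       # empty result, empty localpart or unqualified
        return key_component(spec, key)

    try:
        return re.sub(r"%(.)", repl, template)
    except Skipped:
        return None

def lookup(key, values, query_filter="(mail=%s)", result_format="%s",
           expansion_limit=0, domains=None):
    """One table lookup: (filter, comma-joined result); filter None means no
    query is sent. Exceeding expansion_limit is the page's temporary error."""
    flt = expand_query_filter(query_filter, key, domains)
    if flt is None:
        return None, None
    try:
        out = [r for r in (expand_result_format(result_format, v, key) for v in values)
               if r is not None]
    except Suppressed:
        return None, None         # key lacks a part the result template needs
    if expansion_limit and len(out) > expansion_limit:
        raise RuntimeError("expansion_limit exceeded")
    return flt, ",".join(out)
```

Running `expand_query_filter("(mail=%s)", "*)(uid=*")` shows why the quoting matters: the parentheses and wildcards in the key come out as `\28`, `\29` and `\2a`, so the filter still matches only a mail attribute with that literal value rather than being rewritten into a broader search.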
<b>domain (default: no domain list)</b>
This is a list of domain names, paths to files, or dictionaries. When specified, only fully qualified search keys with a *non-empty* localpart and a matching domain are eligible for lookup: 'user' lookups, bare domain lookups and "@domain" lookups are not performed. This can significantly reduce the query load on the LDAP server.

    domain = postfix.org, hash:/etc/postfix/searchdomains

It is best not to use LDAP to store the domains eligible for LDAP lookups.

NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a>

This feature is available in Postfix 1.0 and later.
<b>result_attribute (default: maildrop)</b>
The attribute(s) Postfix will read from any directory entries returned by the lookup, to be resolved to an email address.

    result_attribute = mailbox, maildrop

Don't rely on the default value ("maildrop"). Set the result_attribute explicitly in all ldap table configuration files. This is particularly relevant when no result_attribute is applicable, e.g. cases in which leaf_result_attribute and/or terminal_result_attribute are used instead. The default value is harmless if "maildrop" is also listed as a leaf or terminal result attribute, but it is best to not leave this to chance.
<b>special_result_attribute (default: empty)</b>
The attribute(s) of directory entries that can contain DNs or <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive subsequent search is done using their values.

    special_result_attribute = memberdn

DN recursion retrieves the same result_attributes as the main query, including the special attributes for further recursion.

URL processing retrieves only those attributes that are included in both the URL definition and as result attributes (ordinary, special, leaf or terminal) in the Postfix table definition. If the URL lists any of the table's special result attributes, these are retrieved and used recursively. A URL that does not specify any attribute selection is equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a URL that selects all attributes, in which case the selected attributes will be the full set of result attributes in the Postfix table.

If an LDAP URL attribute-descriptor or the corresponding Postfix LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> sub-type options ("attr;option"), the attribute requested from the LDAP server will include the sub-type option. In all other cases, the URL attribute and the table attribute must match exactly. Attributes with options in both the URL and the Postfix table are requested only when the options are identical. LDAP attribute-descriptor options are very rarely used; most LDAP users will not need to concern themselves with this level of nuanced detail.
<b>terminal_result_attribute (default: empty)</b>
When one or more terminal result attributes are found in an LDAP entry, all other result attributes are ignored and only the terminal result attributes are returned. This is useful for delegating expansion of group members to a particular host, by using an optional "maildrop" attribute on selected groups to route the group to a specific host, where the group is expanded, possibly via a mailing-list manager or other special processing.

    terminal_result_attribute = maildrop

When using terminal and/or leaf result attributes, the result_attribute is best set to an empty value when it is not used, or else explicitly set to the desired value, even if it is the default value.

This feature is available with Postfix 2.4 or later.

<b>leaf_result_attribute (default: empty)</b>
When one or more special result attributes are found in a non-terminal (see above) LDAP entry, leaf result attributes are excluded from the expansion of that entry. This is useful when expanding groups and the desired mail address attribute(s) of the member objects obtained via DN or URI recursion are also present in the group object. To only return the attribute values from the leaf objects and not the containing group, add the attribute to the leaf_result_attribute list, and not the result_attribute list, which is always expanded. Note, the default value of "result_attribute" is not empty; you may want to set it explicitly empty when using "leaf_result_attribute" to expand the group to a list of member DN addresses. If groups have both member DN references AND attributes that hold multiple string valued rfc822 addresses, then the string attributes go in "result_attribute". The attributes that represent the email addresses of objects referenced via a DN (or LDAP URI) go in "leaf_result_attribute".

    result_attribute = memberaddr
    terminal_result_attribute = maildrop
    leaf_result_attribute = mail

When using terminal and/or leaf result attributes, the result_attribute is best set to an empty value when it is not used, or else explicitly set to the desired value, even if it is the default value.

This feature is available with Postfix 2.4 or later.
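How result_attribute, special_result_attribute, terminal_result_attribute and leaf_result_attribute interact when DN references are followed, as an added example (not Postfix code): an in-memory directory and a recursive expansion routine that applies the rules stated in the sections above, including the recursion_limit parameter described further down. The DNs, addresses and the TABLE dictionary are constructed for this example; the page's configuration excerpt does not show a special_result_attribute line, so memberdn is assumed here, and URL references are not modelled.

```python
# Added example (not Postfix's own code): a model of how ldap_table(5) combines
# result_attribute, special_result_attribute, terminal_result_attribute and
# leaf_result_attribute when following DN references, with recursion_limit.
# The directory below is constructed for the example; URL references are not modelled.

DIRECTORY = {  # DN -> attributes (multi-valued)
    "cn=staff,ou=groups,dc=example,dc=com": {
        "mail": ["staff@example.com"],             # leaf attribute on a group: excluded
        "memberaddr": ["contractor@example.org"],  # plain result_attribute: always returned
        "memberdn": ["uid=alice,ou=people,dc=example,dc=com",
                     "uid=bob,ou=people,dc=example,dc=com",
                     "cn=ops,ou=groups,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {"mail": ["alice@example.com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"mail": ["bob@example.com"]},
    "cn=ops,ou=groups,dc=example,dc=com": {    # delegated group: terminal attribute wins
        "maildrop": ["ops@lists.example.com"],
        "mail": ["ops@example.com"],
        "memberdn": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=loop,ou=groups,dc=example,dc=com": {   # refers to itself
        "memberdn": ["cn=loop,ou=groups,dc=example,dc=com"],
    },
}

# The page's example configuration; special_result_attribute = memberdn is an
# assumption, since that line is not shown in the excerpt above.
TABLE = {
    "result_attribute": ["memberaddr"],
    "special_result_attribute": ["memberdn"],
    "terminal_result_attribute": ["maildrop"],
    "leaf_result_attribute": ["mail"],
    "recursion_limit": 1000,
}

class TempFail(Exception):
    """Temporary lookup error (what Postfix returns when recursion_limit is hit)."""

def values(entry, names):
    """All values of the named attributes, in configuration order."""
    return [v for name in names for v in entry.get(name, [])]

def expand_entry(dn, table, directory=DIRECTORY, depth=0):
    """Result values for one entry, following DN references recursively."""
    if depth > table["recursion_limit"]:
        raise TempFail("recursion_limit exceeded at " + dn)
    entry = directory.get(dn)
    if entry is None:
        return []                                  # dangling DN: nothing found
    terminal = values(entry, table["terminal_result_attribute"])
    if terminal:
        return terminal                            # all other result attributes ignored
    results = values(entry, table["result_attribute"])
    refs = values(entry, table["special_result_attribute"])
    if refs:
        for ref in refs:                           # non-terminal entry with references:
            results += expand_entry(ref, table, directory, depth + 1)  # leaf attrs excluded
    else:
        results += values(entry, table["leaf_result_attribute"])      # leaf object
    return results

def expand(dn, table=TABLE, directory=DIRECTORY):
    """Lookup result as ldap_table(5) returns it: comma-separated values."""
    return ",".join(expand_entry(dn, table, directory))
```

Expanding the staff group returns the contractor address from result_attribute, the members' mail addresses from the leaf objects, and the ops group's maildrop instead of its members, while the group's own mail attribute is left out. Moving mail from leaf_result_attribute to result_attribute makes staff@example.com appear as well, which is the difference the text above describes.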
<b>scope (default: sub)</b>
The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.

<b>bind (default: yes)</b>
Whether or how to bind to the LDAP server. Newer LDAP implementations don't require clients to bind, which saves time. Example:

    bind = no

Postfix versions prior to 2.8 only support "bind = no" which means don't bind, and "bind = yes" which means do a SIMPLE bind. Postfix 2.8 and later also supports "bind = SASL" when compiled with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a>; it also adds the synonyms "bind = none" and "bind = simple" for "bind = no" and "bind = yes" respectively. See the SASL section below for additional parameters available with "bind = sasl".

If you do need to bind, you might consider configuring Postfix to connect to the local machine on a port that's an SSL tunnel to your LDAP server. If your LDAP server doesn't natively support SSL, put a tunnel (wrapper, proxy, whatever you want to call it) on that system too. This should prevent the password from traversing the network in the clear.
<b>bind_dn (default: empty)</b>
If you do have to bind, do it with this distinguished name. Example:

    bind_dn = uid=postfix, dc=your, dc=com

With "bind = sasl" (see above) the DN may be optional for some SASL mechanisms; don't specify a DN if not needed.

<b>bind_pw (default: empty)</b>
The password for the distinguished name above. If you have to use this, you probably want to make the map configuration file readable only by the Postfix user. When using the obsolete <a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is not possible to securely store the bind password. This is because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow local accounts to submit mail via the sendmail command.

    bind_pw = postfixpw

With "bind = sasl" (see above) the password may be optional for some SASL mechanisms; don't specify a password if not needed.
<b>cache (IGNORED with a warning)</b>

<b>cache_expiry (IGNORED with a warning)</b>

<b>cache_size (IGNORED with a warning)</b>
The above parameters are NO LONGER SUPPORTED by Postfix. Cache support has been dropped from OpenLDAP as of release 2.1.13.
<b>recursion_limit (default: 1000)</b>
A limit on the nesting depth of DN and URL special result attribute evaluation. The limit must be a non-zero positive number.

<b>expansion_limit (default: 0)</b>
A limit on the total number of result elements returned (as a comma separated list) by a lookup against the map. A setting of zero disables the limit. Lookups fail with a temporary error if the limit is exceeded. Setting the limit to 1 ensures that lookups do not return multiple values.

<b>size_limit (default: $expansion_limit)</b>
A limit on the number of LDAP entries returned by any single LDAP search performed as part of the lookup. A setting of 0 disables the limit. Expansion of DN and URL references involves nested LDAP queries, each of which is separately subjected to this limit.

Note: even a single LDAP entry can generate multiple lookup results, via multiple result attributes and/or multi-valued result attributes. This limit caps the per search resource utilization on the LDAP server, not the final multiplicity of the lookup result. It is analogous to the "-z" option of ldapsearch(1).
<b>dereference (default: 0)</b>
When to dereference LDAP aliases. (Note that this has nothing to do with Postfix aliases.) The permitted values are those legal for the OpenLDAP/UM LDAP

See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for more information. And if you're using an LDAP package that has other possible values, please bring it to the attention of the postfix-users@postfix.org mailing list.

<b>chase_referrals (default: 0)</b>
Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3 support).

<b>version (default: 2)</b>
Specifies the LDAP protocol version to use.

<b>debuglevel (default: 0)</b>
What level to set for debugging in the OpenLDAP libraries.
<b>LDAP SASL PARAMETERS</b>
If you're using the OpenLDAP libraries compiled with SASL support, Postfix 2.8 and later built with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP

This enables authentication to the LDAP server via mechanisms other than a simple password. The added flexibility has a cost: it is no longer practical to set an explicit timeout on the duration of an LDAP bind operation. Under adverse conditions, whether a SASL bind times out, or if it does, the duration of the timeout is determined by the LDAP and SASL libraries.

It is best to use tables that use SASL binds via <a href="proxymap.8.html">proxymap(8)</a>; this way the requesting process can time-out the proxymap request. This also lets you tailor the process environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> import_environment setting in <a href="master.5.html">master.cf</a>(5). Special environment settings may be needed to configure GSSAPI credential caches or other SASL mechanism specific options. The GSSAPI credentials used for LDAP lookups may need to be different than, say, those used for the Postfix SMTP client to authenticate

Using SASL mechanisms requires LDAP protocol version 3; the default protocol version is 2 for backwards compatibility. You must set "version = 3" in addition to "bind = sasl".

The following parameters are relevant to using LDAP with SASL:

<b>sasl_mechs (default: empty)</b>
Space separated list of SASL mechanism(s) to try.

<b>sasl_realm (default: empty)</b>
SASL Realm to use, if applicable.

<b>sasl_authz_id (default: empty)</b>
The SASL authorization identity to assert, if applicable.

<b>sasl_minssf (default: 0)</b>
The minimum SASL security factor required to establish a connection.
<b>LDAP SSL AND STARTTLS PARAMETERS</b>
If you're using the OpenLDAP libraries compiled with SSL support, Postfix can connect to LDAP SSL servers and can issue the STARTTLS command.

LDAP SSL service can be requested by using an LDAP SSL URL in the server_host parameter:

    server_host = ldaps://ldap.example.com:636

Both forms require LDAP protocol version 3, which has to be set explicitly with:

    version = 3

If any of the Postfix programs querying the map is configured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates and keys involved have to be copied to the chroot jail. Of course, the private keys should only be readable by the Postfix user.

The following parameters are relevant to LDAP SSL and STARTTLS:

<b>start_tls (default: no)</b>
Whether or not to issue STARTTLS upon connection to the server. Don't set this with LDAP SSL (the SSL session is set up automatically when the TCP connection is opened).

<b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b>
Directory containing X509 Certificate Authority certificates in PEM format which are to be recognized by the client in SSL/TLS connections. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility (from the OpenSSL distribution) to create the necessary links.

<b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b>
File containing the X509 Certificate Authority certificates in PEM format which are to be recognized by the client in SSL/TLS connections. This setting takes precedence over tls_ca_cert_dir.

<b>tls_cert (No default; you must set this)</b>
File containing the client's X509 certificate to be used by the client in SSL/TLS connections.

<b>tls_key (No default; you must set this)</b>
File containing the private key corresponding to the above tls_cert.

<b>tls_require_cert (default: no)</b>
Whether or not to request the server's X509 certificate and check its validity when establishing SSL/TLS connections. The supported values are <b>no</b> and <b>yes</b>.

With <b>no</b>, the server certificate trust chain is not checked, but with OpenLDAP prior to 2.1.13, the name in the server certificate must still match the LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the server name is not necessarily what you specified; rather it is determined (by reverse lookup) from the IP address of the LDAP server connection. With OpenLDAP prior to 2.0.13, subjectAlternativeName extensions in the LDAP server certificate are ignored: the server name must match the subject CommonName. The <b>no</b> setting corresponds to the <b>never</b> value of <b>TLS_REQCERT</b> in LDAP client configuration.

Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11) if you can avoid it.

With <b>yes</b>, the server certificate must be issued by a trusted CA, and not be expired. The LDAP server name must match one of the name(s) found in the certificate (see above for OpenLDAP library version dependent behavior). The <b>yes</b> setting corresponds to the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client configuration.
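An added example, not from Postfix or ldap_table(5), that checks an ldap table file against the bind, version, start_tls and tls_* points made in this section and in the bind and bind_pw sections above: a simple bind with a password over plain ldap:// (the cleartext case the tunnel advice addresses), SSL/STARTTLS or SASL without "version = 3", start_tls together with an ldaps:// URL, tls_require_cert left at its default of no, a trust anchor missing when it is set to yes, a result_attribute left to its default, and the ignored cache parameters. The two configurations are constructed samples, and the finding codes and the parse_table/audit/finding_codes function names are this example's own.

```python
# Added example (not Postfix's own code): audit an ldap_table(5) file against
# the bind, version, start_tls and tls_* guidance on this page. Finding texts
# are this example's own; parameter names and values are those documented above.

WEAK = """# constructed sample: plaintext simple bind, no certificate checks
server_host = ldap://ldap.example.com
search_base = dc=example,dc=com
bind = yes
bind_dn = uid=postfix,dc=example,dc=com
bind_pw = postfixpw
query_filter = (mail=%s)
"""

HARDENED = """# constructed sample: LDAPS with a verified server certificate
server_host = ldaps://ldap.example.com:636
search_base = dc=example,dc=com
version = 3
bind = yes
bind_dn = uid=postfix,dc=example,dc=com
bind_pw = postfixpw
tls_require_cert = yes
tls_ca_cert_file = /etc/postfix/ldap-ca.pem
query_filter = (mail=%s)
result_attribute = mail
"""

def parse_table(text):
    """Parse 'name = value' lines of a Postfix table file; comments and blank lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")      # the value itself may contain '='
        cfg[name.strip().lower()] = value.strip()
    return cfg

def audit(cfg):
    """Return (code, message) findings for a parsed table; an empty list means nothing to flag."""
    findings = []
    hosts = cfg.get("server_host", "").lower()
    ldaps = "ldaps://" in hosts
    starttls = cfg.get("start_tls", "no").lower() == "yes"
    encrypted = ldaps or starttls
    version = cfg.get("version", "2")             # page: default protocol version is 2
    bind = cfg.get("bind", "yes").lower()          # page: default is yes (simple bind)
    require_cert = cfg.get("tls_require_cert", "no").lower()
    if bind in ("yes", "simple") and cfg.get("bind_pw") and not encrypted:
        findings.append(("CLEARTEXT_BIND",
                         "simple bind with bind_pw over plain ldap://: the password traverses the network in the clear"))
    if (encrypted or bind == "sasl") and version != "3":
        findings.append(("VERSION", "SSL/STARTTLS and SASL binds require 'version = 3' (the default is 2)"))
    if ldaps and starttls:
        findings.append(("STARTTLS_WITH_LDAPS", "start_tls must not be set together with an ldaps:// URL"))
    if encrypted and require_cert != "yes":
        findings.append(("NO_CERT_CHECK", "tls_require_cert = no: the server certificate trust chain is not checked"))
    if require_cert == "yes" and not (cfg.get("tls_ca_cert_file") or cfg.get("tls_ca_cert_dir")):
        findings.append(("NO_TRUST_ANCHOR", "tls_require_cert = yes but neither tls_ca_cert_file nor tls_ca_cert_dir is set"))
    if "result_attribute" not in cfg:
        findings.append(("DEFAULT_RESULT_ATTRIBUTE", "result_attribute is not set explicitly; the default 'maildrop' applies"))
    for name in ("cache", "cache_expiry", "cache_size"):
        if name in cfg:
            findings.append(("IGNORED_PARAMETER", name + " is ignored with a warning"))
    return findings

def finding_codes(text):
    """Just the codes, for a quick pass/fail view of one table file's text."""
    return [code for code, _ in audit(parse_table(text))]

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, finding_codes(text) or "no findings")
```

The hardened sample produces no findings; the weak one is flagged for the cleartext bind and for relying on the default result_attribute. The check for a client certificate (tls_cert and tls_key) is deliberately left out, since whether the server requires one is a property of the LDAP server rather than of the table file.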