~ubuntu-branches/ubuntu/vivid/postfix/vivid-proposed

$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>,

etc., it is important to understand that the table must

store each list member as a separate key. The table lookup

verifies the *existence* of the key. See "Postfix lists

versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a dis-

verifies the *existence* of the key. See "Postfix lists

versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a dis-

cussion.

Do NOT create tables that return the full list of domains

in $<a href="postconf.5.html#mydestination">mydestination</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses

Do NOT create tables that return the full list of domains

in $<a href="postconf.5.html#mydestination">mydestination</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses

in $<a href="postconf.5.html#mynetworks">mynetworks</a>.

DO create tables with each matching item as a key and with

an arbitrary value. With LDAP databases it is not uncommon

to return the key itself.

For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestina</a>-

<a href="postconf.5.html#mydestination">tion</a>:

query_filter = domain=*

result_attribute = domain

100

GENERAL LDAP PARAMETERS

101

In the text below, default values are given in parenthe-

102

ses. Note: don't use quotes in these variables; at least,

103

not until the Postfix configuration routines understand

104

how to deal with quoted strings.

105

106

server_host (default: localhost)

107

The name of the host running the LDAP server, e.g.

100

The name of the host running the LDAP server, e.g.

108

101

109

102

server_host = ldap.example.com

110

103

111

Depending on the LDAP client library you're using,

112

it should be possible to specify multiple servers

113

here, with the library trying them in order should

114

the first one fail. It should also be possible to

115

give each server in the list a different port

104

Depending on the LDAP client library you're using,

105

it should be possible to specify multiple servers

106

here, with the library trying them in order should

107

the first one fail. It should also be possible to

108

give each server in the list a different port

116

109

(overriding server_port below), by naming them like

117

110

118

111

server_host = ldap.example.com:1444

123

116

server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444

124

117

<a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444

125

118

126

All LDAP URLs accepted by the OpenLDAP library are

127

supported, including connections over UNIX domain

128

sockets, and LDAP SSL (the last one provided that

119

All LDAP URLs accepted by the OpenLDAP library are

120

supported, including connections over UNIX domain

121

sockets, and LDAP SSL (the last one provided that

129

122

OpenLDAP was compiled with support for SSL):

130

123

131

124

server_host = ldapi://%2Fsome%2Fpath

148

141

149

142

search_base = dc=your, dc=com

150

143

151

With Postfix 2.2 and later this parameter supports

144

With Postfix 2.2 and later this parameter supports

152

145

the following '%' expansions:

153

146

154

147

%% This is replaced by a literal '%' character.

155

148

156

149

%s This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>

157

quoting is used to make sure that the input

158

key does not add unexpected metacharacters.

150

quoting is used to make sure that the input

151

key does not add unexpected metacharacters.

159

152

160

153

%u When the input key is an address of the form

161

user@domain, %u is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>

162

<a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted local part of the address.

163

Otherwise, %u is replaced by the entire

164

search string. If the localpart is empty,

165

the search is suppressed and returns no

154

user@domain, %u is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>

155

<a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted local part of the address.

156

Otherwise, %u is replaced by the entire

157

search string. If the localpart is empty,

158

the search is suppressed and returns no

166

159

results.

167

160

168

161

%d When the input key is an address of the form

169

user@domain, %d is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>

170

<a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted domain part of the address.

162

user@domain, %d is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>

163

<a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted domain part of the address.

171

164

Otherwise, the search is suppressed and

172

165

returns no results.

173

166

174

%[SUD] For the search_base parameter, the upper-

175

case equivalents of the above expansions

176

behave identically to their lower-case

167

%[SUD] For the search_base parameter, the upper-

168

case equivalents of the above expansions

169

behave identically to their lower-case

177

170

counter-parts. With the result_format param-

178

eter (previously called result_filter see

179

the COMPATIBILITY section and below), they

180

expand to the corresponding components of

171

eter (previously called result_filter see

172

the COMPATIBILITY section and below), they

173

expand to the corresponding components of

181

174

input key rather than the result value.

182

175

183

%[1-9] The patterns %1, %2, ... %9 are replaced by

176

%[1-9] The patterns %1, %2, ... %9 are replaced by

184

177

the corresponding most significant component

185

of the input key's domain. If the input key

178

of the input key's domain. If the input key

186

179

is user@mail.example.com, then %1 is com, %2

187

is example and %3 is mail. If the input key

180

is example and %3 is mail. If the input key

188

181

is unqualified or does not have enough

189

domain components to satisfy all the speci-

190

fied patterns, the search is suppressed and

182

domain components to satisfy all the speci-

183

fied patterns, the search is suppressed and

191

184

returns no results.

192

185

193

186

query_filter (default: mailacceptinggeneralid=%s)

194

The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory,

187

The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory,

195

188

where %s is a substitute for the address Postfix is

196

189

trying to resolve, e.g.

197

190

198

191

query_filter = (&(mail=%s)(paid_up=true))

199

192

200

This parameter supports the following '%' expan-

193

This parameter supports the following '%' expan-

201

194

sions:

202

195

203

196

%% This is replaced by a literal '%' character.

204

197

(Postfix 2.2 and later).

205

198

206

199

%s This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>

207

quoting is used to make sure that the input

208

key does not add unexpected metacharacters.

200

quoting is used to make sure that the input

201

key does not add unexpected metacharacters.

209

202

210

203

%u When the input key is an address of the form

211

user@domain, %u is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>

212

<a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted local part of the address.

213

Otherwise, %u is replaced by the entire

214

search string. If the localpart is empty,

215

the search is suppressed and returns no

204

user@domain, %u is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>

205

<a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted local part of the address.

206

Otherwise, %u is replaced by the entire

207

search string. If the localpart is empty,

208

the search is suppressed and returns no

216

209

results.

217

210

218

211

%d When the input key is an address of the form

219

user@domain, %d is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>

220

<a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted domain part of the address.

212

user@domain, %d is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>

213

<a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted domain part of the address.

221

214

Otherwise, the search is suppressed and

222

215

returns no results.

223

216

225

218

expansions behave in the query_filter param-

226

219

eter identically to their lower-case

227

220

counter-parts. With the result_format param-

228

eter (previously called result_filter see

229

the COMPATIBILITY section and below), they

230

expand to the corresponding components of

221

eter (previously called result_filter see

222

the COMPATIBILITY section and below), they

223

expand to the corresponding components of

231

224

input key rather than the result value.

232

225

233

The above %S, %U and %D expansions are

226

The above %S, %U and %D expansions are

234

227

available with Postfix 2.2 and later.

235

228

236

%[1-9] The patterns %1, %2, ... %9 are replaced by

229

%[1-9] The patterns %1, %2, ... %9 are replaced by

237

230

the corresponding most significant component

238

of the input key's domain. If the input key

231

of the input key's domain. If the input key

239

232

is user@mail.example.com, then %1 is com, %2

240

is example and %3 is mail. If the input key

233

is example and %3 is mail. If the input key

241

234

is unqualified or does not have enough

242

domain components to satisfy all the speci-

243

fied patterns, the search is suppressed and

235

domain components to satisfy all the speci-

236

fied patterns, the search is suppressed and

244

237

returns no results.

245

238

246

The above %1, ..., %9 expansions are avail-

239

The above %1, ..., %9 expansions are avail-

247

240

able with Postfix 2.2 and later.

248

241

249

The "domain" parameter described below limits the

250

input keys to addresses in matching domains. When

251

the "domain" parameter is non-empty, LDAP queries

252

for unqualified addresses or addresses in non-

242

The "domain" parameter described below limits the

243

input keys to addresses in matching domains. When

244

the "domain" parameter is non-empty, LDAP queries

245

for unqualified addresses or addresses in non-

253

246

matching domains are suppressed and return no

254

247

results.

255

248

256

NOTE: DO NOT put quotes around the query_filter

249

NOTE: DO NOT put quotes around the query_filter

257

250

parameter.

258

251

259

252

result_format (default: %s)

260

Called result_filter in Postfix releases prior to

253

Called result_filter in Postfix releases prior to

261

254

2.2. Format template applied to result attributes.

262

Most commonly used to append (or prepend) text to

263

the result. This parameter supports the following

255

Most commonly used to append (or prepend) text to

256

the result. This parameter supports the following

264

257

'%' expansions:

265

258

266

259

%% This is replaced by a literal '%' character.

267

260

(Postfix 2.2 and later).

268

261

269

%s This is replaced by the value of the result

270

attribute. When result is empty it is

262

%s This is replaced by the value of the result

263

attribute. When result is empty it is

271

264

skipped.

272

265

273

%u When the result attribute value is an

266

%u When the result attribute value is an

274

267

address of the form user@domain, %u is

275

replaced by the local part of the address.

268

replaced by the local part of the address.

276

269

When the result has an empty localpart it is

277

270

skipped.

278

271

279

%d When a result attribute value is an address

280

of the form user@domain, %d is replaced by

272

%d When a result attribute value is an address

273

of the form user@domain, %d is replaced by

281

274

the domain part of the attribute value. When

282

275

the result is unqualified it is skipped.

283

276

284

277

%[SUD1-9]

285

The upper-case and decimal digit expansions

278

The upper-case and decimal digit expansions

286

279

interpolate the parts of the input key

287

rather than the result. Their behavior is

288

identical to that described with query_fil-

289

ter, and in fact because the input key is

280

rather than the result. Their behavior is

281

identical to that described with query_fil-

282

ter, and in fact because the input key is

290

283

known in advance, lookups whose key does not

291

284

contain all the information specified in the

292

285

result template are suppressed and return no

293

286

results.

294

287

295

The above %S, %U, %D and %1, ..., %9 expan-

296

sions are available with Postfix 2.2 and

288

The above %S, %U, %D and %1, ..., %9 expan-

289

sions are available with Postfix 2.2 and

297

290

later.

298

291

299

292

For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]"

300

293

allows one to use a mailHost attribute as the basis

301

of a <a href="transport.5.html">transport(5)</a> table. After applying the result

302

format, multiple values are concatenated as comma

303

separated strings. The expansion_limit and

304

size_limit parameters explained below allow one to

305

restrict the number of values in the result, which

306

is especially useful for maps that should return a

294

of a <a href="transport.5.html">transport(5)</a> table. After applying the result

295

format, multiple values are concatenated as comma

296

separated strings. The expansion_limit and

297

size_limit parameters explained below allow one to

298

restrict the number of values in the result, which

299

is especially useful for maps that should return a

307

300

single value.

308

301

309

The default value %s specifies that each attribute

302

The default value %s specifies that each attribute

310

303

value should be used as is.

311

304

312

This parameter was called result_filter in Postfix

313

releases prior to 2.2. If no "result_format" is

314

specified, the value of "result_filter" will be

305

This parameter was called result_filter in Postfix

306

releases prior to 2.2. If no "result_format" is

307

specified, the value of "result_filter" will be

315

308

used instead before resorting to the default value.

316

This provides compatibility with old configuration

309

This provides compatibility with old configuration

317

310

files.

318

311

319

312

NOTE: DO NOT put quotes around the result format!

320

313

321

314

domain (default: no domain list)

322

This is a list of domain names, paths to files, or

323

dictionaries. When specified, only fully qualified

324

search keys with a *non-empty* localpart and a

325

matching domain are eligible for lookup: 'user'

326

lookups, bare domain lookups and "@domain" lookups

327

are not performed. This can significantly reduce

315

This is a list of domain names, paths to files, or

316

dictionaries. When specified, only fully qualified

317

search keys with a *non-empty* localpart and a

318

matching domain are eligible for lookup: 'user'

319

lookups, bare domain lookups and "@domain" lookups

320

are not performed. This can significantly reduce

328

321

the query load on the LDAP server.

329

322

330

323

domain = postfix.org, hash:/etc/postfix/searchdomains

331

324

332

It is best not to use LDAP to store the domains

325

It is best not to use LDAP to store the domains

333

326

eligible for LDAP lookups.

334

327

335

NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a>

328

NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a>

336

329

aliases.

337

330

338

331

This feature is available in Postfix 1.0 and later.

339

332

340

333

result_attribute (default: maildrop)

341

The attribute(s) Postfix will read from any direc-

334

The attribute(s) Postfix will read from any direc-

342

335

tory entries returned by the lookup, to be resolved

343

336

to an email address.

344

337

345

338

result_attribute = mailbox, maildrop

346

339

340

Don't rely on the default value ("maildrop"). Set

341

the result_attribute explicitly in all ldap table

342

configuration files. This is particularly relevant

343

when no result_attribute is applicable, e.g. cases

344

in which leaf_result_attribute and/or termi-

345

nal_result_attribute are used instead. The default

346

value is harmless if "maildrop" is also listed as a

347

leaf or terminal result attribute, but it is best

348

to not leave this to chance.

349

347

350

special_result_attribute (default: empty)

348

351

The attribute(s) of directory entries that can con-

349

tain DNs or URLs. If found, a recursive subsequent

350

search is done using their values.

352

tain DNs or <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recur-

353

sive search is performed to retrieve the entry ref-

354

erenced by the DN, or the entries matched by the

355

URL query.

351

356

352

357

special_result_attribute = memberdn

353

358

354

DN recursion retrieves the same result_attributes

359

DN recursion retrieves the same result_attributes

355

360

as the main query, including the special attributes

356

for further recursion. URI processing retrieves

357

only those attributes that are included in the URI

358

definition and are *also* listed in

359

"result_attribute". If the URI lists any of the

360

map's special result attributes, these are also

361

retrieved and used recursively.

361

for further recursion.

362

363

URL processing retrieves only those attributes that

364

are included in both the URL definition and as

365

result attributes (ordinary, special, leaf or ter-

366

minal) in the Postfix table definition. If the URL

367

lists any of the table's special result attributes,

368

these are retrieved and used recursively. A URL

369

that does not specify any attribute selection, is

370

equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a URL that selects all

371

attributes, in which case the selected attributes

372

will be the full set of result attributes in the

373

Postfix table.

374

375

If an LDAP URL attribute-descriptor or the corre-

376

sponding Postfix LDAP table result attribute (but

377

not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> sub-type options

378

("attr;option"), the attribute requested from the

379

LDAP server will include the sub-type option. In

380

all other cases, the URL attribute and the table

381

attribute must match exactly. Attributes with

382

options in both the URL and the Postfix table are

383

requested only when the options are identical. LDAP

384

attribute-descriptor options are very rarely used,

385

most LDAP users will not need to concern themselves

386

with this level of nuanced detail.

362

387

363

388

terminal_result_attribute (default: empty)

364

When one or more terminal result attributes are

389

When one or more terminal result attributes are

365

390

found in an LDAP entry, all other result attributes

366

391

are ignored and only the terminal result attributes

367

are returned. This is useful for delegating expan-

368

sion of group members to a particular host, by

369

using an optional "maildrop" attribute on selected

392

are returned. This is useful for delegating expan-

393

sion of group members to a particular host, by

394

using an optional "maildrop" attribute on selected

370

395

groups to route the group to a specific host, where

371

the group is expanded, possibly via mailing-list

396

the group is expanded, possibly via mailing-list

372

397

manager or other special processing.

373

398

399

result_attribute =

374

400

terminal_result_attribute = maildrop

375

401

376

This feature is available with Postfix 2.4 or

402

When using terminal and/or leaf result attributes,

403

the result_attribute is best set to an empty value

404

when it is not used, or else explicitly set to the

405

desired value, even if it is the default value

406

"maildrop".

407

408

This feature is available with Postfix 2.4 or

377

409

later.

378

410

379

411

leaf_result_attribute (default: empty)

380

When one or more special result attributes are

381

found in a non-terminal (see above) LDAP entry,

412

When one or more special result attributes are

413

found in a non-terminal (see above) LDAP entry,

382

414

leaf result attributes are excluded from the expan-

383

sion of that entry. This is useful when expanding

415

sion of that entry. This is useful when expanding

384

416

groups and the desired mail address attribute(s) of

385

417

the member objects obtained via DN or URI recursion

386

are also present in the group object. To only

387

return the attribute values from the leaf objects

388

and not the containing group, add the attribute to

389

the leaf_result_attribute list, and not the

390

result_attribute list, which is always expanded.

391

Note, the default value of "result_attribute" is

392

not empty, you may want to set it explicitly empty

393

when using "leaf_result_attribute" to expand the

394

group to a list of member DN addresses. If groups

395

have both member DN references AND attributes that

396

hold multiple string valued rfc822 addresses, then

397

the string attributes go in "result_attribute".

398

The attributes that represent the email addresses

399

of objects referenced via a DN (or LDAP URI) go in

418

are also present in the group object. To only

419

return the attribute values from the leaf objects

420

and not the containing group, add the attribute to

421

the leaf_result_attribute list, and not the

422

result_attribute list, which is always expanded.

423

Note, the default value of "result_attribute" is

424

not empty, you may want to set it explicitly empty

425

when using "leaf_result_attribute" to expand the

426

group to a list of member DN addresses. If groups

427

have both member DN references AND attributes that

428

hold multiple string valued rfc822 addresses, then

429

the string attributes go in "result_attribute".

430

The attributes that represent the email addresses

431

of objects referenced via a DN (or LDAP URI) go in

400

432

"leaf_result_attribute".

401

433

402

434

result_attribute = memberaddr

404

436

terminal_result_attribute = maildrop

405

437

leaf_result_attribute = mail

406

438

407

This feature is available with Postfix 2.4 or

439

When using terminal and/or leaf result attributes,

440

the result_attribute is best set to an empty value

441

when it is not used, or else explicitly set to the

442

desired value, even if it is the default value

443

"maildrop".

444

445

This feature is available with Postfix 2.4 or

408

446

later.

409

447

410

448

scope (default: sub)

411

The LDAP search scope: sub, base, or one. These

449

The LDAP search scope: sub, base, or one. These

412

450

translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,

413

451

and LDAP_SCOPE_ONELEVEL.

414

452

415

453

bind (default: yes)

416

Whether or not to bind to the LDAP server. Newer

454

Whether or how to bind to the LDAP server. Newer

417

455

LDAP implementations don't require clients to bind,

418

456

which saves time. Example:

419

457

458

# Don't bind

420

459

bind = no

421

422

If you do need to bind, you might consider config-

423

uring Postfix to connect to the local machine on a

424

port that's an SSL tunnel to your LDAP server. If

425

your LDAP server doesn't natively support SSL, put

460

# Use SIMPLE bind

461

bind = yes

462

# Use SASL bind

463

bind = sasl

464

465

Postfix versions prior to 2.8 only support "bind =

466

no" which means don't bind, and "bind = yes" which

467

means do a SIMPLE bind. Postfix 2.8 and later also

468

supports "bind = SASL" when compiled with LDAP SASL

469

support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds

470

the synonyms "bind = none" and "bind = simple" for

471

"bind = no" and "bind = yes" respectively. See the

472

SASL section below for additional parameters avail-

473

able with "bind = sasl".

474

475

If you do need to bind, you might consider config-

476

uring Postfix to connect to the local machine on a

477

port that's an SSL tunnel to your LDAP server. If

478

your LDAP server doesn't natively support SSL, put

426

479

a tunnel (wrapper, proxy, whatever you want to call

427

it) on that system too. This should prevent the

428

password from traversing the network in the clear.

480

it) on that system too. This should prevent the

481

password from traversing the network in the clear.

429

482

430

483

bind_dn (default: empty)

431

If you do have to bind, do it with this distin-

484

If you do have to bind, do it with this distin-

432

485

guished name. Example:

433

486

434

487

bind_dn = uid=postfix, dc=your, dc=com

488

With "bind = sasl" (see above) the DN may be

489

optional for some SASL mechanisms, don't specify a

490

DN if not needed.

435

491

436

492

bind_pw (default: empty)

437

The password for the distinguished name above. If

493

The password for the distinguished name above. If

438

494

you have to use this, you probably want to make the

439

495

map configuration file readable only by the Postfix

440

user. When using the obsolete <a href="ldap_table.5.html">ldap</a>:ldapsource syn-

496

user. When using the obsolete <a href="ldap_table.5.html">ldap</a>:ldapsource syn-

441

497

tax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is not pos-

442

sible to securely store the bind password. This is

498

sible to securely store the bind password. This is

443

499

because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow

444

500

local accounts to submit mail via the sendmail com-

445

501

mand. Example:

446

502

447

503

bind_pw = postfixpw

504

With "bind = sasl" (see above) the password may be

505

optional for some SASL mechanisms, don't specify a

506

password if not needed.

448

507

449

508

cache (IGNORED with a warning)

450

509

451

510

cache_expiry (IGNORED with a warning)

452

511

453

512

cache_size (IGNORED with a warning)

454

The above parameters are NO LONGER SUPPORTED by

513

The above parameters are NO LONGER SUPPORTED by

455

514

Postfix. Cache support has been dropped from

456

515

OpenLDAP as of release 2.1.13.

457

516

458

517

recursion_limit (default: 1000)

459

A limit on the nesting depth of DN and URL special

460

result attribute evaluation. The limit must be a

518

A limit on the nesting depth of DN and URL special

519

result attribute evaluation. The limit must be a

461

520

non-zero positive number.

462

521

463

522

expansion_limit (default: 0)

464

A limit on the total number of result elements

465

returned (as a comma separated list) by a lookup

466

against the map. A setting of zero disables the

467

limit. Lookups fail with a temporary error if the

468

limit is exceeded. Setting the limit to 1 ensures

523

A limit on the total number of result elements

524

returned (as a comma separated list) by a lookup

525

against the map. A setting of zero disables the

526

limit. Lookups fail with a temporary error if the

527

limit is exceeded. Setting the limit to 1 ensures

469

528

that lookups do not return multiple values.

470

529

471

530

size_limit (default: $expansion_limit)

472

A limit on the number of LDAP entries returned by

473

any single LDAP search performed as part of the

474

lookup. A setting of 0 disables the limit. Expan-

475

sion of DN and URL references involves nested LDAP

476

queries, each of which is separately subjected to

531

A limit on the number of LDAP entries returned by

532

any single LDAP search performed as part of the

533

lookup. A setting of 0 disables the limit. Expan-

534

sion of DN and URL references involves nested LDAP

535

queries, each of which is separately subjected to

477

536

this limit.

478

537

479

Note: even a single LDAP entry can generate multi-

480

ple lookup results, via multiple result attributes

481

and/or multi-valued result attributes. This limit

482

caps the per search resource utilization on the

483

LDAP server, not the final multiplicity of the

484

lookup result. It is analogous to the "-z" option

538

Note: even a single LDAP entry can generate multi-

539

ple lookup results, via multiple result attributes

540

and/or multi-valued result attributes. This limit

541

caps the per search resource utilization on the

542

LDAP server, not the final multiplicity of the

543

lookup result. It is analogous to the "-z" option

485

544

of "ldapsearch".

486

545

487

546

dereference (default: 0)

488

When to dereference LDAP aliases. (Note that this

547

When to dereference LDAP aliases. (Note that this

489

548

has nothing do with Postfix aliases.) The permitted

490

values are those legal for the OpenLDAP/UM LDAP

549

values are those legal for the OpenLDAP/UM LDAP

491

550

implementations:

492

551

493

552

0 never

499

558

3 always

500

559

501

560

See ldap.h or the ldap_open(3) or ldapsearch(1) man

502

pages for more information. And if you're using an

561

pages for more information. And if you're using an

503

562

LDAP package that has other possible values, please

504

bring it to the attention of the postfix-

563

bring it to the attention of the postfix-

505

564

users@postfix.org mailing list.

506

565

507

566

chase_referrals (default: 0)

508

Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP

567

Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP

509

568

version 3 support).

510

569

511

570

version (default: 2)

512

571

Specifies the LDAP protocol version to use.

513

572

514

573

debuglevel (default: 0)

515

What level to set for debugging in the OpenLDAP

574

What level to set for debugging in the OpenLDAP

516

575

libraries.

517

576

577

LDAP SASL PARAMETERS

578

If you're using the OpenLDAP libraries compiled with SASL

579

support, Postfix 2.8 and later built with LDAP SASL sup-

580

port as described in <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP

581

servers via SASL.

582

583

This enables authentication to the LDAP server via mecha-

584

nisms other than a simple password. The added flexibility

585

has a cost: it is no longer practical to set an explicit

586

timeout on the duration of an LDAP bind operation. Under

587

adverse conditions, whether a SASL bind times out, or if

588

it does, the duration of the timeout is determined by the

589

LDAP and SASL libraries.

590

591

It is best to use tables that use SASL binds via <a href="proxymap.8.html">prox-</a>

592

<a href="proxymap.8.html">ymap(8)</a>, this way the requesting process can time-out the

593

proxymap request. This also lets you tailer the process

594

environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> import_environ-

595

ment setting in <a href="master.5.html">master.cf</a>(5). Special environment settings

596

may be needed to configure GSSAPI credential caches or

597

other SASL mechanism specific options. The GSSAPI creden-

598

tials used for LDAP lookups may need to be different than

599

say those used for the Postfix SMTP client to authenticate

600

to remote servers.

601

602

Using SASL mechanisms requires LDAP protocol version 3,

603

the default protocol version is 2 for backwards compati-

604

bility. You must set "version = 3" in addition to "bind =

605

sasl".

606

607

The following parameters are relevant to using LDAP with

608

SASL

609

610

sasl_mechs (default: empty)

611

Space separated list of SASL mechanism(s) to try.

612

613

sasl_realm (default: empty)

614

SASL Realm to use, if applicable.

615

616

sasl_authz_id (default: empty)

617

The SASL authorization identity to assert, if

618

applicable.

619

620

sasl_minssf (default: 0)

621

The minimum required sasl security factor required

622

to establish a connection.

623

518

624

LDAP SSL AND STARTTLS PARAMETERS

519

If you're using the OpenLDAP libraries compiled with SSL

520

support, Postfix can connect to LDAP SSL servers and can

625

If you're using the OpenLDAP libraries compiled with SSL

626

support, Postfix can connect to LDAP SSL servers and can

521

627

issue the STARTTLS command.

522

628

523

LDAP SSL service can be requested by using a LDAP SSL URL

629

LDAP SSL service can be requested by using a LDAP SSL URL

524

630

in the server_host parameter:

525

631

526

632

server_host = ldaps://ldap.example.com:636

529

635

530

636

start_tls = yes

531

637

532

Both forms require LDAP protocol version 3, which has to

638

Both forms require LDAP protocol version 3, which has to

533

639

be set explicitly with:

534

640

535

641

version = 3

536

642

537

643

If any of the Postfix programs querying the map is config-

538

ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates

644

ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates

539

645

and keys involved have to be copied to the chroot jail. Of

540

course, the private keys should only be readable by the

646

course, the private keys should only be readable by the

541

647

user "postfix".

542

648

543

The following parameters are relevant to LDAP SSL and

649

The following parameters are relevant to LDAP SSL and

544

650

STARTTLS:

545

651

546

652

start_tls (default: no)

547

653

Whether or not to issue STARTTLS upon connection to

548

the server. Don't set this with LDAP SSL (the SSL

654

the server. Don't set this with LDAP SSL (the SSL

549

655

session is setup automatically when the TCP connec-

550

656

tion is opened).

551

657

552

tls_ca_cert_dir (No default; set either this or

658

tls_ca_cert_dir (No default; set either this or

553

659

tls_ca_cert_file)

554

660

Directory containing X509 Certificate Authority

555

certificates in PEM format which are to be recog-

556

nized by the client in SSL/TLS connections. The

557

files each contain one CA certificate. The files

558

are looked up by the CA subject name hash value,

559

which must hence be available. If more than one CA

560

certificate with the same name hash value exist,

561

the extension must be different (e.g. 9d66eef0.0,

562

9d66eef0.1 etc). The search is performed in the

563

ordering of the extension number, regardless of

661

certificates in PEM format which are to be recog-

662

nized by the client in SSL/TLS connections. The

663

files each contain one CA certificate. The files

664

are looked up by the CA subject name hash value,

665

which must hence be available. If more than one CA

666

certificate with the same name hash value exist,

667

the extension must be different (e.g. 9d66eef0.0,

668

9d66eef0.1 etc). The search is performed in the

669

ordering of the extension number, regardless of

564

670

other properties of the certificates. Use the

565

671

c_rehash utility (from the OpenSSL distribution) to

566

672

create the necessary links.

567

673

568

tls_ca_cert_file (No default; set either this or

674

tls_ca_cert_file (No default; set either this or

569

675

tls_ca_cert_dir)

570

676

File containing the X509 Certificate Authority cer-

571

tificates in PEM format which are to be recognized

572

by the client in SSL/TLS connections. This setting

677

tificates in PEM format which are to be recognized

678

by the client in SSL/TLS connections. This setting

573

679

takes precedence over tls_ca_cert_dir.

574

680

575

681

tls_cert (No default; you must set this)

576

File containing client's X509 certificate to be

682

File containing client's X509 certificate to be

577

683

used by the client in SSL/ TLS connections.

578

684

579

685

tls_key (No default; you must set this)

580

File containing the private key corresponding to

686

File containing the private key corresponding to

581

687

the above tls_cert.

582

688

583

689

tls_require_cert (default: no)

584

690

Whether or not to request server's X509 certificate

585

and check its validity when establishing SSL/TLS

586

connections. The supported values are no and yes.

691

and check its validity when establishing SSL/TLS

692

connections. The supported values are no and yes.

587

693

588

With no, the server certificate trust chain is not

589

checked, but with OpenLDAP prior to 2.1.13, the

694

With no, the server certificate trust chain is not

695

checked, but with OpenLDAP prior to 2.1.13, the

590

696

name in the server certificate must still match the

591

697

LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the

592

server name is not necessarily what you specified,

593

rather it is determined (by reverse lookup) from

594

the IP address of the LDAP server connection. With

595

OpenLDAP prior to 2.0.13, subjectAlternativeName

698

server name is not necessarily what you specified,

699

rather it is determined (by reverse lookup) from

700

the IP address of the LDAP server connection. With

701

OpenLDAP prior to 2.0.13, subjectAlternativeName

596

702

extensions in the LDAP server certificate are

597

ignored: the server name must match the subject

703

ignored: the server name must match the subject

598

704

CommonName. The no setting corresponds to the never

599

value of TLS_REQCERT in LDAP client configuration

705

value of TLS_REQCERT in LDAP client configuration

600

706

files.

601

707

602

Don't use TLS with OpenLDAP 2.0.x (and especially

708

Don't use TLS with OpenLDAP 2.0.x (and especially

603

709

with x <= 11) if you can avoid it.

604

710

605

With yes, the server certificate must be issued by

606

a trusted CA, and not be expired. The LDAP server

607

name must match one of the name(s) found in the

711

With yes, the server certificate must be issued by

712

a trusted CA, and not be expired. The LDAP server

713

name must match one of the name(s) found in the

608

714

certificate (see above for OpenLDAP library version

609

715

dependent behavior). The yes setting corresponds to

610

716

the demand value of TLS_REQCERT in LDAP client con-

612

718

613

719

The "try" and "never" values of TLS_REQCERT have no

614

720

equivalents here. They are not available with

615

OpenLDAP 2.0, and in any case have questionable

616

security properties. Either you want TLS verified

721

OpenLDAP 2.0, and in any case have questionable

722

security properties. Either you want TLS verified

617

723

LDAP connections, or you don't.

618

724

619

725

The yes value only works correctly with Postfix 2.5

620

and later, or with OpenLDAP 2.0. Earlier Postfix

621

releases or later OpenLDAP releases don't work

622

together with this setting. Support for LDAP over

623

TLS was added to Postfix based on the OpenLDAP 2.0

726

and later, or with OpenLDAP 2.0. Earlier Postfix

727

releases or later OpenLDAP releases don't work

728

together with this setting. Support for LDAP over

729

TLS was added to Postfix based on the OpenLDAP 2.0

624

730

API.

625

731

626

732

tls_random_file (No default)

627

Path of a file to obtain random bits from when

628

/dev/[u]random is not available, to be used by the

733

Path of a file to obtain random bits from when

734

/dev/[u]random is not available, to be used by the

629

735

client in SSL/TLS connections.

630

736

631

737

tls_cipher_suite (No default)

632

738

Cipher suite to use in SSL/TLS negotiations.

633

739

634

740

EXAMPLE

635

Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>

741

Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>

636

742

aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have:

637

743

638

744

<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,

643

749

server_host = ldap.example.com

644

750

search_base = dc=example, dc=com

645

751

646

Upon receiving mail for a local address "ldapuser" that

647

isn't found in the /etc/aliases database, Postfix will

752

Upon receiving mail for a local address "ldapuser" that

753

isn't found in the /etc/aliases database, Postfix will

648

754

search the LDAP server listening at port 389 on ldap.exam-

649

ple.com. It will bind anonymously, search for any direc-

650

tory entries whose mailacceptinggeneralid attribute is

755

ple.com. It will bind anonymously, search for any direc-

756

tory entries whose mailacceptinggeneralid attribute is

651

757

"ldapuser", read the "maildrop" attributes of those found,

652

758

and build a list of their maildrops, which will be treated

653

as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-

759

as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-

654

760

ered.

655

761

656

762

SEE ALSO

664

770

<a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide

665

771

666

772

LICENSE

667

The Secure Mailer license must be distributed with this

773

The Secure Mailer license must be distributed with this

668

774

software.

669

775

670

776

AUTHOR(S)

671

Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith

672

Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike

673

Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,

777

Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith

778

Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike

779

Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,

674

780

Victor Duchovni, and many others.

675

781

676

782

LDAP_TABLE(5)

Older »