summaryrefslogtreecommitdiffstats
path: root/proto/ldap_table
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:46:30 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:46:30 +0000
commitb5896ba9f6047e7031e2bdee0622d543e11a6734 (patch)
treefd7b460593a2fee1be579bec5697e6d887ea3421 /proto/ldap_table
parentInitial commit. (diff)
downloadpostfix-b5896ba9f6047e7031e2bdee0622d543e11a6734.tar.xz
postfix-b5896ba9f6047e7031e2bdee0622d543e11a6734.zip
Adding upstream version 3.4.23.upstream/3.4.23upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--proto/ldap_table723
1 files changed, 723 insertions, 0 deletions
diff --git a/proto/ldap_table b/proto/ldap_table
new file mode 100644
index 0000000..b770e4a
--- /dev/null
+++ b/proto/ldap_table
@@ -0,0 +1,723 @@
+#++
+# NAME
+# ldap_table 5
+# SUMMARY
+# Postfix LDAP client configuration
+# SYNOPSIS
+# \fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/\fIfilename\fR
+#
+# \fBpostmap -q - ldap:/etc/postfix/\fIfilename\fB <\fIinputfile\fR
+# DESCRIPTION
+# The Postfix mail system uses optional tables for address
+# rewriting or mail routing. These tables are usually in
+# \fBdbm\fR or \fBdb\fR format.
+#
+# Alternatively, lookup tables can be specified as LDAP databases.
+#
+# In order to use LDAP lookups, define an LDAP source as a lookup
+# table in main.cf, for example:
+#
+# .nf
+# alias_maps = ldap:/etc/postfix/ldap-aliases.cf
+# .fi
+#
+# The file /etc/postfix/ldap-aliases.cf has the same format as
+# the Postfix main.cf file, and can specify the parameters
+# described below. An example is given at the end of this manual.
+#
+# This configuration method is available with Postfix version
+# 2.1 and later. See the section "OBSOLETE MAIN.CF PARAMETERS"
+# below for older Postfix versions.
+#
+# For details about LDAP SSL and STARTTLS, see the section
+# on SSL and STARTTLS below.
+# LIST MEMBERSHIP
+# .ad
+# .fi
+# When using LDAP to store lists such as $mynetworks,
+# $mydestination, $relay_domains, $local_recipient_maps,
+# etc., it is important to understand that the table must
+# store each list member as a separate key. The table lookup
+# verifies the *existence* of the key. See "Postfix lists
+# versus tables" in the DATABASE_README document for a
+# discussion.
+#
+# Do NOT create tables that return the full list of domains
+# in $mydestination or $relay_domains etc., or IP addresses
+# in $mynetworks.
+#
+# DO create tables with each matching item as a key and with
+# an arbitrary value. With LDAP databases it is not uncommon to
+# return the key itself.
+#
+# For example, NEVER do this in a map defining $mydestination:
+#
+# .nf
+# query_filter = domain=*
+# result_attribute = domain
+# .fi
+#
+# Do this instead:
+#
+# .nf
+# query_filter = domain=%s
+# result_attribute = domain
+# .fi
+# GENERAL LDAP PARAMETERS
+# .ad
+# .fi
+# In the text below, default values are given in parentheses.
+# Note: don't use quotes in these variables; at least, not until the
+# Postfix configuration routines understand how to deal with quoted
+# strings.
+# .IP "\fBserver_host (default: localhost)\fR"
+# The name of the host running the LDAP server, e.g.
+#
+# .nf
+# server_host = ldap.example.com
+# .fi
+#
+# Depending on the LDAP client library you're using, it should
+# be possible to specify multiple servers here, with the library
+# trying them in order should the first one fail. It should also
+# be possible to give each server in the list a different port
+# (overriding \fBserver_port\fR below), by naming them like
+#
+# .nf
+# server_host = ldap.example.com:1444
+# .fi
+#
+# With OpenLDAP, a (list of) LDAP URLs can be used to specify both
+# the hostname(s) and the port(s):
+#
+# .nf
+# server_host = ldap://ldap.example.com:1444
+# ldap://ldap2.example.com:1444
+# .fi
+#
+# All LDAP URLs accepted by the OpenLDAP library are supported,
+# including connections over UNIX domain sockets, and LDAP SSL
+# (the last one provided that OpenLDAP was compiled with support
+# for SSL):
+#
+# .nf
+# server_host = ldapi://%2Fsome%2Fpath
+# ldaps://ldap.example.com:636
+# .fi
+# .IP "\fBserver_port (default: 389)\fR"
+# The port the LDAP server listens on, e.g.
+#
+# .nf
+# server_port = 778
+# .fi
+# .IP "\fBtimeout (default: 10 seconds)\fR"
+# The number of seconds a search can take before timing out, e.g.
+#
+# .fi
+# timeout = 5
+# .fi
+# .IP "\fBsearch_base (No default; you must configure this)\fR"
+# The RFC2253 base DN at which to conduct the search, e.g.
+#
+# .nf
+# search_base = dc=your, dc=com
+# .fi
+# .IP
+# With Postfix 2.2 and later this parameter supports the
+# following '%' expansions:
+# .RS
+# .IP "\fB%%\fR"
+# This is replaced by a literal '%' character.
+# .IP "\fB%s\fR"
+# This is replaced by the input key.
+# RFC 2253 quoting is used to make sure that the input key
+# does not add unexpected metacharacters.
+# .IP "\fB%u\fR"
+# When the input key is an address of the form user@domain, \fB%u\fR
+# is replaced by the (RFC 2253) quoted local part of the address.
+# Otherwise, \fB%u\fR is replaced by the entire search string.
+# If the localpart is empty, the search is suppressed and returns
+# no results.
+# .IP "\fB%d\fR"
+# When the input key is an address of the form user@domain, \fB%d\fR
+# is replaced by the (RFC 2253) quoted domain part of the address.
+# Otherwise, the search is suppressed and returns no results.
+# .IP "\fB%[SUD]\fR"
+# For the \fBsearch_base\fR parameter, the upper-case equivalents
+# of the above expansions behave identically to their lower-case
+# counter-parts. With the \fBresult_format\fR parameter (previously
+# called \fBresult_filter\fR see the COMPATIBILITY section and below),
+# they expand to the corresponding components of input key rather
+# than the result value.
+# .IP "\fB%[1-9]\fR"
+# The patterns %1, %2, ... %9 are replaced by the corresponding
+# most significant component of the input key's domain. If the
+# input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
+# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
+# unqualified or does not have enough domain components to satisfy
+# all the specified patterns, the search is suppressed and returns
+# no results.
+# .RE
+# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR"
+# The RFC2254 filter used to search the directory, where \fB%s\fR
+# is a substitute for the address Postfix is trying to resolve,
+# e.g.
+#
+# .nf
+# query_filter = (&(mail=%s)(paid_up=true))
+# .fi
+#
+# This parameter supports the following '%' expansions:
+# .RS
+# .IP "\fB%%\fR"
+# This is replaced by a literal '%' character. (Postfix 2.2 and later).
+# .IP "\fB%s\fR"
+# This is replaced by the input key.
+# RFC 2254 quoting is used to make sure that the input key
+# does not add unexpected metacharacters.
+# .IP "\fB%u\fR"
+# When the input key is an address of the form user@domain, \fB%u\fR
+# is replaced by the (RFC 2254) quoted local part of the address.
+# Otherwise, \fB%u\fR is replaced by the entire search string.
+# If the localpart is empty, the search is suppressed and returns
+# no results.
+# .IP "\fB%d\fR"
+# When the input key is an address of the form user@domain, \fB%d\fR
+# is replaced by the (RFC 2254) quoted domain part of the address.
+# Otherwise, the search is suppressed and returns no results.
+# .IP "\fB%[SUD]\fR"
+# The upper-case equivalents of the above expansions behave in the
+# \fBquery_filter\fR parameter identically to their lower-case
+# counter-parts. With the \fBresult_format\fR parameter (previously
+# called \fBresult_filter\fR see the COMPATIBILITY section and below),
+# they expand to the corresponding components of input key rather
+# than the result value.
+# .IP
+# The above %S, %U and %D expansions are available with Postfix 2.2
+# and later.
+# .IP "\fB%[1-9]\fR"
+# The patterns %1, %2, ... %9 are replaced by the corresponding
+# most significant component of the input key's domain. If the
+# input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
+# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
+# unqualified or does not have enough domain components to satisfy
+# all the specified patterns, the search is suppressed and returns
+# no results.
+# .IP
+# The above %1, ..., %9 expansions are available with Postfix 2.2
+# and later.
+# .RE
+# .IP
+# The "domain" parameter described below limits the input
+# keys to addresses in matching domains. When the "domain"
+# parameter is non-empty, LDAP queries for unqualified
+# addresses or addresses in non-matching domains are suppressed
+# and return no results.
+#
+# NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter.
+# .IP "\fBresult_format (default: \fB%s\fR)\fR"
+# Called \fBresult_filter\fR in Postfix releases prior to 2.2.
+# Format template applied to result attributes. Most commonly used
+# to append (or prepend) text to the result. This parameter supports
+# the following '%' expansions:
+# .RS
+# .IP "\fB%%\fR"
+# This is replaced by a literal '%' character. (Postfix 2.2 and later).
+# .IP "\fB%s\fR"
+# This is replaced by the value of the result attribute. When
+# result is empty it is skipped.
+# .IP "\fB%u\fR
+# When the result attribute value is an address of the form
+# user@domain, \fB%u\fR is replaced by the local part of the
+# address. When the result has an empty localpart it is skipped.
+# .IP "\fB%d\fR"
+# When a result attribute value is an address of the form
+# user@domain, \fB%d\fR is replaced by the domain part of
+# the attribute value. When the result is unqualified it
+# is skipped.
+# .IP "\fB%[SUD1-9]\fR"
+# The upper-case and decimal digit expansions interpolate
+# the parts of the input key rather than the result. Their
+# behavior is identical to that described with \fBquery_filter\fR,
+# and in fact because the input key is known in advance, lookups
+# whose key does not contain all the information specified in
+# the result template are suppressed and return no results.
+# .IP
+# The above %S, %U, %D and %1, ..., %9 expansions are available with
+# Postfix 2.2 and later.
+# .RE
+# .IP
+# For example, using "result_format = smtp:[%s]" allows one
+# to use a mailHost attribute as the basis of a transport(5)
+# table. After applying the result format, multiple values
+# are concatenated as comma separated strings. The expansion_limit
+# and size_limit parameters explained below allow one to
+# restrict the number of values in the result, which is
+# especially useful for maps that should return a single
+# value.
+#
+# The default value \fB%s\fR specifies that each
+# attribute value should be used as is.
+#
+# This parameter was called \fBresult_filter\fR in Postfix
+# releases prior to 2.2. If no "result_format" is specified,
+# the value of "result_filter" will be used instead before
+# resorting to the default value. This provides compatibility
+# with old configuration files.
+#
+# NOTE: DO NOT put quotes around the result format!
+# .IP "\fBdomain (default: no domain list)\fR"
+# This is a list of domain names, paths to files, or
+# dictionaries. When specified, only fully qualified search
+# keys with a *non-empty* localpart and a matching domain
+# are eligible for lookup: 'user' lookups, bare domain lookups
+# and "@domain" lookups are not performed. This can significantly
+# reduce the query load on the LDAP server.
+#
+# .nf
+# domain = postfix.org, hash:/etc/postfix/searchdomains
+# .fi
+#
+# It is best not to use LDAP to store the domains eligible
+# for LDAP lookups.
+#
+# NOTE: DO NOT define this parameter for local(8) aliases.
+#
+# This feature is available in Postfix 1.0 and later.
+# .IP "\fBresult_attribute (default: maildrop)\fR"
+# The attribute(s) Postfix will read from any directory
+# entries returned by the lookup, to be resolved to an email
+# address.
+#
+# .nf
+# result_attribute = mailbox, maildrop
+# .fi
+#
+# Don't rely on the default value ("maildrop"). Set the
+# result_attribute explicitly in all ldap table configuration
+# files. This is particularly relevant when no result_attribute
+# is applicable, e.g. cases in which leaf_result_attribute and/or
+# terminal_result_attribute are used instead. The default value
+# is harmless if "maildrop" is also listed as a leaf or terminal
+# result attribute, but it is best to not leave this to chance.
+# .IP "\fBspecial_result_attribute (default: empty)\fR"
+# The attribute(s) of directory entries that can contain DNs
+# or RFC 2255 LDAP URLs. If found, a recursive search
+# is performed to retrieve the entry referenced by the DN, or
+# the entries matched by the URL query.
+#
+# .nf
+# special_result_attribute = memberdn
+# .fi
+#
+# DN recursion retrieves the same result_attributes as the
+# main query, including the special attributes for further
+# recursion.
+#
+# URL processing retrieves only those attributes that are included
+# in both the URL definition and as result attributes (ordinary,
+# special, leaf or terminal) in the Postfix table definition.
+# If the URL lists any of the table's special result attributes,
+# these are retrieved and used recursively. A URL that does not
+# specify any attribute selection, is equivalent (RFC 2255) to a
+# URL that selects all attributes, in which case the selected
+# attributes will be the full set of result attributes in the
+# Postfix table.
+#
+# If an LDAP URL attribute-descriptor or the corresponding Postfix
+# LDAP table result attribute (but not both) uses RFC 2255 sub-type
+# options ("attr;option"), the attribute requested from the LDAP server
+# will include the sub-type option. In all other cases, the URL
+# attribute and the table attribute must match exactly. Attributes
+# with options in both the URL and the Postfix table are requested
+# only when the options are identical. LDAP attribute-descriptor
+# options are very rarely used, most LDAP users will not
+# need to concern themselves with this level of nuanced detail.
+# .IP "\fBterminal_result_attribute (default: empty)\fR"
+# When one or more terminal result attributes are found in an LDAP
+# entry, all other result attributes are ignored and only the terminal
+# result attributes are returned. This is useful for delegating expansion
+# of group members to a particular host, by using an optional "maildrop"
+# attribute on selected groups to route the group to a specific host,
+# where the group is expanded, possibly via mailing-list manager or
+# other special processing.
+#
+# .nf
+# result_attribute =
+# terminal_result_attribute = maildrop
+# .fi
+#
+# When using terminal and/or leaf result attributes, the
+# result_attribute is best set to an empty value when it is not
+# used, or else explicitly set to the desired value, even if it is
+# the default value "maildrop".
+#
+# This feature is available with Postfix 2.4 or later.
+# .IP "\fBleaf_result_attribute (default: empty)\fR"
+# When one or more special result attributes are found in a non-terminal
+# (see above) LDAP entry, leaf result attributes are excluded from the
+# expansion of that entry. This is useful when expanding groups and the
+# desired mail address attribute(s) of the member objects obtained via
+# DN or URI recursion are also present in the group object. To only
+# return the attribute values from the leaf objects and not the
+# containing group, add the attribute to the leaf_result_attribute list,
+# and not the result_attribute list, which is always expanded. Note,
+# the default value of "result_attribute" is not empty, you may want to
+# set it explicitly empty when using "leaf_result_attribute" to expand
+# the group to a list of member DN addresses. If groups have both
+# member DN references AND attributes that hold multiple string valued
+# rfc822 addresses, then the string attributes go in "result_attribute".
+# The attributes that represent the email addresses of objects
+# referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
+#
+# .nf
+# result_attribute = memberaddr
+# special_result_attribute = memberdn
+# terminal_result_attribute = maildrop
+# leaf_result_attribute = mail
+# .fi
+#
+# When using terminal and/or leaf result attributes, the
+# result_attribute is best set to an empty value when it is not
+# used, or else explicitly set to the desired value, even if it is
+# the default value "maildrop".
+#
+# This feature is available with Postfix 2.4 or later.
+# .IP "\fBscope (default: sub)\fR"
+# The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
+# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
+# and LDAP_SCOPE_ONELEVEL.
+# .IP "\fBbind (default: yes)\fR"
+# Whether or how to bind to the LDAP server. Newer LDAP
+# implementations don't require clients to bind, which saves
+# time. Example:
+#
+# .nf
+# # Don't bind
+# bind = no
+# # Use SIMPLE bind
+# bind = yes
+# # Use SASL bind
+# bind = sasl
+# .fi
+#
+# Postfix versions prior to 2.8 only support "bind = no" which
+# means don't bind, and "bind = yes" which means do a SIMPLE bind.
+# Postfix 2.8 and later also supports "bind = SASL" when compiled
+# with LDAP SASL support as described in LDAP_README, it also adds
+# the synonyms "bind = none" and "bind = simple" for "bind = no"
+# and "bind = yes" respectively. See the SASL section below for
+# additional parameters available with "bind = sasl".
+#
+# If you do need to bind, you might consider configuring
+# Postfix to connect to the local machine on a port that's
+# an SSL tunnel to your LDAP server. If your LDAP server
+# doesn't natively support SSL, put a tunnel (wrapper, proxy,
+# whatever you want to call it) on that system too. This
+# should prevent the password from traversing the network in
+# the clear.
+# .IP "\fBbind_dn (default: empty)\fR"
+# If you do have to bind, do it with this distinguished name. Example:
+#
+# .nf
+# bind_dn = uid=postfix, dc=your, dc=com
+# .fi
+# With "bind = sasl" (see above) the DN may be optional for some SASL
+# mechanisms, don't specify a DN if not needed.
+# .IP "\fBbind_pw (default: empty)\fR"
+# The password for the distinguished name above. If you have
+# to use this, you probably want to make the map configuration
+# file readable only by the Postfix user. When using the
+# obsolete ldap:ldapsource syntax, with map parameters in
+# main.cf, it is not possible to securely store the bind
+# password. This is because main.cf needs to be world readable
+# to allow local accounts to submit mail via the sendmail
+# command. Example:
+#
+# .nf
+# bind_pw = postfixpw
+# .fi
+# With "bind = sasl" (see above) the password may be optional
+# for some SASL mechanisms, don't specify a password if not needed.
+# .IP "\fBcache (IGNORED with a warning)\fR"
+# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
+# .IP "\fBcache_size (IGNORED with a warning)\fR"
+# The above parameters are NO LONGER SUPPORTED by Postfix.
+# Cache support has been dropped from OpenLDAP as of release
+# 2.1.13.
+# .IP "\fBrecursion_limit (default: 1000)\fR"
+# A limit on the nesting depth of DN and URL special result
+# attribute evaluation. The limit must be a non-zero positive
+# number.
+# .IP "\fBexpansion_limit (default: 0)\fR"
+# A limit on the total number of result elements returned
+# (as a comma separated list) by a lookup against the map.
+# A setting of zero disables the limit. Lookups fail with a
+# temporary error if the limit is exceeded. Setting the
+# limit to 1 ensures that lookups do not return multiple
+# values.
+# .IP "\fBsize_limit (default: $expansion_limit)\fR"
+# A limit on the number of LDAP entries returned by any single
+# LDAP search performed as part of the lookup. A setting of
+# 0 disables the limit. Expansion of DN and URL references
+# involves nested LDAP queries, each of which is separately
+# subjected to this limit.
+#
+# Note: even a single LDAP entry can generate multiple lookup
+# results, via multiple result attributes and/or multi-valued
+# result attributes. This limit caps the per search resource
+# utilization on the LDAP server, not the final multiplicity
+# of the lookup result. It is analogous to the "-z" option
+# of "ldapsearch".
+# .IP "\fBdereference (default: 0)\fR"
+# When to dereference LDAP aliases. (Note that this has
+# nothing do with Postfix aliases.) The permitted values are
+# those legal for the OpenLDAP/UM LDAP implementations:
+# .RS
+# .IP 0
+# never
+# .IP 1
+# when searching
+# .IP 2
+# when locating the base object for the search
+# .IP 3
+# always
+# .RE
+# .IP
+# See ldap.h or the ldap_open(3) or ldapsearch(1) man pages
+# for more information. And if you're using an LDAP package
+# that has other possible values, please bring it to the
+# attention of the postfix-users@postfix.org mailing list.
+# .IP "\fBchase_referrals (default: 0)\fR"
+# Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
+# 3 support).
+# .IP "\fBversion (default: 2)\fR"
+# Specifies the LDAP protocol version to use.
+# .IP "\fBdebuglevel (default: 0)\fR"
+# What level to set for debugging in the OpenLDAP libraries.
+# LDAP SASL PARAMETERS
+# .ad
+# .fi
+# If you're using the OpenLDAP libraries compiled with SASL
+# support, Postfix 2.8 and later built with LDAP SASL support
+# as described in LDAP_README can authenticate to LDAP servers
+# via SASL.
+#
+# This enables authentication to the LDAP server via mechanisms
+# other than a simple password. The added flexibility has a cost:
+# it is no longer practical to set an explicit timeout on the duration
+# of an LDAP bind operation. Under adverse conditions, whether a SASL
+# bind times out, or if it does, the duration of the timeout is
+# determined by the LDAP and SASL libraries.
+#
+# It is best to use tables that use SASL binds via proxymap(8), this
+# way the requesting process can time-out the proxymap request. This
+# also lets you tailer the process environment by overriding the
+# proxymap(8) import_environment setting in master.cf(5). Special
+# environment settings may be needed to configure GSSAPI credential
+# caches or other SASL mechanism specific options. The GSSAPI
+# credentials used for LDAP lookups may need to be different than
+# say those used for the Postfix SMTP client to authenticate to remote
+# servers.
+#
+# Using SASL mechanisms requires LDAP protocol version 3, the default
+# protocol version is 2 for backwards compatibility. You must set
+# "version = 3" in addition to "bind = sasl".
+#
+# The following parameters are relevant to using LDAP with SASL
+# .IP "\fBsasl_mechs (default: empty)\fR"
+# Space separated list of SASL mechanism(s) to try.
+# .IP "\fBsasl_realm (default: empty)\fR"
+# SASL Realm to use, if applicable.
+# .IP "\fBsasl_authz_id (default: empty)\fR"
+# The SASL authorization identity to assert, if applicable.
+# .IP "\fBsasl_minssf (default: 0)\fR"
+# The minimum required sasl security factor required to establish a
+# connection.
+# LDAP SSL AND STARTTLS PARAMETERS
+# .ad
+# .fi
+# If you're using the OpenLDAP libraries compiled with SSL
+# support, Postfix can connect to LDAP SSL servers and can
+# issue the STARTTLS command.
+#
+# LDAP SSL service can be requested by using a LDAP SSL URL
+# in the server_host parameter:
+#
+# .nf
+# server_host = ldaps://ldap.example.com:636
+# .fi
+#
+# STARTTLS can be turned on with the start_tls parameter:
+#
+# .nf
+# start_tls = yes
+# .fi
+#
+# Both forms require LDAP protocol version 3, which has to be set
+# explicitly with:
+#
+# .nf
+# version = 3
+# .fi
+#
+# If any of the Postfix programs querying the map is configured in
+# master.cf to run chrooted, all the certificates and keys involved
+# have to be copied to the chroot jail. Of course, the private keys
+# should only be readable by the user "postfix".
+#
+# The following parameters are relevant to LDAP SSL and STARTTLS:
+# .IP "\fBstart_tls (default: no)\fR"
+# Whether or not to issue STARTTLS upon connection to the
+# server. Don't set this with LDAP SSL (the SSL session is setup
+# automatically when the TCP connection is opened).
+# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR"
+# Directory containing X509 Certification Authority certificates
+# in PEM format which are to be recognized by the client in
+# SSL/TLS connections. The files each contain one CA certificate.
+# The files are looked up by the CA subject name hash value,
+# which must hence be available. If more than one CA certificate
+# with the same name hash value exist, the extension must be
+# different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is
+# performed in the ordering of the extension number, regardless
+# of other properties of the certificates. Use the c_rehash
+# utility (from the OpenSSL distribution) to create the
+# necessary links.
+# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR"
+# File containing the X509 Certification Authority certificates
+# in PEM format which are to be recognized by the client in
+# SSL/TLS connections. This setting takes precedence over
+# tls_ca_cert_dir.
+# .IP "\fBtls_cert (No default; you must set this)\fR"
+# File containing client's X509 certificate to be used by
+# the client in SSL/ TLS connections.
+# .IP "\fBtls_key (No default; you must set this)\fR"
+# File containing the private key corresponding to the above
+# tls_cert.
+# .IP "\fBtls_require_cert (default: no)\fR"
+# Whether or not to request server's X509 certificate and
+# check its validity when establishing SSL/TLS connections.
+# The supported values are \fBno\fR and \fByes\fR.
+# .sp
+# With \fBno\fR, the server certificate trust chain is not checked,
+# but with OpenLDAP prior to 2.1.13, the name in the server
+# certificate must still match the LDAP server name. With OpenLDAP
+# 2.0.0 to 2.0.11 the server name is not necessarily what you
+# specified, rather it is determined (by reverse lookup) from the
+# IP address of the LDAP server connection. With OpenLDAP prior to
+# 2.0.13, subjectAlternativeName extensions in the LDAP server
+# certificate are ignored: the server name must match the subject
+# CommonName. The \fBno\fR setting corresponds to the \fBnever\fR
+# value of \fBTLS_REQCERT\fR in LDAP client configuration files.
+# .sp
+# Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
+# if you can avoid it.
+# .sp
+# With \fByes\fR, the server certificate must be issued by a trusted
+# CA, and not be expired. The LDAP server name must match one of the
+# name(s) found in the certificate (see above for OpenLDAP library
+# version dependent behavior). The \fByes\fR setting corresponds to the
+# \fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration
+# files.
+# .sp
+# The "try" and "allow" values of \fBTLS_REQCERT\fR have no equivalents
+# here. They are not available with OpenLDAP 2.0, and in any case have
+# questionable security properties. Either you want TLS verified LDAP
+# connections, or you don't.
+# .sp
+# The \fByes\fR value only works correctly with Postfix 2.5 and later,
+# or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
+# releases don't work together with this setting. Support for LDAP
+# over TLS was added to Postfix based on the OpenLDAP 2.0 API.
+# .IP "\fBtls_random_file (No default)\fR"
+# Path of a file to obtain random bits from when /dev/[u]random
+# is not available, to be used by the client in SSL/TLS
+# connections.
+# .IP "\fBtls_cipher_suite (No default)\fR"
+# Cipher suite to use in SSL/TLS negotiations.
+# EXAMPLE
+# .ad
+# .fi
+# Here's a basic example for using LDAP to look up local(8)
+# aliases.
+# Assume that in main.cf, you have:
+#
+# .nf
+# alias_maps = hash:/etc/aliases,
+# ldap:/etc/postfix/ldap-aliases.cf
+# .fi
+#
+# and in ldap:/etc/postfix/ldap-aliases.cf you have:
+#
+# .nf
+# server_host = ldap.example.com
+# search_base = dc=example, dc=com
+# .fi
+#
+# Upon receiving mail for a local address "ldapuser" that
+# isn't found in the /etc/aliases database, Postfix will
+# search the LDAP server listening at port 389 on ldap.example.com.
+# It will bind anonymously, search for any directory entries
+# whose mailacceptinggeneralid attribute is "ldapuser", read
+# the "maildrop" attributes of those found, and build a list
+# of their maildrops, which will be treated as RFC822 addresses
+# to which the message will be delivered.
+# OBSOLETE MAIN.CF PARAMETERS
+# .ad
+# .fi
+# For backwards compatibility with Postfix version 2.0 and earlier,
+# LDAP parameters can also be defined in main.cf. Specify
+# as LDAP source a name that doesn't begin with a slash or
+# a dot. The LDAP parameters will then be accessible as the
+# name you've given the source in its definition, an underscore,
+# and the name of the parameter. For example, if the map is
+# specified as "ldap:\fIldapsource\fR", the "server_host"
+# parameter below would be defined in main.cf as
+# "\fIldapsource\fR_server_host".
+#
+# Note: with this form, the passwords for the LDAP sources are
+# written in main.cf, which is normally world-readable. Support
+# for this form will be removed in a future Postfix version.
+# OTHER OBSOLETE FEATURES
+# .ad
+# .fi
+# For backwards compatibility with the pre
+# 2.2 LDAP clients, \fBresult_filter\fR can for now be used instead
+# of \fBresult_format\fR, when the latter parameter is not also set.
+# The new name better reflects the function of the parameter. This
+# compatibility interface may be removed in a future release.
+# SEE ALSO
+# postmap(1), Postfix lookup table manager
+# postconf(5), configuration parameters
+# mysql_table(5), MySQL lookup tables
+# pgsql_table(5), PostgreSQL lookup tables
+# README FILES
+# .ad
+# .fi
+# Use "\fBpostconf readme_directory\fR" or
+# "\fBpostconf html_directory\fR" to locate this information.
+# .na
+# .nf
+# DATABASE_README, Postfix lookup table overview
+# LDAP_README, Postfix LDAP client guide
+# LICENSE
+# .ad
+# .fi
+# The Secure Mailer license must be distributed with this software.
+# AUTHOR(S)
+# .ad
+# .fi
+# Carsten Hoeger,
+# Hery Rakotoarisoa,
+# John Hensley,
+# Keith Stevenson,
+# LaMont Jones,
+# Liviu Daia,
+# Manuel Guesdon,
+# Mike Mattice,
+# Prabhat K Singh,
+# Sami Haahtinen,
+# Samuel Tardieu,
+# Victor Duchovni,
+# and many others.
+#--