From 5e61585d76ae77fd5e9e96ebabb57afa4d74880d Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 14:06:34 +0200 Subject: Adding upstream version 3.5.24. Signed-off-by: Daniel Baumann --- html/ldap_table.5.html | 674 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 674 insertions(+) create mode 100644 html/ldap_table.5.html (limited to 'html/ldap_table.5.html') diff --git a/html/ldap_table.5.html b/html/ldap_table.5.html new file mode 100644 index 0000000..8d4ee06 --- /dev/null +++ b/html/ldap_table.5.html @@ -0,0 +1,674 @@ + + + + Postfix manual - ldap_table(5) +
+LDAP_TABLE(5)                                                    LDAP_TABLE(5)
+
+NAME
+       ldap_table - Postfix LDAP client configuration
+
+SYNOPSIS
+       postmap -q "string" ldap:/etc/postfix/filename
+
+       postmap -q - ldap:/etc/postfix/filename <inputfile
+
+DESCRIPTION
+       The  Postfix  mail system uses optional tables for address rewriting or
+       mail routing. These tables are usually in dbm or db format.
+
+       Alternatively, lookup tables can be specified as LDAP databases.
+
+       In order to use LDAP lookups, define an LDAP source as a  lookup  table
+       in main.cf, for example:
+
+           alias_maps = ldap:/etc/postfix/ldap-aliases.cf
+
+       The  file /etc/postfix/ldap-aliases.cf has the same format as the Post-
+       fix main.cf file, and can specify the parameters  described  below.  An
+       example is given at the end of this manual.
+
+       This  configuration  method  is  available with Postfix version 2.1 and
+       later.  See the section "OBSOLETE MAIN.CF PARAMETERS" below  for  older
+       Postfix versions.
+
+       For  details  about  LDAP  SSL and STARTTLS, see the section on SSL and
+       STARTTLS below.
+
+LIST MEMBERSHIP
+       When using LDAP to store lists  such  as  $mynetworks,  $mydestination,
+       $relay_domains,  $local_recipient_maps, etc., it is important to under-
+       stand that the table must store each list member as a separate key. The
+       table  lookup  verifies  the *existence* of the key. See "Postfix lists
+       versus tables" in the DATABASE_README document for a discussion.
+
+       Do NOT create tables that return the full list of domains in  $mydesti-
+       nation or $relay_domains etc., or IP addresses in $mynetworks.
+
+       DO create tables with each matching item as a key and with an arbitrary
+       value. With LDAP databases it is not uncommon to return the key itself.
+
+       For example, NEVER do this in a map defining $mydestination:
+
+           query_filter = domain=*
+           result_attribute = domain
+
+       Do this instead:
+
+           query_filter = domain=%s
+           result_attribute = domain
+
+GENERAL LDAP PARAMETERS
+       In  the  text  below,  default  values are given in parentheses.  Note:
+       don't use quotes in these variables; at least, not  until  the  Postfix
+       configuration routines understand how to deal with quoted strings.
+
+       server_host (default: localhost)
+              The name of the host running the LDAP server, e.g.
+
+                  server_host = ldap.example.com
+
+              Depending  on the LDAP client library you're using, it should be
+              possible to specify multiple servers here, with the library try-
+              ing  them  in order should the first one fail. It should also be
+              possible to give each server in the list a different port (over-
+              riding server_port below), by naming them like
+
+                  server_host = ldap.example.com:1444
+
+              With OpenLDAP, a (list of) LDAP URLs can be used to specify both
+              the hostname(s) and the port(s):
+
+                  server_host = ldap://ldap.example.com:1444
+                              ldap://ldap2.example.com:1444
+
+              All LDAP URLs accepted by the OpenLDAP  library  are  supported,
+              including  connections  over  UNIX  domain sockets, and LDAP SSL
+              (the last one provided that OpenLDAP was compiled  with  support
+              for SSL):
+
+                  server_host = ldapi://%2Fsome%2Fpath
+                              ldaps://ldap.example.com:636
+
+       server_port (default: 389)
+              The port the LDAP server listens on, e.g.
+
+                  server_port = 778
+
+       timeout (default: 10 seconds)
+              The  number of seconds a search can take before timing out, e.g.
+
+                  timeout = 5
+
+       search_base (No default; you must configure this)
+              The RFC2253 base DN at which to conduct the search, e.g.
+
+                  search_base = dc=your, dc=com
+
+              With Postfix 2.2 and later this parameter supports the following
+              '%' expansions:
+
+              %%     This is replaced by a literal '%' character.
+
+              %s     This  is  replaced by the input key.  RFC 2253 quoting is
+                     used to make sure that the input key does not  add  unex-
+                     pected metacharacters.
+
+              %u     When the input key is an address of the form user@domain,
+                     %u is replaced by the (RFC 2253) quoted local part of the
+                     address.   Otherwise, %u is replaced by the entire search
+                     string.  If the localpart is empty, the  search  is  sup-
+                     pressed and returns no results.
+
+              %d     When the input key is an address of the form user@domain,
+                     %d is replaced by the (RFC 2253) quoted  domain  part  of
+                     the  address.   Otherwise,  the  search is suppressed and
+                     returns no results.
+
+              %[SUD] For the search_base parameter, the upper-case equivalents
+                     of  the  above  expansions  behave  identically  to their
+                     lower-case counter-parts. With the result_format  parame-
+                     ter  (previously called result_filter see the COMPATIBIL-
+                     ITY section and below), they expand to the  corresponding
+                     components of input key rather than the result value.
+
+              %[1-9] The  patterns  %1,  %2, ... %9 are replaced by the corre-
+                     sponding most significant component of  the  input  key's
+                     domain.  If  the input key is user@mail.example.com, then
+                     %1 is com, %2 is example and %3 is mail. If the input key
+                     is  unqualified or does not have enough domain components
+                     to satisfy all the specified patterns, the search is sup-
+                     pressed and returns no results.
+
+       query_filter (default: mailacceptinggeneralid=%s)
+              The  RFC2254  filter used to search the directory, where %s is a
+              substitute for the address Postfix is trying to resolve, e.g.
+
+                  query_filter = (&(mail=%s)(paid_up=true))
+
+              This parameter supports the following '%' expansions:
+
+              %%     This is replaced by a literal '%' character. (Postfix 2.2
+                     and later).
+
+              %s     This  is  replaced by the input key.  RFC 2254 quoting is
+                     used to make sure that the input key does not  add  unex-
+                     pected metacharacters.
+
+              %u     When the input key is an address of the form user@domain,
+                     %u is replaced by the (RFC 2254) quoted local part of the
+                     address.   Otherwise, %u is replaced by the entire search
+                     string.  If the localpart is empty, the  search  is  sup-
+                     pressed and returns no results.
+
+              %d     When the input key is an address of the form user@domain,
+                     %d is replaced by the (RFC 2254) quoted  domain  part  of
+                     the  address.   Otherwise,  the  search is suppressed and
+                     returns no results.
+
+              %[SUD] The upper-case equivalents of the above expansions behave
+                     in   the  query_filter  parameter  identically  to  their
+                     lower-case counter-parts. With the result_format  parame-
+                     ter  (previously called result_filter see the COMPATIBIL-
+                     ITY section and below), they expand to the  corresponding
+                     components of input key rather than the result value.
+
+                     The  above  %S,  %U  and %D expansions are available with
+                     Postfix 2.2 and later.
+
+              %[1-9] The patterns %1, %2, ... %9 are replaced  by  the  corre-
+                     sponding  most  significant  component of the input key's
+                     domain. If the input key is  user@mail.example.com,  then
+                     %1 is com, %2 is example and %3 is mail. If the input key
+                     is unqualified or does not have enough domain  components
+                     to satisfy all the specified patterns, the search is sup-
+                     pressed and returns no results.
+
+                     The above %1, ..., %9 expansions are available with Post-
+                     fix 2.2 and later.
+
+              The  "domain" parameter described below limits the input keys to
+              addresses in matching domains. When the  "domain"  parameter  is
+              non-empty,  LDAP  queries for unqualified addresses or addresses
+              in non-matching domains are suppressed and return no results.
+
+              NOTE: DO NOT put quotes around the query_filter parameter.
+
+       result_format (default: %s)
+              Called result_filter in Postfix releases prior to  2.2.   Format
+              template  applied  to  result  attributes. Most commonly used to
+              append (or prepend) text to the result. This parameter  supports
+              the following '%' expansions:
+
+              %%     This is replaced by a literal '%' character. (Postfix 2.2
+                     and later).
+
+              %s     This is replaced by the value of  the  result  attribute.
+                     When result is empty it is skipped.
+
+              %u     When the result attribute value is an address of the form
+                     user@domain, %u is replaced by  the  local  part  of  the
+                     address.  When  the  result  has an empty localpart it is
+                     skipped.
+
+              %d     When a result attribute value is an address of  the  form
+                     user@domain,  %d  is  replaced  by the domain part of the
+                     attribute value. When the result  is  unqualified  it  is
+                     skipped.
+
+              %[SUD1-9]
+                     The  upper-case  and decimal digit expansions interpolate
+                     the parts of the input key rather than the result.  Their
+                     behavior  is  identical to that described with query_fil-
+                     ter, and in fact  because  the  input  key  is  known  in
+                     advance,  lookups  whose  key  does  not  contain all the
+                     information specified in the  result  template  are  sup-
+                     pressed and return no results.
+
+                     The  above  %S,  %U,  %D  and  %1, ..., %9 expansions are
+                     available with Postfix 2.2 and later.
+
+              For example, using "result_format = smtp:[%s]" allows one to use
+              a mailHost attribute as the basis of a transport(5) table. After
+              applying the result format, multiple values are concatenated  as
+              comma  separated  strings.  The  expansion_limit  and size_limit
+              parameters explained below allow one to restrict the  number  of
+              values  in  the result, which is especially useful for maps that
+              should return a single value.
+
+              The default value %s specifies that each attribute value  should
+              be used as is.
+
+              This  parameter  was  called  result_filter  in Postfix releases
+              prior to 2.2. If no "result_format" is specified, the  value  of
+              "result_filter"  will  be  used  instead before resorting to the
+              default value. This provides compatibility with  old  configura-
+              tion files.
+
+              NOTE: DO NOT put quotes around the result format!
+
+       domain (default: no domain list)
+              This is a list of domain names, paths to files, or dictionaries.
+              When  specified,  only  fully  qualified  search  keys  with   a
+              *non-empty*  localpart  and  a  matching domain are eligible for
+              lookup:  'user'  lookups,  bare  domain  lookups  and  "@domain"
+              lookups  are  not  performed.  This can significantly reduce the
+              query load on the LDAP server.
+
+                  domain = postfix.org, hash:/etc/postfix/searchdomains
+
+              It is best not to use LDAP to store  the  domains  eligible  for
+              LDAP lookups.
+
+              NOTE: DO NOT define this parameter for local(8) aliases.
+
+              This feature is available in Postfix 1.0 and later.
+
+       result_attribute (default: maildrop)
+              The  attribute(s)  Postfix  will read from any directory entries
+              returned by the lookup, to be resolved to an email address.
+
+                  result_attribute = mailbox, maildrop
+
+              Don't  rely  on  the  default  value   ("maildrop").   Set   the
+              result_attribute  explicitly  in  all  ldap  table configuration
+              files. This is particularly relevant when no result_attribute is
+              applicable,  e.g.  cases  in  which leaf_result_attribute and/or
+              terminal_result_attribute are used instead. The default value is
+              harmless  if  "maildrop"  is  also  listed as a leaf or terminal
+              result attribute, but it is best to not leave this to chance.
+
+       special_result_attribute (default: empty)
+              The attribute(s) of directory entries that can  contain  DNs  or
+              RFC 2255 LDAP URLs. If found, a recursive search is performed to
+              retrieve the entry referenced by the DN, or the entries  matched
+              by the URL query.
+
+                  special_result_attribute = memberdn
+
+              DN  recursion  retrieves  the same result_attributes as the main
+              query, including the special attributes for further recursion.
+
+              URL processing retrieves only those attributes that are included
+              in  both  the URL definition and as result attributes (ordinary,
+              special, leaf or terminal) in the Postfix table definition.   If
+              the  URL  lists  any  of  the table's special result attributes,
+              these are retrieved and used recursively. A URL  that  does  not
+              specify  any  attribute selection, is equivalent (RFC 2255) to a
+              URL that selects all attributes,  in  which  case  the  selected
+              attributes  will  be  the  full  set of result attributes in the
+              Postfix table.
+
+              If an LDAP URL attribute-descriptor or the corresponding Postfix
+              LDAP  table  result  attribute  (but  not  both)  uses  RFC 2255
+              sub-type options ("attr;option"), the attribute  requested  from
+              the  LDAP  server will include the sub-type option. In all other
+              cases, the URL attribute and  the  table  attribute  must  match
+              exactly. Attributes with options in both the URL and the Postfix
+              table are requested only when the options  are  identical.  LDAP
+              attribute-descriptor  options  are  very  rarely used, most LDAP
+              users will not need to concern themselves  with  this  level  of
+              nuanced detail.
+
+       terminal_result_attribute (default: empty)
+              When one or more terminal result attributes are found in an LDAP
+              entry, all other result attributes are ignored and only the ter-
+              minal  result  attributes are returned. This is useful for dele-
+              gating expansion of group members to a particular host, by using
+              an optional "maildrop" attribute on selected groups to route the
+              group to a specific host, where the group is expanded,  possibly
+              via mailing-list manager or other special processing.
+
+                  result_attribute =
+                  terminal_result_attribute = maildrop
+
+              When   using   terminal   and/or  leaf  result  attributes,  the
+              result_attribute is best set to an empty value when  it  is  not
+              used, or else explicitly set to the desired value, even if it is
+              the default value "maildrop".
+
+              This feature is available with Postfix 2.4 or later.
+
+       leaf_result_attribute (default: empty)
+              When one or more  special  result  attributes  are  found  in  a
+              non-terminal  (see above) LDAP entry, leaf result attributes are
+              excluded from the expansion of that entry. This is  useful  when
+              expanding  groups  and  the desired mail address attribute(s) of
+              the member objects obtained via DN or  URI  recursion  are  also
+              present in the group object. To only return the attribute values
+              from the leaf objects and not  the  containing  group,  add  the
+              attribute   to  the  leaf_result_attribute  list,  and  not  the
+              result_attribute list,  which  is  always  expanded.  Note,  the
+              default  value  of "result_attribute" is not empty, you may want
+              to set it explicitly empty when using "leaf_result_attribute" to
+              expand  the  group  to  a list of member DN addresses. If groups
+              have both member DN references AND attributes that hold multiple
+              string valued rfc822 addresses, then the string attributes go in
+              "result_attribute".  The attributes  that  represent  the  email
+              addresses  of  objects  referenced  via a DN (or LDAP URI) go in
+              "leaf_result_attribute".
+
+                  result_attribute = memberaddr
+                  special_result_attribute = memberdn
+                  terminal_result_attribute = maildrop
+                  leaf_result_attribute = mail
+
+              When  using  terminal  and/or  leaf   result   attributes,   the
+              result_attribute  is  best  set to an empty value when it is not
+              used, or else explicitly set to the desired value, even if it is
+              the default value "maildrop".
+
+              This feature is available with Postfix 2.4 or later.
+
+       scope (default: sub)
+              The  LDAP search scope: sub, base, or one.  These translate into
+              LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.
+
+       bind (default: yes)
+              Whether or how to bind to the LDAP server. Newer LDAP  implemen-
+              tations  don't  require clients to bind, which saves time. Exam-
+              ple:
+
+                  # Don't bind
+                  bind = no
+                  # Use SIMPLE bind
+                  bind = yes
+                  # Use SASL bind
+                  bind = sasl
+
+              Postfix versions prior to 2.8 only support  "bind  =  no"  which
+              means don't bind, and "bind = yes" which means do a SIMPLE bind.
+              Postfix 2.8 and later also supports "bind = SASL" when  compiled
+              with LDAP SASL support as described in LDAP_README, it also adds
+              the synonyms "bind = none" and "bind = simple" for "bind  =  no"
+              and  "bind  =  yes" respectively. See the SASL section below for
+              additional parameters available with "bind = sasl".
+
+              If you do need to bind, you might consider  configuring  Postfix
+              to  connect  to the local machine on a port that's an SSL tunnel
+              to your LDAP server. If your LDAP server doesn't  natively  sup-
+              port  SSL,  put  a  tunnel (wrapper, proxy, whatever you want to
+              call it) on that system too. This should  prevent  the  password
+              from traversing the network in the clear.
+
+       bind_dn (default: empty)
+              If  you  do  have  to  bind, do it with this distinguished name.
+              Example:
+
+                  bind_dn = uid=postfix, dc=your, dc=com
+              With "bind = sasl" (see above) the DN may be optional  for  some
+              SASL mechanisms, don't specify a DN if not needed.
+
+       bind_pw (default: empty)
+              The  password  for  the distinguished name above. If you have to
+              use this, you probably want to make the map  configuration  file
+              readable  only  by  the  Postfix  user.  When using the obsolete
+              ldap:ldapsource syntax, with map parameters in  main.cf,  it  is
+              not  possible  to  securely  store  the  bind  password. This is
+              because main.cf needs  to  be  world  readable  to  allow  local
+              accounts to submit mail via the sendmail command. Example:
+
+                  bind_pw = postfixpw
+              With  "bind = sasl" (see above) the password may be optional for
+              some SASL mechanisms, don't specify a password if not needed.
+
+       cache (IGNORED with a warning)
+
+       cache_expiry (IGNORED with a warning)
+
+       cache_size (IGNORED with a warning)
+              The above parameters are NO LONGER SUPPORTED by Postfix.   Cache
+              support has been dropped from OpenLDAP as of release 2.1.13.
+
+       recursion_limit (default: 1000)
+              A  limit  on  the  nesting  depth  of  DN and URL special result
+              attribute evaluation. The limit must be a non-zero positive num-
+              ber.
+
+       expansion_limit (default: 0)
+              A  limit  on  the total number of result elements returned (as a
+              comma separated list) by a lookup against the map.  A setting of
+              zero  disables the limit. Lookups fail with a temporary error if
+              the limit is exceeded.  Setting the  limit  to  1  ensures  that
+              lookups do not return multiple values.
+
+       size_limit (default: $expansion_limit)
+              A  limit  on  the  number of LDAP entries returned by any single
+              LDAP search performed as part of the lookup. A setting of 0 dis-
+              ables  the  limit.   Expansion of DN and URL references involves
+              nested LDAP queries, each of which is  separately  subjected  to
+              this limit.
+
+              Note:  even  a  single  LDAP  entry can generate multiple lookup
+              results, via  multiple  result  attributes  and/or  multi-valued
+              result  attributes. This limit caps the per search resource uti-
+              lization on the LDAP server, not the final multiplicity  of  the
+              lookup   result.   It   is  analogous  to  the  "-z"  option  of
+              "ldapsearch".
+
+       dereference (default: 0)
+              When to dereference LDAP aliases. (Note that this has nothing do
+              with  Postfix aliases.) The permitted values are those legal for
+              the OpenLDAP/UM LDAP implementations:
+
+              0      never
+
+              1      when searching
+
+              2      when locating the base object for the search
+
+              3      always
+
+              See ldap.h or the ldap_open(3) or ldapsearch(1)  man  pages  for
+              more  information.  And if you're using an LDAP package that has
+              other possible values, please bring it to the attention  of  the
+              postfix-users@postfix.org mailing list.
+
+       chase_referrals (default: 0)
+              Sets  (or  clears)  LDAP_OPT_REFERRALS  (requires LDAP version 3
+              support).
+
+       version (default: 2)
+              Specifies the LDAP protocol version to use.
+
+       debuglevel (default: 0)
+              What level to set for debugging in the OpenLDAP libraries.
+
+LDAP SASL PARAMETERS
+       If you're using the OpenLDAP  libraries  compiled  with  SASL  support,
+       Postfix  2.8  and  later  built  with LDAP SASL support as described in
+       LDAP_README can authenticate to LDAP servers via SASL.
+
+       This enables authentication to the LDAP  server  via  mechanisms  other
+       than  a  simple  password.  The  added flexibility has a cost: it is no
+       longer practical to set an explicit timeout on the duration of an  LDAP
+       bind  operation.  Under  adverse  conditions, whether a SASL bind times
+       out, or if it does, the duration of the timeout is  determined  by  the
+       LDAP and SASL libraries.
+
+       It  is best to use tables that use SASL binds via proxymap(8), this way
+       the requesting process can time-out the  proxymap  request.  This  also
+       lets  you  tailer the process environment by overriding the proxymap(8)
+       import_environment setting in master.cf(5).  Special  environment  set-
+       tings may be needed to configure GSSAPI credential caches or other SASL
+       mechanism specific  options.  The  GSSAPI  credentials  used  for  LDAP
+       lookups  may  need  to be different than say those used for the Postfix
+       SMTP client to authenticate to remote servers.
+
+       Using SASL mechanisms requires LDAP protocol  version  3,  the  default
+       protocol  version  is 2 for backwards compatibility. You must set "ver-
+       sion = 3" in addition to "bind = sasl".
+
+       The following parameters are relevant to using LDAP with SASL
+
+       sasl_mechs (default: empty)
+              Space separated list of SASL mechanism(s) to try.
+
+       sasl_realm (default: empty)
+              SASL Realm to use, if applicable.
+
+       sasl_authz_id (default: empty)
+              The SASL authorization identity to assert, if applicable.
+
+       sasl_minssf (default: 0)
+              The minimum required sasl security factor required to  establish
+              a connection.
+
+LDAP SSL AND STARTTLS PARAMETERS
+       If you're using the OpenLDAP libraries compiled with SSL support, Post-
+       fix can connect to LDAP SSL servers and can issue the STARTTLS command.
+
+       LDAP  SSL  service  can  be  requested  by  using a LDAP SSL URL in the
+       server_host parameter:
+
+           server_host = ldaps://ldap.example.com:636
+
+       STARTTLS can be turned on with the start_tls parameter:
+
+           start_tls = yes
+
+       Both forms require LDAP protocol version 3, which has to be set explic-
+       itly with:
+
+           version = 3
+
+       If  any  of the Postfix programs querying the map is configured in mas-
+       ter.cf to run chrooted, all the certificates and keys involved have  to
+       be  copied  to the chroot jail. Of course, the private keys should only
+       be readable by the user "postfix".
+
+       The following parameters are relevant to LDAP SSL and STARTTLS:
+
+       start_tls (default: no)
+              Whether or not to issue STARTTLS upon connection to the  server.
+              Don't set this with LDAP SSL (the SSL session is setup automati-
+              cally when the TCP connection is opened).
+
+       tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
+              Directory containing X509 Certification  Authority  certificates
+              in  PEM  format  which  are  to  be  recognized by the client in
+              SSL/TLS connections. The files each contain one CA  certificate.
+              The files are looked up by the CA subject name hash value, which
+              must hence be available. If more than one  CA  certificate  with
+              the  same name hash value exist, the extension must be different
+              (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search  is  performed  in
+              the  ordering of the extension number, regardless of other prop-
+              erties of the certificates. Use the c_rehash utility  (from  the
+              OpenSSL distribution) to create the necessary links.
+
+       tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
+              File containing the X509 Certification Authority certificates in
+              PEM format which are to be recognized by the client  in  SSL/TLS
+              connections. This setting takes precedence over tls_ca_cert_dir.
+
+       tls_cert (No default; you must set this)
+              File containing client's X509 certificate  to  be  used  by  the
+              client in SSL/ TLS connections.
+
+       tls_key (No default; you must set this)
+              File  containing  the  private  key  corresponding  to the above
+              tls_cert.
+
+       tls_require_cert (default: no)
+              Whether or not to request server's X509  certificate  and  check
+              its  validity  when  establishing SSL/TLS connections.  The sup-
+              ported values are no and yes.
+
+              With no, the server certificate trust chain is not checked,  but
+              with  OpenLDAP  prior to 2.1.13, the name in the server certifi-
+              cate must still match the LDAP server name. With OpenLDAP  2.0.0
+              to 2.0.11 the server name is not necessarily what you specified,
+              rather it is determined (by reverse lookup) from the IP  address
+              of  the  LDAP  server connection. With OpenLDAP prior to 2.0.13,
+              subjectAlternativeName extensions in the LDAP server certificate
+              are  ignored: the server name must match the subject CommonName.
+              The no setting corresponds to the never value of TLS_REQCERT  in
+              LDAP client configuration files.
+
+              Don't  use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
+              if you can avoid it.
+
+              With yes, the server certificate must be issued by a trusted CA,
+              and  not  be expired. The LDAP server name must match one of the
+              name(s) found in the certificate (see above for OpenLDAP library
+              version  dependent behavior). The yes setting corresponds to the
+              demand value of TLS_REQCERT in LDAP client configuration  files.
+
+              The  "try" and "allow" values of TLS_REQCERT have no equivalents
+              here. They are not available with OpenLDAP 2.0, and in any  case
+              have questionable security properties. Either you want TLS veri-
+              fied LDAP connections, or you don't.
+
+              The yes value only works correctly with Postfix 2.5  and  later,
+              or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
+              releases don't work together with this setting. Support for LDAP
+              over TLS was added to Postfix based on the OpenLDAP 2.0 API.
+
+       tls_random_file (No default)
+              Path of a file to obtain random bits from when /dev/[u]random is
+              not available, to be used by the client in SSL/TLS  connections.
+
+       tls_cipher_suite (No default)
+              Cipher suite to use in SSL/TLS negotiations.
+
+EXAMPLE
+       Here's  a  basic  example  for  using LDAP to look up local(8) aliases.
+       Assume that in main.cf, you have:
+
+           alias_maps = hash:/etc/aliases,
+                   ldap:/etc/postfix/ldap-aliases.cf
+
+       and in ldap:/etc/postfix/ldap-aliases.cf you have:
+
+           server_host = ldap.example.com
+           search_base = dc=example, dc=com
+
+       Upon receiving mail for a local address "ldapuser" that isn't found  in
+       the  /etc/aliases database, Postfix will search the LDAP server listen-
+       ing at port 389 on ldap.example.com.  It will bind anonymously,  search
+       for  any  directory  entries  whose mailacceptinggeneralid attribute is
+       "ldapuser", read the "maildrop" attributes of those found, and build  a
+       list  of  their maildrops, which will be treated as RFC822 addresses to
+       which the message will be delivered.
+
+OBSOLETE MAIN.CF PARAMETERS
+       For backwards compatibility with Postfix version 2.0 and earlier,  LDAP
+       parameters  can  also  be defined in main.cf.  Specify as LDAP source a
+       name that doesn't begin with a slash or a  dot.   The  LDAP  parameters
+       will then be accessible as the name you've given the source in its def-
+       inition, an underscore, and the name of the parameter.  For example, if
+       the  map is specified as "ldap:ldapsource", the "server_host" parameter
+       below would be defined in main.cf as "ldapsource_server_host".
+
+       Note: with this form, the passwords for the LDAP sources are written in
+       main.cf,  which is normally world-readable.  Support for this form will
+       be removed in a future Postfix version.
+
+OTHER OBSOLETE FEATURES
+       For backwards compatibility with the pre 2.2 LDAP clients,  result_fil-
+       ter  can  for  now  be  used  instead of result_format, when the latter
+       parameter is not also set.  The new name better reflects  the  function
+       of  the  parameter.  This  compatibility  interface may be removed in a
+       future release.
+
+SEE ALSO
+       postmap(1), Postfix lookup table manager
+       postconf(5), configuration parameters
+       mysql_table(5), MySQL lookup tables
+       pgsql_table(5), PostgreSQL lookup tables
+
+README FILES
+       DATABASE_README, Postfix lookup table overview
+       LDAP_README, Postfix LDAP client guide
+
+LICENSE
+       The Secure Mailer license must be distributed with this software.
+
+AUTHOR(S)
+       Carsten  Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM-
+       ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat  K  Singh,
+       Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.
+
+                                                                 LDAP_TABLE(5)
+
-- cgit v1.2.3