diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 16:18:56 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 16:18:56 +0000 |
commit | b7c15c31519dc44c1f691e0466badd556ffe9423 (patch) | |
tree | f944572f288bab482a615e09af627d9a2b6727d8 /proto/ldap_table | |
parent | Initial commit. (diff) | |
download | postfix-b7c15c31519dc44c1f691e0466badd556ffe9423.tar.xz postfix-b7c15c31519dc44c1f691e0466badd556ffe9423.zip |
Adding upstream version 3.7.10.upstream/3.7.10
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'proto/ldap_table')
-rw-r--r-- | proto/ldap_table | 723 |
1 files changed, 723 insertions, 0 deletions
diff --git a/proto/ldap_table b/proto/ldap_table new file mode 100644 index 0000000..fe3626a --- /dev/null +++ b/proto/ldap_table @@ -0,0 +1,723 @@ +#++ +# NAME +# ldap_table 5 +# SUMMARY +# Postfix LDAP client configuration +# SYNOPSIS +# \fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/\fIfilename\fR +# +# \fBpostmap -q - ldap:/etc/postfix/\fIfilename\fB <\fIinputfile\fR +# DESCRIPTION +# The Postfix mail system uses optional tables for address +# rewriting or mail routing. These tables are usually in +# \fBdbm\fR or \fBdb\fR format. +# +# Alternatively, lookup tables can be specified as LDAP databases. +# +# In order to use LDAP lookups, define an LDAP source as a lookup +# table in main.cf, for example: +# +# .nf +# alias_maps = ldap:/etc/postfix/ldap-aliases.cf +# .fi +# +# The file /etc/postfix/ldap-aliases.cf has the same format as +# the Postfix main.cf file, and can specify the parameters +# described below. An example is given at the end of this manual. +# +# This configuration method is available with Postfix version +# 2.1 and later. See the section "OBSOLETE MAIN.CF PARAMETERS" +# below for older Postfix versions. +# +# For details about LDAP SSL and STARTTLS, see the section +# on SSL and STARTTLS below. +# LIST MEMBERSHIP +# .ad +# .fi +# When using LDAP to store lists such as $mynetworks, +# $mydestination, $relay_domains, $local_recipient_maps, +# etc., it is important to understand that the table must +# store each list member as a separate key. The table lookup +# verifies the *existence* of the key. See "Postfix lists +# versus tables" in the DATABASE_README document for a +# discussion. +# +# Do NOT create tables that return the full list of domains +# in $mydestination or $relay_domains etc., or IP addresses +# in $mynetworks. +# +# DO create tables with each matching item as a key and with +# an arbitrary value. With LDAP databases it is not uncommon to +# return the key itself. +# +# For example, NEVER do this in a map defining $mydestination: +# +# .nf +# query_filter = domain=* +# result_attribute = domain +# .fi +# +# Do this instead: +# +# .nf +# query_filter = domain=%s +# result_attribute = domain +# .fi +# GENERAL LDAP PARAMETERS +# .ad +# .fi +# In the text below, default values are given in parentheses. +# Note: don't use quotes in these variables; at least, not until the +# Postfix configuration routines understand how to deal with quoted +# strings. +# .IP "\fBserver_host (default: localhost)\fR" +# The name of the host running the LDAP server, e.g. +# +# .nf +# server_host = ldap.example.com +# .fi +# +# Depending on the LDAP client library you're using, it should +# be possible to specify multiple servers here, with the library +# trying them in order should the first one fail. It should also +# be possible to give each server in the list a different port +# (overriding \fBserver_port\fR below), by naming them like +# +# .nf +# server_host = ldap.example.com:1444 +# .fi +# +# With OpenLDAP, a (list of) LDAP URLs can be used to specify both +# the hostname(s) and the port(s): +# +# .nf +# server_host = ldap://ldap.example.com:1444 +# ldap://ldap2.example.com:1444 +# .fi +# +# All LDAP URLs accepted by the OpenLDAP library are supported, +# including connections over UNIX domain sockets, and LDAP SSL +# (the last one provided that OpenLDAP was compiled with support +# for SSL): +# +# .nf +# server_host = ldapi://%2Fsome%2Fpath +# ldaps://ldap.example.com:636 +# .fi +# .IP "\fBserver_port (default: 389)\fR" +# The port the LDAP server listens on, e.g. +# +# .nf +# server_port = 778 +# .fi +# .IP "\fBtimeout (default: 10 seconds)\fR" +# The number of seconds a search can take before timing out, e.g. +# +# .fi +# timeout = 5 +# .fi +# .IP "\fBsearch_base (No default; you must configure this)\fR" +# The RFC2253 base DN at which to conduct the search, e.g. +# +# .nf +# search_base = dc=your, dc=com +# .fi +# .IP +# With Postfix 2.2 and later this parameter supports the +# following '%' expansions: +# .RS +# .IP "\fB%%\fR" +# This is replaced by a literal '%' character. +# .IP "\fB%s\fR" +# This is replaced by the input key. +# RFC 2253 quoting is used to make sure that the input key +# does not add unexpected metacharacters. +# .IP "\fB%u\fR" +# When the input key is an address of the form user@domain, \fB%u\fR +# is replaced by the (RFC 2253) quoted local part of the address. +# Otherwise, \fB%u\fR is replaced by the entire search string. +# If the localpart is empty, the search is suppressed and returns +# no results. +# .IP "\fB%d\fR" +# When the input key is an address of the form user@domain, \fB%d\fR +# is replaced by the (RFC 2253) quoted domain part of the address. +# Otherwise, the search is suppressed and returns no results. +# .IP "\fB%[SUD]\fR" +# For the \fBsearch_base\fR parameter, the upper-case equivalents +# of the above expansions behave identically to their lower-case +# counter-parts. With the \fBresult_format\fR parameter (previously +# called \fBresult_filter\fR see the OTHER OBSOLETE FEATURES section +# and below), they expand to the corresponding components of input +# key rather than the result value. +# .IP "\fB%[1-9]\fR" +# The patterns %1, %2, ... %9 are replaced by the corresponding +# most significant component of the input key's domain. If the +# input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR, +# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is +# unqualified or does not have enough domain components to satisfy +# all the specified patterns, the search is suppressed and returns +# no results. +# .RE +# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR" +# The RFC2254 filter used to search the directory, where \fB%s\fR +# is a substitute for the address Postfix is trying to resolve, +# e.g. +# +# .nf +# query_filter = (&(mail=%s)(paid_up=true)) +# .fi +# +# This parameter supports the following '%' expansions: +# .RS +# .IP "\fB%%\fR" +# This is replaced by a literal '%' character. (Postfix 2.2 and later). +# .IP "\fB%s\fR" +# This is replaced by the input key. +# RFC 2254 quoting is used to make sure that the input key +# does not add unexpected metacharacters. +# .IP "\fB%u\fR" +# When the input key is an address of the form user@domain, \fB%u\fR +# is replaced by the (RFC 2254) quoted local part of the address. +# Otherwise, \fB%u\fR is replaced by the entire search string. +# If the localpart is empty, the search is suppressed and returns +# no results. +# .IP "\fB%d\fR" +# When the input key is an address of the form user@domain, \fB%d\fR +# is replaced by the (RFC 2254) quoted domain part of the address. +# Otherwise, the search is suppressed and returns no results. +# .IP "\fB%[SUD]\fR" +# The upper-case equivalents of the above expansions behave in the +# \fBquery_filter\fR parameter identically to their lower-case +# counter-parts. With the \fBresult_format\fR parameter (previously +# called \fBresult_filter\fR see the OTHER OBSOLETE FEATURES section +# and below), they expand to the corresponding components of input +# key rather than the result value. +# .IP +# The above %S, %U and %D expansions are available with Postfix 2.2 +# and later. +# .IP "\fB%[1-9]\fR" +# The patterns %1, %2, ... %9 are replaced by the corresponding +# most significant component of the input key's domain. If the +# input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR, +# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is +# unqualified or does not have enough domain components to satisfy +# all the specified patterns, the search is suppressed and returns +# no results. +# .IP +# The above %1, ..., %9 expansions are available with Postfix 2.2 +# and later. +# .RE +# .IP +# The "domain" parameter described below limits the input +# keys to addresses in matching domains. When the "domain" +# parameter is non-empty, LDAP queries for unqualified +# addresses or addresses in non-matching domains are suppressed +# and return no results. +# +# NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter. +# .IP "\fBresult_format (default: \fB%s\fR)\fR" +# Called \fBresult_filter\fR in Postfix releases prior to 2.2. +# Format template applied to result attributes. Most commonly used +# to append (or prepend) text to the result. This parameter supports +# the following '%' expansions: +# .RS +# .IP "\fB%%\fR" +# This is replaced by a literal '%' character. (Postfix 2.2 and later). +# .IP "\fB%s\fR" +# This is replaced by the value of the result attribute. When +# result is empty it is skipped. +# .IP "\fB%u\fR +# When the result attribute value is an address of the form +# user@domain, \fB%u\fR is replaced by the local part of the +# address. When the result has an empty localpart it is skipped. +# .IP "\fB%d\fR" +# When a result attribute value is an address of the form +# user@domain, \fB%d\fR is replaced by the domain part of +# the attribute value. When the result is unqualified it +# is skipped. +# .IP "\fB%[SUD1-9]\fR" +# The upper-case and decimal digit expansions interpolate +# the parts of the input key rather than the result. Their +# behavior is identical to that described with \fBquery_filter\fR, +# and in fact because the input key is known in advance, lookups +# whose key does not contain all the information specified in +# the result template are suppressed and return no results. +# .IP +# The above %S, %U, %D and %1, ..., %9 expansions are available with +# Postfix 2.2 and later. +# .RE +# .IP +# For example, using "result_format = smtp:[%s]" allows one +# to use a mailHost attribute as the basis of a transport(5) +# table. After applying the result format, multiple values +# are concatenated as comma separated strings. The expansion_limit +# and size_limit parameters explained below allow one to +# restrict the number of values in the result, which is +# especially useful for maps that should return a single +# value. +# +# The default value \fB%s\fR specifies that each +# attribute value should be used as is. +# +# This parameter was called \fBresult_filter\fR in Postfix +# releases prior to 2.2. If no "result_format" is specified, +# the value of "result_filter" will be used instead before +# resorting to the default value. This provides compatibility +# with old configuration files. +# +# NOTE: DO NOT put quotes around the result format! +# .IP "\fBdomain (default: no domain list)\fR" +# This is a list of domain names, paths to files, or +# "type:table" databases. When specified, only fully qualified search +# keys with a *non-empty* localpart and a matching domain +# are eligible for lookup: 'user' lookups, bare domain lookups +# and "@domain" lookups are not performed. This can significantly +# reduce the query load on the LDAP server. +# +# .nf +# domain = postfix.org, hash:/etc/postfix/searchdomains +# .fi +# +# It is best not to use LDAP to store the domains eligible +# for LDAP lookups. +# +# NOTE: DO NOT define this parameter for local(8) aliases. +# +# This feature is available in Postfix 1.0 and later. +# .IP "\fBresult_attribute (default: maildrop)\fR" +# The attribute(s) Postfix will read from any directory +# entries returned by the lookup, to be resolved to an email +# address. +# +# .nf +# result_attribute = mailbox, maildrop +# .fi +# +# Don't rely on the default value ("maildrop"). Set the +# result_attribute explicitly in all ldap table configuration +# files. This is particularly relevant when no result_attribute +# is applicable, e.g. cases in which leaf_result_attribute and/or +# terminal_result_attribute are used instead. The default value +# is harmless if "maildrop" is also listed as a leaf or terminal +# result attribute, but it is best to not leave this to chance. +# .IP "\fBspecial_result_attribute (default: empty)\fR" +# The attribute(s) of directory entries that can contain DNs +# or RFC 2255 LDAP URLs. If found, a recursive search +# is performed to retrieve the entry referenced by the DN, or +# the entries matched by the URL query. +# +# .nf +# special_result_attribute = memberdn +# .fi +# +# DN recursion retrieves the same result_attributes as the +# main query, including the special attributes for further +# recursion. +# +# URL processing retrieves only those attributes that are included +# in both the URL definition and as result attributes (ordinary, +# special, leaf or terminal) in the Postfix table definition. +# If the URL lists any of the table's special result attributes, +# these are retrieved and used recursively. A URL that does not +# specify any attribute selection, is equivalent (RFC 2255) to a +# URL that selects all attributes, in which case the selected +# attributes will be the full set of result attributes in the +# Postfix table. +# +# If an LDAP URL attribute-descriptor or the corresponding Postfix +# LDAP table result attribute (but not both) uses RFC 2255 sub-type +# options ("attr;option"), the attribute requested from the LDAP server +# will include the sub-type option. In all other cases, the URL +# attribute and the table attribute must match exactly. Attributes +# with options in both the URL and the Postfix table are requested +# only when the options are identical. LDAP attribute-descriptor +# options are very rarely used, most LDAP users will not +# need to concern themselves with this level of nuanced detail. +# .IP "\fBterminal_result_attribute (default: empty)\fR" +# When one or more terminal result attributes are found in an LDAP +# entry, all other result attributes are ignored and only the terminal +# result attributes are returned. This is useful for delegating expansion +# of group members to a particular host, by using an optional "maildrop" +# attribute on selected groups to route the group to a specific host, +# where the group is expanded, possibly via mailing-list manager or +# other special processing. +# +# .nf +# result_attribute = +# terminal_result_attribute = maildrop +# .fi +# +# When using terminal and/or leaf result attributes, the +# result_attribute is best set to an empty value when it is not +# used, or else explicitly set to the desired value, even if it is +# the default value "maildrop". +# +# This feature is available with Postfix 2.4 or later. +# .IP "\fBleaf_result_attribute (default: empty)\fR" +# When one or more special result attributes are found in a non-terminal +# (see above) LDAP entry, leaf result attributes are excluded from the +# expansion of that entry. This is useful when expanding groups and the +# desired mail address attribute(s) of the member objects obtained via +# DN or URI recursion are also present in the group object. To only +# return the attribute values from the leaf objects and not the +# containing group, add the attribute to the leaf_result_attribute list, +# and not the result_attribute list, which is always expanded. Note, +# the default value of "result_attribute" is not empty, you may want to +# set it explicitly empty when using "leaf_result_attribute" to expand +# the group to a list of member DN addresses. If groups have both +# member DN references AND attributes that hold multiple string valued +# rfc822 addresses, then the string attributes go in "result_attribute". +# The attributes that represent the email addresses of objects +# referenced via a DN (or LDAP URI) go in "leaf_result_attribute". +# +# .nf +# result_attribute = memberaddr +# special_result_attribute = memberdn +# terminal_result_attribute = maildrop +# leaf_result_attribute = mail +# .fi +# +# When using terminal and/or leaf result attributes, the +# result_attribute is best set to an empty value when it is not +# used, or else explicitly set to the desired value, even if it is +# the default value "maildrop". +# +# This feature is available with Postfix 2.4 or later. +# .IP "\fBscope (default: sub)\fR" +# The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR. +# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, +# and LDAP_SCOPE_ONELEVEL. +# .IP "\fBbind (default: yes)\fR" +# Whether or how to bind to the LDAP server. Newer LDAP +# implementations don't require clients to bind, which saves +# time. Example: +# +# .nf +# # Don't bind +# bind = no +# # Use SIMPLE bind +# bind = yes +# # Use SASL bind +# bind = sasl +# .fi +# +# Postfix versions prior to 2.8 only support "bind = no" which +# means don't bind, and "bind = yes" which means do a SIMPLE bind. +# Postfix 2.8 and later also supports "bind = SASL" when compiled +# with LDAP SASL support as described in LDAP_README, it also adds +# the synonyms "bind = none" and "bind = simple" for "bind = no" +# and "bind = yes" respectively. See the SASL section below for +# additional parameters available with "bind = sasl". +# +# If you do need to bind, you might consider configuring +# Postfix to connect to the local machine on a port that's +# an SSL tunnel to your LDAP server. If your LDAP server +# doesn't natively support SSL, put a tunnel (wrapper, proxy, +# whatever you want to call it) on that system too. This +# should prevent the password from traversing the network in +# the clear. +# .IP "\fBbind_dn (default: empty)\fR" +# If you do have to bind, do it with this distinguished name. Example: +# +# .nf +# bind_dn = uid=postfix, dc=your, dc=com +# .fi +# With "bind = sasl" (see above) the DN may be optional for some SASL +# mechanisms, don't specify a DN if not needed. +# .IP "\fBbind_pw (default: empty)\fR" +# The password for the distinguished name above. If you have +# to use this, you probably want to make the map configuration +# file readable only by the Postfix user. When using the +# obsolete ldap:ldapsource syntax, with map parameters in +# main.cf, it is not possible to securely store the bind +# password. This is because main.cf needs to be world readable +# to allow local accounts to submit mail via the sendmail +# command. Example: +# +# .nf +# bind_pw = postfixpw +# .fi +# With "bind = sasl" (see above) the password may be optional +# for some SASL mechanisms, don't specify a password if not needed. +# .IP "\fBcache (IGNORED with a warning)\fR" +# .IP "\fBcache_expiry (IGNORED with a warning)\fR" +# .IP "\fBcache_size (IGNORED with a warning)\fR" +# The above parameters are NO LONGER SUPPORTED by Postfix. +# Cache support has been dropped from OpenLDAP as of release +# 2.1.13. +# .IP "\fBrecursion_limit (default: 1000)\fR" +# A limit on the nesting depth of DN and URL special result +# attribute evaluation. The limit must be a non-zero positive +# number. +# .IP "\fBexpansion_limit (default: 0)\fR" +# A limit on the total number of result elements returned +# (as a comma separated list) by a lookup against the map. +# A setting of zero disables the limit. Lookups fail with a +# temporary error if the limit is exceeded. Setting the +# limit to 1 ensures that lookups do not return multiple +# values. +# .IP "\fBsize_limit (default: $expansion_limit)\fR" +# A limit on the number of LDAP entries returned by any single +# LDAP search performed as part of the lookup. A setting of +# 0 disables the limit. Expansion of DN and URL references +# involves nested LDAP queries, each of which is separately +# subjected to this limit. +# +# Note: even a single LDAP entry can generate multiple lookup +# results, via multiple result attributes and/or multi-valued +# result attributes. This limit caps the per search resource +# utilization on the LDAP server, not the final multiplicity +# of the lookup result. It is analogous to the "-z" option +# of "ldapsearch". +# .IP "\fBdereference (default: 0)\fR" +# When to dereference LDAP aliases. (Note that this has +# nothing do with Postfix aliases.) The permitted values are +# those legal for the OpenLDAP/UM LDAP implementations: +# .RS +# .IP 0 +# never +# .IP 1 +# when searching +# .IP 2 +# when locating the base object for the search +# .IP 3 +# always +# .RE +# .IP +# See ldap.h or the ldap_open(3) or ldapsearch(1) man pages +# for more information. And if you're using an LDAP package +# that has other possible values, please bring it to the +# attention of the postfix-users@postfix.org mailing list. +# .IP "\fBchase_referrals (default: 0)\fR" +# Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version +# 3 support). +# .IP "\fBversion (default: 2)\fR" +# Specifies the LDAP protocol version to use. +# .IP "\fBdebuglevel (default: 0)\fR" +# What level to set for debugging in the OpenLDAP libraries. +# LDAP SASL PARAMETERS +# .ad +# .fi +# If you're using the OpenLDAP libraries compiled with SASL +# support, Postfix 2.8 and later built with LDAP SASL support +# as described in LDAP_README can authenticate to LDAP servers +# via SASL. +# +# This enables authentication to the LDAP server via mechanisms +# other than a simple password. The added flexibility has a cost: +# it is no longer practical to set an explicit timeout on the duration +# of an LDAP bind operation. Under adverse conditions, whether a SASL +# bind times out, or if it does, the duration of the timeout is +# determined by the LDAP and SASL libraries. +# +# It is best to use tables that use SASL binds via proxymap(8), this +# way the requesting process can time-out the proxymap request. This +# also lets you tailer the process environment by overriding the +# proxymap(8) import_environment setting in master.cf(5). Special +# environment settings may be needed to configure GSSAPI credential +# caches or other SASL mechanism specific options. The GSSAPI +# credentials used for LDAP lookups may need to be different than +# say those used for the Postfix SMTP client to authenticate to remote +# servers. +# +# Using SASL mechanisms requires LDAP protocol version 3, the default +# protocol version is 2 for backwards compatibility. You must set +# "version = 3" in addition to "bind = sasl". +# +# The following parameters are relevant to using LDAP with SASL +# .IP "\fBsasl_mechs (default: empty)\fR" +# Space separated list of SASL mechanism(s) to try. +# .IP "\fBsasl_realm (default: empty)\fR" +# SASL Realm to use, if applicable. +# .IP "\fBsasl_authz_id (default: empty)\fR" +# The SASL authorization identity to assert, if applicable. +# .IP "\fBsasl_minssf (default: 0)\fR" +# The minimum required sasl security factor required to establish a +# connection. +# LDAP SSL AND STARTTLS PARAMETERS +# .ad +# .fi +# If you're using the OpenLDAP libraries compiled with SSL +# support, Postfix can connect to LDAP SSL servers and can +# issue the STARTTLS command. +# +# LDAP SSL service can be requested by using a LDAP SSL URL +# in the server_host parameter: +# +# .nf +# server_host = ldaps://ldap.example.com:636 +# .fi +# +# STARTTLS can be turned on with the start_tls parameter: +# +# .nf +# start_tls = yes +# .fi +# +# Both forms require LDAP protocol version 3, which has to be set +# explicitly with: +# +# .nf +# version = 3 +# .fi +# +# If any of the Postfix programs querying the map is configured in +# master.cf to run chrooted, all the certificates and keys involved +# have to be copied to the chroot jail. Of course, the private keys +# should only be readable by the user "postfix". +# +# The following parameters are relevant to LDAP SSL and STARTTLS: +# .IP "\fBstart_tls (default: no)\fR" +# Whether or not to issue STARTTLS upon connection to the +# server. Don't set this with LDAP SSL (the SSL session is setup +# automatically when the TCP connection is opened). +# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR" +# Directory containing X509 Certification Authority certificates +# in PEM format which are to be recognized by the client in +# SSL/TLS connections. The files each contain one CA certificate. +# The files are looked up by the CA subject name hash value, +# which must hence be available. If more than one CA certificate +# with the same name hash value exist, the extension must be +# different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is +# performed in the ordering of the extension number, regardless +# of other properties of the certificates. Use the c_rehash +# utility (from the OpenSSL distribution) to create the +# necessary links. +# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR" +# File containing the X509 Certification Authority certificates +# in PEM format which are to be recognized by the client in +# SSL/TLS connections. This setting takes precedence over +# tls_ca_cert_dir. +# .IP "\fBtls_cert (No default; you must set this)\fR" +# File containing client's X509 certificate to be used by +# the client in SSL/ TLS connections. +# .IP "\fBtls_key (No default; you must set this)\fR" +# File containing the private key corresponding to the above +# tls_cert. +# .IP "\fBtls_require_cert (default: no)\fR" +# Whether or not to request server's X509 certificate and +# check its validity when establishing SSL/TLS connections. +# The supported values are \fBno\fR and \fByes\fR. +# .sp +# With \fBno\fR, the server certificate trust chain is not checked, +# but with OpenLDAP prior to 2.1.13, the name in the server +# certificate must still match the LDAP server name. With OpenLDAP +# 2.0.0 to 2.0.11 the server name is not necessarily what you +# specified, rather it is determined (by reverse lookup) from the +# IP address of the LDAP server connection. With OpenLDAP prior to +# 2.0.13, subjectAlternativeName extensions in the LDAP server +# certificate are ignored: the server name must match the subject +# CommonName. The \fBno\fR setting corresponds to the \fBnever\fR +# value of \fBTLS_REQCERT\fR in LDAP client configuration files. +# .sp +# Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11) +# if you can avoid it. +# .sp +# With \fByes\fR, the server certificate must be issued by a trusted +# CA, and not be expired. The LDAP server name must match one of the +# name(s) found in the certificate (see above for OpenLDAP library +# version dependent behavior). The \fByes\fR setting corresponds to the +# \fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration +# files. +# .sp +# The "try" and "allow" values of \fBTLS_REQCERT\fR have no equivalents +# here. They are not available with OpenLDAP 2.0, and in any case have +# questionable security properties. Either you want TLS verified LDAP +# connections, or you don't. +# .sp +# The \fByes\fR value only works correctly with Postfix 2.5 and later, +# or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP +# releases don't work together with this setting. Support for LDAP +# over TLS was added to Postfix based on the OpenLDAP 2.0 API. +# .IP "\fBtls_random_file (No default)\fR" +# Path of a file to obtain random bits from when /dev/[u]random +# is not available, to be used by the client in SSL/TLS +# connections. +# .IP "\fBtls_cipher_suite (No default)\fR" +# Cipher suite to use in SSL/TLS negotiations. +# EXAMPLE +# .ad +# .fi +# Here's a basic example for using LDAP to look up local(8) +# aliases. +# Assume that in main.cf, you have: +# +# .nf +# alias_maps = hash:/etc/aliases, +# ldap:/etc/postfix/ldap-aliases.cf +# .fi +# +# and in ldap:/etc/postfix/ldap-aliases.cf you have: +# +# .nf +# server_host = ldap.example.com +# search_base = dc=example, dc=com +# .fi +# +# Upon receiving mail for a local address "ldapuser" that +# isn't found in the /etc/aliases database, Postfix will +# search the LDAP server listening at port 389 on ldap.example.com. +# It will bind anonymously, search for any directory entries +# whose mailacceptinggeneralid attribute is "ldapuser", read +# the "maildrop" attributes of those found, and build a list +# of their maildrops, which will be treated as RFC822 addresses +# to which the message will be delivered. +# OBSOLETE MAIN.CF PARAMETERS +# .ad +# .fi +# For backwards compatibility with Postfix version 2.0 and earlier, +# LDAP parameters can also be defined in main.cf. Specify +# as LDAP source a name that doesn't begin with a slash or +# a dot. The LDAP parameters will then be accessible as the +# name you've given the source in its definition, an underscore, +# and the name of the parameter. For example, if the map is +# specified as "ldap:\fIldapsource\fR", the "server_host" +# parameter below would be defined in main.cf as +# "\fIldapsource\fR_server_host". +# +# Note: with this form, the passwords for the LDAP sources are +# written in main.cf, which is normally world-readable. Support +# for this form will be removed in a future Postfix version. +# OTHER OBSOLETE FEATURES +# .ad +# .fi +# For backwards compatibility with the pre +# 2.2 LDAP clients, \fBresult_filter\fR can for now be used instead +# of \fBresult_format\fR, when the latter parameter is not also set. +# The new name better reflects the function of the parameter. This +# compatibility interface may be removed in a future release. +# SEE ALSO +# postmap(1), Postfix lookup table manager +# postconf(5), configuration parameters +# mysql_table(5), MySQL lookup tables +# pgsql_table(5), PostgreSQL lookup tables +# README FILES +# .ad +# .fi +# Use "\fBpostconf readme_directory\fR" or +# "\fBpostconf html_directory\fR" to locate this information. +# .na +# .nf +# DATABASE_README, Postfix lookup table overview +# LDAP_README, Postfix LDAP client guide +# LICENSE +# .ad +# .fi +# The Secure Mailer license must be distributed with this software. +# AUTHOR(S) +# .ad +# .fi +# Carsten Hoeger, +# Hery Rakotoarisoa, +# John Hensley, +# Keith Stevenson, +# LaMont Jones, +# Liviu Daia, +# Manuel Guesdon, +# Mike Mattice, +# Prabhat K Singh, +# Sami Haahtinen, +# Samuel Tardieu, +# Victor Duchovni, +# and many others. +#-- |