From b7c15c31519dc44c1f691e0466badd556ffe9423 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 18:18:56 +0200
Subject: Adding upstream version 3.7.10.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 html/ldap_table.5.html | 676 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 676 insertions(+)
 create mode 100644 html/ldap_table.5.html

(limited to 'html/ldap_table.5.html')

diff --git a/html/ldap_table.5.html b/html/ldap_table.5.html
new file mode 100644
index 0000000..d35f5e1
--- /dev/null
+++ b/html/ldap_table.5.html
@@ -0,0 +1,676 @@
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+        "http://www.w3.org/TR/html4/loose.dtd">
+<html> <head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title> Postfix manual - ldap_table(5) </title>
+</head> <body> <pre>
+LDAP_TABLE(5)                                                    LDAP_TABLE(5)
+
+<b>NAME</b>
+       ldap_table - Postfix LDAP client configuration
+
+<b>SYNOPSIS</b>
+       <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i>
+
+       <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> &lt;<i>inputfile</i>
+
+<b>DESCRIPTION</b>
+       The  Postfix  mail system uses optional tables for address rewriting or
+       mail routing. These tables are usually in <b>dbm</b> or <b>db</b> format.
+
+       Alternatively, lookup tables can be specified as LDAP databases.
+
+       In order to use LDAP lookups, define an LDAP source as a  lookup  table
+       in <a href="postconf.5.html">main.cf</a>, for example:
+
+           <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
+
+       The  file /etc/postfix/ldap-aliases.cf has the same format as the Post-
+       fix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters  described  below.  An
+       example is given at the end of this manual.
+
+       This  configuration  method  is  available with Postfix version 2.1 and
+       later.  See the section "OBSOLETE MAIN.CF PARAMETERS" below  for  older
+       Postfix versions.
+
+       For  details  about  LDAP  SSL and STARTTLS, see the section on SSL and
+       STARTTLS below.
+
+<b>LIST MEMBERSHIP</b>
+       When using LDAP to store lists  such  as  $<a href="postconf.5.html#mynetworks">mynetworks</a>,  $<a href="postconf.5.html#mydestination">mydestination</a>,
+       $<a href="postconf.5.html#relay_domains">relay_domains</a>,  $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, etc., it is important to under-
+       stand that the table must store each list member as a separate key. The
+       table  lookup  verifies  the *existence* of the key. See "Postfix lists
+       versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a discussion.
+
+       Do NOT create tables that return the full list of domains in  $<a href="postconf.5.html#mydestination">mydesti</a>-
+       <a href="postconf.5.html#mydestination">nation</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses in $<a href="postconf.5.html#mynetworks">mynetworks</a>.
+
+       DO create tables with each matching item as a key and with an arbitrary
+       value. With LDAP databases it is not uncommon to return the key itself.
+
+       For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>:
+
+           query_filter = domain=*
+           result_attribute = domain
+
+       Do this instead:
+
+           query_filter = domain=%s
+           result_attribute = domain
+
+<b>GENERAL LDAP PARAMETERS</b>
+       In  the  text  below,  default  values are given in parentheses.  Note:
+       don't use quotes in these variables; at least, not  until  the  Postfix
+       configuration routines understand how to deal with quoted strings.
+
+       <b>server_host (default: localhost)</b>
+              The name of the host running the LDAP server, e.g.
+
+                  server_host = ldap.example.com
+
+              Depending  on the LDAP client library you're using, it should be
+              possible to specify multiple servers here, with the library try-
+              ing  them  in order should the first one fail. It should also be
+              possible to give each server in the list a different port (over-
+              riding <b>server_port</b> below), by naming them like
+
+                  server_host = ldap.example.com:1444
+
+              With OpenLDAP, a (list of) LDAP URLs can be used to specify both
+              the hostname(s) and the port(s):
+
+                  server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444
+                              <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444
+
+              All LDAP URLs accepted by the OpenLDAP  library  are  supported,
+              including  connections  over  UNIX  domain sockets, and LDAP SSL
+              (the last one provided that OpenLDAP was compiled  with  support
+              for SSL):
+
+                  server_host = <a href="ldap_table.5.html">ldapi</a>://%2Fsome%2Fpath
+                              <a href="ldap_table.5.html">ldaps</a>://ldap.example.com:636
+
+       <b>server_port (default: 389)</b>
+              The port the LDAP server listens on, e.g.
+
+                  server_port = 778
+
+       <b>timeout (default: 10 seconds)</b>
+              The  number of seconds a search can take before timing out, e.g.
+
+                  timeout = 5
+
+       <b>search_base (No default; you must configure this)</b>
+              The <a href="https://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g.
+
+                  search_base = dc=your, dc=com
+
+              With Postfix 2.2 and later this parameter supports the following
+              '%' expansions:
+
+              <b>%%</b>     This is replaced by a literal '%' character.
+
+              <b>%s</b>     This  is  replaced by the input key.  <a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is
+                     used to make sure that the input key does not  add  unex-
+                     pected metacharacters.
+
+              <b>%u</b>     When the input key is an address of the form user@domain,
+                     <b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the
+                     address.   Otherwise, <b>%u</b> is replaced by the entire search
+                     string.  If the localpart is empty, the  search  is  sup-
+                     pressed and returns no results.
+
+              <b>%d</b>     When the input key is an address of the form user@domain,
+                     <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted  domain  part  of
+                     the  address.   Otherwise,  the  search is suppressed and
+                     returns no results.
+
+              <b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case equivalents
+                     of  the  above  expansions  behave  identically  to their
+                     lower-case counter-parts. With the <b>result_format</b>  parame-
+                     ter  (previously called <b>result_filter</b> see the OTHER OBSO-
+                     LETE FEATURES section and below), they expand to the cor-
+                     responding components of input key rather than the result
+                     value.
+
+              <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced  by  the  corre-
+                     sponding  most  significant  component of the input key's
+                     domain. If the input key is  <i>user@mail.example.com</i>,  then
+                     %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key
+                     is unqualified or does not have enough domain  components
+                     to satisfy all the specified patterns, the search is sup-
+                     pressed and returns no results.
+
+       <b>query_filter (default: mailacceptinggeneralid=%s)</b>
+              The <a href="https://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b>  is  a
+              substitute for the address Postfix is trying to resolve, e.g.
+
+                  query_filter = (&amp;(mail=%s)(paid_up=true))
+
+              This parameter supports the following '%' expansions:
+
+              <b>%%</b>     This is replaced by a literal '%' character. (Postfix 2.2
+                     and later).
+
+              <b>%s</b>     This is replaced by the input key.  <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>  quoting  is
+                     used  to  make sure that the input key does not add unex-
+                     pected metacharacters.
+
+              <b>%u</b>     When the input key is an address of the form user@domain,
+                     <b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the
+                     address.  Otherwise, <b>%u</b> is replaced by the entire  search
+                     string.   If  the  localpart is empty, the search is sup-
+                     pressed and returns no results.
+
+              <b>%d</b>     When the input key is an address of the form user@domain,
+                     <b>%d</b>  is  replaced  by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of
+                     the address.  Otherwise, the  search  is  suppressed  and
+                     returns no results.
+
+              <b>%[SUD]</b> The upper-case equivalents of the above expansions behave
+                     in  the  <b>query_filter</b>  parameter  identically  to   their
+                     lower-case  counter-parts. With the <b>result_format</b> parame-
+                     ter (previously called <b>result_filter</b> see the OTHER  OBSO-
+                     LETE FEATURES section and below), they expand to the cor-
+                     responding components of input key rather than the result
+                     value.
+
+                     The  above  %S,  %U  and %D expansions are available with
+                     Postfix 2.2 and later.
+
+              <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced  by  the  corre-
+                     sponding  most  significant  component of the input key's
+                     domain. If the input key is  <i>user@mail.example.com</i>,  then
+                     %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key
+                     is unqualified or does not have enough domain  components
+                     to satisfy all the specified patterns, the search is sup-
+                     pressed and returns no results.
+
+                     The above %1, ..., %9 expansions are available with Post-
+                     fix 2.2 and later.
+
+              The  "domain" parameter described below limits the input keys to
+              addresses in matching domains. When the  "domain"  parameter  is
+              non-empty,  LDAP  queries for unqualified addresses or addresses
+              in non-matching domains are suppressed and return no results.
+
+              NOTE: DO NOT put quotes around the <b>query_filter</b> parameter.
+
+       <b>result_format (default: %s</b>)
+              Called <b>result_filter</b> in Postfix releases prior to  2.2.   Format
+              template  applied  to  result  attributes. Most commonly used to
+              append (or prepend) text to the result. This parameter  supports
+              the following '%' expansions:
+
+              <b>%%</b>     This is replaced by a literal '%' character. (Postfix 2.2
+                     and later).
+
+              <b>%s</b>     This is replaced by the value of  the  result  attribute.
+                     When result is empty it is skipped.
+
+              <b>%u</b>     When the result attribute value is an address of the form
+                     user@domain, <b>%u</b> is replaced by  the  local  part  of  the
+                     address.  When  the  result  has an empty localpart it is
+                     skipped.
+
+              <b>%d</b>     When a result attribute value is an address of  the  form
+                     user@domain,  <b>%d</b>  is  replaced  by the domain part of the
+                     attribute value. When the result  is  unqualified  it  is
+                     skipped.
+
+              <b>%[SUD1-9]</b>
+                     The  upper-case  and decimal digit expansions interpolate
+                     the parts of the input key rather than the result.  Their
+                     behavior  is  identical to that described with <b>query_fil-</b>
+                     <b>ter</b>, and in fact  because  the  input  key  is  known  in
+                     advance,  lookups  whose  key  does  not  contain all the
+                     information specified in the  result  template  are  sup-
+                     pressed and return no results.
+
+                     The  above  %S,  %U,  %D  and  %1, ..., %9 expansions are
+                     available with Postfix 2.2 and later.
+
+              For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use
+              a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After
+              applying the result format, multiple values are concatenated  as
+              comma  separated  strings.  The  expansion_limit  and size_limit
+              parameters explained below allow one to restrict the  number  of
+              values  in  the result, which is especially useful for maps that
+              should return a single value.
+
+              The default value <b>%s</b> specifies that each attribute value  should
+              be used as is.
+
+              This  parameter  was  called  <b>result_filter</b>  in Postfix releases
+              prior to 2.2. If no "result_format" is specified, the  value  of
+              "result_filter"  will  be  used  instead before resorting to the
+              default value. This provides compatibility with  old  configura-
+              tion files.
+
+              NOTE: DO NOT put quotes around the result format!
+
+       <b>domain (default: no domain list)</b>
+              This  is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>"
+              databases. When specified, only fully qualified search keys with
+              a  *non-empty*  localpart and a matching domain are eligible for
+              lookup:  'user'  lookups,  bare  domain  lookups  and  "@domain"
+              lookups  are  not  performed.  This can significantly reduce the
+              query load on the LDAP server.
+
+                  domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains
+
+              It is best not to use LDAP to store  the  domains  eligible  for
+              LDAP lookups.
+
+              NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a> aliases.
+
+              This feature is available in Postfix 1.0 and later.
+
+       <b>result_attribute (default: maildrop)</b>
+              The  attribute(s)  Postfix  will read from any directory entries
+              returned by the lookup, to be resolved to an email address.
+
+                  result_attribute = mailbox, maildrop
+
+              Don't  rely  on  the  default  value   ("maildrop").   Set   the
+              result_attribute  explicitly  in  all  ldap  table configuration
+              files. This is particularly relevant when no result_attribute is
+              applicable,  e.g.  cases  in  which leaf_result_attribute and/or
+              terminal_result_attribute are used instead. The default value is
+              harmless  if  "maildrop"  is  also  listed as a leaf or terminal
+              result attribute, but it is best to not leave this to chance.
+
+       <b>special_result_attribute (default: empty)</b>
+              The attribute(s) of directory entries that can  contain  DNs  or
+              <a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to
+              retrieve the entry referenced by the DN, or the entries  matched
+              by the URL query.
+
+                  special_result_attribute = memberdn
+
+              DN  recursion  retrieves  the same result_attributes as the main
+              query, including the special attributes for further recursion.
+
+              URL processing retrieves only those attributes that are included
+              in  both  the URL definition and as result attributes (ordinary,
+              special, leaf or terminal) in the Postfix table definition.   If
+              the  URL  lists  any  of  the table's special result attributes,
+              these are retrieved and used recursively. A URL  that  does  not
+              specify  any  attribute selection, is equivalent (<a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a
+              URL that selects all attributes,  in  which  case  the  selected
+              attributes  will  be  the  full  set of result attributes in the
+              Postfix table.
+
+              If an LDAP URL attribute-descriptor or the corresponding Postfix
+              LDAP  table  result  attribute  (but  not  both)  uses  <a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a>
+              sub-type options ("attr;option"), the attribute  requested  from
+              the  LDAP  server will include the sub-type option. In all other
+              cases, the URL attribute and  the  table  attribute  must  match
+              exactly. Attributes with options in both the URL and the Postfix
+              table are requested only when the options  are  identical.  LDAP
+              attribute-descriptor  options  are  very  rarely used, most LDAP
+              users will not need to concern themselves  with  this  level  of
+              nuanced detail.
+
+       <b>terminal_result_attribute (default: empty)</b>
+              When one or more terminal result attributes are found in an LDAP
+              entry, all other result attributes are ignored and only the ter-
+              minal  result  attributes are returned. This is useful for dele-
+              gating expansion of group members to a particular host, by using
+              an optional "maildrop" attribute on selected groups to route the
+              group to a specific host, where the group is expanded,  possibly
+              via mailing-list manager or other special processing.
+
+                  result_attribute =
+                  terminal_result_attribute = maildrop
+
+              When   using   terminal   and/or  leaf  result  attributes,  the
+              result_attribute is best set to an empty value when  it  is  not
+              used, or else explicitly set to the desired value, even if it is
+              the default value "maildrop".
+
+              This feature is available with Postfix 2.4 or later.
+
+       <b>leaf_result_attribute (default: empty)</b>
+              When one or more  special  result  attributes  are  found  in  a
+              non-terminal  (see above) LDAP entry, leaf result attributes are
+              excluded from the expansion of that entry. This is  useful  when
+              expanding  groups  and  the desired mail address attribute(s) of
+              the member objects obtained via DN or  URI  recursion  are  also
+              present in the group object. To only return the attribute values
+              from the leaf objects and not  the  containing  group,  add  the
+              attribute   to  the  leaf_result_attribute  list,  and  not  the
+              result_attribute list,  which  is  always  expanded.  Note,  the
+              default  value  of "result_attribute" is not empty, you may want
+              to set it explicitly empty when using "leaf_result_attribute" to
+              expand  the  group  to  a list of member DN addresses. If groups
+              have both member DN references AND attributes that hold multiple
+              string valued rfc822 addresses, then the string attributes go in
+              "result_attribute".  The attributes  that  represent  the  email
+              addresses  of  objects  referenced  via a DN (or LDAP URI) go in
+              "leaf_result_attribute".
+
+                  result_attribute = memberaddr
+                  special_result_attribute = memberdn
+                  terminal_result_attribute = maildrop
+                  leaf_result_attribute = mail
+
+              When  using  terminal  and/or  leaf   result   attributes,   the
+              result_attribute  is  best  set to an empty value when it is not
+              used, or else explicitly set to the desired value, even if it is
+              the default value "maildrop".
+
+              This feature is available with Postfix 2.4 or later.
+
+       <b>scope (default: sub)</b>
+              The  LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>.  These translate into
+              LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.
+
+       <b>bind (default: yes)</b>
+              Whether or how to bind to the LDAP server. Newer LDAP  implemen-
+              tations  don't  require clients to bind, which saves time. Exam-
+              ple:
+
+                  # Don't bind
+                  bind = no
+                  # Use SIMPLE bind
+                  bind = yes
+                  # Use SASL bind
+                  bind = sasl
+
+              Postfix versions prior to 2.8 only support  "bind  =  no"  which
+              means don't bind, and "bind = yes" which means do a SIMPLE bind.
+              Postfix 2.8 and later also supports "bind = SASL" when  compiled
+              with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds
+              the synonyms "bind = none" and "bind = simple" for "bind  =  no"
+              and  "bind  =  yes" respectively. See the SASL section below for
+              additional parameters available with "bind = sasl".
+
+              If you do need to bind, you might consider  configuring  Postfix
+              to  connect  to the local machine on a port that's an SSL tunnel
+              to your LDAP server. If your LDAP server doesn't  natively  sup-
+              port  SSL,  put  a  tunnel (wrapper, proxy, whatever you want to
+              call it) on that system too. This should  prevent  the  password
+              from traversing the network in the clear.
+
+       <b>bind_dn (default: empty)</b>
+              If  you  do  have  to  bind, do it with this distinguished name.
+              Example:
+
+                  bind_dn = uid=postfix, dc=your, dc=com
+              With "bind = sasl" (see above) the DN may be optional  for  some
+              SASL mechanisms, don't specify a DN if not needed.
+
+       <b>bind_pw (default: empty)</b>
+              The  password  for  the distinguished name above. If you have to
+              use this, you probably want to make the map  configuration  file
+              readable  only  by  the  Postfix  user.  When using the obsolete
+              <a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in  <a href="postconf.5.html">main.cf</a>,  it  is
+              not  possible  to  securely  store  the  bind  password. This is
+              because <a href="postconf.5.html">main.cf</a> needs  to  be  world  readable  to  allow  local
+              accounts to submit mail via the sendmail command. Example:
+
+                  bind_pw = postfixpw
+              With  "bind = sasl" (see above) the password may be optional for
+              some SASL mechanisms, don't specify a password if not needed.
+
+       <b>cache (IGNORED with a warning)</b>
+
+       <b>cache_expiry (IGNORED with a warning)</b>
+
+       <b>cache_size (IGNORED with a warning)</b>
+              The above parameters are NO LONGER SUPPORTED by Postfix.   Cache
+              support has been dropped from OpenLDAP as of release 2.1.13.
+
+       <b>recursion_limit (default: 1000)</b>
+              A  limit  on  the  nesting  depth  of  DN and URL special result
+              attribute evaluation. The limit must be a non-zero positive num-
+              ber.
+
+       <b>expansion_limit (default: 0)</b>
+              A  limit  on  the total number of result elements returned (as a
+              comma separated list) by a lookup against the map.  A setting of
+              zero  disables the limit. Lookups fail with a temporary error if
+              the limit is exceeded.  Setting the  limit  to  1  ensures  that
+              lookups do not return multiple values.
+
+       <b>size_limit (default: $expansion_limit)</b>
+              A  limit  on  the  number of LDAP entries returned by any single
+              LDAP search performed as part of the lookup. A setting of 0 dis-
+              ables  the  limit.   Expansion of DN and URL references involves
+              nested LDAP queries, each of which is  separately  subjected  to
+              this limit.
+
+              Note:  even  a  single  LDAP  entry can generate multiple lookup
+              results, via  multiple  result  attributes  and/or  multi-valued
+              result  attributes. This limit caps the per search resource uti-
+              lization on the LDAP server, not the final multiplicity  of  the
+              lookup   result.   It   is  analogous  to  the  "-z"  option  of
+              "ldapsearch".
+
+       <b>dereference (default: 0)</b>
+              When to dereference LDAP aliases. (Note that this has nothing do
+              with  Postfix aliases.) The permitted values are those legal for
+              the OpenLDAP/UM LDAP implementations:
+
+              0      never
+
+              1      when searching
+
+              2      when locating the base object for the search
+
+              3      always
+
+              See ldap.h or the ldap_open(3) or ldapsearch(1)  man  pages  for
+              more  information.  And if you're using an LDAP package that has
+              other possible values, please bring it to the attention  of  the
+              postfix-users@postfix.org mailing list.
+
+       <b>chase_referrals (default: 0)</b>
+              Sets  (or  clears)  LDAP_OPT_REFERRALS  (requires LDAP version 3
+              support).
+
+       <b>version (default: 2)</b>
+              Specifies the LDAP protocol version to use.
+
+       <b>debuglevel (default: 0)</b>
+              What level to set for debugging in the OpenLDAP libraries.
+
+<b>LDAP SASL PARAMETERS</b>
+       If you're using the OpenLDAP  libraries  compiled  with  SASL  support,
+       Postfix  2.8  and  later  built  with LDAP SASL support as described in
+       <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP servers via SASL.
+
+       This enables authentication to the LDAP  server  via  mechanisms  other
+       than  a  simple  password.  The  added flexibility has a cost: it is no
+       longer practical to set an explicit timeout on the duration of an  LDAP
+       bind  operation.  Under  adverse  conditions, whether a SASL bind times
+       out, or if it does, the duration of the timeout is  determined  by  the
+       LDAP and SASL libraries.
+
+       It  is best to use tables that use SASL binds via <a href="proxymap.8.html">proxymap(8)</a>, this way
+       the requesting process can time-out the  proxymap  request.  This  also
+       lets  you  tailer the process environment by overriding the <a href="proxymap.8.html">proxymap(8)</a>
+       <a href="postconf.5.html#import_environment">import_environment</a> setting in <a href="master.5.html">master.cf</a>(5).  Special  environment  set-
+       tings may be needed to configure GSSAPI credential caches or other SASL
+       mechanism specific  options.  The  GSSAPI  credentials  used  for  LDAP
+       lookups  may  need  to be different than say those used for the Postfix
+       SMTP client to authenticate to remote servers.
+
+       Using SASL mechanisms requires LDAP protocol  version  3,  the  default
+       protocol  version  is 2 for backwards compatibility. You must set "ver-
+       sion = 3" in addition to "bind = sasl".
+
+       The following parameters are relevant to using LDAP with SASL
+
+       <b>sasl_mechs (default: empty)</b>
+              Space separated list of SASL mechanism(s) to try.
+
+       <b>sasl_realm (default: empty)</b>
+              SASL Realm to use, if applicable.
+
+       <b>sasl_authz_id (default: empty)</b>
+              The SASL authorization identity to assert, if applicable.
+
+       <b>sasl_minssf (default: 0)</b>
+              The minimum required sasl security factor required to  establish
+              a connection.
+
+<b>LDAP SSL AND STARTTLS PARAMETERS</b>
+       If you're using the OpenLDAP libraries compiled with SSL support, Post-
+       fix can connect to LDAP SSL servers and can issue the STARTTLS command.
+
+       LDAP  SSL  service  can  be  requested  by  using a LDAP SSL URL in the
+       server_host parameter:
+
+           server_host = <a href="ldap_table.5.html">ldaps</a>://ldap.example.com:636
+
+       STARTTLS can be turned on with the start_tls parameter:
+
+           start_tls = yes
+
+       Both forms require LDAP protocol version 3, which has to be set explic-
+       itly with:
+
+           version = 3
+
+       If  any  of the Postfix programs querying the map is configured in <a href="master.5.html">mas-
+       ter.cf</a> to run chrooted, all the certificates and keys involved have  to
+       be  copied  to the chroot jail. Of course, the private keys should only
+       be readable by the user "postfix".
+
+       The following parameters are relevant to LDAP SSL and STARTTLS:
+
+       <b>start_tls (default: no)</b>
+              Whether or not to issue STARTTLS upon connection to the  server.
+              Don't set this with LDAP SSL (the SSL session is setup automati-
+              cally when the TCP connection is opened).
+
+       <b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b>
+              Directory containing X509 Certification  Authority  certificates
+              in  PEM  format  which  are  to  be  recognized by the client in
+              SSL/TLS connections. The files each contain one CA  certificate.
+              The files are looked up by the CA subject name hash value, which
+              must hence be available. If more than one  CA  certificate  with
+              the  same name hash value exist, the extension must be different
+              (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search  is  performed  in
+              the  ordering of the extension number, regardless of other prop-
+              erties of the certificates. Use the c_rehash utility  (from  the
+              OpenSSL distribution) to create the necessary links.
+
+       <b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b>
+              File containing the X509 Certification Authority certificates in
+              PEM format which are to be recognized by the client  in  SSL/TLS
+              connections. This setting takes precedence over tls_ca_cert_dir.
+
+       <b>tls_cert (No default; you must set this)</b>
+              File containing client's X509 certificate  to  be  used  by  the
+              client in SSL/ TLS connections.
+
+       <b>tls_key (No default; you must set this)</b>
+              File  containing  the  private  key  corresponding  to the above
+              tls_cert.
+
+       <b>tls_require_cert (default: no)</b>
+              Whether or not to request server's X509  certificate  and  check
+              its  validity  when  establishing SSL/TLS connections.  The sup-
+              ported values are <b>no</b> and <b>yes</b>.
+
+              With <b>no</b>, the server certificate trust chain is not checked,  but
+              with  OpenLDAP  prior to 2.1.13, the name in the server certifi-
+              cate must still match the LDAP server name. With OpenLDAP  2.0.0
+              to 2.0.11 the server name is not necessarily what you specified,
+              rather it is determined (by reverse lookup) from the IP  address
+              of  the  LDAP  server connection. With OpenLDAP prior to 2.0.13,
+              subjectAlternativeName extensions in the LDAP server certificate
+              are  ignored: the server name must match the subject CommonName.
+              The <b>no</b> setting corresponds to the <b>never</b> value of <b>TLS_REQCERT</b>  in
+              LDAP client configuration files.
+
+              Don't  use TLS with OpenLDAP 2.0.x (and especially with x &lt;= 11)
+              if you can avoid it.
+
+              With <b>yes</b>, the server certificate must be issued by a trusted CA,
+              and  not  be expired. The LDAP server name must match one of the
+              name(s) found in the certificate (see above for OpenLDAP library
+              version  dependent behavior). The <b>yes</b> setting corresponds to the
+              <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client configuration  files.
+
+              The  "try" and "allow" values of <b>TLS_REQCERT</b> have no equivalents
+              here. They are not available with OpenLDAP 2.0, and in any  case
+              have questionable security properties. Either you want TLS veri-
+              fied LDAP connections, or you don't.
+
+              The <b>yes</b> value only works correctly with Postfix 2.5  and  later,
+              or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
+              releases don't work together with this setting. Support for LDAP
+              over TLS was added to Postfix based on the OpenLDAP 2.0 API.
+
+       <b>tls_random_file (No default)</b>
+              Path of a file to obtain random bits from when /dev/[u]random is
+              not available, to be used by the client in SSL/TLS  connections.
+
+       <b>tls_cipher_suite (No default)</b>
+              Cipher suite to use in SSL/TLS negotiations.
+
+<b>EXAMPLE</b>
+       Here's  a  basic  example  for  using LDAP to look up <a href="local.8.html">local(8)</a> aliases.
+       Assume that in <a href="postconf.5.html">main.cf</a>, you have:
+
+           <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases,
+                   <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
+
+       and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:
+
+           server_host = ldap.example.com
+           search_base = dc=example, dc=com
+
+       Upon receiving mail for a local address "ldapuser" that isn't found  in
+       the  /etc/aliases database, Postfix will search the LDAP server listen-
+       ing at port 389 on ldap.example.com.  It will bind anonymously,  search
+       for  any  directory  entries  whose mailacceptinggeneralid attribute is
+       "ldapuser", read the "maildrop" attributes of those found, and build  a
+       list  of  their maildrops, which will be treated as <a href="https://tools.ietf.org/html/rfc822">RFC822</a> addresses to
+       which the message will be delivered.
+
+<b>OBSOLETE MAIN.CF PARAMETERS</b>
+       For backwards compatibility with Postfix version 2.0 and earlier,  LDAP
+       parameters  can  also  be defined in <a href="postconf.5.html">main.cf</a>.  Specify as LDAP source a
+       name that doesn't begin with a slash or a  dot.   The  LDAP  parameters
+       will then be accessible as the name you've given the source in its def-
+       inition, an underscore, and the name of the parameter.  For example, if
+       the  map is specified as "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the "server_host" parameter
+       below would be defined in <a href="postconf.5.html">main.cf</a> as "<i>ldapsource</i>_server_host".
+
+       Note: with this form, the passwords for the LDAP sources are written in
+       <a href="postconf.5.html">main.cf</a>,  which is normally world-readable.  Support for this form will
+       be removed in a future Postfix version.
+
+<b>OTHER OBSOLETE FEATURES</b>
+       For backwards compatibility with the pre 2.2 LDAP clients,  <b>result_fil-</b>
+       <b>ter</b>  can  for  now  be  used  instead of <b>result_format</b>, when the latter
+       parameter is not also set.  The new name better reflects  the  function
+       of  the  parameter.  This  compatibility  interface may be removed in a
+       future release.
+
+<b>SEE ALSO</b>
+       <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
+       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
+       <a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables
+       <a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables
+
+<b>README FILES</b>
+       <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
+       <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide
+
+<b>LICENSE</b>
+       The Secure Mailer license must be distributed with this software.
+
+<b>AUTHOR(S)</b>
+       Carsten  Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM-
+       ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat  K  Singh,
+       Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.
+
+                                                                 LDAP_TABLE(5)
+</pre> </body> </html>
-- 
cgit v1.2.3