LDAP_TABLE(5)                                       LDAP_TABLE(5)

       ldap_table - Postfix LDAP client configuration

       postmap -q "string" ldap:/etc/postfix/filename

       postmap -q - ldap:/etc/postfix/filename <inputfile

       The  Postfix  mail system uses optional tables for address
       rewriting or mail routing. These tables are usually in dbm
       or db format.

       Alternatively,  lookup  tables  can  be  specified as LDAP

       In order to use LDAP lookups, define an LDAP source  as  a
       lookup table in main.cf, for example:
           alias_maps = ldap:/etc/postfix/ldap-aliases.cf

       The  file /etc/postfix/ldap-aliases.cf has the same format
       as the Postfix main.cf file, and can specify  the  parame-
       ters  described  below.  An example is given at the end of
       this manual.

       This configuration method is available with  Postfix  ver-
       sion  2.1  and later.  See the section "BACKWARDS COMPATI-
       BILITY" below for older Postfix versions.

       For details about LDAP SSL and STARTTLS, see  the  section
       on SSL and STARTTLS below.

       For  backwards  compatibility with Postfix version 2.0 and
       earlier, LDAP parameters can also be defined  in  main.cf.
       Specify  as  LDAP  source a name that doesn't begin with a
       slash or a dot.  The LDAP parameters will then be accessi-
       ble as the name you've given the source in its definition,
       an underscore, and the name of the parameter.   For  exam-
       ple,  if  the  map  is specified as "ldap:ldapsource", the
       "server_host" parameter below would be defined in  main.cf
       as "ldapsource_server_host".

       Note:  with  this form, the passwords for the LDAP sources
       are written in main.cf, which is normally  world-readable.
       Support  for this form will be removed in a future Postfix

       When using  LDAP  to  store  lists  such  as  $mynetworks,
       $mydestination,   $relay_domains,   $local_recipient_maps,
       etc., it is important to understand that  the  table  must
       store each list member as a separate key. The table lookup
       verifies the *existence* of the key.  See  "Postfix  lists
       versus  tables" in the DATABASE_README document for a dis-

       Do NOT create tables that return the full list of  domains
       in  $mydestination or $relay_domains etc., or IP addresses
       in $mynetworks.

       DO create tables with each matching item as a key and with
       an arbitrary value. With LDAP databases it is not uncommon
       to return the key itself.

       For example, NEVER do this in a map  defining  $mydestina-
           query_filter = domain=*
           result_attribute = domain

       Do this instead:
           query_filter = domain=%s
           result_attribute = domain

       In  the  text below, default values are given in parenthe-
       ses.  Note: don't use quotes in these variables; at least,
       not  until  the  Postfix configuration routines understand
       how to deal with quoted strings.

       server_host (default: localhost)
              The name of the host running the LDAP server,  e.g.
                  server_host = ldap.your.com

              Depending  on the LDAP client library you're using,
              it should be possible to specify  multiple  servers
              here,  with the library trying them in order should
              the first one fail. It should also be  possible  to
              give  each  server  in  the  list  a different port
              (overriding server_port below), by naming them like
                  server_host = ldap.your.com:1444

              With OpenLDAP, a (list of) LDAP URLs can be used to
              specify both the hostname(s) and the port(s):
                  server_host = ldap://ldap.your.com:1444

              All LDAP URLs accepted by the OpenLDAP library  are
              supported,  including  connections over UNIX domain
              sockets, and LDAP SSL (the last one  provided  that
              OpenLDAP was compiled with support for SSL):
                  server_host = ldapi://%2Fsome%2Fpath
                  server_host = ldaps://ldap.your.com:636

       server_port (default: 389)
              The port the LDAP server listens on, e.g.
                  server_port = 778

       search_base (No default; you must configure this)
              The RFC2253 base DN at which to conduct the search,
                  search_base = dc=your, dc=com

       timeout (default: 10 seconds)
              The number of seconds a search can take before tim-
              ing out, e.g.
                  timeout = 5

       query_filter (default: mailacceptinggeneralid=%s)
              The  RFC2254  filter  used to search the directory,
              where %s is a substitute for the address Postfix is
              trying to resolve, e.g.
                  query_filter = (&(mail=%s)(paid_up=true))

              This  parameter  supports  the following '%' expan-

              %s     This is replaced by the input key. RFC  2254
                     quoting  is used to make sure that the input
                     key does not add unexpected  metacharacters.

              %u     When the input key is an address of the form
                     user@domain, %u  is  replaced  by  the  (RFC
                     2254)  quoted  local part of the address. If
                     no domain is specified, %u  is  replaced  by
                     the entire search string.

              %d     When the input key is an address of the form
                     user@domain, %d  is  replaced  by  the  (RFC
                     2254)  quoted  domain  part  of the address.
                     When the input key has no domain  qualifier,
                     %d  is replaced by the entire search string.

              The "domain" parameter described below  limits  the
              input  keys  to addresses in matching domains. When
              the "domain" parameter is non-empty,  LDAP  queries
              for  unqualified  addresses  or  addresses  in non-
              matching  domains  are  suppressed  and  return  no

              NOTE: DO NOT put quotes around the query filter.

       result_filter (default: %s)
              Format  template applied to result attributes. Sup-
              ports the same expansions as the query_filter,  and
              can  be  easily  used  to append (or prepend) text.
              This parameter supports the  following  '%'  expan-

              %s     This  is replaced by the value of the result

              %u     When the result attribute is an  address  of
                     the  form  user@domain, %u is replaced local
                     part of the address, if the result attribute
                     is unqualified, %u is replaced by the entire
                     attribute value.

              %d     When a result attribute is an address of the
                     form  user@domain,  %d  is  replaced  by the
                     domain part of the attribute value.   If  an
                     attribute   value   is   unqualified  %d  is
                     replaced by the entire attribute value.

              For  example,  using  "result_filter  =  smtp:[%s]"
              allows one to use a mailHost attribute as the basis
              of a transport(5) table. After applying the  result
              filter,  multiple  values are concatenated as comma
              separated   strings.   The   expansion_limit    and
              size_limit  parameters explained below allow one to
              restrict the number of values in the result,  which
              is  especially useful for maps that should return a
              single value.

              The default value %s specifies that each  attribute
              value should be used as is.

              NOTE: DO NOT put quotes around the result filter!

       domain (default: no domain list)
              This  is a list of domain names, paths to files, or
              dictionaries. When specified, only fully  qualified
              search  keys  with  a  *non-empty*  localpart and a
              matching domain are  eligible  for  lookup:  'user'
              lookups,  bare domain lookups and "@domain" lookups
              are not performed. This  can  significantly  reduce
              the query load on the LDAP server.
                  domain = postfix.org, hash:/etc/postfix/search-

              It is best not to use LDAP  to  store  the  domains
              eligible for LDAP lookups.

              NOTE:  DO  NOT  define  this parameter for local(8)

       result_attribute (default: maildrop)
              The attribute(s) Postfix will read from any  direc-
              tory entries returned by the lookup, to be resolved
              to an email address.
                  result_attribute = mailbox,maildrop

       special_result_attribute (No default)
              The attribute(s) of directory entries that can con-
              tain  DNs or URLs. If found, a recursive subsequent
              search is done using their values.
                  special_result_attribute = member

              DN recursion retrieves the  same  result_attributes
              as the main query, including the special attributes
              for further  recursion.  URI  processing  retrieves
              only  those attributes that are included in the URI
              definition    and    are    *also*    listed     in
              "result_attribute".  If  the  URI  lists any of the
              map's special result  attributes,  these  are  also
              retrieved and used recursively.

       scope (default: sub)
              The  LDAP  search  scope: sub, base, or one.  These
              translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
              and LDAP_SCOPE_ONELEVEL.

       bind (default: yes)
              Whether  or  not  to bind to the LDAP server. Newer
              LDAP implementations don't require clients to bind,
              which saves time. Example:
                  bind = no

              If  you do need to bind, you might consider config-
              uring Postfix to connect to the local machine on  a
              port  that's  an SSL tunnel to your LDAP server. If
              your LDAP server doesn't natively support SSL,  put
              a tunnel (wrapper, proxy, whatever you want to call
              it) on that system too.  This  should  prevent  the
              password  from traversing the network in the clear.

       bind_dn (default: empty)
              If you do have to bind, do  it  with  this  distin-
              guished name. Example:
                  bind_dn = uid=postfix, dc=your, dc=com

       bind_pw (default: empty)
              The  password  for the distinguished name above. If
              you have to use this, you probably want to make the
              map configuration file readable only by the Postfix
              user. When using the obsolete ldap:ldapsource  syn-
              tax, with map parameters in main.cf, it is not pos-
              sible to securely store the bind password. This  is
              because main.cf needs to be world readable to allow
              local accounts to submit mail via the sendmail com-
              mand. Example:
                  bind_pw = postfixpw

       cache (IGNORED with a warning)

       cache_expiry (IGNORED with a warning)

       cache_size (IGNORED with a warning)
              The  above  parameters  are  NO LONGER SUPPORTED by
              Postfix.   Cache  support  has  been  dropped  from
              OpenLDAP as of release 2.1.13.

       recursion_limit (default: 1000)
              A  limit on the nesting depth of DN and URL special
              result attribute evaluation. The limit  must  be  a
              non-zero positive number.

       expansion_limit (default: 0)
              A  limit  on  the  total  number of result elements
              returned (as a comma separated list)  by  a  lookup
              against  the  map.   A setting of zero disables the
              limit. Lookups fail with a temporary error  if  the
              limit  is exceeded.  Setting the limit to 1 ensures
              that lookups do not return multiple values.

       size_limit (default: $expansion_limit)
              A limit on the number of LDAP entries  returned  by
              any  single  LDAP  query  performed  as part of the
              lookup. A setting of 0 disables the limit.   Expan-
              sion  of DN and URL references involves nested LDAP
              queries, each of which is separately  subjected  to
              this limit.

              Note:  even a single LDAP entry can generate multi-
              ple lookup results, via multiple result  attributes
              and/or  multi-valued  result attributes. This limit
              caps the per query resource utilization on the LDAP
              server,  not  the  final multiplicity of the lookup
              result. It is  analogous  to  the  "-z"  option  of

       dereference (default: 0)
              When  to  dereference LDAP aliases. (Note that this
              has nothing do with Postfix aliases.) The permitted
              values  are  those  legal  for the OpenLDAP/UM LDAP

              0      never

              1      when searching

              2      when locating the base object for the search

              3      always

              See ldap.h or the ldap_open(3) or ldapsearch(1) man
              pages for more information. And if you're using  an
              LDAP package that has other possible values, please
              bring  it  to  the  attention   of   the   postfix-
              users@postfix.org mailing list.

       chase_referrals (default: 0)
              Sets  (or clears) LDAP_OPT_REFERRALS (requires LDAP
              version 3 support).

       version (default: 2)
              Specifies the LDAP protocol version to use.

       debuglevel (default: 0)
              What level to set for  debugging  in  the  OpenLDAP

       If  you're  using the OpenLDAP libraries compiled with SSL
       support, Postfix can connect to LDAP SSL servers  and  can
       issue the STARTTLS command.

       LDAP  SSL service can be requested by using a LDAP SSL URL
       in the server_host parameter:
           server_host = ldaps://ldap.your.com:636

       STARTTLS can be turned on with the start_tls parameter:
           start_tls = yes

       Both forms require LDAP protocol version 3, which  has  to
       be set explicitly with:
           version = 3

       If any of the Postfix programs querying the map is config-
       ured in master.cf to run chrooted,  all  the  certificates
       and keys involved have to be copied to the chroot jail. Of
       course, the private keys should only be  readable  by  the
       user "postfix".

       The  following  parameters  are  relevant  to LDAP SSL and

       start_tls (default: no)
              Whether or not to issue STARTTLS upon connection to
              the  server.  Don't set this with LDAP SSL (the SSL
              session is setup automatically when the TCP connec-
              tion is opened).

       tls_ca_cert_dir   (No   default;   set   either   this  or
              Directory  containing  X509  Certificate  Authority
              certificates in PEM format which are to  be  recog-
              nized  by  the  client  in SSL/TLS connections. The
              files each contain one CA certificate.   The  files
              are  looked  up  by the CA subject name hash value,
              which must hence be available. If more than one  CA
              certificate  with  the  same name hash value exist,
              the extension must be different  (e.g.  9d66eef0.0,
              9d66eef0.1  etc).  The  search  is performed in the
              ordering of the  extension  number,  regardless  of
              other  properties  of  the  certificates.  Use  the
              c_rehash utility (from the OpenSSL distribution) to
              create the necessary links.

       tls_ca_cert_file   (No   default;   set   either  this  or
              File containing the X509 Certificate Authority cer-
              tificates in PEM format which are to be  recognized
              by  the client in SSL/TLS connections. This setting
              takes precedence over tls_ca_cert_dir.

       tls_cert (No default; you must set this)
              File containing client's  X509  certificate  to  be
              used by the client in SSL/ TLS connections.

       tls_key (No default; you must set this)
              File  containing  the  private key corresponding to
              the above tls_cert.

       tls_require_cert (default: no)
              Whether or not to request server's X509 certificate
              and  check  its  validity when establishing SSL/TLS

       tls_random_file (No default)
              Path of a file to  obtain  random  bits  from  when
              /dev/[u]random  is not available, to be used by the
              client in SSL/TLS connections.

       tls_cipher_suite (No default)
              Cipher suite to use in SSL/TLS negotiations.

       Here's a basic example for using LDAP to look up  local(8)
       aliases.  Assume that in main.cf, you have:
           alias_maps = hash:/etc/aliases,

       and in ldap:/etc/postfix/ldap-aliases.cf you have:
           server_host = ldap.my.com
           search_base = dc=my, dc=com

       Upon  receiving  mail  for a local address "ldapuser" that
       isn't found in the  /etc/aliases  database,  Postfix  will
       search   the   LDAP   server  listening  at  port  389  on
       ldap.my.com.  It will bind  anonymously,  search  for  any
       directory  entries  whose mailacceptinggeneralid attribute
       is "ldapuser", read the  "maildrop"  attributes  of  those
       found,  and build a list of their maildrops, which will be
       treated as RFC822 addresses to which the message  will  be

       postmap(1), Postfix lookup table manager
       postconf(5), configuration parameters
       mysql_table(5), MySQL lookup tables
       pgsql_table(5), PostgreSQL lookup tables

       DATABASE_README, Postfix lookup table overview
       LDAP_README, Postfix LDAP client guide

       The Secure Mailer license must be  distributed  with  this

       Carsten  Hoeger,  Hery  Rakotoarisoa,  John Hensley, Keith
       Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon,  Mike
       Mattice,  Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
       Victor Duchovni, and many others.