LDAP_TABLE(5) File Formats Manual LDAP_TABLE(5)
NAME
ldap_table - Postfix LDAP client configuration
SYNOPSIS
postmap -q "string" ldap:/etc/postfix/filename
postmap -q - ldap:/etc/postfix/filename <inputfile
DESCRIPTION
The Postfix mail system uses optional tables for address rewriting or mail routing. These tables are usually
in dbm or db format.
Alternatively, lookup tables can be specified as LDAP databases.
In order to use LDAP lookups, define an LDAP source as a lookup table in main.cf, for example:
alias_maps = ldap:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf has the same format as the Postfix main.cf file, and can specify the
parameters described below. An example is given at the end of this manual.
This configuration method is available with Postfix version 2.1 and later. See the section "BACKWARDS COMPAT‐
IBILITY" below for older Postfix versions.
For details about LDAP SSL and STARTTLS, see the section on SSL and STARTTLS below.
BACKWARDS COMPATIBILITY
For backwards compatibility with Postfix version 2.0 and earlier, LDAP parameters can also be defined in
main.cf. Specify as LDAP source a name that doesn't begin with a slash or a dot. The LDAP parameters will
then be accessible as the name you've given the source in its definition, an underscore, and the name of the
parameter. For example, if the map is specified as "ldap:ldapsource", the "server_host" parameter below would
be defined in main.cf as "ldapsource_server_host".
Note: with this form, the passwords for the LDAP sources are written in main.cf, which is normally world-read‐
able. Support for this form will be removed in a future Postfix version.
For backwards compatibility with the pre 2.2 LDAP clients, result_filter can for now be used instead of
result_format, when the latter parameter is not also set. The new name better reflects the function of the
parameter. This compatibility interface may be removed in a future release.
LIST MEMBERSHIP
When using LDAP to store lists such as $mynetworks, $mydestination, $relay_domains, $local_recipient_maps,
etc., it is important to understand that the table must store each list member as a separate key. The table
lookup verifies the *existence* of the key. See "Postfix lists versus tables" in the DATABASE_README document
for a discussion.
Do NOT create tables that return the full list of domains in $mydestination or $relay_domains etc., or IP
addresses in $mynetworks.
DO create tables with each matching item as a key and with an arbitrary value. With LDAP databases it is not
uncommon to return the key itself.
For example, NEVER do this in a map defining $mydestination:
query_filter = domain=*
result_attribute = domain
server_host = ldap.example.com
Depending on the LDAP client library you're using, it should be possible to specify multiple servers
here, with the library trying them in order should the first one fail. It should also be possible to
give each server in the list a different port (overriding server_port below), by naming them like
server_host = ldap.example.com:1444
With OpenLDAP, a (list of) LDAP URLs can be used to specify both the hostname(s) and the port(s):
server_host = ldap://ldap.example.com:1444
ldap://ldap2.example.com:1444
All LDAP URLs accepted by the OpenLDAP library are supported, including connections over UNIX domain
sockets, and LDAP SSL (the last one provided that OpenLDAP was compiled with support for SSL):
server_host = ldapi://%2Fsome%2Fpath
ldaps://ldap.example.com:636
server_port (default: 389)
The port the LDAP server listens on, e.g.
server_port = 778
timeout (default: 10 seconds)
The number of seconds a search can take before timing out, e.g.
timeout = 5
search_base (No default; you must configure this)
The RFC2253 base DN at which to conduct the search, e.g.
search_base = dc=your, dc=com
With Postfix 2.2 and later this parameter supports the following '%' expansions:
%% This is replaced by a literal '%' character.
%s This is replaced by the input key. RFC 2253 quoting is used to make sure that the input key
does not add unexpected metacharacters.
%u When the input key is an address of the form user@domain, %u is replaced by the (RFC 2253)
quoted local part of the address. Otherwise, %u is replaced by the entire search string. If
the localpart is empty, the search is suppressed and returns no results.
%d When the input key is an address of the form user@domain, %d is replaced by the (RFC 2253)
quoted domain part of the address. Otherwise, the search is suppressed and returns no results.
%[SUD] For the search_base parameter, the upper-case equivalents of the above expansions behave identi‐
cally to their lower-case counter-parts. With the result_format parameter (previously called
result_filter see the COMPATIBILITY section and below), they expand to the corresponding compo‐
nents of input key rather than the result value.
%% This is replaced by a literal '%' character. (Postfix 2.2 and later).
%s This is replaced by the input key. RFC 2254 quoting is used to make sure that the input key
does not add unexpected metacharacters.
%u When the input key is an address of the form user@domain, %u is replaced by the (RFC 2254)
quoted local part of the address. Otherwise, %u is replaced by the entire search string. If
the localpart is empty, the search is suppressed and returns no results.
%d When the input key is an address of the form user@domain, %d is replaced by the (RFC 2254)
quoted domain part of the address. Otherwise, the search is suppressed and returns no results.
%[SUD] The upper-case equivalents of the above expansions behave in the query_filter parameter identi‐
cally to their lower-case counter-parts. With the result_format parameter (previously called
result_filter see the COMPATIBILITY section and below), they expand to the corresponding compo‐
nents of input key rather than the result value.
The above %S, %U and %D expansions are available with Postfix 2.2 and later.
%[1-9] The patterns %1, %2, ... %9 are replaced by the corresponding most significant component of the
input key's domain. If the input key is [email protected], then %1 is com, %2 is example and
%3 is mail. If the input key is unqualified or does not have enough domain components to satisfy
all the specified patterns, the search is suppressed and returns no results.
The above %1, ..., %9 expansions are available with Postfix 2.2 and later.
The "domain" parameter described below limits the input keys to addresses in matching domains. When the
"domain" parameter is non-empty, LDAP queries for unqualified addresses or addresses in non-matching
domains are suppressed and return no results.
NOTE: DO NOT put quotes around the query_filter parameter.
result_format (default: %s)
Called result_filter in Postfix releases prior to 2.2. Format template applied to result attributes.
Most commonly used to append (or prepend) text to the result. This parameter supports the following '%'
expansions:
%% This is replaced by a literal '%' character. (Postfix 2.2 and later).
%s This is replaced by the value of the result attribute. When result is empty it is skipped.
%u When the result attribute value is an address of the form user@domain, %u is replaced by the
local part of the address. When the result has an empty localpart it is skipped.
%d When a result attribute value is an address of the form user@domain, %d is replaced by the
domain part of the attribute value. When the result is unqualified it is skipped.
%[SUD1-9]
The upper-case and decimal digit expansions interpolate the parts of the input key rather than
the result. Their behavior is identical to that described with query_filter, and in fact because
the input key is known in advance, lookups whose key does not contain all the information speci‐
fied in the result template are suppressed and return no results.
NOTE: DO NOT put quotes around the result format!
domain (default: no domain list)
This is a list of domain names, paths to files, or dictionaries. When specified, only fully qualified
search keys with a *non-empty* localpart and a matching domain are eligible for lookup: 'user' lookups,
bare domain lookups and "@domain" lookups are not performed. This can significantly reduce the query
load on the LDAP server.
domain = postfix.org, hash:/etc/postfix/searchdomains
It is best not to use LDAP to store the domains eligible for LDAP lookups.
NOTE: DO NOT define this parameter for local(8) aliases.
This feature is available in Postfix 1.0 and later.
result_attribute (default: maildrop)
The attribute(s) Postfix will read from any directory entries returned by the lookup, to be resolved to
an email address.
result_attribute = mailbox, maildrop
Don't rely on the default value ("maildrop"). Set the result_attribute explicitly in all ldap table
configuration files. This is particularly relevant when no result_attribute is applicable, e.g. cases
in which leaf_result_attribute and/or terminal_result_attribute are used instead. The default value is
harmless if "maildrop" is also listed as a leaf or terminal result attribute, but it is best to not
leave this to chance.
special_result_attribute (default: empty)
The attribute(s) of directory entries that can contain DNs or RFC 2255 LDAP URLs. If found, a recursive
search is performed to retrieve the entry referenced by the DN, or the entries matched by the URL
query.
special_result_attribute = memberdn
DN recursion retrieves the same result_attributes as the main query, including the special attributes
for further recursion.
URL processing retrieves only those attributes that are included in both the URL definition and as
result attributes (ordinary, special, leaf or terminal) in the Postfix table definition. If the URL
lists any of the table's special result attributes, these are retrieved and used recursively. A URL
that does not specify any attribute selection, is equivalent (RFC 2255) to a URL that selects all
attributes, in which case the selected attributes will be the full set of result attributes in the
Postfix table.
If an LDAP URL attribute-descriptor or the corresponding Postfix LDAP table result attribute (but not
both) uses RFC 2255 sub-type options ("attr;option"), the attribute requested from the LDAP server will
include the sub-type option. In all other cases, the URL attribute and the table attribute must match
exactly. Attributes with options in both the URL and the Postfix table are requested only when the
options are identical. LDAP attribute-descriptor options are very rarely used, most LDAP users will not
need to concern themselves with this level of nuanced detail.
terminal_result_attribute (default: empty)
This feature is available with Postfix 2.4 or later.
leaf_result_attribute (default: empty)
When one or more special result attributes are found in a non-terminal (see above) LDAP entry, leaf
result attributes are excluded from the expansion of that entry. This is useful when expanding groups
and the desired mail address attribute(s) of the member objects obtained via DN or URI recursion are
also present in the group object. To only return the attribute values from the leaf objects and not the
containing group, add the attribute to the leaf_result_attribute list, and not the result_attribute
list, which is always expanded. Note, the default value of "result_attribute" is not empty, you may
want to set it explicitly empty when using "leaf_result_attribute" to expand the group to a list of
member DN addresses. If groups have both member DN references AND attributes that hold multiple string
valued rfc822 addresses, then the string attributes go in "result_attribute". The attributes that rep‐
resent the email addresses of objects referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
result_attribute = memberaddr
special_result_attribute = memberdn
terminal_result_attribute = maildrop
leaf_result_attribute = mail
When using terminal and/or leaf result attributes, the result_attribute is best set to an empty value
when it is not used, or else explicitly set to the desired value, even if it is the default value
"maildrop".
This feature is available with Postfix 2.4 or later.
scope (default: sub)
The LDAP search scope: sub, base, or one. These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
and LDAP_SCOPE_ONELEVEL.
bind (default: yes)
Whether or how to bind to the LDAP server. Newer LDAP implementations don't require clients to bind,
which saves time. Example:
# Don't bind
bind = no
# Use SIMPLE bind
bind = yes
# Use SASL bind
bind = sasl
Postfix versions prior to 2.8 only support "bind = no" which means don't bind, and "bind = yes" which
means do a SIMPLE bind. Postfix 2.8 and later also supports "bind = SASL" when compiled with LDAP SASL
support as described in LDAP_README, it also adds the synonyms "bind = none" and "bind = simple" for
"bind = no" and "bind = yes" respectively. See the SASL section below for additional parameters avail‐
able with "bind = sasl".
If you do need to bind, you might consider configuring Postfix to connect to the local machine on a
port that's an SSL tunnel to your LDAP server. If your LDAP server doesn't natively support SSL, put a
tunnel (wrapper, proxy, whatever you want to call it) on that system too. This should prevent the pass‐
word from traversing the network in the clear.
bind_dn (default: empty)
If you do have to bind, do it with this distinguished name. Example:
bind_pw = postfixpw
With "bind = sasl" (see above) the password may be optional for some SASL mechanisms, don't specify a
password if not needed.
cache (IGNORED with a warning)
cache_expiry (IGNORED with a warning)
cache_size (IGNORED with a warning)
The above parameters are NO LONGER SUPPORTED by Postfix. Cache support has been dropped from OpenLDAP
as of release 2.1.13.
recursion_limit (default: 1000)
A limit on the nesting depth of DN and URL special result attribute evaluation. The limit must be a
non-zero positive number.
expansion_limit (default: 0)
A limit on the total number of result elements returned (as a comma separated list) by a lookup against
the map. A setting of zero disables the limit. Lookups fail with a temporary error if the limit is
exceeded. Setting the limit to 1 ensures that lookups do not return multiple values.
size_limit (default: $expansion_limit)
A limit on the number of LDAP entries returned by any single LDAP search performed as part of the
lookup. A setting of 0 disables the limit. Expansion of DN and URL references involves nested LDAP
queries, each of which is separately subjected to this limit.
Note: even a single LDAP entry can generate multiple lookup results, via multiple result attributes
and/or multi-valued result attributes. This limit caps the per search resource utilization on the LDAP
server, not the final multiplicity of the lookup result. It is analogous to the "-z" option of
"ldapsearch".
dereference (default: 0)
When to dereference LDAP aliases. (Note that this has nothing do with Postfix aliases.) The permitted
values are those legal for the OpenLDAP/UM LDAP implementations:
0 never
1 when searching
2 when locating the base object for the search
3 always
See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for more information. And if you're using an
LDAP package that has other possible values, please bring it to the attention of the postfix-
[email protected] mailing list.
chase_referrals (default: 0)
Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3 support).
version (default: 2)
Specifies the LDAP protocol version to use.
debuglevel (default: 0)
proxymap request. This also lets you tailer the process environment by overriding the proxymap(8) import_envi‐
ronment setting in master.cf(5). Special environment settings may be needed to configure GSSAPI credential
caches or other SASL mechanism specific options. The GSSAPI credentials used for LDAP lookups may need to be
different than say those used for the Postfix SMTP client to authenticate to remote servers.
Using SASL mechanisms requires LDAP protocol version 3, the default protocol version is 2 for backwards com‐
patibility. You must set "version = 3" in addition to "bind = sasl".
The following parameters are relevant to using LDAP with SASL
sasl_mechs (default: empty)
Space separated list of SASL mechanism(s) to try.
sasl_realm (default: empty)
SASL Realm to use, if applicable.
sasl_authz_id (default: empty)
The SASL authorization identity to assert, if applicable.
sasl_minssf (default: 0)
The minimum required sasl security factor required to establish a connection.
LDAP SSL AND STARTTLS PARAMETERS
If you're using the OpenLDAP libraries compiled with SSL support, Postfix can connect to LDAP SSL servers and
can issue the STARTTLS command.
LDAP SSL service can be requested by using a LDAP SSL URL in the server_host parameter:
server_host = ldaps://ldap.example.com:636
STARTTLS can be turned on with the start_tls parameter:
start_tls = yes
Both forms require LDAP protocol version 3, which has to be set explicitly with:
version = 3
If any of the Postfix programs querying the map is configured in master.cf to run chrooted, all the certifi‐
cates and keys involved have to be copied to the chroot jail. Of course, the private keys should only be read‐
able by the user "postfix".
The following parameters are relevant to LDAP SSL and STARTTLS:
start_tls (default: no)
Whether or not to issue STARTTLS upon connection to the server. Don't set this with LDAP SSL (the SSL
session is setup automatically when the TCP connection is opened).
tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
Directory containing X509 Certificate Authority certificates in PEM format which are to be recognized
by the client in SSL/TLS connections. The files each contain one CA certificate. The files are looked
up by the CA subject name hash value, which must hence be available. If more than one CA certificate
with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc).
The search is performed in the ordering of the extension number, regardless of other properties of the
tls_require_cert (default: no)
Whether or not to request server's X509 certificate and check its validity when establishing SSL/TLS
connections. The supported values are no and yes.
With no, the server certificate trust chain is not checked, but with OpenLDAP prior to 2.1.13, the name
in the server certificate must still match the LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
server name is not necessarily what you specified, rather it is determined (by reverse lookup) from the
IP address of the LDAP server connection. With OpenLDAP prior to 2.0.13, subjectAlternativeName exten‐
sions in the LDAP server certificate are ignored: the server name must match the subject CommonName.
The no setting corresponds to the never value of TLS_REQCERT in LDAP client configuration files.
Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11) if you can avoid it.
With yes, the server certificate must be issued by a trusted CA, and not be expired. The LDAP server
name must match one of the name(s) found in the certificate (see above for OpenLDAP library version
dependent behavior). The yes setting corresponds to the demand value of TLS_REQCERT in LDAP client con‐
figuration files.
The "try" and "never" values of TLS_REQCERT have no equivalents here. They are not available with
OpenLDAP 2.0, and in any case have questionable security properties. Either you want TLS verified LDAP
connections, or you don't.
The yes value only works correctly with Postfix 2.5 and later, or with OpenLDAP 2.0. Earlier Postfix
releases or later OpenLDAP releases don't work together with this setting. Support for LDAP over TLS
was added to Postfix based on the OpenLDAP 2.0 API.
tls_random_file (No default)
Path of a file to obtain random bits from when /dev/[u]random is not available, to be used by the
client in SSL/TLS connections.
tls_cipher_suite (No default)
Cipher suite to use in SSL/TLS negotiations.
EXAMPLE
Here's a basic example for using LDAP to look up local(8) aliases. Assume that in main.cf, you have:
alias_maps = hash:/etc/aliases,
ldap:/etc/postfix/ldap-aliases.cf
and in ldap:/etc/postfix/ldap-aliases.cf you have:
server_host = ldap.example.com
search_base = dc=example, dc=com
Upon receiving mail for a local address "ldapuser" that isn't found in the /etc/aliases database, Postfix will
search the LDAP server listening at port 389 on ldap.example.com. It will bind anonymously, search for any
directory entries whose mailacceptinggeneralid attribute is "ldapuser", read the "maildrop" attributes of
those found, and build a list of their maildrops, which will be treated as RFC822 addresses to which the mes‐
sage will be delivered.
SEE ALSO
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
mysql_table(5), MySQL lookup tables
Mike Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.
LDAP_TABLE(5)
Back to main site | Back to man page index