1#++
2# NAME
3#	ldap_table 5
4# SUMMARY
5#	Postfix LDAP client configuration
6# SYNOPSIS
7#	\fBpostmap -q "\fIstring\fB" ldap:/etc/postfix/\fIfilename\fR
8#
9#	\fBpostmap -q - ldap:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
10# DESCRIPTION
11#	The Postfix mail system uses optional tables for address
12#	rewriting or mail routing. These tables are usually in
13#	\fBdbm\fR or \fBdb\fR format.
14#
15#	Alternatively, lookup tables can be specified as LDAP databases.
16#
17#	In order to use LDAP lookups, define an LDAP source as a lookup
18#	table in main.cf, for example:
19#
20# .nf
21#	    alias_maps = ldap:/etc/postfix/ldap-aliases.cf
22# .fi
23#
24#	The file /etc/postfix/ldap-aliases.cf has the same format as
25#	the Postfix main.cf file, and can specify the parameters
26#	described below. An example is given at the end of this manual.
27#
28#	This configuration method is available with Postfix version
29#	2.1 and later.  See the section "BACKWARDS COMPATIBILITY"
30#	below for older Postfix versions.
31#
32#	For details about LDAP SSL and STARTTLS, see the section
33#	on SSL and STARTTLS below.
34# BACKWARDS COMPATIBILITY
35# .ad
36# .fi
37#	For backwards compatibility with Postfix version 2.0 and earlier,
38#	LDAP parameters can also be defined in main.cf.  Specify
39#	as LDAP source a name that doesn't begin with a slash or
40#	a dot.  The LDAP parameters will then be accessible as the
41#	name you've given the source in its definition, an underscore,
42#	and the name of the parameter.  For example, if the map is
43#	specified as "ldap:\fIldapsource\fR", the "server_host"
44#	parameter below would be defined in main.cf as
45#	"\fIldapsource\fR_server_host".
46#
47#	Note: with this form, the passwords for the LDAP sources are
48#	written in main.cf, which is normally world-readable.  Support
49#	for this form will be removed in a future Postfix version.
50#
51#	Postfix 2.2 has enhanced query interfaces for MySQL and PostgreSQL.
52#	These include features that were previously available only in the
53#	Postfix LDAP client. This work also created an opportunity for
54#	improvements in the LDAP interface. The primary compatibility
55#	issue is that \fBresult_filter\fR (a name that has caused some
56#	confusion as to its meaning in the past) has been renamed to
57#	\fBresult_format\fR.  For backwards compatibility with the pre
58#	2.2 LDAP client, \fBresult_filter\fR can for now be used instead
59#	of \fBresult_format\fR, when the latter parameter is not also set.
60#	The new name better reflects the function of the parameter. This
61#	compatibility interface may be removed in a future release.
62# LIST MEMBERSHIP
63# .ad
64# .fi
65#	When using LDAP to store lists such as $mynetworks,
66#	$mydestination, $relay_domains, $local_recipient_maps,
67#	etc., it is important to understand that the table must
68#	store each list member as a separate key. The table lookup
69#	verifies the *existence* of the key. See "Postfix lists
70#	versus tables" in the DATABASE_README document for a
71#	discussion.
72#
73#	Do NOT create tables that return the full list of domains
74#	in $mydestination or $relay_domains etc., or IP addresses
75#	in $mynetworks.
76#
77#	DO create tables with each matching item as a key and with
78#	an arbitrary value. With LDAP databases it is not uncommon to
79#	return the key itself.
80#
81#	For example, NEVER do this in a map defining $mydestination:
82#
83# .nf
84#	    query_filter = domain=*
85#	    result_attribute = domain
86# .fi
87#
88#	Do this instead:
89#
90# .nf
91#	    query_filter = domain=%s
92#	    result_attribute = domain
93# .fi
94# GENERAL LDAP PARAMETERS
95# .ad
96# .fi
97#	In the text below, default values are given in parentheses.
98#	Note: don't use quotes in these variables; at least, not until the
99#	Postfix configuration routines understand how to deal with quoted
100#	strings.
101# .IP "\fBserver_host (default: localhost)\fR"
102#	The name of the host running the LDAP server, e.g.
103#
104# .nf
105#	    server_host = ldap.example.com
106# .fi
107#
108#	Depending on the LDAP client library you're using, it should
109#	be possible to specify multiple servers here, with the library
110#	trying them in order should the first one fail. It should also
111#	be possible to give each server in the list a different port
112#	(overriding \fBserver_port\fR below), by naming them like
113#
114# .nf
115#	    server_host = ldap.example.com:1444
116# .fi
117#
118#	With OpenLDAP, a (list of) LDAP URLs can be used to specify both
119#	the hostname(s) and the port(s):
120#
121# .nf
122#	    server_host = ldap://ldap.example.com:1444
123#	                ldap://ldap2.example.com:1444
124# .fi
125#
126#	All LDAP URLs accepted by the OpenLDAP library are supported,
127#	including connections over UNIX domain sockets, and LDAP SSL
128#	(the last one provided that OpenLDAP was compiled with support
129#	for SSL):
130#
131# .nf
132#	    server_host = ldapi://%2Fsome%2Fpath
133#	                ldaps://ldap.example.com:636
134# .fi
135# .IP "\fBserver_port (default: 389)\fR"
136#	The port the LDAP server listens on, e.g.
137#
138# .nf
139#	    server_port = 778
140# .fi
141# .IP "\fBtimeout (default: 10 seconds)\fR"
142#	The number of seconds a search can take before timing out, e.g.
143#
144# .nf
145#	    timeout = 5
146# .fi
147# .IP "\fBsearch_base (No default; you must configure this)\fR"
148#	The RFC2253 base DN at which to conduct the search, e.g.
149#
150# .nf
151#	    search_base = dc=your, dc=com
152# .fi
153# .IP
154#	With Postfix 2.2 and later this parameter supports the
155#	following '%' expansions:
156# .RS
157# .IP "\fB\fB%%\fR\fR"
158#	This is replaced by a literal '%' character.
159# .IP "\fB\fB%s\fR\fR"
160#	This is replaced by the input key.
161#	RFC 2253 quoting is used to make sure that the input key
162#	does not add unexpected metacharacters.
163# .IP "\fB\fB%u\fR\fR"
164#	When the input key is an address of the form user@domain, \fB%u\fR
165#	is replaced by the (RFC 2253) quoted local part of the address.
166#	Otherwise, \fB%u\fR is replaced by the entire search string.
167#	If the localpart is empty, the search is suppressed and returns
168#	no results.
169# .IP "\fB\fB%d\fR\fR"
170#	When the input key is an address of the form user@domain, \fB%d\fR
171#	is replaced by the (RFC 2253) quoted domain part of the address.
172#	Otherwise, the search is suppressed and returns no results.
173# .IP "\fB\fB%[SUD]\fR\fR"
174#	For the \fBsearch_base\fR parameter, the upper-case equivalents
175#	of the above expansions behave identically to their lower-case
176#	counterparts. With the \fBresult_format\fR parameter (previously
177#	called \fBresult_filter\fR; see the BACKWARDS COMPATIBILITY section and below),
178#	they expand to the corresponding components of input key rather
179#	than the result value.
180# .IP "\fB\fB%[1-9]\fR\fR"
181#	The patterns %1, %2, ... %9 are replaced by the corresponding
182#	most significant component of the input key's domain. If the
183#	input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
184#	%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
185#	unqualified or does not have enough domain components to satisfy
186#	all the specified patterns, the search is suppressed and returns
187#	no results.
188# .RE
189# .IP "\fBquery_filter (default: mailacceptinggeneralid=%s)\fR"
190#	The RFC2254 filter used to search the directory, where \fB%s\fR
191#	is a substitute for the address Postfix is trying to resolve,
192#	e.g.
193#
194# .nf
195#	    query_filter = (&(mail=%s)(paid_up=true))
196# .fi
197#
198#	This parameter supports the following '%' expansions:
199# .RS
200# .IP "\fB\fB%%\fR\fR"
201#	This is replaced by a literal '%' character. (Postfix 2.2 and later).
202# .IP "\fB\fB%s\fR\fR"
203#	This is replaced by the input key.
204#	RFC 2254 quoting is used to make sure that the input key
205#	does not add unexpected metacharacters.
206# .IP "\fB\fB%u\fR\fR"
207#	When the input key is an address of the form user@domain, \fB%u\fR
208#	is replaced by the (RFC 2254) quoted local part of the address.
209#	Otherwise, \fB%u\fR is replaced by the entire search string.
210#	If the localpart is empty, the search is suppressed and returns
211#	no results.
212# .IP "\fB\fB%d\fR\fR"
213#	When the input key is an address of the form user@domain, \fB%d\fR
214#	is replaced by the (RFC 2254) quoted domain part of the address.
215#	Otherwise, the search is suppressed and returns no results.
216# .IP "\fB\fB%[SUD]\fR\fR"
217#	The upper-case equivalents of the above expansions behave in the
218#	\fBquery_filter\fR parameter identically to their lower-case
219#	counterparts. With the \fBresult_format\fR parameter (previously
220#	called \fBresult_filter\fR; see the BACKWARDS COMPATIBILITY section and below),
221#	they expand to the corresponding components of input key rather
222#	than the result value.
223# .IP
224#	The above %S, %U and %D expansions are available with Postfix 2.2
225#	and later.
226# .IP "\fB\fB%[1-9]\fR\fR"
227#	The patterns %1, %2, ... %9 are replaced by the corresponding
228#	most significant component of the input key's domain. If the
229#	input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
230#	%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
231#	unqualified or does not have enough domain components to satisfy
232#	all the specified patterns, the search is suppressed and returns
233#	no results.
234# .IP
235#	The above %1, ..., %9 expansions are available with Postfix 2.2
236#	and later.
237# .RE
238# .IP
239#	The "domain" parameter described below limits the input
240#	keys to addresses in matching domains. When the "domain"
241#	parameter is non-empty, LDAP queries for unqualified
242#	addresses or addresses in non-matching domains are suppressed
243#	and return no results.
244#
245#	NOTE: DO NOT put quotes around the \fBquery_filter\fR parameter.
246# .IP "\fBresult_format (default: \fB%s\fR)\fR"
247#	Called \fBresult_filter\fR in Postfix releases prior to 2.2.
248#	Format template applied to result attributes. Most commonly used
249#	to append (or prepend) text to the result. This parameter supports
250#	the following '%' expansions:
251# .RS
252# .IP "\fB\fB%%\fR\fR"
253#	This is replaced by a literal '%' character. (Postfix 2.2 and later).
254# .IP "\fB\fB%s\fR\fR"
255#	This is replaced by the value of the result attribute. When
256#	result is empty it is skipped.
257# .IP "\fB%u\fR"
258#	When the result attribute value is an address of the form
259#	user@domain, \fB%u\fR is replaced by the local part of the
260#	address. When the result has an empty localpart it is skipped.
261# .IP "\fB\fB%d\fR\fR"
262#	When a result attribute value is an address of the form
263#	user@domain, \fB%d\fR is replaced by the domain part of
264#	the attribute value. When the result is unqualified it
265#	is skipped.
266# .IP "\fB\fB%[SUD1-9]\fR\fR"
267#	The upper-case and decimal digit expansions interpolate
268#	the parts of the input key rather than the result. Their
269#	behavior is identical to that described with \fBquery_filter\fR,
270#	and in fact because the input key is known in advance, lookups
271#	whose key does not contain all the information specified in
272#	the result template are suppressed and return no results.
273# .IP
274#	The above %S, %U, %D and %1, ..., %9 expansions are available with
275#	Postfix 2.2 and later.
276# .RE
277# .IP
278#	For example, using "result_format = smtp:[%s]" allows one
279#	to use a mailHost attribute as the basis of a transport(5)
280#	table. After applying the result format, multiple values
281#	are concatenated as comma separated strings. The expansion_limit
282#	and size_limit parameters explained below allow one to
283#	restrict the number of values in the result, which is
284#	especially useful for maps that should return a single
285#	value.
286#
287#	The default value \fB%s\fR specifies that each
288#	attribute value should be used as is.
289#
290#	This parameter was called \fBresult_filter\fR in Postfix
291#	releases prior to 2.2. If no "result_format" is specified,
292#	the value of "result_filter" will be used instead before
293#	resorting to the default value. This provides compatibility
294#	with old configuration files.
295#
296#	NOTE: DO NOT put quotes around the result format!
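The expansions described above for search_base, query_filter and result_format, together with the LIST MEMBERSHIP rule that a filter must use the input key, as an added example that is not part of this manual or of Postfix's own dict_ldap.c. It models the '%' codes, the RFC 2254 (filter) and RFC 2253 (DN) quoting of the input key, and the suppression of lookups whose key lacks a part the template needs; the quoting routines are simplified, and the choice to split an address at its last '@' is an assumption.

```python
"""Model of the '%' expansions of ldap_table(5): search_base, query_filter
and result_format. Added example; not Postfix's own code (dict_ldap.c)."""


class Suppressed(Exception):
    """The key lacks a part the template needs: the search is suppressed."""


def rfc2254_quote(s):
    """Encode the search-filter metacharacters of RFC 2254 (now RFC 4515) as
    \\XX so that a lookup key can never change the structure of query_filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in s)


def rfc2253_quote(s):
    """Escape what is special inside an RFC 2253 DN value (simplified: the
    separator characters, a leading '#', and a leading or trailing space)."""
    out = []
    for i, c in enumerate(s):
        special = (c in ',+"\\<>;' or (c == '#' and i == 0)
                   or (c == ' ' and i in (0, len(s) - 1)))
        out.append('\\' + c if special else c)
    return ''.join(out)


def _split(value):
    """(localpart, domain) split at the last '@'; domain is None when the
    value is unqualified (assumption: matches Postfix's address parsing)."""
    return tuple(value.rsplit('@', 1)) if '@' in value else (value, None)


def _piece(code, value, quote):
    """The part of VALUE selected by a lower-case code: s, u or d."""
    local, domain = _split(value)
    if code == 's':
        return quote(value)
    if code == 'u':
        if local == '':
            raise Suppressed('empty localpart')
        return quote(local)            # unqualified: %u is the whole string
    if domain is None:
        raise Suppressed('unqualified address')
    return quote(domain)


def _domain_label(value, n, quote):
    """%1..%9: the n-th most significant label of the domain of VALUE."""
    domain = _split(value)[1]
    if domain is None:
        raise Suppressed('unqualified address')
    labels = domain.split('.')[::-1]   # %1 is the rightmost label ('com')
    if n > len(labels):
        raise Suppressed('only %d domain components' % len(labels))
    return quote(labels[n - 1])


def expand(template, key, quote=lambda s: s, result=None):
    """Expand TEMPLATE. Lower-case %s/%u/%d take RESULT when one is given
    (result_format) and the input KEY otherwise; %S/%U/%D and %1..%9 always
    take the input KEY; %% is a literal '%'."""
    out, i = [], 0
    while i < len(template):
        c = template[i]
        i += 1
        if c != '%':
            out.append(c)
            continue
        if i == len(template):
            raise ValueError("template ends with a bare '%'")
        code = template[i]
        i += 1
        if code == '%':
            out.append('%')
        elif code in 'sud':
            out.append(_piece(code, key if result is None else result, quote))
        elif code in 'SUD':
            out.append(_piece(code.lower(), key, quote))
        elif code in '123456789':
            out.append(_domain_label(key, int(code), quote))
        else:
            raise ValueError('unknown expansion %%%s' % code)
    return ''.join(out)


def build_filter(query_filter, key):
    """query_filter with RFC 2254 quoting; None when the search is suppressed."""
    try:
        return expand(query_filter, key, quote=rfc2254_quote)
    except Suppressed:
        return None


def build_base(search_base, key):
    """search_base with RFC 2253 quoting; None when the search is suppressed."""
    try:
        return expand(search_base, key, quote=rfc2253_quote)
    except Suppressed:
        return None


def format_results(result_format, key, values):
    """Apply result_format to every attribute value and join the survivors
    with commas. An empty value or one the template cannot be applied to is
    skipped; a key lacking what %S/%U/%D/%1..%9 need leaves nothing at all."""
    out = []
    for value in values:
        if value == '':
            continue
        try:
            out.append(expand(result_format, key, result=value))
        except Suppressed:
            continue
    return ','.join(out)
```

`build_filter('(mail=%s)', '*)(uid=*')` yields `(mail=\2a\29\28uid=\2a)`: the metacharacters are encoded, so the key can only select an entry whose mail attribute is literally that string. `build_filter('domain=*', key)` returns `domain=*` whatever the key is, which is exactly why LIST MEMBERSHIP forbids that filter in a map defining $mydestination.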
297# .IP "\fBdomain (default: no domain list)\fR"
298#	This is a list of domain names, paths to files, or
299#	dictionaries. When specified, only fully qualified search
300#	keys with a *non-empty* localpart and a matching domain
301#	are eligible for lookup: 'user' lookups, bare domain lookups
302#	and "@domain" lookups are not performed. This can significantly
303#	reduce the query load on the LDAP server.
304#
305# .nf
306#	    domain = postfix.org, hash:/etc/postfix/searchdomains
307# .fi
308#
309#	It is best not to use LDAP to store the domains eligible
310#	for LDAP lookups.
311#
312#	NOTE: DO NOT define this parameter for local(8) aliases.
313#
314#	This feature is available in Postfix 1.0 and later.
315# .IP "\fBresult_attribute (default: maildrop)\fR"
316#	The attribute(s) Postfix will read from any directory
317#	entries returned by the lookup, to be resolved to an email
318#	address.
319#
320# .nf
321#	    result_attribute = mailbox, maildrop
322# .fi
323# .IP "\fBspecial_result_attribute (default: empty)\fR"
324#	The attribute(s) of directory entries that can contain DNs
325#	or URLs. If found, a recursive subsequent search is done
326#	using their values.
327#
328# .nf
329#	    special_result_attribute = memberdn
330# .fi
331#
332#	DN recursion retrieves the same result_attributes as the
333#	main query, including the special attributes for further
334#	recursion. URI processing retrieves only those attributes
335#	that are included in the URI definition and are *also*
336#	listed in "result_attribute". If the URI lists any of the
337#	map's special result attributes, these are also retrieved
338#	and used recursively.
339# .IP "\fBterminal_result_attribute (default: empty)\fR"
340#	When one or more terminal result attributes are found in an LDAP
341#	entry, all other result attributes are ignored and only the terminal
342#	result attributes are returned. This is useful for delegating expansion
343#	of group members to a particular host, by using an optional "maildrop"
344#	attribute on selected groups to route the group to a specific host,
345#	where the group is expanded, possibly via mailing-list manager or
346#	other special processing.
347#
348# .nf
349#	    terminal_result_attribute = maildrop
350# .fi
351#
352#	This feature is available with Postfix 2.4 or later.
353# .IP "\fBleaf_result_attribute (default: empty)\fR"
354#	When one or more special result attributes are found in a non-terminal
355#	(see above) LDAP entry, leaf result attributes are excluded from the
356#	expansion of that entry. This is useful when expanding groups and the
357#	desired mail address attribute(s) of the member objects obtained via
358#	DN or URI recursion are also present in the group object. To only
359#	return the attribute values from the leaf objects and not the
360#	containing group, add the attribute to the leaf_result_attribute list,
361#	and not the result_attribute list, which is always expanded. Note:
362#	the default value of "result_attribute" is not empty, so you may want to
363#	set it explicitly empty when using "leaf_result_attribute" to expand
364#	the group to a list of member DN addresses. If groups have both
365#	member DN references AND attributes that hold multiple string valued
366#	rfc822 addresses, then the string attributes go in "result_attribute".
367#	The attributes that represent the email addresses of objects
368#	referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
369#
370# .nf
371#	    result_attribute = memberaddr
372#	    special_result_attribute = memberdn
373#	    terminal_result_attribute = maildrop
374#	    leaf_result_attribute = mail
375# .fi
376#
377#	This feature is available with Postfix 2.4 or later.
378# .IP "\fBscope (default: sub)\fR"
379#	The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
380#	These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
381#	and LDAP_SCOPE_ONELEVEL.
382# .IP "\fBbind (default: yes)\fR"
383#	Whether or not to bind to the LDAP server. Newer LDAP
384#	implementations don't require clients to bind, which saves
385#	time. Example:
386#
387# .nf
388#	    bind = no
389# .fi
390#
391#	If you do need to bind, you might consider configuring
392#	Postfix to connect to the local machine on a port that's
393#	an SSL tunnel to your LDAP server. If your LDAP server
394#	doesn't natively support SSL, put a tunnel (wrapper, proxy,
395#	whatever you want to call it) on that system too. This
396#	should prevent the password from traversing the network in
397#	the clear.
398# .IP "\fBbind_dn (default: empty)\fR"
399#	If you do have to bind, do it with this distinguished name. Example:
400#
401# .nf
402#	    bind_dn = uid=postfix, dc=your, dc=com
403# .fi
404# .IP "\fBbind_pw (default: empty)\fR"
405#	The password for the distinguished name above. If you have
406#	to use this, you probably want to make the map configuration
407#	file readable only by the Postfix user. When using the
408#	obsolete ldap:ldapsource syntax, with map parameters in
409#	main.cf, it is not possible to securely store the bind
410#	password. This is because main.cf needs to be world readable
411#	to allow local accounts to submit mail via the sendmail
412#	command. Example:
413#
414# .nf
415#	    bind_pw = postfixpw
416# .fi
417# .IP "\fBcache (IGNORED with a warning)\fR"
418# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
419# .IP "\fBcache_size (IGNORED with a warning)\fR"
420#	The above parameters are NO LONGER SUPPORTED by Postfix.
421#	Cache support has been dropped from OpenLDAP as of release
422#	2.1.13.
423# .IP "\fBrecursion_limit (default: 1000)\fR"
424#	A limit on the nesting depth of DN and URL special result
425#	attribute evaluation. The limit must be a non-zero positive
426#	number.
427# .IP "\fBexpansion_limit (default: 0)\fR"
428#	A limit on the total number of result elements returned
429#	(as a comma separated list) by a lookup against the map.
430#	A setting of zero disables the limit. Lookups fail with a
431#	temporary error if the limit is exceeded.  Setting the
432#	limit to 1 ensures that lookups do not return multiple
433#	values.
434# .IP "\fBsize_limit (default: $expansion_limit)\fR"
435#	A limit on the number of LDAP entries returned by any single
436#	LDAP search performed as part of the lookup. A setting of
437#	0 disables the limit.  Expansion of DN and URL references
438#	involves nested LDAP queries, each of which is separately
439#	subjected to this limit.
440#
441#	Note: even a single LDAP entry can generate multiple lookup
442#	results, via multiple result attributes and/or multi-valued
443#	result attributes. This limit caps the per search resource
444#	utilization on the LDAP server, not the final multiplicity
445#	of the lookup result. It is analogous to the "-z" option
446#	of "ldapsearch".
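How the result_attribute, special_result_attribute, terminal_result_attribute and leaf_result_attribute classes interact during DN recursion, together with the recursion_limit and expansion_limit checks, as an added example that is not part of this manual or of Postfix. The in-memory directory, the group names and the use of mailacceptinggeneralid as the index attribute of the main query are constructed; the model follows DN references only (not LDAP URIs), treats a dangling DN as contributing nothing, and turns an exceeded recursion_limit into the same temporary error that the page specifies for an exceeded expansion_limit, which is an assumption for recursion_limit.

```python
"""Model of ldap_table(5) result-attribute expansion with DN recursion.
Added example, not Postfix code; the directory below is constructed."""


class TempError(Exception):
    """The lookup fails with a temporary error (the caller retries later)."""


def expand_entry(directory, cfg, entry, depth, out):
    """Collect result values from ENTRY, following the DNs found in its
    special result attributes. There is no loop detection: recursion_limit
    is the only guard against a group that (indirectly) contains itself."""
    if depth > cfg['recursion_limit']:
        raise TempError('recursion limit %d exceeded' % cfg['recursion_limit'])
    terminal = [v for a in cfg['terminal_result_attribute'] for v in entry.get(a, [])]
    if terminal:
        out.extend(terminal)       # terminal attributes win: nothing else, no recursion
        return
    for a in cfg['result_attribute']:
        out.extend(entry.get(a, []))               # always expanded
    refs = [v for a in cfg['special_result_attribute'] for v in entry.get(a, [])]
    if not refs:
        for a in cfg['leaf_result_attribute']:      # leaf entry: leaf attributes count
            out.extend(entry.get(a, []))
        return
    for dn in refs:                # non-terminal group: its leaf attributes are excluded
        target = directory.get(dn)
        if target is not None:     # a dangling DN contributes nothing (assumption)
            expand_entry(directory, cfg, target, depth + 1, out)


def lookup(directory, cfg, key, index_attr='mailacceptinggeneralid'):
    """Main query (entries whose INDEX_ATTR equals KEY), then expansion, then
    the expansion_limit check on the comma-separated result."""
    out = []
    for entry in directory.values():
        if key in entry.get(index_attr, []):
            expand_entry(directory, cfg, entry, 0, out)
    limit = cfg['expansion_limit']
    if limit and len(out) > limit:
        raise TempError('expansion limit %d exceeded (%d values)' % (limit, len(out)))
    return ','.join(out)


def lookup_status(directory, cfg, key):
    """lookup() with the temporary error folded into the return value."""
    try:
        return lookup(directory, cfg, key)
    except TempError as e:
        return 'TEMPFAIL: %s' % e


# Constructed directory: a nested group, a delegated group and a self-referencing one.
DIRECTORY = {
    'cn=staff,ou=groups,dc=example,dc=com': {
        'mailacceptinggeneralid': ['staff'],
        'mail': ['staff@example.com'],            # the group's own address (leaf attr)
        'memberaddr': ['external@partner.example'],
        'memberdn': ['uid=alice,ou=people,dc=example,dc=com',
                     'cn=eng,ou=groups,dc=example,dc=com'],
    },
    'cn=eng,ou=groups,dc=example,dc=com': {
        'mailacceptinggeneralid': ['eng'],
        'mail': ['eng@example.com'],
        'memberdn': ['uid=bob,ou=people,dc=example,dc=com'],
    },
    'cn=remote,ou=groups,dc=example,dc=com': {
        'mailacceptinggeneralid': ['remote'],
        'maildrop': ['remote@lists.example.net'],  # terminal: expansion is delegated
        'memberdn': ['uid=alice,ou=people,dc=example,dc=com'],
        'mail': ['remote@example.com'],
    },
    'cn=loop,ou=groups,dc=example,dc=com': {
        'mailacceptinggeneralid': ['loop'],
        'memberdn': ['cn=loop,ou=groups,dc=example,dc=com'],   # refers to itself
    },
    'uid=alice,ou=people,dc=example,dc=com': {'mail': ['alice@example.com']},
    'uid=bob,ou=people,dc=example,dc=com': {'mail': ['bob@example.com']},
}

# The attribute settings from the leaf_result_attribute example above; the
# recursion limit is kept small so that the loop is detected quickly.
CONFIG = {
    'result_attribute': ['memberaddr'],
    'special_result_attribute': ['memberdn'],
    'terminal_result_attribute': ['maildrop'],
    'leaf_result_attribute': ['mail'],
    'recursion_limit': 20,
    'expansion_limit': 0,
}

if __name__ == '__main__':
    for key in ('staff', 'remote', 'loop', 'nobody'):
        print(key, '->', lookup_status(DIRECTORY, CONFIG, key) or '(no result)')
```

Looking up "staff" returns the memberaddr value, alice's and bob's mail attributes, and neither staff@example.com nor eng@example.com, because those are leaf attributes of entries that carry special attributes; "remote" returns only its maildrop; "loop" and, with expansion_limit = 1, "staff" fail with a temporary error.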
447# .IP "\fBdereference (default: 0)\fR"
448#	When to dereference LDAP aliases. (Note that this has
449#	nothing to do with Postfix aliases.) The permitted values are
450#	those legal for the OpenLDAP/UM LDAP implementations:
451# .RS
452# .IP 0
453#	never
454# .IP 1
455#	when searching
456# .IP 2
457#	when locating the base object for the search
458# .IP 3
459#	always
460# .RE
461# .IP
462#	See ldap.h or the ldap_open(3) or ldapsearch(1) man pages
463#	for more information. And if you're using an LDAP package
464#	that has other possible values, please bring it to the
465#	attention of the postfix-users@postfix.org mailing list.
466# .IP "\fBchase_referrals (default: 0)\fR"
467#	Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
468#	3 support).
469# .IP "\fBversion (default: 2)\fR"
470#	Specifies the LDAP protocol version to use.
471# .IP "\fBdebuglevel (default: 0)\fR"
472#	What level to set for debugging in the OpenLDAP libraries.
473# LDAP SSL AND STARTTLS PARAMETERS
474# .ad
475# .fi
476#	If you're using the OpenLDAP libraries compiled with SSL
477#	support, Postfix can connect to LDAP SSL servers and can
478#	issue the STARTTLS command.
479#
480#	LDAP SSL service can be requested by using a LDAP SSL URL
481#	in the server_host parameter:
482#
483# .nf
484#	    server_host = ldaps://ldap.example.com:636
485# .fi
486#
487#	STARTTLS can be turned on with the start_tls parameter:
488#
489# .nf
490#	    start_tls = yes
491# .fi
492#
493#	Both forms require LDAP protocol version 3, which has to be set
494#	explicitly with:
495#
496# .nf
497#	    version = 3
498# .fi
499#
500#	If any of the Postfix programs querying the map is configured in
501#	master.cf to run chrooted, all the certificates and keys involved
502#	have to be copied to the chroot jail. Of course, the private keys
503#	should only be readable by the user "postfix".
504#
505#	The following parameters are relevant to LDAP SSL and STARTTLS:
506# .IP "\fBstart_tls (default: no)\fR"
507#	Whether or not to issue STARTTLS upon connection to the
508#	server.  Don't set this with LDAP SSL (the SSL session is set up
509#	automatically when the TCP connection is opened).
510# .IP "\fBtls_ca_cert_dir (No default; set either this or tls_ca_cert_file)\fR"
511#	Directory containing X509 Certificate Authority certificates
512#	in PEM format which are to be recognized by the client in
513#	SSL/TLS connections. The files each contain one CA certificate.
514#	The files are looked up by the CA subject name hash value,
515#	which must hence be available. If more than one CA certificate
516#	with the same name hash value exists, the extension must be
517#	different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is
518#	performed in the ordering of the extension number, regardless
519#	of other properties of the certificates. Use the c_rehash
520#	utility (from the OpenSSL distribution) to create the
521#	necessary links.
522# .IP "\fBtls_ca_cert_file (No default; set either this or tls_ca_cert_dir)\fR"
523#	File containing the X509 Certificate Authority certificates
524#	in PEM format which are to be recognized by the client in
525#	SSL/TLS connections. This setting takes precedence over
526#	tls_ca_cert_dir.
527# .IP "\fBtls_cert (No default; you must set this)\fR"
528#	File containing client's X509 certificate to be used by
529#	the client in SSL/TLS connections.
530# .IP "\fBtls_key (No default; you must set this)\fR"
531#	File containing the private key corresponding to the above
532#	tls_cert.
533# .IP "\fBtls_require_cert (default: no)\fR"
534#	Whether or not to request server's X509 certificate and
535#	check its validity when establishing SSL/TLS connections.
536#	The supported values are \fBno\fR and \fByes\fR.
537# .sp
538#	With \fBno\fR, the server certificate trust chain is not checked,
539#	but with OpenLDAP prior to 2.1.13, the name in the server
540#	certificate must still match the LDAP server name. With OpenLDAP
541#	2.0.0 to 2.0.11 the server name is not necessarily what you
542#	specified, rather it is determined (by reverse lookup) from the
543#	IP address of the LDAP server connection. With OpenLDAP prior to
544#	2.0.13, subjectAlternativeName extensions in the LDAP server
545#	certificate are ignored: the server name must match the subject
546#	CommonName. The \fBno\fR setting corresponds to the \fBnever\fR
547#	value of \fBTLS_REQCERT\fR in LDAP client configuration files.
548# .sp
549#	Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
550#	if you can avoid it.
551# .sp
552#	With \fByes\fR, the server certificate must be issued by a trusted
553#	CA, and not be expired. The LDAP server name must match one of the
554#	name(s) found in the certificate (see above for OpenLDAP library
555#	version dependent behavior). The \fByes\fR setting corresponds to the
556#	\fBdemand\fR value of \fBTLS_REQCERT\fR in LDAP client configuration
557#	files.
558# .sp
559#	The "try" and "never" values of \fBTLS_REQCERT\fR have no equivalents
560#	here. They are not available with OpenLDAP 2.0, and in any case have
561#	questionable security properties. Either you want TLS verified LDAP
562#	connections, or you don't.
563# .sp
564#	The \fByes\fR value only works correctly with Postfix 2.5 and later,
565#	or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
566#	releases don't work together with this setting. Support for LDAP
567#	over TLS was added to Postfix based on the OpenLDAP 2.0 API.
568# .IP "\fBtls_random_file (No default)\fR"
569#	Path of a file to obtain random bits from when /dev/[u]random
570#	is not available, to be used by the client in SSL/TLS
571#	connections.
572# .IP "\fBtls_cipher_suite (No default)\fR"
573#	Cipher suite to use in SSL/TLS negotiations.
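A check of a table file against the SSL/STARTTLS rules above and the bind_pw advice earlier in this manual, as an added example that is not part of this manual or of Postfix. It parses the main.cf-style format these files use (including continuation lines), and flags quoted values, a missing version = 3, start_tls combined with an ldaps:// URL, an unverified server certificate, a missing CA source, a bind password sent without SSL/STARTTLS, a table file holding a bind_pw that is group or world readable, and the obsolete ldap:ldapsource form that leaves a bind password in main.cf; both configuration texts, the file paths and the st_mode values are constructed.

```python
"""Audit of an ldap_table(5) configuration file against the SSL/STARTTLS and
bind_pw advice in the manual. Added example, not part of Postfix; the two
configuration texts below are constructed."""


def parse_postfix_cf(text):
    """Parse the main.cf-style format used by LDAP table files: 'name = value'
    lines, '#' comment lines, and indented lines that continue the previous
    value (as in the multi-line server_host example)."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        if line[0] in ' \t' and current is not None:
            params[current] += ' ' + line.strip()
            continue
        name, sep, value = line.partition('=')
        if not sep:
            continue                       # not a parameter line
        current = name.strip()
        params[current] = value.strip()
    return params


def audit(params):
    """Findings for one table file; each follows a rule stated in ldap_table(5)."""
    findings = []
    host = params.get('server_host', 'localhost')
    ldaps = 'ldaps://' in host
    starttls = params.get('start_tls', 'no') == 'yes'
    tls = ldaps or starttls
    for name, value in params.items():
        if value.startswith('"'):
            findings.append('%s: quoted value; do not put quotes around parameters' % name)
    if tls and params.get('version', '2') != '3':
        findings.append('LDAP SSL/STARTTLS require version = 3 (the default is 2)')
    if ldaps and starttls:
        findings.append('start_tls = yes with an ldaps:// URL; the SSL session is already set up')
    if tls and params.get('tls_require_cert', 'no') != 'yes':
        findings.append('tls_require_cert is not yes: the server certificate is not verified')
    if params.get('tls_require_cert') == 'yes' and not (
            params.get('tls_ca_cert_file') or params.get('tls_ca_cert_dir')):
        findings.append('tls_require_cert = yes but neither tls_ca_cert_file nor tls_ca_cert_dir is set')
    if params.get('bind', 'yes') == 'yes' and params.get('bind_pw') and not tls:
        findings.append('bind_pw set without SSL/STARTTLS: the password crosses the network in the clear')
    return findings


def audit_file_mode(params, st_mode):
    """ST_MODE is os.stat(path).st_mode of the table file: with a bind_pw in
    it, the file should be readable only by the Postfix user."""
    if params.get('bind_pw') and st_mode & 0o077:
        return ['bind_pw present but the file is group/world readable']
    return []


def audit_main_cf(params):
    """The obsolete ldap:ldapsource form puts <source>_bind_pw into main.cf,
    which must stay world-readable for local mail submission."""
    return ['%s: LDAP bind password in world-readable main.cf' % name
            for name in params if name.endswith('_bind_pw')]


WEAK_CF = """\
# constructed ldap-aliases.cf with the weak settings
server_host = ldap://ldap.example.com:389
search_base = dc=example, dc=com
query_filter = "(mail=%s)"
bind = yes
bind_dn = uid=postfix, ou=people, dc=example, dc=com
bind_pw = postfixpw
"""

HARDENED_CF = """\
# constructed ldap-aliases.cf with the corrected settings
server_host = ldap://ldap.example.com:389
search_base = dc=example, dc=com
query_filter = (mail=%s)
version = 3
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/postfix/ldap-ca.pem
tls_cert = /etc/postfix/ldap-client.pem
tls_key = /etc/postfix/ldap-client.key
bind = yes
bind_dn = uid=postfix, ou=people, dc=example, dc=com
bind_pw = postfixpw
"""

if __name__ == '__main__':
    for label, text in (('weak', WEAK_CF), ('hardened', HARDENED_CF)):
        print(label, audit(parse_postfix_cf(text)) or ['no findings'])
```

Run against a real file with `audit(parse_postfix_cf(open(path).read()))` and `audit_file_mode(params, os.stat(path).st_mode)`; the paths in the hardened text are placeholders for wherever the CA bundle and client key actually live, and if the map is queried by a chrooted program those files must also be present inside the chroot jail, as the section above says.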
574# EXAMPLE
575# .ad
576# .fi
577#	Here's a basic example for using LDAP to look up local(8)
578#	aliases.
579#	Assume that in main.cf, you have:
580#
581# .nf
582#	    alias_maps = hash:/etc/aliases,
583#	            ldap:/etc/postfix/ldap-aliases.cf
584# .fi
585#
586#	and in ldap:/etc/postfix/ldap-aliases.cf you have:
587#
588# .nf
589#	    server_host = ldap.example.com
590#	    search_base = dc=example, dc=com
591# .fi
592#
593#	Upon receiving mail for a local address "ldapuser" that
594#	isn't found in the /etc/aliases database, Postfix will
595#	search the LDAP server listening at port 389 on ldap.example.com.
596#	It will bind anonymously, search for any directory entries
597#	whose mailacceptinggeneralid attribute is "ldapuser", read
598#	the "maildrop" attributes of those found, and build a list
599#	of their maildrops, which will be treated as RFC822 addresses
600#	to which the message will be delivered.
601# SEE ALSO
602#	postmap(1), Postfix lookup table manager
603#	postconf(5), configuration parameters
604#	mysql_table(5), MySQL lookup tables
605#	pgsql_table(5), PostgreSQL lookup tables
606# README FILES
607# .ad
608# .fi
609#	Use "\fBpostconf readme_directory\fR" or
610#	"\fBpostconf html_directory\fR" to locate this information.
611# .na
612# .nf
613#	DATABASE_README, Postfix lookup table overview
614#	LDAP_README, Postfix LDAP client guide
615# LICENSE
616# .ad
617# .fi
618#	The Secure Mailer license must be distributed with this software.
619# AUTHOR(S)
620# .ad
621# .fi
622#	Carsten Hoeger,
623#	Hery Rakotoarisoa,
624#	John Hensley,
625#	Keith Stevenson,
626#	LaMont Jones,
627#	Liviu Daia,
628#	Manuel Guesdon,
629#	Mike Mattice,
630#	Prabhat K Singh,
631#	Sami Haahtinen,
632#	Samuel Tardieu,
633#	Victor Duchovni,
634#	and many others.
635#--
636