LDAP_TABLE(5) File Formats Manual LDAP_TABLE(5)
NAME
ldap_table - Postfix LDAP client configuration
SYNOPSIS
postmap -q "string" ldap:/etc/postfix/filename
postmap -q - ldap:/etc/postfix/filename <inputfile
DESCRIPTION
The Postfix mail system uses optional tables for address rewriting or
mail routing. These tables are usually in dbm or db format.
Alternatively, lookup tables can be specified as LDAP databases.
In order to use LDAP lookups, define an LDAP source as a lookup table in
main.cf, for example:
alias_maps = ldap:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf has the same format as the Postfix
main.cf file, and can specify the parameters described below. An example
is given at the end of this manual.
This configuration method is available with Postfix version 2.1 and
later. See the section "OBSOLETE MAIN.CF PARAMETERS" below for older
Postfix versions.
For details about LDAP SSL and STARTTLS, see the section on SSL and
STARTTLS below.
LIST MEMBERSHIP
When using LDAP to store lists such as $mynetworks, $mydestination, $re-
lay_domains, $local_recipient_maps, etc., it is important to understand
that the table must store each list member as a separate key. The table
lookup verifies the *existence* of the key. See "Postfix lists versus
tables" in the DATABASE_README document for a discussion.
Do NOT create tables that return the full list of domains in $mydestina-
tion or $relay_domains etc., or IP addresses in $mynetworks.
DO create tables with each matching item as a key and with an arbitrary
value. With LDAP databases it is not uncommon to return the key itself.
For example, NEVER do this in a map defining $mydestination:
query_filter = domain=*
result_attribute = domain
Do this instead:
query_filter = domain=%s
result_attribute = domain
GENERAL LDAP PARAMETERS
In the text below, default values are given in parentheses. Note: don't
use quotes in these variables; at least, not until the Postfix configu-
ration routines understand how to deal with quoted strings.
server_host (default: localhost)
The name of the host running the LDAP server, e.g.
server_host = ldap.example.com
Depending on the LDAP client library you're using, it should be
possible to specify multiple servers here, with the library try-
ing them in order should the first one fail. It should also be
possible to give each server in the list a different port (over-
riding server_port below), by naming them like
server_host = ldap.example.com:1444
NOTE: this client will reconnect immediately after a single fail-
ure, and will fail a lookup request after a second attempt also
fails.
With OpenLDAP, a (list of) LDAP URLs can be used to specify both
the hostname(s) and the port(s):
server_host = ldap://ldap.example.com:1444
ldap://ldap2.example.com:1444
All LDAP URLs accepted by the OpenLDAP library are supported, in-
cluding connections over UNIX domain sockets, and LDAP SSL (the
last one provided that OpenLDAP was compiled with support for
SSL):
server_host = ldapi://%2Fsome%2Fpath
ldaps://ldap.example.com:636
server_port (default: 389)
The port the LDAP server listens on, e.g.
server_port = 778
timeout (default: 10 seconds)
The number of seconds a search can take before timing out, e.g.
timeout = 5
search_base (No default; you must configure this)
The RFC2253 base DN at which to conduct the search, e.g.
search_base = dc=your, dc=com
With Postfix 2.2 and later this parameter supports the following
'%' expansions:
%% This is replaced by a literal '%' character.
%s This is replaced by the input key. RFC 2253 quoting is
used to make sure that the input key does not add unex-
pected metacharacters.
%u When the input key is an address of the form user@domain,
%u is replaced by the (RFC 2253) quoted local part of the
address. Otherwise, %u is replaced by the entire search
string. If the localpart is empty, the search is sup-
pressed and returns no results.
%d When the input key is an address of the form user@domain,
%d is replaced by the (RFC 2253) quoted domain part of the
address. Otherwise, the search is suppressed and returns
no results.
%[SUD] For the search_base parameter, the upper-case equivalents
of the above expansions behave identically to their
lower-case counter-parts. With the result_format parameter
(previously called result_filter see the OTHER OBSOLETE
FEATURES section and below), they expand to the corre-
sponding components of input key rather than the result
value.
%[1-9] The patterns %1, %2, ... %9 are replaced by the corre-
sponding most significant component of the input key's do-
main. If the input key is user@mail.example.com, then %1
is com, %2 is example and %3 is mail. If the input key is
unqualified or does not have enough domain components to
satisfy all the specified patterns, the search is sup-
pressed and returns no results.
query_filter (default: mailacceptinggeneralid=%s)
The RFC2254 filter used to search the directory, where %s is a
substitute for the address Postfix is trying to resolve, e.g.
query_filter = (&(mail=%s)(paid_up=true))
This parameter supports the following '%' expansions:
%% This is replaced by a literal '%' character. (Postfix 2.2
and later).
%s This is replaced by the input key. RFC 2254 quoting is
used to make sure that the input key does not add unex-
pected metacharacters.
%u When the input key is an address of the form user@domain,
%u is replaced by the (RFC 2254) quoted local part of the
address. Otherwise, %u is replaced by the entire search
string. If the localpart is empty, the search is sup-
pressed and returns no results.
%d When the input key is an address of the form user@domain,
%d is replaced by the (RFC 2254) quoted domain part of the
address. Otherwise, the search is suppressed and returns
no results.
%[SUD] The upper-case equivalents of the above expansions behave
in the query_filter parameter identically to their
lower-case counter-parts. With the result_format parameter
(previously called result_filter see the OTHER OBSOLETE
FEATURES section and below), they expand to the corre-
sponding components of input key rather than the result
value.
The above %S, %U and %D expansions are available with
Postfix 2.2 and later.
%[1-9] The patterns %1, %2, ... %9 are replaced by the corre-
sponding most significant component of the input key's do-
main. If the input key is user@mail.example.com, then %1
is com, %2 is example and %3 is mail. If the input key is
unqualified or does not have enough domain components to
satisfy all the specified patterns, the search is sup-
pressed and returns no results.
The above %1, ..., %9 expansions are available with Post-
fix 2.2 and later.
The "domain" parameter described below limits the input keys to
addresses in matching domains. When the "domain" parameter is
non-empty, LDAP queries for unqualified addresses or addresses in
non-matching domains are suppressed and return no results.
NOTE: DO NOT put quotes around the query_filter parameter.
result_format (default: %s)
Called result_filter in Postfix releases prior to 2.2. Format
template applied to result attributes. Most commonly used to ap-
pend (or prepend) text to the result. This parameter supports the
following '%' expansions:
%% This is replaced by a literal '%' character. (Postfix 2.2
and later).
%s This is replaced by the value of the result attribute.
When result is empty it is skipped.
%u When the result attribute value is an address of the form
user@domain, %u is replaced by the local part of the ad-
dress. When the result has an empty localpart it is
skipped.
%d When a result attribute value is an address of the form
user@domain, %d is replaced by the domain part of the at-
tribute value. When the result is unqualified it is
skipped.
%[SUD1-9]
The upper-case and decimal digit expansions interpolate
the parts of the input key rather than the result. Their
behavior is identical to that described with query_filter,
and in fact because the input key is known in advance,
lookups whose key does not contain all the information
specified in the result template are suppressed and return
no results.
The above %S, %U, %D and %1, ..., %9 expansions are avail-
able with Postfix 2.2 and later.
For example, using "result_format = smtp:[%s]" allows one to use
a mailHost attribute as the basis of a transport(5) table. After
applying the result format, multiple values are concatenated as
comma separated strings. The expansion_limit and size_limit para-
meters explained below allow one to restrict the number of values
in the result, which is especially useful for maps that should
return a single value.
The default value %s specifies that each attribute value should
be used as is.
This parameter was called result_filter in Postfix releases prior
to 2.2. If no "result_format" is specified, the value of "re-
sult_filter" will be used instead before resorting to the default
value. This provides compatibility with old configuration files.
NOTE: DO NOT put quotes around the result format!
domain (default: no domain list)
This is a list of domain names, paths to files, or "type:table"
databases. When specified, only fully qualified search keys with
a *non-empty* localpart and a matching domain are eligible for
lookup: 'user' lookups, bare domain lookups and "@domain" lookups
are not performed. This can significantly reduce the query load
on the LDAP server.
domain = postfix.org, hash:/etc/postfix/searchdomains
It is best not to use LDAP to store the domains eligible for LDAP
lookups.
NOTE: DO NOT define this parameter for local(8) aliases.
This feature is available in Postfix 1.0 and later.
result_attribute (default: maildrop)
The attribute(s) Postfix will read from any directory entries re-
turned by the lookup, to be resolved to an email address.
result_attribute = mailbox, maildrop
Don't rely on the default value ("maildrop"). Set the result_at-
tribute explicitly in all ldap table configuration files. This is
particularly relevant when no result_attribute is applicable,
e.g. cases in which leaf_result_attribute and/or terminal_re-
sult_attribute are used instead. The default value is harmless if
"maildrop" is also listed as a leaf or terminal result attribute,
but it is best to not leave this to chance.
special_result_attribute (default: empty)
The attribute(s) of directory entries that can contain DNs or RFC
2255 LDAP URLs. If found, a recursive search is performed to re-
trieve the entry referenced by the DN, or the entries matched by
the URL query.
special_result_attribute = memberdn
DN recursion retrieves the same result_attributes as the main
query, including the special attributes for further recursion.
URL processing retrieves only those attributes that are included
in both the URL definition and as result attributes (ordinary,
special, leaf or terminal) in the Postfix table definition. If
the URL lists any of the table's special result attributes, these
are retrieved and used recursively. A URL that does not specify
any attribute selection, is equivalent (RFC 2255) to a URL that
selects all attributes, in which case the selected attributes
will be the full set of result attributes in the Postfix table.
If an LDAP URL attribute-descriptor or the corresponding Postfix
LDAP table result attribute (but not both) uses RFC 2255 sub-type
options ("attr;option"), the attribute requested from the LDAP
server will include the sub-type option. In all other cases, the
URL attribute and the table attribute must match exactly. Attrib-
utes with options in both the URL and the Postfix table are re-
quested only when the options are identical. LDAP attribute-de-
scriptor options are very rarely used, most LDAP users will not
need to concern themselves with this level of nuanced detail.
terminal_result_attribute (default: empty)
When one or more terminal result attributes are found in an LDAP
entry, all other result attributes are ignored and only the ter-
minal result attributes are returned. This is useful for delegat-
ing expansion of group members to a particular host, by using an
optional "maildrop" attribute on selected groups to route the
group to a specific host, where the group is expanded, possibly
via mailing-list manager or other special processing.
result_attribute =
terminal_result_attribute = maildrop
When using terminal and/or leaf result attributes, the result_at-
tribute is best set to an empty value when it is not used, or
else explicitly set to the desired value, even if it is the de-
fault value "maildrop".
This feature is available with Postfix 2.4 or later.
leaf_result_attribute (default: empty)
When one or more special result attributes are found in a
non-terminal (see above) LDAP entry, leaf result attributes are
excluded from the expansion of that entry. This is useful when
expanding groups and the desired mail address attribute(s) of the
member objects obtained via DN or URI recursion are also present
in the group object. To only return the attribute values from the
leaf objects and not the containing group, add the attribute to
the leaf_result_attribute list, and not the result_attribute
list, which is always expanded. Note, the default value of "re-
sult_attribute" is not empty, you may want to set it explicitly
empty when using "leaf_result_attribute" to expand the group to a
list of member DN addresses. If groups have both member DN refer-
ences AND attributes that hold multiple string valued rfc822 ad-
dresses, then the string attributes go in "result_attribute".
The attributes that represent the email addresses of objects ref-
erenced via a DN (or LDAP URI) go in "leaf_result_attribute".
result_attribute = memberaddr
special_result_attribute = memberdn
terminal_result_attribute = maildrop
leaf_result_attribute = mail
When using terminal and/or leaf result attributes, the result_at-
tribute is best set to an empty value when it is not used, or
else explicitly set to the desired value, even if it is the de-
fault value "maildrop".
This feature is available with Postfix 2.4 or later.
scope (default: sub)
The LDAP search scope: sub, base, or one. These translate into
LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.
bind (default: yes)
Whether or how to bind to the LDAP server. Newer LDAP implementa-
tions don't require clients to bind, which saves time. Example:
# Don't bind
bind = no
# Use SIMPLE bind
bind = yes
# Use SASL bind
bind = sasl
Postfix versions prior to 2.8 only support "bind = no" which
means don't bind, and "bind = yes" which means do a SIMPLE bind.
Postfix 2.8 and later also supports "bind = SASL" when compiled
with LDAP SASL support as described in LDAP_README, it also adds
the synonyms "bind = none" and "bind = simple" for "bind = no"
and "bind = yes" respectively. See the SASL section below for ad-
ditional parameters available with "bind = sasl".
If you do need to bind, you might consider configuring Postfix to
connect to the local machine on a port that's an SSL tunnel to
your LDAP server. If your LDAP server doesn't natively support
SSL, put a tunnel (wrapper, proxy, whatever you want to call it)
on that system too. This should prevent the password from tra-
versing the network in the clear.
bind_dn (default: empty)
If you do have to bind, do it with this distinguished name. Exam-
ple:
bind_dn = uid=postfix, dc=your, dc=com
With "bind = sasl" (see above) the DN may be optional for some
SASL mechanisms, don't specify a DN if not needed.
bind_pw (default: empty)
The password for the distinguished name above. If you have to use
this, you probably want to make the map configuration file read-
able only by the Postfix user. When using the obsolete ldap:ldap-
source syntax, with map parameters in main.cf, it is not possible
to securely store the bind password. This is because main.cf
needs to be world readable to allow local accounts to submit mail
via the sendmail command. Example:
bind_pw = postfixpw
With "bind = sasl" (see above) the password may be optional for
some SASL mechanisms, don't specify a password if not needed.
cache (IGNORED with a warning)
cache_expiry (IGNORED with a warning)
cache_size (IGNORED with a warning)
The above parameters are NO LONGER SUPPORTED by Postfix. Cache
support has been dropped from OpenLDAP as of release 2.1.13.
recursion_limit (default: 1000)
A limit on the nesting depth of DN and URL special result at-
tribute evaluation. The limit must be a non-zero positive number.
expansion_limit (default: 0)
A limit on the total number of result elements returned (as a
comma separated list) by a lookup against the map. A setting of
zero disables the limit. Lookups fail with a temporary error if
the limit is exceeded. Setting the limit to 1 ensures that
lookups do not return multiple values.
size_limit (default: $expansion_limit)
A limit on the number of LDAP entries returned by any single LDAP
search performed as part of the lookup. A setting of 0 disables
the limit. Expansion of DN and URL references involves nested
LDAP queries, each of which is separately subjected to this
limit.
Note: even a single LDAP entry can generate multiple lookup re-
sults, via multiple result attributes and/or multi-valued result
attributes. This limit caps the per search resource utilization
on the LDAP server, not the final multiplicity of the lookup re-
sult. It is analogous to the "-z" option of "ldapsearch".
dereference (default: 0)
When to dereference LDAP aliases. (Note that this has nothing do
with Postfix aliases.) The permitted values are those legal for
the OpenLDAP/UM LDAP implementations:
0 never
1 when searching
2 when locating the base object for the search
3 always
See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for
more information. And if you're using an LDAP package that has
other possible values, please bring it to the attention of the
postfix-users@postfix.org mailing list.
chase_referrals (default: 0)
Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3 sup-
port).
version (default: 2)
Specifies the LDAP protocol version to use.
debuglevel (default: 0)
What level to set for debugging in the OpenLDAP libraries.
LDAP SASL PARAMETERS
If you're using the OpenLDAP libraries compiled with SASL support, Post-
fix 2.8 and later built with LDAP SASL support as described in
LDAP_README can authenticate to LDAP servers via SASL.
This enables authentication to the LDAP server via mechanisms other than
a simple password. The added flexibility has a cost: it is no longer
practical to set an explicit timeout on the duration of an LDAP bind op-
eration. Under adverse conditions, whether a SASL bind times out, or if
it does, the duration of the timeout is determined by the LDAP and SASL
libraries.
It is best to use tables that use SASL binds via proxymap(8), this way
the requesting process can time-out the proxymap request. This also lets
you tailer the process environment by overriding the proxymap(8) im-
port_environment setting in master.cf(5). Special environment settings
may be needed to configure GSSAPI credential caches or other SASL mecha-
nism specific options. The GSSAPI credentials used for LDAP lookups may
need to be different than say those used for the Postfix SMTP client to
authenticate to remote servers.
Using SASL mechanisms requires LDAP protocol version 3, the default pro-
tocol version is 2 for backwards compatibility. You must set "version =
3" in addition to "bind = sasl".
The following parameters are relevant to using LDAP with SASL
sasl_mechs (default: empty)
Space separated list of SASL mechanism(s) to try.
sasl_realm (default: empty)
SASL Realm to use, if applicable.
sasl_authz_id (default: empty)
The SASL authorization identity to assert, if applicable.
sasl_minssf (default: 0)
The minimum required sasl security factor required to establish a
connection.
LDAP SSL AND STARTTLS PARAMETERS
If you're using the OpenLDAP libraries compiled with SSL support, Post-
fix can connect to LDAP SSL servers and can issue the STARTTLS command.
LDAP SSL service can be requested by using a LDAP SSL URL in the
server_host parameter:
server_host = ldaps://ldap.example.com:636
STARTTLS can be turned on with the start_tls parameter:
start_tls = yes
Both forms require LDAP protocol version 3, which has to be set explic-
itly with:
version = 3
If any of the Postfix programs querying the map is configured in mas-
ter.cf to run chrooted, all the certificates and keys involved have to
be copied to the chroot jail. Of course, the private keys should only be
readable by the user "postfix".
The following parameters are relevant to LDAP SSL and STARTTLS:
start_tls (default: no)
Whether or not to issue STARTTLS upon connection to the server.
Don't set this with LDAP SSL (the SSL session is setup automati-
cally when the TCP connection is opened).
tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
Directory containing X509 Certification Authority certificates in
PEM format which are to be recognized by the client in SSL/TLS
connections. The files each contain one CA certificate. The
files are looked up by the CA subject name hash value, which must
hence be available. If more than one CA certificate with the same
name hash value exist, the extension must be different (e.g.
9d66eef0.0, 9d66eef0.1 etc). The search is performed in the or-
dering of the extension number, regardless of other properties of
the certificates. Use the c_rehash utility (from the OpenSSL dis-
tribution) to create the necessary links.
tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
File containing the X509 Certification Authority certificates in
PEM format which are to be recognized by the client in SSL/TLS
connections. This setting takes precedence over tls_ca_cert_dir.
tls_cert (No default; you must set this)
File containing client's X509 certificate to be used by the
client in SSL/ TLS connections.
tls_key (No default; you must set this)
File containing the private key corresponding to the above
tls_cert.
tls_require_cert (default: no)
Whether or not to request server's X509 certificate and check its
validity when establishing SSL/TLS connections. The supported
values are no and yes.
With no, the server certificate trust chain is not checked, but
with OpenLDAP prior to 2.1.13, the name in the server certificate
must still match the LDAP server name. With OpenLDAP 2.0.0 to
2.0.11 the server name is not necessarily what you specified,
rather it is determined (by reverse lookup) from the IP address
of the LDAP server connection. With OpenLDAP prior to 2.0.13,
subjectAlternativeName extensions in the LDAP server certificate
are ignored: the server name must match the subject CommonName.
The no setting corresponds to the never value of TLS_REQCERT in
LDAP client configuration files.
Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
if you can avoid it.
With yes, the server certificate must be issued by a trusted CA,
and not be expired. The LDAP server name must match one of the
name(s) found in the certificate (see above for OpenLDAP library
version dependent behavior). The yes setting corresponds to the
demand value of TLS_REQCERT in LDAP client configuration files.
The "try" and "allow" values of TLS_REQCERT have no equivalents
here. They are not available with OpenLDAP 2.0, and in any case
have questionable security properties. Either you want TLS veri-
fied LDAP connections, or you don't.
The yes value only works correctly with Postfix 2.5 and later, or
with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP re-
leases don't work together with this setting. Support for LDAP
over TLS was added to Postfix based on the OpenLDAP 2.0 API.
tls_random_file (No default)
Path of a file to obtain random bits from when /dev/[u]random is
not available, to be used by the client in SSL/TLS connections.
tls_cipher_suite (No default)
Cipher suite to use in SSL/TLS negotiations.
EXAMPLE
Here's a basic example for using LDAP to look up local(8) aliases. As-
sume that in main.cf, you have:
alias_maps = hash:/etc/aliases,
ldap:/etc/postfix/ldap-aliases.cf
and in ldap:/etc/postfix/ldap-aliases.cf you have:
server_host = ldap.example.com
search_base = dc=example, dc=com
Upon receiving mail for a local address "ldapuser" that isn't found in
the /etc/aliases database, Postfix will search the LDAP server listening
at port 389 on ldap.example.com. It will bind anonymously, search for
any directory entries whose mailacceptinggeneralid attribute is "lda-
puser", read the "maildrop" attributes of those found, and build a list
of their maildrops, which will be treated as RFC822 addresses to which
the message will be delivered.
OBSOLETE MAIN.CF PARAMETERS
For backwards compatibility with Postfix version 2.0 and earlier, LDAP
parameters can also be defined in main.cf. Specify as LDAP source a
name that doesn't begin with a slash or a dot. The LDAP parameters will
then be accessible as the name you've given the source in its defini-
tion, an underscore, and the name of the parameter. For example, if the
map is specified as "ldap:ldapsource", the "server_host" parameter below
would be defined in main.cf as "ldapsource_server_host".
Note: with this form, the passwords for the LDAP sources are written in
main.cf, which is normally world-readable. Support for this form will
be removed in a future Postfix version.
OTHER OBSOLETE FEATURES
result_filter (No default)
For backwards compatibility with the pre 2.2 LDAP clients, re-
sult_filter can for now be used instead of result_format, when
the latter parameter is not also set. The new name better re-
flects the function of the parameter. This compatibility inter-
face may be removed in a future release.
SEE ALSO
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
mysql_table(5), MySQL lookup tables
pgsql_table(5), PostgreSQL lookup tables
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate
this information.
DATABASE_README, Postfix lookup table overview
LDAP_README, Postfix LDAP client guide
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaMont
Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh, Sami
Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.
LDAP_TABLE(5)
Generated by dwww version 1.16 on Tue Dec 16 04:33:08 CET 2025.