1LDAP_TABLE(5) File Formats Manual LDAP_TABLE(5)
2
3
4
6 ldap_table - Postfix LDAP client configuration
7
9 postmap -q "string" ldap:/etc/postfix/filename
10
11 postmap -q - ldap:/etc/postfix/filename <inputfile
12
14 The Postfix mail system uses optional tables for address rewriting or
15 mail routing. These tables are usually in dbm or db format.
16
17 Alternatively, lookup tables can be specified as LDAP databases.
18
19 In order to use LDAP lookups, define an LDAP source as a lookup table
20 in main.cf, for example:
21
22 alias_maps = ldap:/etc/postfix/ldap-aliases.cf
23
24 The file /etc/postfix/ldap-aliases.cf has the same format as the Post‐
25 fix main.cf file, and can specify the parameters described below. An
26 example is given at the end of this manual.
27
28 This configuration method is available with Postfix version 2.1 and
29 later. See the section "BACKWARDS COMPATIBILITY" below for older Post‐
30 fix versions.
31
32 For details about LDAP SSL and STARTTLS, see the section on SSL and
33 STARTTLS below.
34
36 For backwards compatibility with Postfix version 2.0 and earlier, LDAP
37 parameters can also be defined in main.cf. Specify as LDAP source a
38 name that doesn't begin with a slash or a dot. The LDAP parameters
39 will then be accessible as the name you've given the source in its def‐
40 inition, an underscore, and the name of the parameter. For example, if
41 the map is specified as "ldap:ldapsource", the "server_host" parameter
42 below would be defined in main.cf as "ldapsource_server_host".
43
44 Note: with this form, the passwords for the LDAP sources are written in
45 main.cf, which is normally world-readable. Support for this form will
46 be removed in a future Postfix version.
47
48 For backwards compatibility with the pre 2.2 LDAP clients, result_fil‐
49 ter can for now be used instead of result_format, when the latter
50 parameter is not also set. The new name better reflects the function
51 of the parameter. This compatibility interface may be removed in a
52 future release.
53
55 When using LDAP to store lists such as $mynetworks, $mydestination,
56 $relay_domains, $local_recipient_maps, etc., it is important to under‐
57 stand that the table must store each list member as a separate key. The
58 table lookup verifies the *existence* of the key. See "Postfix lists
59 versus tables" in the DATABASE_README document for a discussion.
60
61 Do NOT create tables that return the full list of domains in $mydesti‐
62 nation or $relay_domains etc., or IP addresses in $mynetworks.
63
64 DO create tables with each matching item as a key and with an arbitrary
65 value. With LDAP databases it is not uncommon to return the key itself.
66
67 For example, NEVER do this in a map defining $mydestination:
68
69 query_filter = domain=*
70 result_attribute = domain
71
72 Do this instead:
73
74 query_filter = domain=%s
75 result_attribute = domain
76
78 In the text below, default values are given in parentheses. Note:
79 don't use quotes in these variables; at least, not until the Postfix
80 configuration routines understand how to deal with quoted strings.
81
82 server_host (default: localhost)
83 The name of the host running the LDAP server, e.g.
84
85 server_host = ldap.example.com
86
87 Depending on the LDAP client library you're using, it should be
88 possible to specify multiple servers here, with the library try‐
89 ing them in order should the first one fail. It should also be
90 possible to give each server in the list a different port (over‐
91 riding server_port below), by naming them like
92
93 server_host = ldap.example.com:1444
94
95 With OpenLDAP, a (list of) LDAP URLs can be used to specify both
96 the hostname(s) and the port(s):
97
98 server_host = ldap://ldap.example.com:1444
99 ldap://ldap2.example.com:1444
100
101 All LDAP URLs accepted by the OpenLDAP library are supported,
102 including connections over UNIX domain sockets, and LDAP SSL
103 (the last one provided that OpenLDAP was compiled with support
104 for SSL):
105
106 server_host = ldapi://%2Fsome%2Fpath
107 ldaps://ldap.example.com:636
108
109 server_port (default: 389)
110 The port the LDAP server listens on, e.g.
111
112 server_port = 778
113
114 timeout (default: 10 seconds)
115 The number of seconds a search can take before timing out, e.g.
116
117 timeout = 5
118
119 search_base (No default; you must configure this)
120 The RFC2253 base DN at which to conduct the search, e.g.
121
122 search_base = dc=your, dc=com
123
124 With Postfix 2.2 and later this parameter supports the following
125 '%' expansions:
126
127 %% This is replaced by a literal '%' character.
128
129 %s This is replaced by the input key. RFC 2253 quoting is
130 used to make sure that the input key does not add unex‐
131 pected metacharacters.
132
133 %u When the input key is an address of the form user@domain,
134 %u is replaced by the (RFC 2253) quoted local part of the
135 address. Otherwise, %u is replaced by the entire search
136 string. If the localpart is empty, the search is sup‐
137 pressed and returns no results.
138
139 %d When the input key is an address of the form user@domain,
140 %d is replaced by the (RFC 2253) quoted domain part of
141 the address. Otherwise, the search is suppressed and
142 returns no results.
143
144 %[SUD] For the search_base parameter, the upper-case equivalents
145 of the above expansions behave identically to their
146 lower-case counter-parts. With the result_format parame‐
147 ter (previously called result_filter see the COMPATIBIL‐
148 ITY section and below), they expand to the corresponding
149 components of input key rather than the result value.
150
151 %[1-9] The patterns %1, %2, ... %9 are replaced by the corre‐
152 sponding most significant component of the input key's
153 domain. If the input key is user@mail.example.com, then
154 %1 is com, %2 is example and %3 is mail. If the input key
155 is unqualified or does not have enough domain components
156 to satisfy all the specified patterns, the search is sup‐
157 pressed and returns no results.
158
159 query_filter (default: mailacceptinggeneralid=%s)
160 The RFC2254 filter used to search the directory, where %s is a
161 substitute for the address Postfix is trying to resolve, e.g.
162
163 query_filter = (&(mail=%s)(paid_up=true))
164
165 This parameter supports the following '%' expansions:
166
167 %% This is replaced by a literal '%' character. (Postfix 2.2
168 and later).
169
170 %s This is replaced by the input key. RFC 2254 quoting is
171 used to make sure that the input key does not add unex‐
172 pected metacharacters.
173
174 %u When the input key is an address of the form user@domain,
175 %u is replaced by the (RFC 2254) quoted local part of the
176 address. Otherwise, %u is replaced by the entire search
177 string. If the localpart is empty, the search is sup‐
178 pressed and returns no results.
179
180 %d When the input key is an address of the form user@domain,
181 %d is replaced by the (RFC 2254) quoted domain part of
182 the address. Otherwise, the search is suppressed and
183 returns no results.
184
185 %[SUD] The upper-case equivalents of the above expansions behave
186 in the query_filter parameter identically to their lower-
187 case counter-parts. With the result_format parameter
188 (previously called result_filter see the COMPATIBILITY
189 section and below), they expand to the corresponding com‐
190 ponents of input key rather than the result value.
191
192 The above %S, %U and %D expansions are available with
193 Postfix 2.2 and later.
194
195 %[1-9] The patterns %1, %2, ... %9 are replaced by the corre‐
196 sponding most significant component of the input key's
197 domain. If the input key is user@mail.example.com, then
198 %1 is com, %2 is example and %3 is mail. If the input key
199 is unqualified or does not have enough domain components
200 to satisfy all the specified patterns, the search is sup‐
201 pressed and returns no results.
202
203 The above %1, ..., %9 expansions are available with Post‐
204 fix 2.2 and later.
205
206 The "domain" parameter described below limits the input keys to
207 addresses in matching domains. When the "domain" parameter is
208 non-empty, LDAP queries for unqualified addresses or addresses
209 in non-matching domains are suppressed and return no results.
210
211 NOTE: DO NOT put quotes around the query_filter parameter.
212
213 result_format (default: %s)
214 Called result_filter in Postfix releases prior to 2.2. Format
215 template applied to result attributes. Most commonly used to
216 append (or prepend) text to the result. This parameter supports
217 the following '%' expansions:
218
219 %% This is replaced by a literal '%' character. (Postfix 2.2
220 and later).
221
222 %s This is replaced by the value of the result attribute.
223 When result is empty it is skipped.
224
225 %u When the result attribute value is an address of the form
226 user@domain, %u is replaced by the local part of the
227 address. When the result has an empty localpart it is
228 skipped.
229
230 %d When a result attribute value is an address of the form
231 user@domain, %d is replaced by the domain part of the
232 attribute value. When the result is unqualified it is
233 skipped.
234
235 %[SUD1-9]
236 The upper-case and decimal digit expansions interpolate
237 the parts of the input key rather than the result. Their
238 behavior is identical to that described with query_fil‐
239 ter, and in fact because the input key is known in
240 advance, lookups whose key does not contain all the
241 information specified in the result template are sup‐
242 pressed and return no results.
243
244 The above %S, %U, %D and %1, ..., %9 expansions are
245 available with Postfix 2.2 and later.
246
247 For example, using "result_format = smtp:[%s]" allows one to use
248 a mailHost attribute as the basis of a transport(5) table. After
249 applying the result format, multiple values are concatenated as
250 comma separated strings. The expansion_limit and size_limit
251 parameters explained below allow one to restrict the number of
252 values in the result, which is especially useful for maps that
253 should return a single value.
254
255 The default value %s specifies that each attribute value should
256 be used as is.
257
258 This parameter was called result_filter in Postfix releases
259 prior to 2.2. If no "result_format" is specified, the value of
260 "result_filter" will be used instead before resorting to the
261 default value. This provides compatibility with old configura‐
262 tion files.
263
264 NOTE: DO NOT put quotes around the result format!
265
266 domain (default: no domain list)
267 This is a list of domain names, paths to files, or dictionaries.
268 When specified, only fully qualified search keys with a *non-
269 empty* localpart and a matching domain are eligible for lookup:
270 'user' lookups, bare domain lookups and "@domain" lookups are
271 not performed. This can significantly reduce the query load on
272 the LDAP server.
273
274 domain = postfix.org, hash:/etc/postfix/searchdomains
275
276 It is best not to use LDAP to store the domains eligible for
277 LDAP lookups.
278
279 NOTE: DO NOT define this parameter for local(8) aliases.
280
281 This feature is available in Postfix 1.0 and later.
282
283 result_attribute (default: maildrop)
284 The attribute(s) Postfix will read from any directory entries
285 returned by the lookup, to be resolved to an email address.
286
287 result_attribute = mailbox, maildrop
288
289 Don't rely on the default value ("maildrop"). Set the
290 result_attribute explicitly in all ldap table configuration
291 files. This is particularly relevant when no result_attribute is
292 applicable, e.g. cases in which leaf_result_attribute and/or
293 terminal_result_attribute are used instead. The default value is
294 harmless if "maildrop" is also listed as a leaf or terminal
295 result attribute, but it is best to not leave this to chance.
296
297 special_result_attribute (default: empty)
298 The attribute(s) of directory entries that can contain DNs or
299 RFC 2255 LDAP URLs. If found, a recursive search is performed to
300 retrieve the entry referenced by the DN, or the entries matched
301 by the URL query.
302
303 special_result_attribute = memberdn
304
305 DN recursion retrieves the same result_attributes as the main
306 query, including the special attributes for further recursion.
307
308 URL processing retrieves only those attributes that are included
309 in both the URL definition and as result attributes (ordinary,
310 special, leaf or terminal) in the Postfix table definition. If
311 the URL lists any of the table's special result attributes,
312 these are retrieved and used recursively. A URL that does not
313 specify any attribute selection, is equivalent (RFC 2255) to a
314 URL that selects all attributes, in which case the selected
315 attributes will be the full set of result attributes in the
316 Postfix table.
317
318 If an LDAP URL attribute-descriptor or the corresponding Postfix
319 LDAP table result attribute (but not both) uses RFC 2255 sub-
320 type options ("attr;option"), the attribute requested from the
321 LDAP server will include the sub-type option. In all other
322 cases, the URL attribute and the table attribute must match
323 exactly. Attributes with options in both the URL and the Postfix
324 table are requested only when the options are identical. LDAP
325 attribute-descriptor options are very rarely used, most LDAP
326 users will not need to concern themselves with this level of
327 nuanced detail.
328
329 terminal_result_attribute (default: empty)
330 When one or more terminal result attributes are found in an LDAP
331 entry, all other result attributes are ignored and only the ter‐
332 minal result attributes are returned. This is useful for dele‐
333 gating expansion of group members to a particular host, by using
334 an optional "maildrop" attribute on selected groups to route the
335 group to a specific host, where the group is expanded, possibly
336 via mailing-list manager or other special processing.
337
338 result_attribute =
339 terminal_result_attribute = maildrop
340
341 When using terminal and/or leaf result attributes, the
342 result_attribute is best set to an empty value when it is not
343 used, or else explicitly set to the desired value, even if it is
344 the default value "maildrop".
345
346 This feature is available with Postfix 2.4 or later.
347
348 leaf_result_attribute (default: empty)
349 When one or more special result attributes are found in a non-
350 terminal (see above) LDAP entry, leaf result attributes are
351 excluded from the expansion of that entry. This is useful when
352 expanding groups and the desired mail address attribute(s) of
353 the member objects obtained via DN or URI recursion are also
354 present in the group object. To only return the attribute values
355 from the leaf objects and not the containing group, add the
356 attribute to the leaf_result_attribute list, and not the
357 result_attribute list, which is always expanded. Note, the
358 default value of "result_attribute" is not empty, you may want
359 to set it explicitly empty when using "leaf_result_attribute" to
360 expand the group to a list of member DN addresses. If groups
361 have both member DN references AND attributes that hold multiple
362 string valued rfc822 addresses, then the string attributes go in
363 "result_attribute". The attributes that represent the email
364 addresses of objects referenced via a DN (or LDAP URI) go in
365 "leaf_result_attribute".
366
367 result_attribute = memberaddr
368 special_result_attribute = memberdn
369 terminal_result_attribute = maildrop
370 leaf_result_attribute = mail
371
372 When using terminal and/or leaf result attributes, the
373 result_attribute is best set to an empty value when it is not
374 used, or else explicitly set to the desired value, even if it is
375 the default value "maildrop".
376
377 This feature is available with Postfix 2.4 or later.
378
379 scope (default: sub)
380 The LDAP search scope: sub, base, or one. These translate into
381 LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.
382
383 bind (default: yes)
384 Whether or how to bind to the LDAP server. Newer LDAP implemen‐
385 tations don't require clients to bind, which saves time. Exam‐
386 ple:
387
388 # Don't bind
389 bind = no
390 # Use SIMPLE bind
391 bind = yes
392 # Use SASL bind
393 bind = sasl
394
395 Postfix versions prior to 2.8 only support "bind = no" which
396 means don't bind, and "bind = yes" which means do a SIMPLE bind.
397 Postfix 2.8 and later also supports "bind = SASL" when compiled
398 with LDAP SASL support as described in LDAP_README, it also adds
399 the synonyms "bind = none" and "bind = simple" for "bind = no"
400 and "bind = yes" respectively. See the SASL section below for
401 additional parameters available with "bind = sasl".
402
403 If you do need to bind, you might consider configuring Postfix
404 to connect to the local machine on a port that's an SSL tunnel
405 to your LDAP server. If your LDAP server doesn't natively sup‐
406 port SSL, put a tunnel (wrapper, proxy, whatever you want to
407 call it) on that system too. This should prevent the password
408 from traversing the network in the clear.
409
410 bind_dn (default: empty)
411 If you do have to bind, do it with this distinguished name.
412 Example:
413
414 bind_dn = uid=postfix, dc=your, dc=com
415 With "bind = sasl" (see above) the DN may be optional for some
416 SASL mechanisms, don't specify a DN if not needed.
417
418 bind_pw (default: empty)
419 The password for the distinguished name above. If you have to
420 use this, you probably want to make the map configuration file
421 readable only by the Postfix user. When using the obsolete
422 ldap:ldapsource syntax, with map parameters in main.cf, it is
423 not possible to securely store the bind password. This is
424 because main.cf needs to be world readable to allow local
425 accounts to submit mail via the sendmail command. Example:
426
427 bind_pw = postfixpw
428 With "bind = sasl" (see above) the password may be optional for
429 some SASL mechanisms, don't specify a password if not needed.
430
431 cache (IGNORED with a warning)
432
433 cache_expiry (IGNORED with a warning)
434
435 cache_size (IGNORED with a warning)
436 The above parameters are NO LONGER SUPPORTED by Postfix. Cache
437 support has been dropped from OpenLDAP as of release 2.1.13.
438
439 recursion_limit (default: 1000)
440 A limit on the nesting depth of DN and URL special result
441 attribute evaluation. The limit must be a non-zero positive num‐
442 ber.
443
444 expansion_limit (default: 0)
445 A limit on the total number of result elements returned (as a
446 comma separated list) by a lookup against the map. A setting of
447 zero disables the limit. Lookups fail with a temporary error if
448 the limit is exceeded. Setting the limit to 1 ensures that
449 lookups do not return multiple values.
450
451 size_limit (default: $expansion_limit)
452 A limit on the number of LDAP entries returned by any single
453 LDAP search performed as part of the lookup. A setting of 0 dis‐
454 ables the limit. Expansion of DN and URL references involves
455 nested LDAP queries, each of which is separately subjected to
456 this limit.
457
458 Note: even a single LDAP entry can generate multiple lookup
459 results, via multiple result attributes and/or multi-valued
460 result attributes. This limit caps the per search resource uti‐
461 lization on the LDAP server, not the final multiplicity of the
462 lookup result. It is analogous to the "-z" option of
463 "ldapsearch".
464
465 dereference (default: 0)
466 When to dereference LDAP aliases. (Note that this has nothing do
467 with Postfix aliases.) The permitted values are those legal for
468 the OpenLDAP/UM LDAP implementations:
469
470 0 never
471
472 1 when searching
473
474 2 when locating the base object for the search
475
476 3 always
477
478 See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for
479 more information. And if you're using an LDAP package that has
480 other possible values, please bring it to the attention of the
481 postfix-users@postfix.org mailing list.
482
483 chase_referrals (default: 0)
484 Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3
485 support).
486
487 version (default: 2)
488 Specifies the LDAP protocol version to use.
489
490 debuglevel (default: 0)
491 What level to set for debugging in the OpenLDAP libraries.
492
494 If you're using the OpenLDAP libraries compiled with SASL support,
495 Postfix 2.8 and later built with LDAP SASL support as described in
496 LDAP_README can authenticate to LDAP servers via SASL.
497
498 This enables authentication to the LDAP server via mechanisms other
499 than a simple password. The added flexibility has a cost: it is no
500 longer practical to set an explicit timeout on the duration of an LDAP
501 bind operation. Under adverse conditions, whether a SASL bind times
502 out, or if it does, the duration of the timeout is determined by the
503 LDAP and SASL libraries.
504
505 It is best to use tables that use SASL binds via proxymap(8), this way
506 the requesting process can time-out the proxymap request. This also
507 lets you tailer the process environment by overriding the proxymap(8)
508 import_environment setting in master.cf(5). Special environment set‐
509 tings may be needed to configure GSSAPI credential caches or other SASL
510 mechanism specific options. The GSSAPI credentials used for LDAP
511 lookups may need to be different than say those used for the Postfix
512 SMTP client to authenticate to remote servers.
513
514 Using SASL mechanisms requires LDAP protocol version 3, the default
515 protocol version is 2 for backwards compatibility. You must set "ver‐
516 sion = 3" in addition to "bind = sasl".
517
518 The following parameters are relevant to using LDAP with SASL
519
520 sasl_mechs (default: empty)
521 Space separated list of SASL mechanism(s) to try.
522
523 sasl_realm (default: empty)
524 SASL Realm to use, if applicable.
525
526 sasl_authz_id (default: empty)
527 The SASL authorization identity to assert, if applicable.
528
529 sasl_minssf (default: 0)
530 The minimum required sasl security factor required to establish
531 a connection.
532
534 If you're using the OpenLDAP libraries compiled with SSL support, Post‐
535 fix can connect to LDAP SSL servers and can issue the STARTTLS command.
536
537 LDAP SSL service can be requested by using a LDAP SSL URL in the
538 server_host parameter:
539
540 server_host = ldaps://ldap.example.com:636
541
542 STARTTLS can be turned on with the start_tls parameter:
543
544 start_tls = yes
545
546 Both forms require LDAP protocol version 3, which has to be set explic‐
547 itly with:
548
549 version = 3
550
551 If any of the Postfix programs querying the map is configured in mas‐
552 ter.cf to run chrooted, all the certificates and keys involved have to
553 be copied to the chroot jail. Of course, the private keys should only
554 be readable by the user "postfix".
555
556 The following parameters are relevant to LDAP SSL and STARTTLS:
557
558 start_tls (default: no)
559 Whether or not to issue STARTTLS upon connection to the server.
560 Don't set this with LDAP SSL (the SSL session is setup automati‐
561 cally when the TCP connection is opened).
562
563 tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
564 Directory containing X509 Certificate Authority certificates in
565 PEM format which are to be recognized by the client in SSL/TLS
566 connections. The files each contain one CA certificate. The
567 files are looked up by the CA subject name hash value, which
568 must hence be available. If more than one CA certificate with
569 the same name hash value exist, the extension must be different
570 (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in
571 the ordering of the extension number, regardless of other prop‐
572 erties of the certificates. Use the c_rehash utility (from the
573 OpenSSL distribution) to create the necessary links.
574
575 tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
576 File containing the X509 Certificate Authority certificates in
577 PEM format which are to be recognized by the client in SSL/TLS
578 connections. This setting takes precedence over tls_ca_cert_dir.
579
580 tls_cert (No default; you must set this)
581 File containing client's X509 certificate to be used by the
582 client in SSL/ TLS connections.
583
584 tls_key (No default; you must set this)
585 File containing the private key corresponding to the above
586 tls_cert.
587
588 tls_require_cert (default: no)
589 Whether or not to request server's X509 certificate and check
590 its validity when establishing SSL/TLS connections. The sup‐
591 ported values are no and yes.
592
593 With no, the server certificate trust chain is not checked, but
594 with OpenLDAP prior to 2.1.13, the name in the server certifi‐
595 cate must still match the LDAP server name. With OpenLDAP 2.0.0
596 to 2.0.11 the server name is not necessarily what you specified,
597 rather it is determined (by reverse lookup) from the IP address
598 of the LDAP server connection. With OpenLDAP prior to 2.0.13,
599 subjectAlternativeName extensions in the LDAP server certificate
600 are ignored: the server name must match the subject CommonName.
601 The no setting corresponds to the never value of TLS_REQCERT in
602 LDAP client configuration files.
603
604 Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
605 if you can avoid it.
606
607 With yes, the server certificate must be issued by a trusted CA,
608 and not be expired. The LDAP server name must match one of the
609 name(s) found in the certificate (see above for OpenLDAP library
610 version dependent behavior). The yes setting corresponds to the
611 demand value of TLS_REQCERT in LDAP client configuration files.
612
613 The "try" and "never" values of TLS_REQCERT have no equivalents
614 here. They are not available with OpenLDAP 2.0, and in any case
615 have questionable security properties. Either you want TLS veri‐
616 fied LDAP connections, or you don't.
617
618 The yes value only works correctly with Postfix 2.5 and later,
619 or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
620 releases don't work together with this setting. Support for LDAP
621 over TLS was added to Postfix based on the OpenLDAP 2.0 API.
622
623 tls_random_file (No default)
624 Path of a file to obtain random bits from when /dev/[u]random is
625 not available, to be used by the client in SSL/TLS connections.
626
627 tls_cipher_suite (No default)
628 Cipher suite to use in SSL/TLS negotiations.
629
631 Here's a basic example for using LDAP to look up local(8) aliases.
632 Assume that in main.cf, you have:
633
634 alias_maps = hash:/etc/aliases,
635 ldap:/etc/postfix/ldap-aliases.cf
636
637 and in ldap:/etc/postfix/ldap-aliases.cf you have:
638
639 server_host = ldap.example.com
640 search_base = dc=example, dc=com
641
642 Upon receiving mail for a local address "ldapuser" that isn't found in
643 the /etc/aliases database, Postfix will search the LDAP server listen‐
644 ing at port 389 on ldap.example.com. It will bind anonymously, search
645 for any directory entries whose mailacceptinggeneralid attribute is
646 "ldapuser", read the "maildrop" attributes of those found, and build a
647 list of their maildrops, which will be treated as RFC822 addresses to
648 which the message will be delivered.
649
651 postmap(1), Postfix lookup table manager
652 postconf(5), configuration parameters
653 mysql_table(5), MySQL lookup tables
654 pgsql_table(5), PostgreSQL lookup tables
655
657 Use "postconf readme_directory" or "postconf html_directory" to locate
658 this information.
659 DATABASE_README, Postfix lookup table overview
660 LDAP_README, Postfix LDAP client guide
661
663 The Secure Mailer license must be distributed with this software.
664
666 Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM‐
667 ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh,
668 Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.
669
670
671
672 LDAP_TABLE(5)