In the text below, default values are given in parentheses. Note: don't use quotes in these variables; at least, not until the Postfix configuration routines understand how to deal with quoted strings.
server_host (default: localhost)
The name of the host running the LDAP server, e.g.
server_host = ldap.example.com
Depending on the LDAP client library you're using, it should be possible to specify multiple servers here, with the library trying them in order should the first one fail. It should also be possible to give each server in the list a different port (overriding server_port below), by naming them like
server_host = ldap.example.com:1444
With OpenLDAP, a (list of) LDAP URLs can be used to specify both the hostname(s) and the port(s):
server_host = ldap://ldap.example.com:1444
ldap://ldap2.example.com:1444
All LDAP URLs accepted by the OpenLDAP library are supported, including connections over UNIX domain sockets, and LDAP SSL (the last one provided that OpenLDAP was compiled with support for SSL):
server_host = ldapi://%2Fsome%2Fpath
ldaps://ldap.example.com:636
server_port (default: 389)
The port the LDAP server listens on, e.g.
server_port = 778
timeout (default: 10 seconds)
The number of seconds a search can take before timing out, e.g. timeout = 5
search_base (No default; you must configure this)
The RFC2253 base DN at which to conduct the search, e.g.
search_base = dc=your, dc=com
With Postfix 2.2 and later this parameter supports the following '%' expansions:
%%
This is replaced by a literal '%' character.
%s
This is replaced by the input key. RFC 2253 quoting is used to make sure that the input key does not add unexpected metacharacters.
%u
When the input key is an address of the form user@domain, %u is replaced by the (RFC 2253) quoted local part of the address. Otherwise, %u is replaced by the entire search string. If the localpart is empty, the search is suppressed and returns no results.
%d
When the input key is an address of the form user@domain, %d is replaced by the (RFC 2253) quoted domain part of the address. Otherwise, the search is suppressed and returns no results.
%[SUD]
For the search_base parameter, the upper-case equivalents of the above expansions behave identically to their lower-case counter-parts. With the result_format parameter (previously called result_filter see the COMPATIBILITY section and below), they expand to the corresponding components of input key rather than the result value.
%[1-9]
The patterns %1, %2, ... %9 are replaced by the corresponding most significant component of the input key's domain. If the input key is user@mail.example.com, then %1 is com, %2 is example and %3 is mail. If the input key is unqualified or does not have enough domain components to satisfy all the specified patterns, the search is suppressed and returns no results.
query_filter (default: mailacceptinggeneralid=%s)
The RFC2254 filter used to search the directory, where %s is a substitute for the address Postfix is trying to resolve, e.g.
query_filter = (&(mail=%s)(paid_up=true))
This parameter supports the following '%' expansions:
%%
This is replaced by a literal '%' character. (Postfix 2.2 and later).
%s
This is replaced by the input key. RFC 2254 quoting is used to make sure that the input key does not add unexpected metacharacters.
%u
When the input key is an address of the form user@domain, %u is replaced by the (RFC 2254) quoted local part of the address. Otherwise, %u is replaced by the entire search string. If the localpart is empty, the search is suppressed and returns no results.
%d
When the input key is an address of the form user@domain, %d is replaced by the (RFC 2254) quoted domain part of the address. Otherwise, the search is suppressed and returns no results.
%[SUD]
The upper-case equivalents of the above expansions behave in the query_filter parameter identically to their lower-case counter-parts. With the result_format parameter (previously called result_filter see the COMPATIBILITY section and below), they expand to the corresponding components of input key rather than the result value.
The above %S, %U and %D expansions are available with Postfix 2.2 and later.
%[1-9]
The patterns %1, %2, ... %9 are replaced by the corresponding most significant component of the input key's domain. If the input key is user@mail.example.com, then %1 is com, %2 is example and %3 is mail. If the input key is unqualified or does not have enough domain components to satisfy all the specified patterns, the search is suppressed and returns no results.
The above %1, ..., %9 expansions are available with Postfix 2.2 and later.
The "domain" parameter described below limits the input keys to addresses in matching domains. When the "domain" parameter is non-empty, LDAP queries for unqualified addresses or addresses in non-matching domains are suppressed and return no results. NOTE: DO NOT put quotes around the query_filter parameter.
result_format (default: %s)
Called result_filter in Postfix releases prior to 2.2. Format template applied to result attributes. Most commonly used to append (or prepend) text to the result. This parameter supports the following '%' expansions:
%%
This is replaced by a literal '%' character. (Postfix 2.2 and later).
%s
This is replaced by the value of the result attribute. When result is empty it is skipped.
%u
When the result attribute value is an address of the form user@domain, %u is replaced by the local part of the address. When the result has an empty localpart it is skipped.
%d
When a result attribute value is an address of the form user@domain, %d is replaced by the domain part of the attribute value. When the result is unqualified it is skipped.
%[SUD1-9]
The upper-case and decimal digit expansions interpolate the parts of the input key rather than the result. Their behavior is identical to that described with query_filter, and in fact because the input key is known in advance, lookups whose key does not contain all the information specified in the result template are suppressed and return no results.
The above %S, %U, %D and %1, ..., %9 expansions are available with Postfix 2.2 and later.
For example, using "result_format = smtp:[%s]" allows one to use a mailHost attribute as the basis of a transport(5) table. After applying the result format, multiple values are concatenated as comma separated strings. The expansion_limit and size_limit parameters explained below allow one to restrict the number of values in the result, which is especially useful for maps that should return a single value. The default value %s specifies that each attribute value should be used as is. This parameter was called result_filter in Postfix releases prior to 2.2. If no "result_format" is specified, the value of "result_filter" will be used instead before resorting to the default value. This provides compatibility with old configuration files. NOTE: DO NOT put quotes around the result format!
domain (default: no domain list)
This is a list of domain names, paths to files, or dictionaries. When specified, only fully qualified search keys with a *non-empty* localpart and a matching domain are eligible for lookup: 'user' lookups, bare domain lookups and "@domain" lookups are not performed. This can significantly reduce the query load on the LDAP server.
domain = postfix.org, hash:/etc/postfix/searchdomains
It is best not to use LDAP to store the domains eligible for LDAP lookups. NOTE: DO NOT define this parameter for local(8) aliases. This feature is available in Postfix 1.0 and later.
result_attribute (default: maildrop)
The attribute(s) Postfix will read from any directory entries returned by the lookup, to be resolved to an email address.
result_attribute = mailbox, maildrop
special_result_attribute (default: empty)
The attribute(s) of directory entries that can contain DNs or URLs. If found, a recursive subsequent search is done using their values.
special_result_attribute = memberdn
DN recursion retrieves the same result_attributes as the main query, including the special attributes for further recursion. URI processing retrieves only those attributes that are included in the URI definition and are *also* listed in "result_attribute". If the URI lists any of the map's special result attributes, these are also retrieved and used recursively.
terminal_result_attribute (default: empty)
When one or more terminal result attributes are found in an LDAP entry, all other result attributes are ignored and only the terminal result attributes are returned. This is useful for delegating expansion of group members to a particular host, by using an optional "maildrop" attribute on selected groups to route the group to a specific host, where the group is expanded, possibly via mailing-list manager or other special processing.
terminal_result_attribute = maildrop
This feature is available with Postfix 2.4 or later.
leaf_result_attribute (default: empty)
When one or more special result attributes are found in a non-terminal (see above) LDAP entry, leaf result attributes are excluded from the expansion of that entry. This is useful when expanding groups and the desired mail address attribute(s) of the member objects obtained via DN or URI recursion are also present in the group object. To only return the attribute values from the leaf objects and not the containing group, add the attribute to the leaf_result_attribute list, and not the result_attribute list, which is always expanded. Note, the default value of "result_attribute" is not empty, you may want to set it explicitly empty when using "leaf_result_attribute" to expand the group to a list of member DN addresses. If groups have both member DN references AND attributes that hold multiple string valued rfc822 addresses, then the string attributes go in "result_attribute". The attributes that represent the email addresses of objects referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
result_attribute = memberaddr
special_result_attribute = memberdn
terminal_result_attribute = maildrop
leaf_result_attribute = mail
This feature is available with Postfix 2.4 or later.
scope (default: sub)
The LDAP search scope: sub, base, or one. These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.
bind (default: yes)
Whether or not to bind to the LDAP server. Newer LDAP implementations don't require clients to bind, which saves time. Example:
bind = no
If you do need to bind, you might consider configuring Postfix to connect to the local machine on a port that's an SSL tunnel to your LDAP server. If your LDAP server doesn't natively support SSL, put a tunnel (wrapper, proxy, whatever you want to call it) on that system too. This should prevent the password from traversing the network in the clear.
bind_dn (default: empty)
If you do have to bind, do it with this distinguished name. Example:
bind_dn = uid=postfix, dc=your, dc=com
bind_pw (default: empty)
The password for the distinguished name above. If you have to use this, you probably want to make the map configuration file readable only by the Postfix user. When using the obsolete ldap:ldapsource syntax, with map parameters in main.cf, it is not possible to securely store the bind password. This is because main.cf needs to be world readable to allow local accounts to submit mail via the sendmail command. Example:
bind_pw = postfixpw
cache (IGNORED with a warning)
cache_expiry (IGNORED with a warning)
cache_size (IGNORED with a warning)
The above parameters are NO LONGER SUPPORTED by Postfix. Cache support has been dropped from OpenLDAP as of release 2.1.13.
recursion_limit (default: 1000)
A limit on the nesting depth of DN and URL special result attribute evaluation. The limit must be a non-zero positive number.
expansion_limit (default: 0)
A limit on the total number of result elements returned (as a comma separated list) by a lookup against the map. A setting of zero disables the limit. Lookups fail with a temporary error if the limit is exceeded. Setting the limit to 1 ensures that lookups do not return multiple values.
size_limit (default: $expansion_limit)
A limit on the number of LDAP entries returned by any single LDAP search performed as part of the lookup. A setting of 0 disables the limit. Expansion of DN and URL references involves nested LDAP queries, each of which is separately subjected to this limit. Note: even a single LDAP entry can generate multiple lookup results, via multiple result attributes and/or multi-valued result attributes. This limit caps the per search resource utilization on the LDAP server, not the final multiplicity of the lookup result. It is analogous to the "-z" option of "ldapsearch".
dereference (default: 0)
When to dereference LDAP aliases. (Note that this has nothing do with Postfix aliases.) The permitted values are those legal for the OpenLDAP/UM LDAP implementations:
2
when locating the base object for the search
See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for more information. And if you're using an LDAP package that has other possible values, please bring it to the attention of the postfix-users@postfix.org mailing list.
chase_referrals (default: 0)
Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3 support).
version (default: 2)
Specifies the LDAP protocol version to use.
debuglevel (default: 0)
What level to set for debugging in the OpenLDAP libraries.