           postmap -q "string" ldap:/etc/postfix/filename
           postmap -q - ldap:/etc/postfix/filename <inputfile


           The Postfix mail system uses optional tables for address rewriting or
           mail routing. These tables are usually in dbm or db format.
           Alternatively, lookup tables can be specified as LDAP databases.
           In order to use LDAP lookups, define an LDAP source as a lookup table
           in the main Postfix configuration file, for example:
               alias_maps = ldap:/etc/postfix/
           The file /etc/postfix/ has the same format as the main Postfix
           configuration file, and can specify the parameters described below.
           An example is given at the end of this manual.
           This configuration method is available with Postfix version 2.1 and
           later. See the section "BACKWARDS COMPATIBILITY" below for older
           Postfix versions.
           For details about LDAP SSL and STARTTLS, see the section on SSL and
           STARTTLS below.


           For backwards compatibility with Postfix version 2.0 and earlier, LDAP
           parameters can also be defined in the main Postfix configuration file.
           Specify as LDAP source a name that doesn't begin with a slash or a dot.
           The LDAP parameters will then be accessible as the name you've given
           the source in its definition, an underscore, and the name of the
           parameter. For example, if the map is specified as "ldap:ldapsource",
           the "server_host" parameter below would be defined in the main
           configuration file as "ldapsource_server_host".
           Note: with this form, the passwords for the LDAP sources are written in
           the main configuration file, which is normally world-readable. Support
           for this form will be removed in a future Postfix version.
           Postfix 2.2 has enhanced query interfaces for MySQL and PostgreSQL.
           These include features that were previously available only in the
           Postfix LDAP client. This work also created an opportunity for
           improvements in the LDAP interface. The primary compatibility issue is
           that result_filter (a name that has caused some confusion as to its
           meaning in the past) has been renamed to result_format. For backwards
           compatibility with the pre 2.2 LDAP client, result_filter can for now
           be used instead of result_format, when the latter parameter is not
           also set. The new name better reflects the function of the parameter.
           This compatibility interface may be removed in a future release.


           Do not use a search filter that ignores the input key: "domain=*"
           matches every entry that has a domain attribute, so the lookup
           succeeds for any key whatsoever. Don't do this:
               query_filter = domain=*
               result_attribute = domain
           Do this instead:
               query_filter = domain=%s
               result_attribute = domain


           In  the  text  below,  default  values are given in parentheses.  Note:
           don't use quotes in these variables; at least, not  until  the  Postfix
           configuration routines understand how to deal with quoted strings.
           server_host (default: localhost)
                  The name of the host running the LDAP server, e.g.
                      server_host =
                  Depending on the LDAP client library you're using, it should be
                  possible to specify multiple servers here, with the library
                  trying them in order should the first one fail. It should also
                  be possible to give each server in the list a different port
                  (overriding server_port below), by naming them like
                      server_host =
                  With OpenLDAP, a (list of) LDAP URLs can be used to specify both
                  the hostname(s) and the port(s):
                      server_host = ldap://
                  All LDAP URLs accepted by the OpenLDAP  library  are  supported,
                  including  connections  over  UNIX  domain sockets, and LDAP SSL
                  (the last one provided that OpenLDAP was compiled  with  support
                  for SSL):
                      server_host = ldapi://%2Fsome%2Fpath
           server_port (default: 389)
                  The port the LDAP server listens on, e.g.
                      server_port = 778
           timeout (default: 10 seconds)
                  The  number of seconds a search can take before timing out, e.g.
                      timeout = 5
           search_base (No default; you must configure this)
                  The RFC2253 base DN at which to conduct the search, e.g.
                         address. Otherwise, %u is replaced by the entire search
                         string. If the localpart is empty, the search is
                         suppressed and returns no results.
                  %d     When the input key is an address of the form user@domain,
                         %d is replaced by the (RFC 2253) quoted domain part of
                         the address. Otherwise, the search is suppressed and
                         returns no results.
                  %[SUD] For the search_base parameter, the upper-case equivalents
                         of the above expansions behave identically to their
                         lower-case counterparts. With the result_format
                         parameter (previously called result_filter; see the
                         COMPATIBILITY section and below), they expand to the
                         corresponding components of the input key rather than
                         the result value.
                  %[1-9] The patterns %1, %2, ... %9 are replaced by the
                         corresponding most significant component of the input
                         key's domain. If the input key is, then
                         %1 is com, %2 is example and %3 is mail. If the input key
                         is unqualified or does not have enough domain components
                         to satisfy all the specified patterns, the search is
                         suppressed and returns no results.
           query_filter (default: mailacceptinggeneralid=%s)
                  The RFC2254 filter used to search the directory, where %s is a
                  substitute for the address Postfix is trying to resolve, e.g.
                      query_filter = (&(mail=%s)(paid_up=true))
                  This parameter supports the following '%' expansions:
                  %%     This is replaced by a literal '%' character. (Postfix 2.2
                         and later).
                  %s     This is replaced by the input key. RFC 2254 quoting is
                         used to make sure that the input key does not add
                         unexpected metacharacters.
                  %u     When the input key is an address of the form user@domain,
                         %u is replaced by the (RFC 2254) quoted local part of the
                         address. Otherwise, %u is replaced by the entire search
                         string. If the localpart is empty, the search is
                         suppressed and returns no results.
                  %d     When the input key is an address of the form user@domain,
                         %d is replaced by the (RFC 2254) quoted domain part of
                         the address. Otherwise, the search is suppressed and
                         returns no results.
                  %[SUD] The upper-case equivalents of the above expansions behave
                         in the query_filter parameter identically to their lower-
                         pressed and returns no results.
                         The above %1, ..., %9 expansions are available with Post-
                         fix 2.2 and later.
                  The  "domain" parameter described below limits the input keys to
                  addresses in matching domains. When the  "domain"  parameter  is
                  non-empty,  LDAP  queries for unqualified addresses or addresses
                  in non-matching domains are suppressed and return no results.
                  NOTE: DO NOT put quotes around the query_filter parameter.
           result_format (default: %s)
                  Called result_filter in Postfix releases prior to 2.2. Format
                  template applied to result attributes. Most commonly used to
                  append (or prepend) text to the result. This parameter supports
                  the following '%' expansions:
                  %%     This is replaced by a literal '%' character. (Postfix 2.2
                         and later).
                  %s     This is replaced by the value of the result attribute.
                         When the result is empty it is skipped.
                  %u     When the result attribute value is an address of the form
                         user@domain, %u is replaced by the local part of the
                         address. When the result has an empty localpart it is
                  %d     When a result attribute value is an address of the form
                         user@domain, %d is replaced by the domain part of the
                         attribute value. When the result is unqualified it is
                         The upper-case and decimal digit expansions interpolate
                         the parts of the input key rather than the result. Their
                         behavior is identical to that described with
                         query_filter, and in fact because the input key is known
                         in advance, lookups whose key does not contain all the
                         information specified in the result template are
                         suppressed and return no results.
                         The above %S, %U, %D and %1, ..., %9 expansions are
                         available with Postfix 2.2 and later.
                  For example, using "result_format = smtp:[%s]" allows one to use
                  a mailHost attribute as the basis of a transport(5) table. After
                  applying the result format, multiple values are concatenated  as
                  comma  separated  strings.  The  expansion_limit  and size_limit
                  parameters explained below allow one to restrict the  number  of
                  values  in  the result, which is especially useful for maps that
                  This is a list of domain names, paths to files, or dictionaries.
                  When specified, only fully qualified search keys  with  a  *non-
                  empty*  localpart and a matching domain are eligible for lookup:
                  'user' lookups, bare domain lookups and  "@domain"  lookups  are
                  not  performed.  This can significantly reduce the query load on
                  the LDAP server.
                      domain =, hash:/etc/postfix/searchdomains
                  It is best not to use LDAP to store  the  domains  eligible  for
                  LDAP lookups.
                  NOTE: DO NOT define this parameter for local(8) aliases.
                  This feature is available in Postfix 1.0 and later.
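           The '%' expansions of query_filter and result_format and the
           suppression rules of the "domain" parameter described above,
           modelled in Python as an added example for this page. It is not
           Postfix code (Postfix implements this in C); function names are
           mine, all keys, templates and attribute values are constructed, and
           two details the manual does not spell out are assumptions marked in
           the comments: a key with an empty domain ("user@") is treated as
           unqualified, and %u on an unqualified result yields the whole value.
           The first test case shows why the RFC 2254 quoting matters: an
           input key of "*)(objectClass=*" would otherwise rewrite the filter.

```python
"""Model of the '%' expansions in Postfix ldap_table(5) query_filter,
result_format and the 'domain' parameter. Added example, not Postfix code."""
import re

# RFC 2254 escapes for the metacharacters of an LDAP search filter. Quoting
# the input key with these is what keeps a key from rewriting the filter.
_RFC2254_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def rfc2254_escape(value: str) -> str:
    """Quote a value for safe interpolation into an LDAP filter."""
    return "".join(_RFC2254_ESCAPES.get(ch, ch) for ch in value)

def split_address(key: str):
    """(localpart, domain) for 'user@domain'; None for an unqualified key.
    Assumption: a key with an empty domain ('user@') counts as unqualified."""
    local, sep, domain = key.rpartition("@")
    return (local, domain) if sep and domain else None

_PERCENT = re.compile(r"%(.)")

class _Suppressed(Exception):
    """Raised when an expansion needs a component the key/value lacks."""

def _key_component(code: str, key: str, quote: bool) -> str:
    """%s/%u/%d/%1..%9 taken from the input key. %S/%U/%D are the same
    components (identical in query_filter; in result_format they reach the
    input key instead of the result)."""
    q = rfc2254_escape if quote else (lambda s: s)
    addr = split_address(key)
    if code in "sS":
        return q(key)
    if code in "uU":
        if addr is None:                 # unqualified key: %u is the whole key
            return q(key)
        if addr[0] == "":                # '@domain': empty localpart suppresses
            raise _Suppressed(code)
        return q(addr[0])
    if code in "dD":
        if addr is None:
            raise _Suppressed(code)
        return q(addr[1])
    if code in "123456789":
        if addr is None:
            raise _Suppressed(code)
        labels = addr[1].split(".")[::-1]    # %1 is the most significant label
        if int(code) > len(labels):
            raise _Suppressed(code)
        return q(labels[int(code) - 1])
    raise ValueError(f"unknown expansion %{code}")

def _expand(template: str, handler):
    """Replace %X sequences via handler; None when the lookup is suppressed."""
    def repl(m):
        code = m.group(1)
        return "%" if code == "%" else handler(code)
    try:
        return _PERCENT.sub(repl, template)
    except _Suppressed:
        return None

def expand_query_filter(template: str, key: str, domain_list=()):
    """LDAP filter for this key, or None when the lookup is suppressed.
    domain_list models the 'domain' parameter: when non-empty, only
    user@domain keys with a non-empty localpart and a listed domain are
    looked up at all."""
    if domain_list:
        addr = split_address(key)
        allowed = {d.lower() for d in domain_list}
        if addr is None or addr[0] == "" or addr[1].lower() not in allowed:
            return None
    return _expand(template, lambda code: _key_component(code, key, quote=True))

def expand_result_format(template: str, key: str, value: str):
    """Apply result_format to one result value; None when the value is
    skipped or the input key lacks what %S/%U/%D/%1..%9 need."""
    res = split_address(value)
    def handler(code):
        if code == "s":
            if value == "":
                raise _Suppressed(code)          # empty result is skipped
            return value
        if code == "u":
            if res is None:
                return value                     # assumption: unqualified -> whole value
            if res[0] == "":
                raise _Suppressed(code)
            return res[0]
        if code == "d":
            if res is None:
                raise _Suppressed(code)          # unqualified result is skipped
            return res[1]
        return _key_component(code, key, quote=False)   # %S %U %D %1..%9: input key
    return _expand(template, handler)

def format_results(template: str, key: str, values):
    """Format each value and join the survivors with commas, as Postfix
    concatenates multi-valued results; None when nothing survives."""
    out = [r for r in (expand_result_format(template, key, v) for v in values) if r is not None]
    return ",".join(out) if out else None
```

           Run expand_query_filter against your own query_filter with a
           hostile key before deploying a map; the escaped output is what the
           directory actually receives, and a lookup that returns None is the
           suppression the manual describes, not an error.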
           result_attribute (default: maildrop)
                  The  attribute(s)  Postfix  will read from any directory entries
                  returned by the lookup, to be resolved to an email address.
                      result_attribute = mailbox, maildrop
           special_result_attribute (default: empty)
                  The attribute(s) of directory entries that can  contain  DNs  or
                  URLs.  If  found,  a  recursive  subsequent search is done using
                  their values.
                      special_result_attribute = memberdn
                  DN recursion retrieves the same result_attributes  as  the  main
                  query,  including  the special attributes for further recursion.
                  URI processing retrieves only those attributes that are included
                  in the URI definition and are *also* listed in
                  "result_attribute". If the URI lists any of the map's special
                  result attributes, these are also retrieved and used recursively.
           terminal_result_attribute (default: empty)
                  When one or more terminal result attributes are found in an LDAP
                  entry, all other result attributes are ignored and only the
                  terminal result attributes are returned. This is useful for
                  delegating expansion of group members to a particular host, by
                  using an optional "maildrop" attribute on selected groups to
                  route the group to a specific host, where the group is expanded,
                  possibly via mailing-list manager or other special processing.
                      terminal_result_attribute = maildrop
                  This feature is available with Postfix 2.4 or later.
           leaf_result_attribute (default: empty)
                  When one or more special result attributes are found in  a  non-
                  addresses  of  objects  referenced  via a DN (or LDAP URI) go in
                      result_attribute = memberaddr
                      special_result_attribute = memberdn
                      terminal_result_attribute = maildrop
                      leaf_result_attribute = mail
                  This feature is available with Postfix 2.4 or later.
           scope (default: sub)
                  The LDAP search scope: sub, base, or one.  These translate  into
           bind (default: yes)
                  Whether or not to bind to the LDAP server. Newer LDAP
                  implementations don't require clients to bind, which saves
                  time. Example:
                      bind = no
                  If  you  do need to bind, you might consider configuring Postfix
                  to connect to the local machine on a port that's an  SSL  tunnel
                  to  your  LDAP server. If your LDAP server doesn't natively sup-
                  port SSL, put a tunnel (wrapper, proxy,  whatever  you  want  to
                  call  it)  on  that system too. This should prevent the password
                  from traversing the network in the clear.
           bind_dn (default: empty)
                  If you do have to bind, do  it  with  this  distinguished  name.
                      bind_dn = uid=postfix, dc=your, dc=com
           bind_pw (default: empty)
                  The password for the distinguished name above. If you have to
                  use this, you probably want to make the map configuration file
                  readable only by the Postfix user. When using the obsolete
                  ldap:ldapsource syntax, with map parameters in the main Postfix
                  configuration file, it is not possible to securely store the
                  bind password. This is because that file needs to be world
                  readable to allow local accounts to submit mail via the
                  sendmail command. Example:
                      bind_pw = postfixpw
           cache (IGNORED with a warning)
           cache_expiry (IGNORED with a warning)
           cache_size (IGNORED with a warning)
                  The  above parameters are NO LONGER SUPPORTED by Postfix.  Cache
                  support has been dropped from OpenLDAP as of release 2.1.13.
                  A limit on the number of LDAP entries returned by any single
                  LDAP search performed as part of the lookup. A setting of 0
                  disables the limit. Expansion of DN and URL references involves
                  nested LDAP queries, each of which is separately subjected to
                  this limit.
                  Note: even a single LDAP entry can generate multiple lookup
                  results, via multiple result attributes and/or multi-valued
                  result attributes. This limit caps the per search resource
                  utilization on the LDAP server, not the final multiplicity of
                  the lookup result. It is analogous to the "-z" option of
           dereference (default: 0)
                  When to dereference LDAP aliases. (Note that this has nothing to
                  do with Postfix aliases.) The permitted values are those legal
                  for the OpenLDAP/UM LDAP implementations:
                  0      never
                  1      when searching
                  2      when locating the base object for the search
                  3      always
                  See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for
                  more information. And if you're using an LDAP package that has
                  other possible values, please bring it to the attention of the
                  mailing list.
           chase_referrals (default: 0)
                  Sets (or clears) LDAP_OPT_REFERRALS  (requires  LDAP  version  3
           version (default: 2)
                  Specifies the LDAP protocol version to use.
           debuglevel (default: 0)
                  What level to set for debugging in the OpenLDAP libraries.


           If you're using the OpenLDAP libraries compiled with SSL support,
           Postfix can connect to LDAP SSL servers and can issue the STARTTLS
           command. LDAP SSL service can be requested by using a LDAP SSL URL in
           the server_host parameter:
               server_host = ldaps://
           STARTTLS can be turned on with the start_tls parameter:
           start_tls (default: no)
                  Whether or not to issue STARTTLS upon connection to the server.
                  Don't set this with LDAP SSL (the SSL session is setup
                  automatically when the TCP connection is opened).
           tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
                  Directory containing X509 Certificate Authority certificates in
                  PEM format which are to be recognized by the client in SSL/TLS
                  connections. The files each contain one CA certificate. The
                  files are looked up by the CA subject name hash value, which
                  must hence be available. If more than one CA certificate with
                  the same name hash value exist, the extension must be different
                  (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in
                  the ordering of the extension number, regardless of other
                  properties of the certificates. Use the c_rehash utility (from
                  the OpenSSL distribution) to create the necessary links.
           tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
                  File  containing  the X509 Certificate Authority certificates in
                  PEM format which are to be recognized by the client  in  SSL/TLS
                  connections. This setting takes precedence over tls_ca_cert_dir.
           tls_cert (No default; you must set this)
                  File containing client's X509 certificate to be used by the
                  client in SSL/TLS connections.
           tls_key (No default; you must set this)
                  File  containing  the  private  key  corresponding  to the above
           tls_require_cert (default: no)
                  Whether or not to request server's X509 certificate and check
                  its validity when establishing SSL/TLS connections. The
                  supported values are no and yes.
                  With no, the server certificate trust chain is not checked, but
                  with OpenLDAP prior to 2.1.13, the name in the server
                  certificate must still match the LDAP server name. With OpenLDAP
                  2.0.0 to 2.0.11 the server name is not necessarily what you
                  specified, rather it is determined (by reverse lookup) from the
                  IP address of the LDAP server connection. With OpenLDAP prior to
                  2.0.13, subjectAlternativeName extensions in the LDAP server
                  certificate are ignored: the server name must match the subject
                  CommonName. The no setting corresponds to the never value of
                  TLS_REQCERT in LDAP client configuration files.
                  Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
                  if you can avoid it.
                  With yes, the server certificate must be issued by a trusted CA,
                  and  not  be expired. The LDAP server name must match one of the
                  name(s) found in the certificate (see above for OpenLDAP library
                  Path of a file to obtain random bits from when /dev/[u]random is
                  not available, to be used by the client in SSL/TLS  connections.
           tls_cipher_suite (No default)
                  Cipher suite to use in SSL/TLS negotiations.
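           A small audit of a map file against the cautions in this manual
           (bind_pw in a world-readable file, a bind password sent in the
           clear, start_tls combined with an ldaps:// URL, tls_require_cert
           left at "no", quoted parameter values, a query_filter that ignores
           the input key, and parameters Postfix ignores), with a weak and a
           hardened configuration side by side. This is an added example for
           this page, not Postfix code; the hostnames, paths and check names
           are constructed, and the permission rule (flag only "other" read
           access, on the assumption that the group is the Postfix group) is
           mine.

```python
"""Static checks for a Postfix ldap_table(5) map file. Added example, not
Postfix code; sample configurations below are constructed."""
import os
import stat

def parse_map_file(text: str) -> dict:
    """Parse 'name = value' lines (the format Postfix config files use).
    A line starting with whitespace continues the previous value; '#' comments."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last = name.strip()
        params[last] = value.strip()
    return params

def audit_ldap_table(text: str, mode: int) -> list:
    """Return [(check_id, message), ...]; 'mode' is the file's permission bits."""
    p = parse_map_file(text)
    findings = []
    hosts = p.get("server_host", "localhost").replace(",", " ").split()
    ldaps = any(h.startswith("ldaps://") for h in hosts)
    start_tls = p.get("start_tls", "no").lower() == "yes"
    # ldapi:// is a UNIX-domain socket, so the password never crosses a network.
    all_protected = start_tls or all(h.startswith(("ldaps://", "ldapi://")) for h in hosts)
    binds = p.get("bind", "yes").lower() != "no"

    if "bind_pw" in p and mode & stat.S_IROTH:
        findings.append(("bind_pw_world_readable",
                         "bind_pw is set but the file is world-readable; restrict it to the Postfix user"))
    if binds and "bind_pw" in p and not all_protected:
        findings.append(("bind_pw_cleartext",
                         "bind password crosses the network in the clear: use ldaps://, start_tls = yes or a local TLS tunnel"))
    if ldaps and start_tls:
        findings.append(("start_tls_with_ldaps",
                         "start_tls = yes with an ldaps:// URL: the SSL session is already set up on connect"))
    if (ldaps or start_tls) and p.get("tls_require_cert", "no").lower() != "yes":
        findings.append(("server_cert_unverified",
                         "tls_require_cert is not 'yes': the server certificate trust chain is not checked"))
    if "%" not in p.get("query_filter", "mailacceptinggeneralid=%s"):
        findings.append(("query_filter_ignores_key",
                         "query_filter has no %-expansion, so it matches the same entries for every key"))
    for name, value in p.items():
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            findings.append(("quoted_value", f"{name}: do not put quotes around parameter values"))
    for name in ("cache", "cache_expiry", "cache_size"):
        if name in p:
            findings.append(("ignored_parameter", f"{name} is no longer supported and is ignored"))
    if "result_filter" in p and "result_format" not in p:
        findings.append(("result_filter_deprecated", "result_filter was renamed to result_format in Postfix 2.2"))
    return findings

def audit_file(path: str) -> list:
    """Audit a map file on disk using its real permission bits."""
    with open(path) as fh:
        text = fh.read()
    return audit_ldap_table(text, stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample: plaintext LDAP, password in a 0644 file, quoted value,
# and a filter that does not depend on the key (compare the domain=* warning).
WEAK_CONFIG = """\
server_host = ldap://ldap.example.com
search_base = dc=example, dc=com
bind = yes
bind_dn = uid=postfix, dc=example, dc=com
bind_pw = "postfixpw"
query_filter = domain=*
result_attribute = domain
"""

# Constructed sample: the same lookup over LDAP SSL with the server certificate
# verified against a CA file; the file is expected to be mode 0640 or stricter.
HARDENED_CONFIG = """\
server_host = ldaps://ldap.example.com
search_base = dc=example, dc=com
bind = yes
bind_dn = uid=postfix, dc=example, dc=com
bind_pw = postfixpw
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca.pem
query_filter = (domain=%s)
result_attribute = domain
"""

if __name__ == "__main__":
    for label, cfg, mode in (("weak", WEAK_CONFIG, 0o644), ("hardened", HARDENED_CONFIG, 0o640)):
        print(label, [f[0] for f in audit_ldap_table(cfg, mode)] or "no findings")
```

           audit_file(path) is the form to run on a real map; the checks are
           deliberately conservative and only restate what this manual says,
           so a clean result means the documented pitfalls are absent, not
           that the directory itself is correctly secured.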


           Here's a basic example for using LDAP to look up local(8) aliases.
           Assume that in the main Postfix configuration file, you have:
               alias_maps = hash:/etc/aliases,
           and in ldap:/etc/postfix/ you have:
               server_host =
               search_base = dc=example, dc=com
           Upon receiving mail for a local address "ldapuser" that isn't found in
           the /etc/aliases database, Postfix will search the LDAP server
           listening at port 389 on the configured server_host. It will bind
           anonymously, search for any directory entries whose
           mailacceptinggeneralid attribute is "ldapuser", read the "maildrop"
           attributes of those found, and build a list of their maildrops, which
           will be treated as RFC822 addresses to which the message will be
           delivered.


           postmap(1), Postfix lookup table manager
           postconf(5), configuration parameters
           mysql_table(5), MySQL lookup tables
           pgsql_table(5), PostgreSQL lookup tables


           Use "postconf readme_directory" or "postconf html_directory" to  locate
           this information.
           DATABASE_README, Postfix lookup table overview
           LDAP_README, Postfix LDAP client guide


           The Secure Mailer license must be distributed with this software.


           Carsten  Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM-
           ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat  K  Singh,
           Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.

