postmap -q "string" ldap:/etc/postfix/filename
postmap -q - ldap:/etc/postfix/filename <inputfile
alias_maps = ldap:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf has the same format as the Postfix main.cf file, and can specify the parameters described below. An example is given at the end of this manual. This configuration method is available with Postfix version 2.1 and later. See the section "BACKWARDS COMPATIBILITY" below for older Postfix versions. For details about LDAP SSL and STARTTLS, see the section on SSL and STARTTLS below.
query_filter = domain=*
result_attribute = domain
Do this instead:
query_filter = domain=%s
result_attribute = domain
server_host = ldap.example.com
Depending on the LDAP client library you're using, it should be possible to specify multiple servers here, with the library trying them in order should the first one fail. It should also be possible to give each server in the list a different port (overriding server_port below), by naming them like:
server_host = ldap.example.com:1444
With OpenLDAP, a (list of) LDAP URLs can be used to specify both the hostname(s) and the port(s):
server_host = ldap://ldap.example.com:1444 ldap://ldap2.example.com:1444
All LDAP URLs accepted by the OpenLDAP library are supported, including connections over UNIX domain sockets, and LDAP SSL (the last one provided that OpenLDAP was compiled with support for SSL):
server_host = ldapi://%2Fsome%2Fpath ldaps://ldap.example.com:636
server_port = 778
search_base = dc=your, dc=com
query_filter = (&(mail=%s)(paid_up=true))
This parameter supports the following '%' expansions:
domain = postfix.org, hash:/etc/postfix/searchdomains
It is best not to use LDAP to store the domains eligible for LDAP lookups. NOTE: DO NOT define this parameter for local(8) aliases. This feature is available in Postfix 1.0 and later.
result_attribute = mailbox, maildrop
special_result_attribute = memberdn
DN recursion retrieves the same result_attributes as the main query, including the special attributes for further recursion. URI processing retrieves only those attributes that are included in the URI definition and are *also* listed in "result_attribute". If the URI lists any of the map's special result attributes, these are also retrieved and used recursively.
terminal_result_attribute = maildrop
This feature is available with Postfix 2.4 or later.
result_attribute = memberaddr
special_result_attribute = memberdn
terminal_result_attribute = maildrop
leaf_result_attribute = mail
This feature is available with Postfix 2.4 or later.
bind = no
If you do need to bind, you might consider configuring Postfix to connect to the local machine on a port that's an SSL tunnel to your LDAP server. If your LDAP server doesn't natively support SSL, put a tunnel (wrapper, proxy, whatever you want to call it) on that system too. This should prevent the password from traversing the network in the clear.
bind_dn = uid=postfix, dc=your, dc=com
bind_pw = postfixpw
server_host = ldaps://ldap.example.com:636
STARTTLS can be turned on with the start_tls parameter:
start_tls = yes
Both forms require LDAP protocol version 3, which has to be set explicitly with:
version = 3
If any of the Postfix programs querying the map is configured in master.cf to run chrooted, all the certificates and keys involved have to be copied to the chroot jail. Of course, the private keys should only be readable by the user "postfix". The following parameters are relevant to LDAP SSL and STARTTLS:
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
and in ldap:/etc/postfix/ldap-aliases.cf you have:
server_host = ldap.example.com
search_base = dc=example, dc=com
Upon receiving mail for a local address "ldapuser" that isn't found in the /etc/aliases database, Postfix will search the LDAP server listening at port 389 on ldap.example.com. It will bind anonymously, search for any directory entries whose mailacceptinggeneralid attribute is "ldapuser", read the "maildrop" attributes of those found, and build a list of their maildrops, which will be treated as RFC822 addresses to which the message will be delivered.
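
As an added example (not part of the Postfix documentation or code), the following Python check reads an LDAP table definition and flags three mistakes this page warns about: a query_filter that ignores the lookup key, a bind password sent over an unencrypted connection, and LDAP SSL or STARTTLS without "version = 3". The function names, finding texts and sample files are constructed for illustration, and the check assumes that a map without "bind = no" binds to the server.

```python
import re

def parse_cf(text):
    """Parse main.cf-style text: 'name = value', '#' comments, indented continuations."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:        # continues the previous value
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit(text):
    """Return findings for one LDAP table definition (checks are this example's own)."""
    p, findings = parse_cf(text), []
    hosts = p.get("server_host", "").replace(",", " ").split()
    start_tls = p.get("start_tls", "").lower() == "yes"
    # A filter without any %-expansion never looks at the lookup key, so
    # "domain=*" answers every query. "%%" is a literal percent sign.
    qf = p.get("query_filter")
    if qf is not None and not re.search(r"%[^%]", qf.replace("%%", "")):
        findings.append("query_filter ignores the lookup key: " + qf)
    # A bind password must not cross the network unencrypted.
    plain = [h for h in hosts if not h.startswith(("ldaps://", "ldapi://"))]
    if "bind_pw" in p and p.get("bind", "").lower() != "no" and plain and not start_tls:
        findings.append("bind_pw sent in the clear to " + ", ".join(plain))
    # LDAP SSL and STARTTLS both need protocol version 3 set explicitly.
    if (start_tls or any(h.startswith("ldaps://") for h in hosts)) and p.get("version") != "3":
        findings.append("TLS in use but 'version = 3' is not set")
    return findings

# Constructed sample files, built from the fragments shown on this page.
WEAK = """server_host = ldap.example.com
search_base = dc=example, dc=com
query_filter = domain=*
bind_dn = uid=postfix, dc=your, dc=com
bind_pw = postfixpw
"""
FIXED = WEAK.replace("domain=*", "domain=%s").replace(
    "ldap.example.com", "ldaps://ldap.example.com:636") + "version = 3\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(cfg))
```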
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
mysql_table(5), MySQL lookup tables
pgsql_table(5), PostgreSQL lookup tables
DATABASE_README, Postfix lookup table overview
LDAP_README, Postfix LDAP client guide