LDAP_TABLE(5)                                                    LDAP_TABLE(5)

NAME
       ldap_table - Postfix LDAP client configuration

SYNOPSIS
       postmap -q "string" ldap:/etc/postfix/filename

       postmap -q - ldap:/etc/postfix/filename <inputfile

DESCRIPTION
       The  Postfix  mail system uses optional tables for address rewriting or
       mail routing. These tables are usually in dbm or db format.

       Alternatively, lookup tables can be specified as LDAP databases.

       In order to use LDAP lookups, define an LDAP source as a  lookup  table
       in main.cf, for example:

           alias_maps = ldap:/etc/postfix/ldap-aliases.cf

       The  file /etc/postfix/ldap-aliases.cf has the same format as the Post-
       fix main.cf file, and can specify the parameters  described  below.  An
       example is given at the end of this manual.

       This  configuration  method  is  available with Postfix version 2.1 and
       later.  See the section "OBSOLETE MAIN.CF PARAMETERS" below  for  older
       Postfix versions.

       For  details  about  LDAP  SSL and STARTTLS, see the section on SSL and
       STARTTLS below.

LIST MEMBERSHIP
       When using LDAP to store lists  such  as  $mynetworks,  $mydestination,
       $relay_domains,  $local_recipient_maps, etc., it is important to under-
       stand that the table must store each list member as a separate key. The
       table  lookup  verifies  the *existence* of the key. See "Postfix lists
       versus tables" in the DATABASE_README document for a discussion.

       Do NOT create tables that return the full list of domains in  $mydesti-
       nation or $relay_domains etc., or IP addresses in $mynetworks.

       DO create tables with each matching item as a key and with an arbitrary
       value. With LDAP databases it is not uncommon to return the key itself.

       For example, NEVER do this in a map defining $mydestination:

           query_filter = domain=*
           result_attribute = domain

       Do this instead:

           query_filter = domain=%s
           result_attribute = domain

GENERAL LDAP PARAMETERS
       In  the  text  below,  default  values are given in parentheses.  Note:
       don't use quotes in these variables; at least, not  until  the  Postfix
       configuration routines understand how to deal with quoted strings.

       server_host (default: localhost)
              The name of the host running the LDAP server, e.g.

                  server_host = ldap.example.com

              Depending  on the LDAP client library you're using, it should be
              possible to specify multiple servers here, with the library try-
              ing  them  in order should the first one fail. It should also be
              possible to give each server in the list a different port (over-
              riding server_port below), by naming them like

                  server_host = ldap.example.com:1444

              With OpenLDAP, a (list of) LDAP URLs can be used to specify both
              the hostname(s) and the port(s):

                  server_host = ldap://ldap.example.com:1444
                              ldap://ldap2.example.com:1444

              All LDAP URLs accepted by the OpenLDAP  library  are  supported,
              including  connections  over  UNIX  domain sockets, and LDAP SSL
              (the last one provided that OpenLDAP was compiled  with  support
              for SSL):

                  server_host = ldapi://%2Fsome%2Fpath
                              ldaps://ldap.example.com:636

       server_port (default: 389)
              The port the LDAP server listens on, e.g.

                  server_port = 778

       timeout (default: 10 seconds)
              The  number of seconds a search can take before timing out, e.g.

                  timeout = 5

       search_base (No default; you must configure this)
              The RFC2253 base DN at which to conduct the search, e.g.

                  search_base = dc=your, dc=com

              With Postfix 2.2 and later this parameter supports the following
              '%' expansions:

              %%     This is replaced by a literal '%' character.

              %s     This  is  replaced by the input key.  RFC 2253 quoting is
                     used to make sure that the input key does not  add  unex-
                     pected metacharacters.

              %u     When the input key is an address of the form user@domain,
                     %u is replaced by the (RFC 2253) quoted local part of the
                     address.   Otherwise, %u is replaced by the entire search
                     string.  If the localpart is empty, the  search  is  sup-
                     pressed and returns no results.

              %d     When the input key is an address of the form user@domain,
                     %d is replaced by the (RFC 2253) quoted  domain  part  of
                     the  address.   Otherwise,  the  search is suppressed and
                     returns no results.

              %[SUD] For the search_base parameter, the upper-case equivalents
                     of  the  above  expansions  behave  identically  to their
                     lower-case counter-parts. With the result_format  parame-
                     ter  (previously called result_filter see the COMPATIBIL-
                     ITY section and below), they expand to the  corresponding
                     components of input key rather than the result value.

              %[1-9] The  patterns  %1,  %2, ... %9 are replaced by the corre-
                     sponding most significant component of  the  input  key's
                     domain.  If  the input key is user@mail.example.com, then
                     %1 is com, %2 is example and %3 is mail. If the input key
                     is  unqualified or does not have enough domain components
                     to satisfy all the specified patterns, the search is sup-
                     pressed and returns no results.

       query_filter (default: mailacceptinggeneralid=%s)
              The  RFC2254  filter used to search the directory, where %s is a
              substitute for the address Postfix is trying to resolve, e.g.

                  query_filter = (&(mail=%s)(paid_up=true))

              This parameter supports the following '%' expansions:

              %%     This is replaced by a literal '%' character. (Postfix 2.2
                     and later).

              %s     This  is  replaced by the input key.  RFC 2254 quoting is
                     used to make sure that the input key does not  add  unex-
                     pected metacharacters.

              %u     When the input key is an address of the form user@domain,
                     %u is replaced by the (RFC 2254) quoted local part of the
                     address.   Otherwise, %u is replaced by the entire search
                     string.  If the localpart is empty, the  search  is  sup-
                     pressed and returns no results.

              %d     When the input key is an address of the form user@domain,
                     %d is replaced by the (RFC 2254) quoted  domain  part  of
                     the  address.   Otherwise,  the  search is suppressed and
                     returns no results.

              %[SUD] The upper-case equivalents of the above expansions behave
                     in   the  query_filter  parameter  identically  to  their
                     lower-case counter-parts. With the result_format  parame-
                     ter  (previously called result_filter see the COMPATIBIL-
                     ITY section and below), they expand to the  corresponding
                     components of input key rather than the result value.

                     The  above  %S,  %U  and %D expansions are available with
                     Postfix 2.2 and later.

              %[1-9] The patterns %1, %2, ... %9 are replaced  by  the  corre-
                     sponding  most  significant  component of the input key's
                     domain. If the input key is  user@mail.example.com,  then
                     %1 is com, %2 is example and %3 is mail. If the input key
                     is unqualified or does not have enough domain  components
                     to satisfy all the specified patterns, the search is sup-
                     pressed and returns no results.

                     The above %1, ..., %9 expansions are available with Post-
                     fix 2.2 and later.

              The  "domain" parameter described below limits the input keys to
              addresses in matching domains. When the  "domain"  parameter  is
              non-empty,  LDAP  queries for unqualified addresses or addresses
              in non-matching domains are suppressed and return no results.

              NOTE: DO NOT put quotes around the query_filter parameter.

       result_format (default: %s)
              Called result_filter in Postfix releases prior to  2.2.   Format
              template  applied  to  result  attributes. Most commonly used to
              append (or prepend) text to the result. This parameter  supports
              the following '%' expansions:

              %%     This is replaced by a literal '%' character. (Postfix 2.2
                     and later).

              %s     This is replaced by the value of  the  result  attribute.
                     When result is empty it is skipped.

              %u     When the result attribute value is an address of the form
                     user@domain, %u is replaced by  the  local  part  of  the
                     address.  When  the  result  has an empty localpart it is
                     skipped.

              %d     When a result attribute value is an address of  the  form
                     user@domain,  %d  is  replaced  by the domain part of the
                     attribute value. When the result  is  unqualified  it  is
                     skipped.

              %[SUD1-9]
                     The  upper-case  and decimal digit expansions interpolate
                     the parts of the input key rather than the result.  Their
                     behavior  is  identical to that described with query_fil-
                     ter, and in fact  because  the  input  key  is  known  in
                     advance,  lookups  whose  key  does  not  contain all the
                     information specified in the  result  template  are  sup-
                     pressed and return no results.

                     The  above  %S,  %U,  %D  and  %1, ..., %9 expansions are
                     available with Postfix 2.2 and later.

              For example, using "result_format = smtp:[%s]" allows one to use
              a mailHost attribute as the basis of a transport(5) table. After
              applying the result format, multiple values are concatenated  as
              comma  separated  strings.  The  expansion_limit  and size_limit
              parameters explained below allow one to restrict the  number  of
              values  in  the result, which is especially useful for maps that
              should return a single value.

              The default value %s specifies that each attribute value  should
              be used as is.

              This  parameter  was  called  result_filter  in Postfix releases
              prior to 2.2. If no "result_format" is specified, the  value  of
              "result_filter"  will  be  used  instead before resorting to the
              default value. This provides compatibility with  old  configura-
              tion files.

              NOTE: DO NOT put quotes around the result format!

       domain (default: no domain list)
              This is a list of domain names, paths to files, or dictionaries.
              When  specified,  only  fully  qualified  search  keys  with   a
              *non-empty*  localpart  and  a  matching domain are eligible for
              lookup:  'user'  lookups,  bare  domain  lookups  and  "@domain"
              lookups  are  not  performed.  This can significantly reduce the
              query load on the LDAP server.

                  domain = postfix.org, hash:/etc/postfix/searchdomains

              It is best not to use LDAP to store  the  domains  eligible  for
              LDAP lookups.

              NOTE: DO NOT define this parameter for local(8) aliases.

              This feature is available in Postfix 1.0 and later.

       result_attribute (default: maildrop)
              The  attribute(s)  Postfix  will read from any directory entries
              returned by the lookup, to be resolved to an email address.

                  result_attribute = mailbox, maildrop

              Don't  rely  on  the  default  value   ("maildrop").   Set   the
              result_attribute  explicitly  in  all  ldap  table configuration
              files. This is particularly relevant when no result_attribute is
              applicable,  e.g.  cases  in  which leaf_result_attribute and/or
              terminal_result_attribute are used instead. The default value is
              harmless  if  "maildrop"  is  also  listed as a leaf or terminal
              result attribute, but it is best to not leave this to chance.

       special_result_attribute (default: empty)
              The attribute(s) of directory entries that can  contain  DNs  or
              RFC 2255 LDAP URLs. If found, a recursive search is performed to
              retrieve the entry referenced by the DN, or the entries  matched
              by the URL query.

                  special_result_attribute = memberdn

              DN  recursion  retrieves  the same result_attributes as the main
              query, including the special attributes for further recursion.

              URL processing retrieves only those attributes that are included
              in  both  the URL definition and as result attributes (ordinary,
              special, leaf or terminal) in the Postfix table definition.   If
              the  URL  lists  any  of  the table's special result attributes,
              these are retrieved and used recursively. A URL  that  does  not
              specify  any  attribute selection, is equivalent (RFC 2255) to a
              URL that selects all attributes,  in  which  case  the  selected
              attributes  will  be  the  full  set of result attributes in the
              Postfix table.

              If an LDAP URL attribute-descriptor or the corresponding Postfix
              LDAP  table  result  attribute  (but  not  both)  uses  RFC 2255
              sub-type options ("attr;option"), the attribute  requested  from
              the  LDAP  server will include the sub-type option. In all other
              cases, the URL attribute and  the  table  attribute  must  match
              exactly. Attributes with options in both the URL and the Postfix
              table are requested only when the options  are  identical.  LDAP
              attribute-descriptor  options  are  very  rarely used, most LDAP
              users will not need to concern themselves  with  this  level  of
              nuanced detail.

       terminal_result_attribute (default: empty)
              When one or more terminal result attributes are found in an LDAP
              entry, all other result attributes are ignored and only the ter-
              minal  result  attributes are returned. This is useful for dele-
              gating expansion of group members to a particular host, by using
              an optional "maildrop" attribute on selected groups to route the
              group to a specific host, where the group is expanded,  possibly
              via mailing-list manager or other special processing.

                  result_attribute =
                  terminal_result_attribute = maildrop

              When   using   terminal   and/or  leaf  result  attributes,  the
              result_attribute is best set to an empty value when  it  is  not
              used, or else explicitly set to the desired value, even if it is
              the default value "maildrop".

              This feature is available with Postfix 2.4 or later.

       leaf_result_attribute (default: empty)
              When one or more  special  result  attributes  are  found  in  a
              non-terminal  (see above) LDAP entry, leaf result attributes are
              excluded from the expansion of that entry. This is  useful  when
              expanding  groups  and  the desired mail address attribute(s) of
              the member objects obtained via DN or  URI  recursion  are  also
              present in the group object. To only return the attribute values
              from the leaf objects and not  the  containing  group,  add  the
              attribute   to  the  leaf_result_attribute  list,  and  not  the
              result_attribute list,  which  is  always  expanded.  Note,  the
              default  value  of "result_attribute" is not empty, you may want
              to set it explicitly empty when using "leaf_result_attribute" to
              expand  the  group  to  a list of member DN addresses. If groups
              have both member DN references AND attributes that hold multiple
              string valued rfc822 addresses, then the string attributes go in
              "result_attribute".  The attributes  that  represent  the  email
              addresses  of  objects  referenced  via a DN (or LDAP URI) go in
              "leaf_result_attribute".

                  result_attribute = memberaddr
                  special_result_attribute = memberdn
                  terminal_result_attribute = maildrop
                  leaf_result_attribute = mail

              When  using  terminal  and/or  leaf   result   attributes,   the
              result_attribute  is  best  set to an empty value when it is not
              used, or else explicitly set to the desired value, even if it is
              the default value "maildrop".

              This feature is available with Postfix 2.4 or later.

       scope (default: sub)
              The  LDAP search scope: sub, base, or one.  These translate into
              LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.

       bind (default: yes)
              Whether or how to bind to the LDAP server. Newer LDAP  implemen-
              tations  don't  require clients to bind, which saves time. Exam-
              ple:

                  # Don't bind
                  bind = no
                  # Use SIMPLE bind
                  bind = yes
                  # Use SASL bind
                  bind = sasl

              Postfix versions prior to 2.8 only support  "bind  =  no"  which
              means don't bind, and "bind = yes" which means do a SIMPLE bind.
              Postfix 2.8 and later also supports "bind = SASL" when  compiled
              with LDAP SASL support as described in LDAP_README, it also adds
              the synonyms "bind = none" and "bind = simple" for "bind  =  no"
              and  "bind  =  yes" respectively. See the SASL section below for
              additional parameters available with "bind = sasl".

              If you do need to bind, you might consider  configuring  Postfix
              to  connect  to the local machine on a port that's an SSL tunnel
              to your LDAP server. If your LDAP server doesn't  natively  sup-
              port  SSL,  put  a  tunnel (wrapper, proxy, whatever you want to
              call it) on that system too. This should  prevent  the  password
              from traversing the network in the clear.

       bind_dn (default: empty)
              If  you  do  have  to  bind, do it with this distinguished name.
              Example:

                  bind_dn = uid=postfix, dc=your, dc=com
              With "bind = sasl" (see above) the DN may be optional  for  some
              SASL mechanisms, don't specify a DN if not needed.

       bind_pw (default: empty)
              The  password  for  the distinguished name above. If you have to
              use this, you probably want to make the map  configuration  file
              readable  only  by  the  Postfix  user.  When using the obsolete
              ldap:ldapsource syntax, with map parameters in  main.cf,  it  is
              not  possible  to  securely  store  the  bind  password. This is
              because main.cf needs  to  be  world  readable  to  allow  local
              accounts to submit mail via the sendmail command. Example:

                  bind_pw = postfixpw
              With  "bind = sasl" (see above) the password may be optional for
              some SASL mechanisms, don't specify a password if not needed.

       cache (IGNORED with a warning)

       cache_expiry (IGNORED with a warning)

       cache_size (IGNORED with a warning)
              The above parameters are NO LONGER SUPPORTED by Postfix.   Cache
              support has been dropped from OpenLDAP as of release 2.1.13.

       recursion_limit (default: 1000)
              A  limit  on  the  nesting  depth  of  DN and URL special result
              attribute evaluation. The limit must be a non-zero positive num-
              ber.

       expansion_limit (default: 0)
              A  limit  on  the total number of result elements returned (as a
              comma separated list) by a lookup against the map.  A setting of
              zero  disables the limit. Lookups fail with a temporary error if
              the limit is exceeded.  Setting the  limit  to  1  ensures  that
              lookups do not return multiple values.

       size_limit (default: $expansion_limit)
              A  limit  on  the  number of LDAP entries returned by any single
              LDAP search performed as part of the lookup. A setting of 0 dis-
              ables  the  limit.   Expansion of DN and URL references involves
              nested LDAP queries, each of which is  separately  subjected  to
              this limit.

              Note:  even  a  single  LDAP  entry can generate multiple lookup
              results, via  multiple  result  attributes  and/or  multi-valued
              result  attributes. This limit caps the per search resource uti-
              lization on the LDAP server, not the final multiplicity  of  the
              lookup   result.   It   is  analogous  to  the  "-z"  option  of
              "ldapsearch".

       dereference (default: 0)
              When to dereference LDAP aliases. (Note that this has nothing do
              with  Postfix aliases.) The permitted values are those legal for
              the OpenLDAP/UM LDAP implementations:

              0      never

              1      when searching

              2      when locating the base object for the search

              3      always

              See ldap.h or the ldap_open(3) or ldapsearch(1)  man  pages  for
              more  information.  And if you're using an LDAP package that has
              other possible values, please bring it to the attention  of  the
              postfix-users@postfix.org mailing list.

       chase_referrals (default: 0)
              Sets  (or  clears)  LDAP_OPT_REFERRALS  (requires LDAP version 3
              support).

       version (default: 2)
              Specifies the LDAP protocol version to use.

       debuglevel (default: 0)
              What level to set for debugging in the OpenLDAP libraries.

LDAP SASL PARAMETERS
       If you're using the OpenLDAP  libraries  compiled  with  SASL  support,
       Postfix  2.8  and  later  built  with LDAP SASL support as described in
       LDAP_README can authenticate to LDAP servers via SASL.

       This enables authentication to the LDAP  server  via  mechanisms  other
       than  a  simple  password.  The  added flexibility has a cost: it is no
       longer practical to set an explicit timeout on the duration of an  LDAP
       bind  operation.  Under  adverse  conditions, whether a SASL bind times
       out, or if it does, the duration of the timeout is  determined  by  the
       LDAP and SASL libraries.

       It  is best to use tables that use SASL binds via proxymap(8), this way
       the requesting process can time-out the  proxymap  request.  This  also
       lets  you  tailer the process environment by overriding the proxymap(8)
       import_environment setting in master.cf(5).  Special  environment  set-
       tings may be needed to configure GSSAPI credential caches or other SASL
       mechanism specific  options.  The  GSSAPI  credentials  used  for  LDAP
       lookups  may  need  to be different than say those used for the Postfix
       SMTP client to authenticate to remote servers.

       Using SASL mechanisms requires LDAP protocol  version  3,  the  default
       protocol  version  is 2 for backwards compatibility. You must set "ver-
       sion = 3" in addition to "bind = sasl".

       The following parameters are relevant to using LDAP with SASL

       sasl_mechs (default: empty)
              Space separated list of SASL mechanism(s) to try.

       sasl_realm (default: empty)
              SASL Realm to use, if applicable.

       sasl_authz_id (default: empty)
              The SASL authorization identity to assert, if applicable.

       sasl_minssf (default: 0)
              The minimum required sasl security factor required to  establish
              a connection.

LDAP SSL AND STARTTLS PARAMETERS
       If you're using the OpenLDAP libraries compiled with SSL support, Post-
       fix can connect to LDAP SSL servers and can issue the STARTTLS command.

       LDAP  SSL  service  can  be  requested  by  using a LDAP SSL URL in the
       server_host parameter:

           server_host = ldaps://ldap.example.com:636

       STARTTLS can be turned on with the start_tls parameter:

           start_tls = yes

       Both forms require LDAP protocol version 3, which has to be set explic-
       itly with:

           version = 3

       If  any  of the Postfix programs querying the map is configured in mas-
       ter.cf to run chrooted, all the certificates and keys involved have  to
       be  copied  to the chroot jail. Of course, the private keys should only
       be readable by the user "postfix".

       The following parameters are relevant to LDAP SSL and STARTTLS:

       start_tls (default: no)
              Whether or not to issue STARTTLS upon connection to the  server.
              Don't set this with LDAP SSL (the SSL session is setup automati-
              cally when the TCP connection is opened).

       tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
              Directory containing X509 Certification  Authority  certificates
              in  PEM  format  which  are  to  be  recognized by the client in
              SSL/TLS connections. The files each contain one CA  certificate.
              The files are looked up by the CA subject name hash value, which
              must hence be available. If more than one  CA  certificate  with
              the  same name hash value exist, the extension must be different
              (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search  is  performed  in
              the  ordering of the extension number, regardless of other prop-
              erties of the certificates. Use the c_rehash utility  (from  the
              OpenSSL distribution) to create the necessary links.

       tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
              File containing the X509 Certification Authority certificates in
              PEM format which are to be recognized by the client  in  SSL/TLS
              connections. This setting takes precedence over tls_ca_cert_dir.

       tls_cert (No default; you must set this)
              File containing client's X509 certificate  to  be  used  by  the
              client in SSL/ TLS connections.

       tls_key (No default; you must set this)
              File  containing  the  private  key  corresponding  to the above
              tls_cert.

       tls_require_cert (default: no)
              Whether or not to request server's X509  certificate  and  check
              its  validity  when  establishing SSL/TLS connections.  The sup-
              ported values are no and yes.

              With no, the server certificate trust chain is not checked,  but
              with  OpenLDAP  prior to 2.1.13, the name in the server certifi-
              cate must still match the LDAP server name. With OpenLDAP  2.0.0
              to 2.0.11 the server name is not necessarily what you specified,
              rather it is determined (by reverse lookup) from the IP  address
              of  the  LDAP  server connection. With OpenLDAP prior to 2.0.13,
              subjectAlternativeName extensions in the LDAP server certificate
              are  ignored: the server name must match the subject CommonName.
              The no setting corresponds to the never value of TLS_REQCERT  in
              LDAP client configuration files.

              Don't  use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
              if you can avoid it.

              With yes, the server certificate must be issued by a trusted CA,
              and  not  be expired. The LDAP server name must match one of the
              name(s) found in the certificate (see above for OpenLDAP library
              version  dependent behavior). The yes setting corresponds to the
              demand value of TLS_REQCERT in LDAP client configuration  files.

              The  "try" and "allow" values of TLS_REQCERT have no equivalents
              here. They are not available with OpenLDAP 2.0, and in any  case
              have questionable security properties. Either you want TLS veri-
              fied LDAP connections, or you don't.

              The yes value only works correctly with Postfix 2.5  and  later,
              or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
              releases don't work together with this setting. Support for LDAP
              over TLS was added to Postfix based on the OpenLDAP 2.0 API.

       tls_random_file (No default)
              Path of a file to obtain random bits from when /dev/[u]random is
              not available, to be used by the client in SSL/TLS  connections.

       tls_cipher_suite (No default)
              Cipher suite to use in SSL/TLS negotiations.

EXAMPLE
       Here's  a  basic  example  for  using LDAP to look up local(8) aliases.
       Assume that in main.cf, you have:

           alias_maps = hash:/etc/aliases,
                   ldap:/etc/postfix/ldap-aliases.cf

       and in ldap:/etc/postfix/ldap-aliases.cf you have:

           server_host = ldap.example.com
           search_base = dc=example, dc=com

       Upon receiving mail for a local address "ldapuser" that isn't found  in
       the  /etc/aliases database, Postfix will search the LDAP server listen-
       ing at port 389 on ldap.example.com.  It will bind anonymously,  search
       for  any  directory  entries  whose mailacceptinggeneralid attribute is
       "ldapuser", read the "maildrop" attributes of those found, and build  a
       list  of  their maildrops, which will be treated as RFC822 addresses to
       which the message will be delivered.

OBSOLETE MAIN.CF PARAMETERS
       For backwards compatibility with Postfix version 2.0 and earlier,  LDAP
       parameters  can  also  be defined in main.cf.  Specify as LDAP source a
       name that doesn't begin with a slash or a  dot.   The  LDAP  parameters
       will then be accessible as the name you've given the source in its def-
       inition, an underscore, and the name of the parameter.  For example, if
       the  map is specified as "ldap:ldapsource", the "server_host" parameter
       below would be defined in main.cf as "ldapsource_server_host".

       Note: with this form, the passwords for the LDAP sources are written in
       main.cf,  which is normally world-readable.  Support for this form will
       be removed in a future Postfix version.

OTHER OBSOLETE FEATURES
       For backwards compatibility with the pre 2.2 LDAP clients,  result_fil-
       ter  can  for  now  be  used  instead of result_format, when the latter
       parameter is not also set.  The new name better reflects  the  function
       of  the  parameter.  This  compatibility  interface may be removed in a
       future release.

SEE ALSO
       postmap(1), Postfix lookup table manager
       postconf(5), configuration parameters
       mysql_table(5), MySQL lookup tables
       pgsql_table(5), PostgreSQL lookup tables

README FILES
       DATABASE_README, Postfix lookup table overview
       LDAP_README, Postfix LDAP client guide

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Carsten  Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM-
       ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat  K  Singh,
       Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.

                                                                 LDAP_TABLE(5)