Can anyone advise ?

Do we require any cert on postfix ? or just use ldaps://<ldaphost>:636 ?

kimba_yun@hotmail.com wrote:
> Can anyone advise ?
>
> Do we require any cert on postfix ? or just use ldaps://<ldaphost>:636 ?


Most Postfix distributions don't even come with LDAP support. The way to
verify is to run the command "postconf -m", and see if the word "ldap" is listed.

Another way is to examine your smtpd program to see if it was linked with libssl and libldap.
On my system that command is: ldd /usr/libexec/postfix/smtpd

If ldap isn't there, then you need to compile the Postfix source code with OpenLDAP and OpenSSL
package support. Once this is done, encrypted LDAP uses a common dummy cert provided by the OpenSSL package.

If you want to use TLS for encrypted communications between SMTP servers, then support for it generally
needs to be compiled in too. For TLS, the Postfix configs need to know where your cert files are located. You
can use a dummy cert, but if you also require authentication, then you need a real cert.

All this can be very complicated. A good reference on how to do it is available from
www.amazon.com books:
"The Book of Postfix", by Hildebrandt and Koetter, ISBN 1-59327-001-1

--
Greg

Hi

there is already a SunOne LDAP directory server with SSL enabled. The
question is how does postfix able to authenticate ? Is configuration of
ldaps://<ldaphost:636> will do ?

kimba_yun@hotmail.com wrote:
> Hi
>
> there is already a SunOne LDAP directory server with SSL enabled. The
> question is how does postfix able to authenticate ? Is configuration of
> ldaps://<ldaphost:636> will do ?

SSL is encryption, not authentication. Yes, "ldaps" in the URL will try to
force an SSL connection, providing that your version of Postfix has been compiled with
LDAP & SSL support. You do not need to manually specify port 636, since that it the default SSL port.

If you need to authenticate (bind) to the LDAP server, refer to:

http://www.postfix.org/LDAP_README.html

--
Greg