On Thu, Oct 26, 2023 at 07:11:23PM -0400, Joey J via Postfix-users wrote:

> To confirm, I'm creating the list of valid emails to accept and then
> forward and if not in that list reject.

No, my advice is to replace the "list" with live LDAP queries to AD, on
demand during each SMTP transaction. There is no "list".

> My question would be, will postfix send off a process to query every so
> often in order to build the multiple lists, or as each mail is about to be
> delivered?

Live LDAP queries, during the SMTP transaction.

The internal domain behind Postfix would then be listed in "relay_domains".
Your "relay_recipient_maps" must then be a non-empty setting, pointing at a
mostly empty local table:

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        relay_recipient_maps = ${indexed}nonad-rcpts

    nonad-rcpts:
        postmaster@acme.example <whatever>
        ...

The virtual_alias_maps table is always also considered a valid source of
recipient addresses across all address classes, but if you simply set
"relay_recipient_maps" (the list of tables, not the table content) empty,
then validation of relay recipients would IIRC be entirely disabled.

In real production networks with AD that I used to support, I'd actually use
"virtual_alias_domains" not "relay_domains", but this required:

- The internal Active Directory domain be different from the public mail
  domain. For example:
  - Public mail domain: acme.example
  - Internal AD domain: exchange.acme.example

- The users' proxy addresses include at least both:
  - smtp:user@acme.example
  - smtp:u...@exchange.acme.example

- The users' "mail" attribute be set to their public address for use in a
  "canonical_maps" table in outgoing mail.

- The users' LDAP objects also have another (like "mail") *single-valued*
  attribute, say "maildrop" or whatever name you choose, that holds their
  internal mail address:
  - maildrop: u...@exchange.acme.example

You'd then use that attribute as the "result_attribute" for LDAP, instead of
"mail".

The LDAP driver also has non-trivial support for managing "mail groups", see
the description in LDAP_README of

- special_result_attribute
- leaf_result_attribute
- terminal_result_attribute

There's perhaps a bunch to learn here, the more advanced settings were used to
support a largish corporate user base of ~80k users with multiple internal AD
domains, and even some cloud-hosted users on the backend.

-- 
Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
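As an added illustration of the "virtual_alias_domains" layout described in the message above (this is not configuration from the message or from the Postfix project; the file names, the domain controller host dc1.exchange.acme.example, the service-account DN and the "maildrop" attribute name are assumptions), all three lookups are answered live from AD during the SMTP transaction, and nothing is built in advance:

```ini
# --- /etc/postfix/main.cf (excerpt) ---
virtual_alias_domains = acme.example
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
relay_domains = exchange.acme.example
transport_maps = hash:/etc/postfix/transport
# Must stay non-empty so unknown internal recipients are still rejected;
# here the relay domain is also validated live against AD.
relay_recipient_maps = ldap:/etc/postfix/ldap-relay-rcpts.cf
# Outbound: rewrite internal sender addresses to their public "mail" value.
canonical_maps = ldap:/etc/postfix/ldap-canonical.cf

# --- /etc/postfix/ldap-aliases.cf ---
# Public address in, internal single-valued "maildrop" (assumed name) out.
server_host = ldap://dc1.exchange.acme.example
search_base = DC=exchange,DC=acme,DC=example
version = 3
bind = yes
bind_dn = CN=postfix-svc,OU=Service Accounts,DC=exchange,DC=acme,DC=example
bind_pw = PLACEHOLDER_PASSWORD
# Only addresses in the public domain trigger an LDAP round-trip.
domain = acme.example
query_filter = (&(objectClass=user)(proxyAddresses=smtp:%s))
result_attribute = maildrop

# --- /etc/postfix/ldap-relay-rcpts.cf ---
# An internal address is valid only if some user object holds it as maildrop.
server_host = ldap://dc1.exchange.acme.example
search_base = DC=exchange,DC=acme,DC=example
version = 3
bind = yes
bind_dn = CN=postfix-svc,OU=Service Accounts,DC=exchange,DC=acme,DC=example
bind_pw = PLACEHOLDER_PASSWORD
domain = exchange.acme.example
query_filter = (&(objectClass=user)(maildrop=%s))
result_attribute = maildrop

# --- /etc/postfix/ldap-canonical.cf ---
# Outbound: internal maildrop address in, public "mail" address out.
server_host = ldap://dc1.exchange.acme.example
search_base = DC=exchange,DC=acme,DC=example
version = 3
bind = yes
bind_dn = CN=postfix-svc,OU=Service Accounts,DC=exchange,DC=acme,DC=example
bind_pw = PLACEHOLDER_PASSWORD
domain = exchange.acme.example
query_filter = (&(objectClass=user)(maildrop=%s))
result_attribute = mail
```

Because each file carries bind_pw, keep them readable only by root and the postfix group, and check every table with `postmap -q user@acme.example ldap:/etc/postfix/ldap-aliases.cf` before enabling it in main.cf.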