My only concern is if there is, as an example, a recipient that has literally 2K email addresses with LDAP/AD, which associates with how much inbound mail: won't that slow down delivery a good amount, and potentially create a lot of overhead?
On Thu, Oct 26, 2023 at 7:42 PM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:
> On Thu, Oct 26, 2023 at 07:11:23PM -0400, Joey J via Postfix-users wrote:
>
> > To confirm, I'm creating the list of valid emails to accept and then
> > forward and if not in that list reject.
>
> No, my advice is to replace the "list" with live LDAP queries to AD,
> on demand during each SMTP transaction. There is no "list".
>
> > My question would be, will postfix send off a process to query every so
> > often in order to build the multiple lists, or as each mail is about to be
> > delivered?
>
> Live LDAP queries, during the SMTP transaction. The internal domain
> behind Postfix would then be listed in "relay_domains". Your
> "relay_recipient_maps" must then be a non-empty setting, pointing at
> a mostly empty local table:
>
> main.cf:
>     indexed = ${default_database_type}:${config_directory}/
>     relay_recipient_maps = ${indexed}nonad-rcpts
>
> nonad-rcpts:
>     postmaster@acme.example <whatever>
>     ...
>
> The virtual_alias_maps table is always also considered a valid source of
> recipient addresses across all address classes, but if you simply set
> "relay_recipient_maps" (the list of tables, not the table content)
> empty, then validation of relay recipients would IIRC be entirely disabled.
>
> In real production networks with AD that I used to support, I'd actually
> use "virtual_alias_domains" not "relay_domains", but this required:
>
> - The internal Active Directory domain be different from the public
>   mail domain. For example:
>
>     - Public mail domain: acme.example
>     - Internal AD domain: exchange.acme.example
>
> - The users' proxy addresses include at least both:
>
>     - smtp:user@acme.example
>     - smtp:u...@exchange.acme.example
>
> - The users' "mail" attribute be set to their public address
>   for use as a "canonical_maps" table in outgoing mail.
>
> - The user's LDAP objects also have another (like "mail")
>   *single-valued* attribute, say "maildrop" or whatever name you choose,
>   that holds their internal mail address:
>
>     - maildrop: u...@exchange.acme.example
>
> You'd then use that attribute as the "result_attribute" for
> LDAP, instead of "mail".
>
> The LDAP driver also has non-trivial support for managing
> "mail groups", see the description in LDAP_README of
>
> - special_result_attribute
> - leaf_result_attribute
> - terminal_result_attribute
>
> There's perhaps a bunch to learn here, the more advanced settings were
> used to support a largish corporate user base of ~80k users with
> multiple internal AD domains, and even some cloud-hosted users on the
> backend.
>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org

--
Thanks!
Joey
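An added example (not from the thread, and not Postfix's own documentation) of what the "virtual_alias_domains" variant Viktor describes could look like on disk. It assumes acme.example as the public domain, exchange.acme.example as the internal AD domain, a single-valued "maildrop" attribute as he suggests, and placeholder values for the LDAP server, bind account and backend host.

```ini
# --- /etc/postfix/main.cf (excerpt) ---
# Assumed names: acme.example is the public domain, exchange.acme.example the
# internal AD domain, EXCHANGE-INTERNAL-HOST a placeholder for the backend.
indexed = ${default_database_type}:${config_directory}/

# The public domain is an alias domain; recipients in it are validated by the
# LDAP virtual_alias_maps lookup below, live during the SMTP transaction.
virtual_alias_domains = acme.example
virtual_alias_maps = ldap:${config_directory}/ldap-aliases.cf

# The internal AD domain is relayed to the backend. relay_recipient_maps must
# stay non-empty (a mostly empty local table); an empty setting disables
# relay recipient validation entirely.
relay_domains = exchange.acme.example
relay_recipient_maps = ${indexed}nonad-rcpts
transport_maps = ${indexed}transport

# Reject unknown recipients at RCPT TO, before anything is queued.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient

# --- /etc/postfix/ldap-aliases.cf ---
# Placeholder LDAP server and bind account. "domain" limits lookups to
# acme.example, so other recipients cost no LDAP round trip at all.
server_host = ldaps://ad-dc.internal.placeholder
version = 3
bind = yes
bind_dn = cn=postfix-lookup,ou=Service Accounts,dc=exchange,dc=acme,dc=example
bind_pw = REPLACE_WITH_SECRET
search_base = dc=exchange,dc=acme,dc=example
scope = sub
domain = acme.example
# Match the recipient against the user's proxy addresses (AD matches this
# attribute case-insensitively); Postfix escapes %s before building the filter.
query_filter = (&(objectClass=user)(proxyAddresses=smtp:%s))
# Return the single-valued internal address (attribute name is assumed).
result_attribute = maildrop

# --- /etc/postfix/nonad-rcpts (run "postmap" after editing; value is ignored) ---
postmaster@exchange.acme.example  placeholder

# --- /etc/postfix/transport (run "postmap" after editing) ---
exchange.acme.example  smtp:[EXCHANGE-INTERNAL-HOST]
```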