[pfx] Re: relay_recipient_maps and aliases

[Viktor Dukhovni via Postfix-users]

On Thu, Mar 27, 2025 at 02:42:30PM -0400, BuzzSaw Code via Postfix-users wrote:

> I'm using relay_recipient_maps on the SMTP host with an LDAP lookup as
> well as transport_maps to tell it to route that email to the internal
> IMAP server.  That all works wonderfully.

I *STRONGLY* recommend avoiding use of LDAP in transport_maps, if the
LDAP service is unreachable or slow the queue manager is unable to
process any mail, including already queued mail, and even when healthy
the lookup latency may still be too high, and can negatively impact
queue manager performance.

It is far better to limit all LDAP lookups to virtual, canonical,
and similar lookups performed only on input.

Use LDAP to rewrite the envelope recipient to a small number of
mailstore domains, that are handled by an essentially static transport
table:

    virtual (LDAP-based):
        user1@external.example   user1@mailstore1.internal.example
        user2@external.example   user2@mailstore2.internal.example
        ...

    transport (indexed file):
        mailstore1.internal.example   relay:[mailstore1.internal.example]
        mailstore2.internal.example   relay:[moved2.internal.example]

Making sure to also configure those mailstore systems to recognise and
deliver the rewritten addresses, so you don't have to rewrite them back
to external form via smtp_generic_maps on output.

> And example is we have a 'mail' attribute in LDAP that says:
> 
> mail: fred.flintst...@domain1.foo.com


Your LDAP schema can/should have additional attributes on account
objects that lists the alternative addresses of a user, *including*
the primary "mail" address, that is used on the RHS of any canonical
map, but not used as the lookup address when routing mail.

    mail: fred.flintst...@domain1.foo.com
    mailAlternateAddress: fred.flintst...@domain1.foo.com
    mailAlternateAddress: dr.fred.flintst...@domain1.foo.com
    mailAlternateAddress: dr.fred.flintst...@domain2.bar.com
    mailAlternateAddress: fred.flintst...@domain2.bar.com
    mailAlternateAddress: f...@domain1.foo.com
    mailAlternateAddress: f...@domain1.foo.com
    maildrop: f...@mailstore1.foo.com

The virtual mapping is then some suitable elaboration of:

        query = mailAlternateAddress = %s
        result_attribute = maildrop

Various "elaborations" are covered in:

    https://www.postfix.org/LDAP_README.html

while the table syntax is in:

    https://www.postfix.org/ldap_table.5.html

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org