This will require further research. If case canonicalization is as complex as you describe then the "correct" result is likely to differ from what real people expect. That is a security hole.
That was the case in the nineties, but by now the case folding algorithms in unicode have won. They've been used to much that people have come to expect that they're right. There are problems, but lowercase() escapes all but ı/i.
But ı is nasty. I have even found two domains that differ only in ı/i, so Postfix cannot treat them as equal.
Composition (the other part of canonicalization) is worse matter. You're right, that might lead to security problems. It can lead to table lookup misses, and I'm sure that table misses can lead to several kinds of security problems. For example forgetting mandatory TLS.
The safest alternative is to fully compose table lookup keys. (Or fully decompose, but fully compose is usually faster.) I'll provide a patch to do the 2a alternative. It'll take a few days.
Arnt
