On Thu, Oct 26, 2023 at 07:11:23PM -0400, Joey J via Postfix-users wrote:

> To confirm, I'm creating the list of valid emails to accept and then
> forward and if not in that list reject.

No, my advice is to replace the "list" with live LDAP queries to AD,
on demand during each SMTP transaction.  There is no "list".

> My question would be, will postfix send off a process to query every so
> often in order to build the multiple lists, or as each mail is about to be
> delivered?

Live LDAP queries, during the SMTP transaction.  The internal domain
behind Postfix would then be listed in "relay_domains".  Your
"relay_recipient_maps" must then be a non-empty setting, pointing at
a mostly empty local table:

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        relay_recipient_maps = ${indexed}nonad-rcpts

    nonad-rcpts:
        postmaster@acme.example     <whatever>
        ...

The virtual_alias_maps table is always also considered a valid source of
recipient addresses across all address classes, but if you simply set
"relay_recipient_maps" (the list of tables, not the table content)
empty, then validation of relay recipients would IIRC be entirely disabled.

In real production networks with AD that I used to support, I'd actually
use "virtual_alias_domains" not "relay_domains", but this required:

- The internal Active Directory domain be different from the public
  mail domain.  For example:

    - Public mail domain:   acme.example
    - Internal AD domain:   exchange.acme.example

- The users' proxy addresses include at least both:

    - smtp:user@acme.example
    - smtp:u...@exchange.acme.example

- The users' "mail" attribute be set to their public address
  for use as a "canonical_maps" table in outgoing mail.

- The users' LDAP objects also have another (like "mail")
  *single-valued* attribute, say "maildrop" or whatever name you choose,
  that holds their internal mail address:

    - maildrop: u...@exchange.acme.example

You'd then use that attribute as the "result_attribute" for
LDAP, instead of "mail".

The LDAP driver also has non-trivial support for managing
"mail groups", see the description in LDAP_README of

    - special_result_attribute
    - leaf_result_attribute
    - terminal_result_attribute

There's perhaps a bunch to learn here, the more advanced settings were
used to support a largish corporate user base of ~80k users with
multiple internal AD domains, and even some cloud-hosted users on the
backend.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
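The following puts the "virtual_alias_domains" variant described in the reply above into concrete Postfix configuration. It is an added example, not configuration from the thread or from the Postfix distribution; the domain controller host name, bind DN, search base, file paths and the single-valued "maildrop" attribute are assumptions that must be adapted to your directory.

```ini
# main.cf (added example; assumed layout)
indexed = ${default_database_type}:${config_directory}/

# Public domain is a virtual alias domain; recipients are validated by
# a live LDAP lookup, so there is no precomputed recipient list.
virtual_alias_domains = acme.example
virtual_alias_maps = ldap:${config_directory}/ad-aliases.cf

# Internal AD domain is relayed; relay_recipient_maps must be non-empty
# or relay recipient validation is disabled entirely.
relay_domains = exchange.acme.example
relay_recipient_maps = ${indexed}nonad-rcpts
transport_maps = ${indexed}transport

# Rewrite internal addresses to the public form using the "mail" attribute.
canonical_maps = ldap:${config_directory}/ad-canonical.cf

# ad-aliases.cf (added example; host, bind DN and base are assumptions)
# Resolves user@acme.example -> u...@exchange.acme.example
server_host = ldap://dc1.exchange.acme.example
version = 3
bind = yes
bind_dn = CN=postfix-lookup,OU=Service Accounts,DC=exchange,DC=acme,DC=example
bind_pw = <PLACEHOLDER: read-only service account password>
search_base = DC=exchange,DC=acme,DC=example
scope = sub
# Match the full address against the multi-valued proxyAddresses attribute.
query_filter = (&(objectClass=user)(proxyAddresses=smtp:%s))
# Return the assumed single-valued internal address, not "mail".
result_attribute = maildrop
# Mail groups: each DN in "member" is looked up in turn and its "maildrop"
# returned; see LDAP_README for leaf_result_attribute and
# terminal_result_attribute to fine-tune that recursion.
special_result_attribute = member

# ad-canonical.cf (added example)
# Rewrites u...@exchange.acme.example -> user@acme.example on outgoing mail
server_host = ldap://dc1.exchange.acme.example
version = 3
bind = yes
bind_dn = CN=postfix-lookup,OU=Service Accounts,DC=exchange,DC=acme,DC=example
bind_pw = <PLACEHOLDER: read-only service account password>
search_base = DC=exchange,DC=acme,DC=example
scope = sub
query_filter = (&(objectClass=user)(proxyAddresses=smtp:%s))
result_attribute = mail
```

Check each table with "postmap -q user@acme.example ldap:/etc/postfix/ad-aliases.cf" before turning it on; an unknown recipient must return nothing so it is rejected at SMTP time rather than relayed.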