My only concern is if there is, as an example, a recipient that has literally
2K email addresses with LDAP/AD, which associates with how much inbound
mail; won't that slow down delivery a good amount, and potentially create a
lot of overhead?

On Thu, Oct 26, 2023 at 7:42 PM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Thu, Oct 26, 2023 at 07:11:23PM -0400, Joey J via Postfix-users wrote:
>
> > To confirm, I'm creating the list of valid emails to accept and then
> > forward and if not in that list reject.
>
> No, my advice is to replace the "list" with live LDAP queries to AD,
> on demand during each SMTP transaction.  There is no "list".
>
> > My question would be, will postfix send off a process to query every so
> > often in order to build the multiple lists, or as each mail is about to
> > be delivered?
>
> Live LDAP queries, during the SMTP transaction.  The internal domain
> behind Postfix would then be listed in "relay_domains".  Your
> "relay_recipient_maps" must then be a non-empty setting, pointing at
> a mostly empty local table:
>
>     main.cf:
>         indexed = ${default_database_type}:${config_directory}/
>         relay_recipient_maps = ${indexed}nonad-rcpts
>
>     nonad-rcpts:
>         postmaster@acme.example     <whatever>
>         ...
>
> The virtual_alias_maps table is always also considered a valid source of
> recipient addresses across all address classes, but if you simply set
> "relay_recipient_maps" (the list of tables, not the table content)
> empty, then validation of relay recipients would IIRC be entirely disabled.
>
> In real production networks with AD that I used to support, I'd actually
> use "virtual_alias_domains" not "relay_domains", but this required:
>
> - The internal Active Directory domain be different from the public
>   mail domain.  For example:
>
>     - Public mail domain:   acme.example
>     - Internal AD domain:   exchange.acme.example
>
> - The users' proxy addresses include at least both:
>
>     - smtp:user@acme.example
>     - smtp:u...@exchange.acme.example
>
> - The users' "mail" attribute be set to their public address
>   for use in a "canonical_maps" table in outgoing mail.
>
> - The users' LDAP objects also have another (like "mail")
>   *single-valued* attribute, say "maildrop" or whatever name you choose,
>   that holds their internal mail address:
>
>     - maildrop: u...@exchange.acme.example
>
> You'd then use that attribute as the "result_attribute" for
> LDAP, instead of "mail".
>
> The LDAP driver also has non-trivial support for managing
> "mail groups", see the description in LDAP_README of
>
>     - special_result_attribute
>     - leaf_result_attribute
>     - terminal_result_attribute
>
> There's perhaps a bunch to learn here, the more advanced settings were
> used to support a largish corporate user base of ~80k users with
> multiple internal AD domains, and even some cloud-hosted users on the
> backend.
>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
>


-- 
Thanks!
Joey
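For reference, here is an added example (not from either poster) of the "virtual_alias_domains" layout Viktor describes: the public domain is a virtual alias domain, every recipient is validated by a live LDAP query against AD during the SMTP transaction, and the single-valued "maildrop" attribute is returned instead of "mail". The acme.example / exchange.acme.example names, the domain controller hostnames, the bind DN, the search base and the transport destination are all assumptions.

```conf
# main.cf (added example; acme.example and exchange.acme.example are placeholders)
indexed = ${default_database_type}:${config_directory}/

# The public domain is a virtual alias domain: an accepted recipient is
# rewritten to its internal AD address, and any address the tables do not
# return is rejected with "User unknown in virtual alias table".
virtual_alias_domains = acme.example
virtual_alias_maps =
    ${indexed}nonad-rcpts
    proxy:ldap:${config_directory}/ad-rcpts.cf
# "proxy:" makes all smtpd(8) processes perform the lookup through
# proxymap(8), which keeps a few persistent LDAP connections open instead
# of every smtpd(8) opening its own; this bounds the per-message overhead.

# Internal addresses are routed to the Exchange backend, not via public MX
transport_maps = ${indexed}transport

# nonad-rcpts (the few recipients that do not live in AD):
#     postmaster@acme.example     postmaster@exchange.acme.example
# transport:
#     exchange.acme.example       smtp:[mail.exchange.acme.example]


# ad-rcpts.cf, ldap_table(5) format (hosts, bind DN and base are assumptions)
server_host = ldap://dc1.exchange.acme.example ldap://dc2.exchange.acme.example
version = 3
bind = yes
bind_dn = CN=postfix-lookup,OU=Service Accounts,DC=exchange,DC=acme,DC=example
bind_pw = CHANGEME
search_base = DC=exchange,DC=acme,DC=example
scope = sub
# Only the public domain is ever looked up; other recipient domains never hit AD
domain = acme.example
# %s is the full recipient address. AD string attributes match
# case-insensitively, so the primary "SMTP:" proxy address matches as well.
query_filter = (&(objectClass=user)(proxyAddresses=smtp:%s))
# Single-valued internal address ("maildrop" in the thread), not "mail"
result_attribute = maildrop
```

Check a single address with `postmap -q user@acme.example ldap:/etc/postfix/ad-rcpts.cf` before enabling the table; group expansion via special_result_attribute, leaf_result_attribute and terminal_result_attribute is deliberately left out here.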