Thank you!
The only thing that's a little odd is that the embedded-space construct:
static:{reject 5.1.1 user unknown} doesn't seem to work in this context. I
get:
... postfix/smtpd[31453]: generic_checks: name={reject
... postfix/smtpd[31453]: warning: unknown smtpd restriction: "{reject"
Changing this to static:reject works well enough for my purposes here, so
that's excellent. Thanks again.
On Thu, 4 Jun 2020 at 14:36, Wietse Venema <[email protected]> wrote:
> Jonathan Engbrecht:
> > I route mail for a number of relay_domains - recipient addresses are
> > validated using verify via address_verify_transport
> >
> > For *one* of these domains, I'd like to validate addresses using an ldap
> > map configured with relay_recipient_maps rather than smtp lookahead.
> >
> > I have the ldap connection working based on postmap -q ..., but I'm not
> > sure how to configure to make some domains work using the lookahead, and
> > one to work using relay_recipient_maps.
>
> This should be easier, but 1) relay_recipient_maps is global, so you
> have to leave that 'empty' and use check_recipient_access instead
> (*); and 2) restriction_classes is needed for a nested table lookup.
>
> Untested example!
>
> restriction_classes = verify_with_lookup
> verify_with_lookup =
> check_recipient_access ldap:/some/file static:{reject 5.1.1 user
> unknown}
> # Where the LDAP returns 'permit' or 'ok' for a user that exists.
>
> smtpd_recipient_restrictions =
> ...
> reject_unauth_destination
> ...
> # Needs to go last, because verify_with_lookup returns permit or
> reject.
> check_recipient_access pcre:/etc/postfix/rcpt_access
>
> /etc/postfix/rcpt_access:
> /@example\.com$/ verify_with_lookup
> /./ reject_unverified_recipient
>
> More at http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> (*) relay_recipient_maps can be changed to be not global,
> but doing that would complicate other things.
>
> Wietse
>
