Martin Kellermann put forth on 12/1/2010 9:19 AM:
> we need to set up postfix as an incoming relay which forwards
> messages via transport to a protected exchange 2007 server.
> to do this without getting backscatter, we need to check the
> recipients for validity on exchange server side in AD/LDAP.
>
> this howto from 2003 describes pretty well what I want to achieve:
> http://postfix.state-of-mind.de/patrick.koetter/mailrelay/
>
> so, is it still (seven years later) "The right thing™ to do"?
> will it work properly with exchange 2007/2010?
> since the usage of "script-generated map-files" will never show
> a real-time picture of the valid exchange-recipients to postfix,
> isn't it nicer to do "online LDAP requests" from postfix?
> maybe this is possible with an LDAP-SASL plugin...?
If you have very few users, say 1-100, and your organization doesn't have frequent personnel changes, I recommend using relay_recipient_maps and manually editing the table when needed. If more than that, for many reasons, I recommend using recipient address verification instead of LDAP lookups, assuming you have decent spam filtering techniques on your Postfix gateway, which is a requirement in today's world anyway.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

The main reasons I recommend this over LDAP are:

1. These probes are typically faster than LDAP queries.
2. Recipient verification caches probe results, reducing query load and increasing performance. AFAIK LDAP results aren't cached.
3. _VASTLY_ simpler configuration compared to LDAP.
4. Doesn't require LDAP support to be compiled into your Postfix package.
5. You get a _realtime_ answer regarding SMTP mailbox availability. An LDAP response may differ from an Exchange SMTP response due to a number of reasons, such as AD synchronization, etc. This is probably rare, but it can happen.

--
Stan
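As an added illustration (not part of Stan's reply or of the original thread), here is a main.cf excerpt for the gateway setup he recommends: Postfix relays for the Exchange domain and asks Exchange itself, at RCPT TO time, whether each recipient exists. The domain example.com, the Exchange host name exchange.example.local and the file paths are placeholders. It also assumes Exchange is configured to refuse unknown recipients during the SMTP dialogue, which recipient verification depends on; the other settings are documented in ADDRESS_VERIFICATION_README.

```ini
# main.cf excerpt for a Postfix relay in front of Exchange that uses
# recipient address verification instead of an LDAP lookup or a
# script-generated map. Added example, not from the thread; the domain,
# host name and paths are placeholders.

# Accept mail for the Exchange domain and hand it to Exchange.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
# /etc/postfix/transport holds one line; run "postmap /etc/postfix/transport":
#   example.com    smtp:[exchange.example.local]

# Leave relay_recipient_maps empty: the gateway keeps no recipient list of
# its own and asks Exchange instead. (A small site that prefers Stan's first
# option would point this at a hand-edited hash:/etc/postfix/relay_recipients.)
relay_recipient_maps =

# Reject unknown recipients while the sender is still connected, so the
# gateway never accepts mail it later has to bounce (no backscatter).
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_unverified_recipient

# Cache probe results on disk so Exchange is not asked about the same
# address on every delivery. Known-good addresses are kept for a month,
# known-bad ones for three days, and refreshed in the background.
address_verify_map = btree:$data_directory/verify_cache
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h

# The default reply for an unverifiable recipient is 450 (try again later),
# which is safe while testing. Once probes are confirmed to work against
# Exchange, switch to a permanent 550 so senders stop retrying.
unverified_recipient_reject_code = 550

# Caveat: the probe only tells the truth if Exchange itself rejects unknown
# recipients at RCPT TO. If Exchange accepts everything and generates NDRs
# afterwards, every probe succeeds and the backscatter problem returns.
```

After editing, `postfix reload` and watch the mail log: a probe shows up as a delivery attempt from the address_verify_sender to Exchange, and the first RCPT for an unknown user should be answered with the configured reject code rather than queued.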