On 2012-09-19 21:41, Viktor Dukhovni wrote:
On Wed, Sep 19, 2012 at 07:13:49PM +0200, Michael Storz wrote:

The consistency check requires that a user object is first
(correctly) defined in OpenLDAP. Only then the second check looks
for the correct definition in Active Directory. If it is not then we
defer the email (we do not reject the recipient like I specified in
the example) until the event queue for the driver is empty (manual
check) or a resync of the object in meta directory is needed (there
seem to be some software errors in the driver, which are not fixed
yet). We are running with this check for some months now and it has
helped a lot to find the entries which have not been correctly
synced to Exchange.

If a new user is created the user object appears instantly in the
OpenLDAP directory. The transport of the event from the application
over the meta directory to the directory is fast and without any
problem. Therefore if the user/address is not in the OpenLDAP
directory I can safely reject such an address.

This is an account provisioning problem, not an MTA routing problem.
The best solution is to not send email to the user until the
provisioning is complete.

Unfortunately we can't tackle the account provisioning problem
(interworking of Microsoft software with Novell software), which makes
it an MTA routing problem, which I have to resolve.

Waiting to send the email until the user is fully provisioned is not
possible. The sending application has no knowledge about the status of
the provisioning. There is an organizational boundary and a meta
directory between 2 IDMs in between.


You could simply route all mail for recently added users to an MTA
with soft_bounce=yes. Then when provisioning is complete, remove
the transport override.

Well, provisioning never stops. There is a peak at the beginning of a new
semester, because of new students. But new employees are provisioned
nearly every day. The defer has to be automatic for each affected
email.


This is not a good case for making complex changes to Postfix tables.

I just tried to show a real world example. For the general case see my
next email.

Thanks,
Michael
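
The two-stage check described in this message (reject when the address is not in OpenLDAP, defer when it is in OpenLDAP but not yet in Active Directory), sketched as an added example that is not part of the original mail or the poster's configuration. It assumes the check runs as a Postfix policy delegate instead of lookup tables; the directory contents, function names and reply texts are constructed for illustration.

```python
# Added example: the two-stage recipient check as a Postfix policy delegate.
# Directory contents are constructed sample data standing in for LDAP lookups.
OPENLDAP = {"alice@example.org", "bob@example.org"}  # constructed: defined by IDM
ACTIVE_DIRECTORY = {"alice@example.org"}             # constructed: synced to Exchange

TEMPFAIL = "DEFER_IF_PERMIT 4.3.0 Directory lookup failed, try again later"


def parse_request(raw):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(recipient, in_openldap, in_ad):
    """Return an access(5) action for one recipient address."""
    rcpt = recipient.strip().lower()
    try:
        if not in_openldap(rcpt):
            # Not in the authoritative directory: safe to reject permanently.
            return "REJECT 5.1.1 User unknown"
        if not in_ad(rcpt):
            # Defined but not yet synced: temporary failure, sender retries.
            return "DEFER_IF_PERMIT 4.2.1 Mailbox not yet provisioned"
    except Exception:
        # A directory outage must never turn into a permanent rejection.
        return TEMPFAIL
    return "DUNNO"  # both directories agree; let later restrictions decide


def handle(raw, in_openldap=OPENLDAP.__contains__,
           in_ad=ACTIVE_DIRECTORY.__contains__):
    """Map one raw policy request to the reply Postfix expects."""
    attrs = parse_request(raw)
    if attrs.get("request") != "smtpd_access_policy" or not attrs.get("recipient"):
        return "action=DUNNO\n\n"
    return "action=" + decide(attrs["recipient"], in_openldap, in_ad) + "\n\n"
```

The lookup callables are injected so that real LDAP queries can replace the sample sets; any exception from either lookup yields a temporary failure, never a permanent reject.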
