I've set up a Postfix store & forward frontend gateway that forwards all mail 
for valid domains (DDD1.com -> DDDN.com) to a Postfix backend.

-- The frontend serves as an outbound smarthost for all backend domains.
-- Transport, and recipient verification, TO the backend, and all smarthost 
sends FROM the backend, are directed solely over a VPN link.
-- The frontend accepts no local delivery; No mail is accepted for the 
canonical domain.
-- A local amavisd instance, configured as a postfix prequeue proxy filter, 
handles SA filtering, teaching a local bayes* instance.

I want to open the frontend canonical domain to receive mail at only 2 email 
addresses.  Emails received at those emails do not need to be delivered/stored 
to any accounts -- simply piped to another service.

Currently, mail's not getting to the pipe.  I'd appreciate any help in figuring 
out why not.

In more detail ...

The goal is to provide spam/ham learning addresses on the frontend that valid 
backend users can forward miscategorized mails to, so that I can train the 
bayes instances on the frontend:

        -- any backend domain user, [email protected], sending from the backend, 
can forward SPAM or HAM to a spam/ham address at the frontend's canonical 
domain - "[email protected]" or "[email protected]"
        -- email accepted at one of those addresses on the frontend is piped to 
a perl script to be bayes-learned by the local SA instance

IIUC, this requires the use of ADDRESS REWRITING, the correct ADDRESS CLASSES, 
and a pipe.

This is the current working config,

        /etc/aliases
                root: [email protected]
                postmaster: root
                mailer-daemon: postmaster

        /main.cf
                myhostname = myhost.DDDD.com
                mydomain = mail.DDDD.com
                myorigin = $mydomain
                mydestination = $myhostname localhost.$mydomain localhost $mydomain
                default_transport = smtp-out-ext:
                local_transport = error:5.1.1 local delivery is disabled
                local_recipient_maps =
                transport_maps = static:relay-vpn:[internal.mail-backend.DDDD.com]:12345
                ...

To get these spam/ham addresses working, I'm attempting to crib the approach at 
https://gtmp.org/doku.php/publications:sa-postfix-en .

That document deals with all on a single server.  With my frontend/backend 
split I'm unclear on the proper approach, and which specific address class(es) 
(http://www.postfix.org/ADDRESS_CLASS_README.html) I should be implementing.

I've so far made the following changes to the frontend's config

        /etc/aliases
                root: [email protected]
                postmaster: root
                mailer-daemon: postmaster
+               spam.1234: [email protected]
+               ham.1234: [email protected]
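
Review bot: the two added `spam.1234` / `ham.1234` entries go into /etc/aliases, and an aliases(5) file is expanded only by the local(8) delivery agent, which the unchanged `local_transport = error:5.1.1 local delivery is disabled` line turns off. If these rewrites are meant to happen on this host, a virtual(5) alias map is the place for them, since cleanup(8) applies it to recipients of every address class.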

        /main.cf
                myhostname    = myhost.DDDD.com
                mydomain      = mail.DDDD.com
                myorigin      = $mydomain
                mydestination = $myhostname localhost.$mydomain localhost 
$mydomain
                default_transport = smtp-out-ext:
                local_transport   = error:5.1.1 local delivery is disabled
                local_recipient_maps =
                unknown_local_recipient_reject_code = 550
-               transport_maps = 
static:relay-vpn:[internal.mail-backend.DDDD.com]:12345
+               transport_maps = lmdb:/usr/local/etc/postfix/salearn_transport
+                                
static:relay-vpn:[internal.mail-backend.DDDD.com]:12345

+       /salearn_transport
+               spam.spam  sa-spam:
+               ham.ham    sa-ham:
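
Review bot: the lookup keys `spam.spam` and `ham.ham` contain no `@`, so transport(5) reads them as domain names rather than recipients, and they do not match the `spam.1234` / `ham.1234` names added to /etc/aliases either. Key each row on the full user@domain recipient as it looks after address rewriting, and rebuild the table with postmap after every edit, since it is read as lmdb:.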

        /master.cf
                ...
+               sa-spam        unix   -         n        n        -        -    
   pipe
+                 user=amavisd:amavisd 
argv=/usr/local/etc/spamassassin/scripts/sa-learn-wrapper.pl spam ${sender}
+               sa-ham         unix   -         n        n        -        -    
   pipe
+                 user=amavisd:amavisd 
argv=/usr/local/etc/spamassassin/scripts/sa-learn-wrapper.pl ham  ${sender}
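
Review bot: both pipe entries hand `${sender}` to sa-learn-wrapper.pl, and nothing in the visible lines limits who may write to the two learning addresses, so the envelope sender, which the SMTP client chooses freely, is the only identity the script sees. Have the wrapper treat that argument strictly as untrusted data, and restrict the two recipients to mail arriving over the VPN smarthost listener so that outside senders cannot train the bayes database.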

With this config, on send FROM '[email protected]' on the backend TO 
'[email protected]' on the frontend, frontend logs show

The connection from the backend to the frontend

        Jun 18 20:11:44 myhost postfix/smarthost/smtpd[17508]: connect from internal.mail-backend.DDDD.com[10.13.1.16]
        Jun 18 20:11:45 myhost postfix/smarthost/smtpd[17508]: Trusted TLS connection established from internal.mail-backend.DDDD.com[10.13.1.16]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        Jun 18 20:11:45 myhost postfix/smarthost/smtpd[17508]: 266FB6450E: client=internal.mail-backend.DDDD.com[10.13.1.16]
        Jun 18 20:11:45 myhost postfix/cleanup[17510]: 266FB6450E: message-id=<[email protected]>
        Jun 18 20:11:45 myhost postfix/qmgr[15826]: 266FB6450E: from=<[email protected]>, size=2700, nrcpt=1 (queue active)
        Jun 18 20:11:45 myhost postfix/smarthost/smtpd[17508]: disconnect from internal.mail-backend.DDDD.com[10.13.1.16] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
        Jun 18 20:11:45 myhost postfix/smtpd[17514]: connect from localhost[127.0.0.1]
        Jun 18 20:11:46 myhost postfix/smtpd[17514]: 49A856450F: client=localhost[127.0.0.1]
        Jun 18 20:11:46 myhost postfix/cleanup[17510]: 49A856450F: message-id=<[email protected]>
        Jun 18 20:11:46 myhost postfix/smtpd[17514]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
        Jun 18 20:11:46 myhost postfix/qmgr[15826]: 49A856450F: from=<[email protected]>, size=3899, nrcpt=1 (queue active)
>>      Jun 18 20:11:46 myhost postfix/smtp-out-ext/smtp[17515]: 49A856450F: to=<[email protected]>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for DDD1.com loops back to myself)
        Jun 18 20:11:46 myhost postfix/cleanup[17510]: 4ACD964511: message-id=<[email protected]>
>>      Jun 18 20:11:46 myhost postfix/bounce[17516]: 49A856450F: sender non-delivery notification: 4ACD964511
        Jun 18 20:11:46 myhost postfix/qmgr[15826]: 4ACD964511: from=<>, size=5875, nrcpt=1 (queue active)
        Jun 18 20:11:46 myhost postfix/qmgr[15826]: 49A856450F: removed
        Jun 18 20:11:46 myhost postfix/amavis-feed/smtp[17511]: 266FB6450E: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:20003, delay=1.2, delays=0.04/0/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as 49A856450F)
        Jun 18 20:11:46 myhost postfix/qmgr[15826]: 266FB6450E: removed
        Jun 18 20:11:46 myhost postfix/relay-vpn/smtp[17517]: Verified TLS connection established to internal.mail-backend.DDDD.com[10.13.1.16]:41443: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        Jun 18 20:11:46 myhost postfix/relay-vpn/smtp[17517]: 4ACD964511: to=<[email protected]>, relay=internal.mail-backend.DDDD.com[10.13.1.16]:41443, delay=0.4, delays=0/0/0.24/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9050610277D)
        Jun 18 20:11:46 myhost postfix/qmgr[15826]: 4ACD964511: removed

a non-delivery failure, due to a loopback

        Jun 18 20:11:46 myhost postfix/smtp-out-ext/smtp[17515]: 49A856450F: to=<[email protected]>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for DDD1.com loops back to myself)

although I don't _think_ that's the reason behind the actual problem -- which 
is that the inbound, to-spam.1234@ email is not hitting the 'sa-spam' service 
pipe.

Why is that email not getting to the pipe?  I suspect incorrect ADDRESS CLASS 
mapping/usage.  IIUC, since I'm not storing the email locally, I don't need 
local delivery to a unix account with a home folder.  Is virtual called for 
here?
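
Added example, not part of the original post: a small Python tracer that follows one message through the log above by chaining queue IDs ("queued as", "non-delivery notification") and reports which transport handled each hop. The sample lines are the post's log with constructed placeholder addresses; `trace` and `reached` are illustrative names, and reading the middle syslog component as the master.cf transport label is an assumption based on the labels in this log.

```python
import re

# Constructed sample: log lines from the post, unwrapped, with placeholder
# addresses (*.example) standing in for the redacted ones.
SAMPLE_LOG = """\
Jun 18 20:11:45 myhost postfix/smarthost/smtpd[17508]: 266FB6450E: client=internal.mail-backend.DDDD.com[10.13.1.16]
Jun 18 20:11:45 myhost postfix/qmgr[15826]: 266FB6450E: from=<user@backend.example>, size=2700, nrcpt=1 (queue active)
Jun 18 20:11:46 myhost postfix/qmgr[15826]: 49A856450F: from=<user@backend.example>, size=3899, nrcpt=1 (queue active)
Jun 18 20:11:46 myhost postfix/smtp-out-ext/smtp[17515]: 49A856450F: to=<spam@frontend.example>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for DDD1.com loops back to myself)
Jun 18 20:11:46 myhost postfix/bounce[17516]: 49A856450F: sender non-delivery notification: 4ACD964511
Jun 18 20:11:46 myhost postfix/amavis-feed/smtp[17511]: 266FB6450E: to=<spam@frontend.example>, orig_to=<spam.1234@frontend.example>, relay=127.0.0.1[127.0.0.1]:20003, delay=1.2, delays=0.04/0/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as 49A856450F)
Jun 18 20:11:46 myhost postfix/relay-vpn/smtp[17517]: 4ACD964511: to=<user@backend.example>, relay=internal.mail-backend.DDDD.com[10.13.1.16]:41443, delay=0.4, delays=0/0/0.24/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9050610277D)
"""

LINE = re.compile(r"postfix/(?P<svc>[^\[]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
DELIVERY = re.compile(r"\bto=<(?P<to>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
NEXT = re.compile(r"(?:queued as|non-delivery notification:) (?P<next>[0-9A-F]{6,})")

def trace(log, start):
    """Return [(queue_id, transport, rcpt, dsn, status)] reachable from start."""
    deliveries, links = {}, {}
    for line in log.splitlines():          # log order does not matter
        m = LINE.search(line)
        if not m:
            continue
        d, n = DELIVERY.search(m["rest"]), NEXT.search(m["rest"])
        if d:  # delivery attempt: first syslog component = transport label
            hop = (m["svc"].split("/")[0], d["to"], d["dsn"], d["status"])
            deliveries.setdefault(m["qid"], []).append(hop)
        if n:  # re-injection or bounce creates a new queue ID
            links.setdefault(m["qid"], []).append(n["next"])
    path, todo, seen = [], [start], set()
    while todo:
        qid = todo.pop(0)
        if qid not in seen:
            seen.add(qid)
            path += [(qid, *hop) for hop in deliveries.get(qid, [])]
            todo += links.get(qid, [])
    return path

def reached(path, transport):
    """True if any hop on the path was handled by the named transport."""
    return any(hop[1] == transport for hop in path)

if __name__ == "__main__":
    for hop in trace(SAMPLE_LOG, "266FB6450E"):
        print(*hop)
```

Run against the sample, the path is amavis-feed, then smtp-out-ext (bounced, 5.4.6), then relay-vpn for the bounce; no hop is handled by sa-spam.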
