Hi, our postfix mail server is a FreeIPA client. What this means is that user accounts are kept on a separate FreeIPA server, but they are real Linux accounts on the mail server. The "id" and "getent passwd" commands work on the mail server and return user id and group membership information. (FreeIPA is Red Hat's implementation of identity management, http://www.freeipa.org/page/About)

The FreeIPA server also has an LDAP service, and so far it has been used for virtual address expansion. For example, if a message is sent to test.u...@example.net, then postfix does an LDAP lookup for the mail attribute "test.u...@example.net" and delivers to the "uid" result attribute "testuser". If the LDAP lookup fails, then postfix attempts to deliver to the local user "testuser" mailbox anyway. To say otherwise, an LDAP lookup failure is not a fatal error and postfix still attempts to deliver locally.

Now I would like to change this and include a check for account validity (and/or group membership). Say, if the account is disabled (LDAP attribute nsAccountLock=TRUE) and the LDAP lookup fails, then postfix should not attempt to deliver locally and should reject the message instead.

Is it possible to achieve this and keep the current configuration relatively intact? (i.e., keep local_transport=local:$myhostname) I understand that I can change local_transport to "local_transport=virtual", but this brings in many other changes.

I appreciate your time spent on this. Thank you. "postconf -nf" output and ldap-virtual.cf file attached.

Kind regards,
Ivars
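One way to express the disabled-account check described in the post without touching local_transport is a second, separate Postfix LDAP map used as a check_recipient_access table that returns REJECT whenever the recipient's FreeIPA entry carries nsAccountLock=TRUE. This is an added example, not the poster's configuration or attachments; the LDAP host, search base, bind credentials and file paths are placeholders, and it assumes the bind identity is allowed to read nsAccountLock.

```conf
# /etc/postfix/ldap-disabled.cf  (added example; placeholders throughout)
# Only matches entries that are BOTH the recipient AND disabled, so an
# active account produces no result and the restriction falls through.
server_host = ldap://ipa.example.net
search_base = cn=users,cn=accounts,dc=example,dc=net
version = 3
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=net
bind_pw = CHANGEME-placeholder
# %s = full recipient address (matches the "mail" attribute used for
# virtual expansion); %u = its local part (matches a direct uid@domain).
query_filter = (&(|(mail=%s)(uid=%u))(nsAccountLock=TRUE))
result_attribute = uid
# %s here is the result attribute value, so the reply names the account.
result_format = REJECT account %s is disabled

# main.cf fragment: consult the map before accepting the recipient.
# Keep it separate from ldap-virtual.cf so the existing expansion and
# local_transport=local:$myhostname stay exactly as they are.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access ldap:/etc/postfix/ldap-disabled.cf,
    permit
```

Because this is an access table rather than a virtual alias map, a lookup error (LDAP server unreachable) makes Postfix defer the recipient with a 4xx instead of silently falling back to local delivery; verify the map with `postmap -q test.user@example.net ldap:/etc/postfix/ldap-disabled.cf` after disabling a test account in FreeIPA.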