>>>>> "Ganael" == Ganael Laplanche <ganael.laplan...@centralesupelec.fr> writes:

Ganael> On Tuesday, January 19, 2021 1:59:42 PM CET Wietse Venema wrote:
Ganael> Hello Wietse,

Ganael> Thanks for your reply,

>> Ignoring errors would result in misdelivery of email. You may have
>> expectations that it is OK for software to randomly misdeliver
>> email, but that is not how Postfix works.

Ganael> Well, I don't expect mail to be misdelivered, of course :)

Ganael> Misdelivery would not happen if next dictionary(ies) have similar contents
Ganael> (and this is sysadmin's work to ensure it is the case). Having such a
Ganael> possibility could allow several tries on different remote backends before
Ganael> finally falling back on a local one.

>> If LDAP cannot handle many concurrent connections, use proxymap
>> like everyone does with mysql and the like, or hide it under
>> a memcache_table. [...]

Ganael> Proxymap won't help here as our concern here is not related to LDAP server
Ganael> overload.

Ganael> Let me explain: our LDAP servers are populated by 3rd party
Ganael> tools (and team) that might (in theory) fail and disable
Ganael> accounts by mistake. Of course, this is not Postfix' problem
Ganael> *but* we would like to avoid such a situation where many
Ganael> accounts have disappeared from the directory and where we
Ganael> would refuse mail by mistake.

So why not run your own LDAP servers, which pull from those upstream
LDAP servers, and then you can do your own retention rules as you
like? This way if you don't find <address> in upstream, you can start
your 7 day countdown clock and keep accepting email as you want. If
the name comes back (hopefully not for a different new user!!!) you
can just push/restore the email then.

Ganael> Our idea was to use our LDAP directory as a first dictionary
Ganael> to quickly handle address change and new accounts but always
Ganael> have a local fallback (a verified dump produced every week) as
Ganael> a last resort to continue accepting mail for accounts that
Ganael> would have been disabled by mistake (in fact, for any disabled
Ganael> account, for 7 days).

You've got some funky requirements, you must have been burned before
by this other group making random changes which lost email. Not fun.
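
The retention rule suggested in the reply, sketched as an added example that is not part of the original thread and not Postfix code: a local copy keeps each address for 7 days after it was last seen upstream, and flags an address that returns bound to a different account. The `uid` field, the function names, the empty-pull guard and the `address OK` output format (meant as source for a lookup table built with `postmap`) are assumptions made for illustration.

```python
from datetime import datetime, timedelta

GRACE = timedelta(days=7)  # the 7-day countdown discussed in the thread

def sync(state, upstream, now, grace=GRACE):
    """Merge one upstream pull into the local retention state.

    state:    {address: {"uid": str, "last_seen": datetime}}
    upstream: {address: uid}; "uid" is an assumed stable per-account id
    Returns (new_state, reassigned): reassigned lists addresses that came
    back bound to a different account and should be reviewed by hand.
    """
    if not upstream:
        # An empty pull looks like an upstream failure: age nothing out.
        return dict(state), []
    new_state, reassigned = {}, []
    for addr, uid in upstream.items():
        old = state.get(addr)
        if old is not None and old["uid"] != uid:
            reassigned.append(addr)
        new_state[addr] = {"uid": uid, "last_seen": now}
    for addr, entry in state.items():
        if addr not in upstream and now - entry["last_seen"] <= grace:
            new_state[addr] = entry  # countdown running: keep accepting
    return new_state, sorted(reassigned)

def recipient_table(state):
    """Render lines for a Postfix lookup table source file (key, value)."""
    return "".join(f"{addr} OK\n" for addr in sorted(state))

def demo():
    # Constructed sample data: addresses and ids are made up.
    day = lambda n: datetime(2021, 1, 19) + timedelta(days=n)
    state, _ = sync({}, {"alice@example.org": "u1", "bob@example.org": "u2"}, day(0))
    # Day 3: bob vanished upstream (possibly by mistake): still accepted.
    state, _ = sync(state, {"alice@example.org": "u1"}, day(3))
    kept = recipient_table(state)
    # Day 5: bob's address returns, but bound to another account.
    _, flagged = sync(state, {"alice@example.org": "u1", "bob@example.org": "u9"}, day(5))
    # Day 8: bob still missing, last seen 8 days ago: dropped.
    state, _ = sync(state, {"alice@example.org": "u1"}, day(8))
    return kept, flagged, recipient_table(state)

if __name__ == "__main__":
    for part in demo():
        print(part)
```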