On Thu, Feb 18, 2021 at 07:52:07AM +0100, Ralph Seichter wrote:

> In a new server setup, I use two consecutive transport lookups:
>
>   transport_maps = ldap:/etc/postfix/foo.cf ldap:/etc/postfix/bar.cf

I strongly do not recommend using LDAP for per-user transport lookups.
Instead:

  - Use virtual(5) LDAP tables to *rewrite* recipient addresses to
    transport-specific domains

  - Resolve these domains via a stable (ideally indexed table)
    domain -> transport mapping

  - Where needed, use smtp_generic_maps to rewrite the
    transport-specific recipient domain back to the original
    address (something similar to canonical_maps, but on output).
    The definitions of smtp_generic_maps can be transport-specific,
    via master.cf overrides.

Yes, this is more complex, but:

  - Your single-threaded queue manager is no longer blocked waiting
    on potentially rather expensive LDAP lookups.

  - Postfix can continue to process already queued mail even when
    LDAP is down, it just won't take in new mail.

  - Logically, your configuration is more modular, rewrite users
    from (typically) virtual_alias domains to mailstore domains,
    leaving the transport to be defined indirectly.  Then separately
    from assigning the user to a mailstore domain, configure Postfix
    to route each domain to an appropriate transport (or just send
    to the MX host of that domain).

> However, this does not resolve the issue, even if I use changing
> recipient addresses in an attempt to flush the qmgr in-memory status
> cache.

The queue_manager has a one element transport lookup cache, when a
stream of back-to-back messages (usually when testing, rather than
in real life) all go to the same recipient, there's only one
transport lookup.

> I have two questions which I hope you guys can answer:
>
> 1. How do I force Postfix to perform an LDAP lookup every time a new
>    inbound message arrives (i.e., how to disable caching lookup results)?

You can't, the built-in transport-resolution cache is not dictionary
specific.

> 2. Can I configure a single LDAP lookup instead of two sequential ones,
>    which behaves according to the following pseudocode:
>
>      x = ldap_lookup_recipient_record(envelope_to_address)
>      if x.has_attribute(alpha)
>        return x.value_of_attribute(alpha)
>      else
>        return x.value_of_attribute(beta)

Possibly, yes, via a suitable combination of leaf_result_attribute,
terminal_result_attribute and result_attribute.  See ldap_table(5).

    terminal_result_attribute = alpha
    result_attribute = beta

But this will not change your original issue.  Again, DO NOT burden
the queue manager with LDAP lookups.  Make transport lookups purely
local and largely static.

-- 
    Viktor.
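
The layout recommended in the reply above, as an added configuration sketch that is not part of the original thread or of anyone's actual setup. The hostnames, the `mailStore` LDAP attribute, the `*.mail.example.com` routing domains, the `relay-store1` service name and all file names are assumptions chosen for illustration.

```conf
# ---- /etc/postfix/main.cf ----
# Per-user LDAP lookups run at mail intake via virtual(5) rewriting,
# so the queue manager never waits on LDAP.
virtual_alias_domains = example.com
virtual_alias_maps = ldap:/etc/postfix/ldap-mailstore.cf
# Transport resolution is a local, indexed, largely static table.
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/ldap-mailstore.cf ----
server_host = ldap://ldap.example.com
search_base = ou=people,dc=example,dc=com
# Only query LDAP for the public domain, not for rewritten addresses.
domain = example.com
query_filter = (mail=%s)
# Assumed attribute holding a short store name such as "store1".
result_attribute = mailStore
# %U = local part of the lookup key, %s = attribute value:
# user@example.com -> user@store1.mail.example.com
result_format = %U@%s.mail.example.com

# ---- /etc/postfix/transport (run "postmap" after editing) ----
store1.mail.example.com    relay-store1:[store1.example.net]
store2.mail.example.com    smtp:[store2.example.net]

# ---- /etc/postfix/master.cf ----
# Clone of the smtp client with its own output rewriting.
relay-store1  unix  -  -  n  -  -  smtp
    -o smtp_generic_maps=hash:/etc/postfix/generic-store1

# ---- /etc/postfix/generic-store1 (run "postmap" after editing) ----
# Restore the public domain on delivery to the mailstore.
@store1.mail.example.com   @example.com
```

With this split, an LDAP outage only stops new mail from being accepted; recipients already in the queue carry their mailstore domain and are still routed through the local `transport` table.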