Postfix routing and rewriting of addresses based on LDAP attributes
Note: This has been tested on RHEL6 with Postfix 2.6.6 from the RHEL repositories and with version 2.10 from postfix.org. The RHEL6 version contains a nasty bug, so I recommend you use the postfix.org RPMs.
We want to route emails using the address rewriting capabilities of Postfix.
An LDAP directory will provide us with an attribute.
We will use the "mailstop" attribute here. Different values can be defined: "brussels" or "stockholm".
An email would be relayed through this Postfix instance.
Attribute = "brussels": email@example.com would get rewritten to firstname.lastname@example.org
Attribute = "stockholm": email@example.com would get rewritten to firstname.lastname@example.org
No attribute, or email address not present in LDAP: no rewriting
The LDAP configuration would be:
server_host = ldap.example.org
search_base = ou=some,ou=population,o=directory
query_filter = (&(mail=%s))
result_attribute = mailstop
result_format = %U@%s.%D
bind_dn = cn=login,ou=TechObjects,o=SYSTEM
bind_pw = password
We take the email address as input (%s in query_filter). The attribute value returned by the lookup is stored in the %s variable of result_format, and we build the rewritten email address from it together with the %U and %D variables, the local and domain parts of the input address (see the Postfix ldap_table(5) documentation for details).
From now on, we can query the LDAP server and expect something like this:
# postmap -q email@example.com ldap://etc/postfix/ldap.cf
firstname.lastname@example.org
Now we are going to configure Postfix to actually rewrite addresses, using recipient_canonical_maps, which is a parameter of the cleanup(8) daemon.
recipient_canonical_maps = ldap:/etc/postfix/ldap.cf
Then send an email to email@example.com through that relay:
Apr 29 12:55:17 mx.intra.example.org postfix/smtpd: disconnect from mxin.example.org[192.168.96.200]
Apr 29 12:55:17 mx.intra.example.org postfix/smtp: 3A59580370: to=<firstname.lastname@example.org>, orig_to=<email@example.com>, relay=mx.brussels.example.org[192.168.96.4]:25, delay=0.08, delays=0.05/0.01/0.01/0.02, dsn=2.0.0, status=sent (250 Message queued)
We can see the address has been rewritten.
If the LDAP server is down, emails will be waiting in the maildrop queue.
If the LDAP server returns several results, Postfix will rewrite to the first one.
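The lookup described above, modelled as an added example (not code from the original page or from Postfix): an in-memory dict stands in for ldap.example.org, the query_filter, result_attribute and result_format values are the ones from the configuration above, and the result handling (first value wins, no attribute or no entry means no rewrite) follows the behaviour described on this page. The filter escaping mirrors what Postfix does to the %s key before it is sent to the server, which is what keeps a crafted recipient address from changing the meaning of (&(mail=%s)).

```python
import re

# Constructed directory entries standing in for the LDAP server, keyed by `mail`.
DIRECTORY = {
    "email@example.com": {"mailstop": ["brussels"]},
    "other@example.com": {"mailstop": ["stockholm", "brussels"]},  # several values
    "noattr@example.com": {},                                      # no mailstop
}

QUERY_FILTER = "(&(mail=%s))"
RESULT_ATTRIBUTE = "mailstop"
RESULT_FORMAT = "%U@%s.%D"


def ldap_filter_escape(key: str) -> str:
    """RFC 4515 escaping of the lookup key: '*', '(', ')', '\\' and NUL become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in key)


def build_filter(key: str) -> str:
    """The filter Postfix would send for this key, with %s replaced by the escaped key."""
    return QUERY_FILTER.replace("%s", ldap_filter_escape(key))


def expand_result(fmt: str, key: str, value: str) -> str:
    """Expand result_format: %s = attribute value, %U / %D = local / domain part of the key."""
    local, _, domain = key.partition("@")
    table = {"s": value, "U": local, "D": domain}
    return re.sub(r"%([sUD])", lambda m: table[m.group(1)], fmt)


def canonical(key: str) -> str:
    """Return the address recipient_canonical_maps would produce for `key`.

    No entry or no result_attribute value: the address is left unchanged.
    Several values: the first one is used, as the page reports.
    """
    build_filter(key)                      # what would go over the wire
    entry = DIRECTORY.get(key.lower())     # simplified equality match on `mail`
    if not entry:
        return key
    values = entry.get(RESULT_ATTRIBUTE) or []
    if not values:
        return key
    return expand_result(RESULT_FORMAT, key, values[0])


if __name__ == "__main__":
    for addr in ("email@example.com", "other@example.com", "noattr@example.com", "nobody@example.com"):
        print(addr, "->", canonical(addr))
```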