Postfix routing and rewriting of addresses based on LDAP attributes

Date: 2015-04-29

Note: This has been tested on RHEL6 and Postfix 2.6.6 from RHEL repositories and version 2.10 from RHEL6 version contains a nasty bug, I recommend you use RPMS.

We want to route emails using the address rewriting capabilities of Postfix.

An LDAP directory will provide us with an attribute.

We will use the "mailstop" attribute here. Different values can be defined: "brussels" or "stockholm".

An email would be relayed through this Postfix instance.


Attribute = "brussels": would get rewritten
Attribute = "stockholm": would get rewritten
No attribute, or email address not present in LDAP: no rewriting

The LDAP configuration would be:

server_host =
search_base = ou=some,ou=population,o=directory
query_filter = (&(mail=%s))
result_attribute = mailstop
result_format = %U@%s.%D
bind_dn = cn=login,ou=TechObjects,o=SYSTEM
bind_pw = password

In query_filter, the email address is taken as input (%s). In result_format, %s holds the value returned by LDAP as output. We construct the rewritten email address from it together with the %U and %D variables, the local part and the domain of the input address (see the Postfix documentation for details).

From now on, we can query the LDAP server and expect something like this:

# postmap -q ldap://etc/postfix/

Now we are going to configure Postfix to actually rewrite addresses, using recipient_canonical_maps, which is an option of the cleanup process.

recipient_canonical_maps = ldap:/etc/postfix/

Then send an email to through that relay:

Apr 29 12:55:17 postfix/smtpd[20276]: disconnect from[]
Apr 29 12:55:17 postfix/smtp[20280]: 3A59580370: to=<>, orig_to=<>,[]:25, delay=0.08, delays=0.05/0.01/0.01/0.02, dsn=2.0.0, status=sent (250 Message queued)

We can see the address has been rewritten.

If the LDAP server is down, emails will be waiting in the maildrop queue.

If the LDAP server gives several replies, Postfix will rewrite to the first result.
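
The lookup described above, modelled as an added example (not Postfix code and not from the original post): it expands query_filter and result_format as ldap_table(5) documents them, including the RFC 2254 quoting Postfix applies to %s in query_filter, and covers the no-match and several-replies cases. The addresses, directory contents and function names are constructed for illustration.

```python
import re

QUERY_FILTER = "(&(mail=%s))"   # from the page
RESULT_FORMAT = "%U@%s.%D"      # from the page

# Constructed sample directory: mail -> mailstop values in the order returned.
SAMPLE_DIRECTORY = {
    "alice@example.com": ["brussels"],
    "bob@example.com": ["stockholm"],
    "carol@example.com": [],                        # entry without mailstop
    "dave@example.com": ["brussels", "stockholm"],  # several replies
}

# Filter metacharacters that RFC 2254 quoting replaces with \XX hex escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def expand_query_filter(key, template=QUERY_FILTER):
    """Substitute the lookup key for %s, escaping filter metacharacters."""
    quoted = "".join(_ESCAPES.get(ch, ch) for ch in key)
    return template.replace("%s", quoted)


def expand_result_format(key, value, template=RESULT_FORMAT):
    """%s = returned attribute value, %U / %D = local part / domain of key."""
    local, _, domain = key.rpartition("@")
    fields = {"s": value, "U": local, "D": domain, "%": "%"}
    return re.sub(r"%([sUD%])", lambda m: fields[m.group(1)], template)


def rewrite(key, directory=SAMPLE_DIRECTORY):
    """Return the rewritten recipient, or None when no rewriting applies."""
    if "@" not in key:        # simplification: only full addresses are modelled
        return None
    values = directory.get(key, [])
    if not values:            # unknown address or no mailstop attribute
        return None
    return expand_result_format(key, values[0])  # first result, as the page states


if __name__ == "__main__":
    for rcpt in list(SAMPLE_DIRECTORY) + ["nobody@example.com"]:
        print(rcpt, "->", rewrite(rcpt) or "(unchanged)")
    print(expand_query_filter("a*@example.com"))
```
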