Configure Email Forwarding in 389 Directory Server (LDAP) with Postfix

Email redirection (also called email forwarding) is a common requirement in enterprise environments. Organizations often need to:

  • Redirect emails from an old domain to a new domain
  • Maintain legacy addresses during migrations
  • Forward specific users’ emails to external mailboxes
  • Create alias-based routing policies

In this guide, you will learn how to configure email forwarding in 389 Directory Server (389-DS) and integrate it properly with Postfix using LDAP.

This tutorial is fully anonymized and suitable for production-like environments.


Table of Contents

  1. Understanding LDAP-Based Email Forwarding
  2. LDAP Attributes Used for Mail Routing
  3. Step-by-Step Configuration in 389-DS (Cockpit UI)
  4. Example LDAP LDIF Configuration
  5. Postfix LDAP Integration
  6. Testing and Verification
  7. Common Errors and Troubleshooting
  8. Security and Best Practices

1️⃣ Understanding LDAP-Based Email Forwarding

LDAP does not send emails by itself.

Instead:

  • LDAP stores user metadata (email, aliases, forwarding address).
  • Postfix queries LDAP.
  • Postfix decides how to route mail based on LDAP attributes.

The flow looks like this:

Incoming email → Postfix → LDAP query → routing decision → final mailbox

So forwarding logic is implemented at the mail server level, not in LDAP itself.


2️⃣ Important LDAP Attributes for Email Routing

Common attributes used in LDAP mail routing setups:

Attribute               Purpose
mail                    Primary email address
mailAlternateAddress    Alias email address
mailForwardingAddress   Forward destination

Example scenario:

You want:

old.address@domain.com → new.address@domain.ro

LDAP entry should contain:

mail: new.address@domain.ro
mailAlternateAddress: old.address@domain.com
mailForwardingAddress: new.address@domain.ro

3️⃣ Configuring Email Forwarding in 389 Directory Server (Cockpit UI)

Step 1: Log into Cockpit

Access:

https://your-server:9090

Navigate to:

389 Directory Server → Database → ou=people

Step 2: Open the User Entry

Locate the user, for example:

cn=user.example,ou=people,dc=example,dc=net

Step 3: Add Required Attributes

In Edit Values → Attributes, add:

Add alias address

Attribute: mailAlternateAddress
Value: old.address@domain.com

Add forwarding address

Attribute: mailForwardingAddress
Value: new.address@domain.ro

Save changes.


4️⃣ Example LDIF Configuration (CLI Method)

If you prefer CLI instead of UI:

Example: Add forwarding to existing user

dn: cn=user.example,ou=people,dc=example,dc=net
changetype: modify
add: mailAlternateAddress
mailAlternateAddress: old.address@domain.com
-
add: mailForwardingAddress
mailForwardingAddress: new.address@domain.ro

Apply with:

ldapmodify -x -D "cn=Directory Manager" -W -f forward.ldif

Example: Replace existing forwarding

dn: cn=user.example,ou=people,dc=example,dc=net
changetype: modify
replace: mailForwardingAddress
mailForwardingAddress: new.address@domain.ro

Example: Remove forwarding

dn: cn=user.example,ou=people,dc=example,dc=net
changetype: modify
delete: mailForwardingAddress

5️⃣ Postfix LDAP Integration

LDAP forwarding will NOT work unless Postfix is configured properly.

Postfix LDAP map example

Create file:

/etc/postfix/ldap/virtual_alias_maps.cf

Example configuration:

server_host = 127.0.0.1
search_base = ou=people,dc=example,dc=net
query_filter = (mailAlternateAddress=%s)
result_attribute = mailForwardingAddress
bind = yes
bind_dn = cn=Directory Manager
bind_pw = your_password
version = 3

Then in /etc/postfix/main.cf:

virtual_alias_maps = ldap:/etc/postfix/ldap/virtual_alias_maps.cf

Restart Postfix:

systemctl restart postfix

6️⃣ Testing and Verification

Test LDAP query manually

ldapsearch -x -LLL -D "cn=Directory Manager" -W \
-b "dc=example,dc=net" \
"(mailAlternateAddress=old.address@domain.com)" \
mailForwardingAddress

Expected result:

mailForwardingAddress: new.address@domain.ro

Test Postfix lookup

postmap -q old.address@domain.com ldap:/etc/postfix/ldap/virtual_alias_maps.cf

Expected output:

new.address@domain.ro

Check mail logs

On RHEL / AlmaLinux:

tail -f /var/log/maillog

On Debian / Ubuntu:

tail -f /var/log/mail.log

7️⃣ Common Errors and Troubleshooting

❌ LDAP Error: No such object (32)

Cause:

  • Incorrect DN
  • Wrong OU
  • Wrong base DN

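Fix:
Run the following search to list the entry DNs that actually exist, then compare them with the DN, OU and base DN you used: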

ldapsearch -x -LLL -D "cn=Directory Manager" -W \
-b "dc=example,dc=net" "(uid=*)" dn

❌ Forwarding not working

Check:

  1. Does Postfix use LDAP?
  2. Is virtual_alias_maps configured?
  3. Does postmap -q return expected value?
  4. Does mail log show LDAP lookup errors?

❌ Mail loops

If mailForwardingAddress has the same value as mailAlternateAddress, Postfix may generate loops.

Always ensure:

  • Forward destination is different
  • Domain routing is correct
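
The loop condition above can be checked offline before Postfix ever sees the data. The following is an added example, not part of the original guide: it reads entries in `ldapsearch -LLL` form, rebuilds the alias → forward table that the section 5 map would serve, and reports forwarding chains that come back to their starting address as well as entries that have a forward but no mailAlternateAddress, which the map's filter can never match. The function names, finding labels and the sample entries are constructed for illustration.

```python
# Constructed sample in `ldapsearch -LLL` form (not from a real directory).
SAMPLE_LDIF = """\
dn: cn=user.example,ou=people,dc=example,dc=net
mailAlternateAddress: old.address@domain.com
mailForwardingAddress: new.address@domain.ro

dn: cn=loop.a,ou=people,dc=example,dc=net
mailAlternateAddress: a@example.net
mailForwardingAddress: b@example.net

dn: cn=loop.b,ou=people,dc=example,dc=net
mailAlternateAddress: b@example.net
mailForwardingAddress: a@example.net

dn: cn=external.user,ou=people,dc=example,dc=net
mailForwardingAddress: external.user@gmail.com
"""

def parse_ldif(text):
    """Return [{attr: [values]}]; joins folded lines. Assumes no base64 (::) values."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in filter(None, block.splitlines()):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.lower(), []).append(value.strip().lower())
        if entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Check the data served by the page's map: alias -> mailForwardingAddress."""
    fwd, findings = {}, []
    for e in entries:
        aliases = e.get("mailalternateaddress", [])
        targets = e.get("mailforwardingaddress", [])
        if targets and not aliases:   # (mailAlternateAddress=%s) never selects it
            findings.append(("unmatched", e.get("dn", ["?"])[0]))
        for alias in aliases:
            fwd.setdefault(alias, set()).update(targets)
    for start in sorted(fwd):
        seen, todo = set(), [start]
        while todo:                   # follow every forward reachable from `start`
            new = fwd.get(todo.pop(), set()) - seen
            seen |= new
            todo.extend(new)
        if start in seen:             # the chain leads back to where it began
            findings.append(("loop", start))
    return findings
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` reports the two-hop loop between a@example.net and b@example.net and the unmatched external forward, while the old.address → new.address entry passes.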

8️⃣ Security Best Practices

✔️ Use a dedicated LDAP bind user

Instead of using Directory Manager, create a dedicated account with read-only permissions:

uid=postfix-ldap,ou=system,dc=example,dc=net


✔️ Use LDAPS or StartTLS

Secure LDAP traffic:

server_host = ldaps://127.0.0.1

✔️ Limit exposed attributes

Do not expose:

  • userPassword
  • sensitive organizational data

Restrict ACLs properly.
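
The bind-account and transport recommendations above can be checked mechanically against a map file. This is an added example, not part of the original guide: it parses Postfix map syntax and compares the security-relevant lines of the section 5 map with a constructed hardened variant. `parse_cf`, `lint` and the finding labels are hypothetical names; `start_tls` and `tls_require_cert` are ldap_table(5) parameters that the guide itself does not show, and the hardened variant assumes the server certificate is valid for the name in server_host.

```python
# Security-relevant lines of the section 5 map, then a constructed hardened variant.
PAGE_MAP = """\
server_host = 127.0.0.1
bind_dn = cn=Directory Manager
bind_pw = your_password
version = 3
"""
HARDENED_MAP = """\
server_host = ldaps://127.0.0.1
bind_dn = uid=postfix-ldap,ou=system,dc=example,dc=net
bind_pw = your_password
tls_require_cert = yes
version = 3
"""

def parse_cf(text):
    """Parse Postfix 'name = value' lines; '#' comments, indented lines continue."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = (part.strip() for part in line.partition("="))
            params[name] = value
    return params

def lint(text):
    """Return finding labels for the points in the page's security section."""
    p, findings = parse_cf(text), []
    if p.get("bind_dn", "").lower() == "cn=directory manager":
        findings.append("privileged-bind")         # use a read-only account instead
    hosts = p.get("server_host", "localhost").split()
    tls = all(h.startswith("ldaps://") for h in hosts) or p.get("start_tls") == "yes"
    if not tls:
        findings.append("cleartext-ldap")          # bind_pw and results unencrypted
    elif p.get("tls_require_cert", "no") != "yes":
        findings.append("unverified-server-cert")  # Postfix default is "no"
    if tls and p.get("version", "2") != "3":
        findings.append("tls-needs-version-3")     # LDAPS/StartTLS need protocol v3
    return findings

print("page map:    ", lint(PAGE_MAP))
print("hardened map:", lint(HARDENED_MAP))
```

Because the map file holds bind_pw in clear text, it should also be readable only by root and the Postfix user.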


9️⃣ Example Real-World Scenarios

Scenario 1: Domain Migration

user@old-domain.com → user@new-domain.com

LDAP:

mail: user@new-domain.com
mailAlternateAddress: user@old-domain.com
mailForwardingAddress: user@new-domain.com

Scenario 2: External Forward

internal.user@company.com → external.user@gmail.com

LDAP:

mail: internal.user@company.com
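mailForwardingAddress: external.user@gmail.com

Note: the map from section 5 searches on mailAlternateAddress only, so Postfix finds this entry only if the address being forwarded is also stored in mailAlternateAddress or the query filter is extended to match mail.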

Scenario 3: Multiple Aliases

sales@company.com
info@company.com
support@company.com
→ central@company.com

LDAP entry:

mail: central@company.com
mailAlternateAddress: sales@company.com
mailAlternateAddress: info@company.com
mailAlternateAddress: support@company.com
mailForwardingAddress: central@company.com

Final Summary

To successfully configure email forwarding in 389 Directory Server:

  1. Add mailAlternateAddress
  2. Add mailForwardingAddress
  3. Configure Postfix LDAP map
  4. Test using ldapsearch and postmap
  5. Monitor mail logs

LDAP stores the routing metadata.
Postfix executes the routing logic.
