For case 1, if I want to allow the email address to all maillist, I need to add the email from phpldap?  Am I correct?

For case 2, can you provide an example for me.  As I have no idea how to apply this to the system.  Thanks.

For all domaina.com users,  receipent != domaina.com and domainb.com, REJECT

I have no idea how to apply on this?  where to put domaina.com? where to put domaina.com and domainb.com as allow.  And how to apply?  Please advice.

#!/usr/bin/env python
# encoding: utf-8

# Author: Zhang Huangbin <michaelbibby (at) gmail.com>

import sys

ACTION_REJECT = 'REJECT Not Authorized'

def __get_allowed_senders(ldapConn, ldapBaseDn, listDn, sender, recipient, polic
y,):
    """return search_result_list_based_on_access_policy"""

    # Set search base dn, scope, filter and attribute list based on access polic
y.
    if policy == 'membersonly':
        basedn = ldapBaseDn
        searchScope = 2     # ldap.SCOPE_SUBTREE
        # Filter used to get domain members.
        searchFilter = "(&(|(objectclass=mailUser)(objectclass=mailExternalUser)
)(accountStatus=active)(memberOfGroup=%s))" % (recipient, )
        searchAttr = 'mail'
    else:
        basedn = listDn
        searchScope = 0     # Use SCOPE_BASE to improve performance.
        # Filter used to get domain moderators.
        searchFilter = "(&(objectclass=mailList)(mail=%s))" % (recipient, )
        searchAttr = 'listAllowedUser'

    try:
        result = ldapConn.search_s(basedn, searchScope, searchFilter, [searchAtt
r])
        userList = []
        for obj in result:
            if obj[1].has_key(searchAttr):
                # Example of result data:
                # [('dn', {'listAllowedUser': ['user@domain.ltd']})]
                # [('dn', {'listAllowedUser': ['user@domain.ltd']})]
                userList += obj[1][searchAttr]
            else:
                pass
        return userList

    except Exception, e:
        return []

def restriction(ldapConn, ldapBaseDn, ldapRecipientDn, ldapRecipientLdif, smtpSe
ssionData, **kargs):
    # Return if recipient is not a mail list object.
    if 'maillist' not in [ v.lower() for v in ldapRecipientLdif['objectClass']]:
        return 'DUNNO'

    sender = smtpSessionData['sender'].lower()
    recipient = smtpSessionData['recipient'].lower()
    policy = ldapRecipientLdif.get('accessPolicy', ['public'])[0].lower()

    if policy == "public": return 'DUNNO'   # No restriction.
    elif policy == "domain":
        # Bypass all users under the same domain.
        if sender.split('@')[1] == recipient.split('@')[1]: return 'DUNNO'
        else: return ACTION_REJECT
    else:
        # Handle other access policies: membersOnly, allowedOnly.
        allowedSenders = __get_allowed_senders(
                ldapConn=ldapConn,
                ldapBaseDn=ldapBaseDn,
                listDn=ldapRecipientDn,
                sender=sender,
                recipient=recipient,
                policy=policy,
                )

        if sender.lower() in [ v.lower() for v in allowedSenders ]:
            return 'DUNNO'
        else:
            return ACTION_REJECT

I have no idea about the plugin?  Also I don't know how to apply even write this?  So I think it's not easy and not possible to make it by ourselves?

I found a way to do on the postfix directly using restrict_sender.  But I would like to know how to get the a domain user list from ldap?  Any script or way to do on shell?  As I need to generate a script to apply the setting.