Index: trunk/server/fedora/config/etc/postfix/main.cf
===================================================================
--- trunk/server/fedora/config/etc/postfix/main.cf	(revision 1442)
+++ trunk/server/fedora/config/etc/postfix/main.cf	(revision 1443)
@@ -29,5 +29,6 @@
 queue_directory = /var/spool/postfix
 mail_owner = postfix
-virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re
+virtual_alias_domains = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
+virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual_re, ldap:/etc/postfix/virtual-alias-maps-ldap.cf
 data_directory = /var/lib/postfix
 authorized_submit_users = !/etc/postfix/blocked_users, static:all
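Review bot: The added `virtual_alias_domains` line lists `regexp:/etc/postfix/virtual_re`, so that table's patterns are evaluated against bare domain names when Postfix decides which domains it accepts mail for. This matches the earlier implicit default (`$virtual_alias_maps`), but now that the line is explicit it is worth checking. The contents of `virtual_re` are not visible in this diff; if any pattern is loose enough to match a bare domain, unintended domains would be classed as virtual alias domains. Unless that table is meant to declare domains, consider `virtual_alias_domains = hash:/etc/postfix/virtual, ldap:/etc/postfix/virtual-alias-domains-ldap.cf`. Otherwise add a comment such as `# virtual_re is also consulted with bare domain names; keep its patterns anchored to full addresses`.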
Index: trunk/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf
===================================================================
--- trunk/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf	(revision 1443)
+++ trunk/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf	(revision 1443)
@@ -0,0 +1,21 @@
+# Find any vhost with a name or alias matching the domain of the e-mail
+# address.  We're queried with only the domain portion to determine whether
+# we accept mail at all for a given domain.  If we have no matching vhost
+# and return no records, Postfix will reject mail with a "Relay access denied"
+# error, unless the domain is configured in $mydestination.  We don't match
+# the scripts.mit.edu vhost here because otherwise it'll be treated as a
+# virtual alias domain and once we resolve an address to a scripts account,
+# we'll end up resolving the locker@scripts.mit.edu address to go to the
+# owners of the scripts.mit.edu vhost.  The value we return (if we return
+# anything at all) is supposedly arbitrary.  We choose to return the same
+# value we were queried with (the domain whose mail we host).  Protocol
+# version 3 is necessary to use ldapi.
+
+server_host = ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
+search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))(!(scriptsVhostName=scripts.mit.edu)))
+result_attribute = scriptsVhostName
+result_format = %S
+bind = no
+version = 3
+
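Review bot: The `query_filter` excludes only the vhost named `scripts.mit.edu`, although the header comment notes that local delivery depends on `$mydestination`. Any other `$mydestination` domain that exists in the directory as a `scriptsVhostName` or `scriptsVhostAlias` would be returned here and end up in both address classes. `$mydestination` is not shown in this diff, so this may not occur in practice, but a comment next to the filter would help, e.g. `# keep this exclusion in sync with $mydestination in main.cf`. Separately, `bind = no` makes the lookup anonymous, so access control rests on the permissions of the ldapi socket and the directory's anonymous ACLs; a one-line comment saying so would help the next maintainer.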
Index: trunk/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf
===================================================================
--- trunk/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf	(revision 1443)
+++ trunk/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf	(revision 1443)
@@ -0,0 +1,22 @@
+# Find any vhost with a name or alias matching the domain of the e-mail
+# address.  We're queried with an entire e-mail address, but are only
+# interested in checking whether the domain portion corresponds to a
+# vhost; we'll simply deliver any mail for the vhost to its owner, regardless
+# of the lefthand side of the address.  %d extracts only the domain.
+# We don't match the scripts.mit.edu vhost here because we don't want
+# to first resolve an arbitrary address to a scripts account, and then
+# end up sending their mail to the owners of the scripts.mit.edu vhost.
+# Once we've found the scriptsVhost object corresponding to the domain
+# the e-mail is for, we recursively search the suffix for the vhost's
+# scriptsVhostAccount, and take the uid from that object.  This uid is
+# the name of the locker that owns the vhost.  Protocol version 3 is
+# necessary to use ldapi.
+
+server_host = ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
+search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu)))
+result_attribute = uid
+special_result_attribute = scriptsVhostAccount
+bind = no
+version = 3
+
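Review bot: The `query_filter` matches on either `scriptsVhostName` or `scriptsVhostAlias`, and nothing in this file bounds the number of results. If the directory ever holds two vhosts claiming the same domain (one by name, another by alias), mail for that domain would be delivered to every matching owner. Whether the directory enforces uniqueness across names and aliases is not visible here; adding `expansion_limit = 1` would make an ambiguous match fail with a temporary error instead of fanning out. Also, the returned `uid` is an unqualified name, so the final address depends on Postfix appending `$myorigin`. `result_format = %s@scripts.mit.edu` would make the target explicit, assuming that is the intended domain, as the header comment of virtual-alias-domains-ldap.cf suggests.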
