ldap: allow local accounts and aliases with ldap enabled

In conflicts between local addresses and LDAP addresses the local one
will always take priority in mail routing.

This is something we now document and guarantee through tests.

docs/ldap.rst

@@ -40,15 +40,25 @@ follow best practices to simplify maintenance.
 Limitations
 ~~~~~~~~~~~
 
-We have various assertions in place, that prevent using LDAP together with
-other features. Most of them are not technical limitations per se, but instead
-lack configuration or validation.
+Design choices
+^^^^^^^^^^^^^^
 
-- Local users (:option:`mailserver.loginAccounts`) and aliases
-  (:option:`mailserver.extraVirtualAliases`) are not currently allowed with
-  :option:`mailserver.ldap.enable` enabled
-- Aliases based on LDAP attributes are currently not implemented
-- Quotas based on LDAP attributes are currently not implemented
+These are intentional choices in how the mail server operates that affect the
+LDAP integration.
+
+- For mail address routing local accounts always take priority over LDAP accounts.
+
+Planned
+^^^^^^^
+
+These are features we are interested in but require implementation,
+documentation and tests.
+
+- Aliases based on LDAP attributes
+- Quotas based on LDAP attributes
+
+Avoided
+^^^^^^^
 
 The following features will likely never be implemented, since they would
 complicate the setup significantly.
@@ -58,7 +68,9 @@ complicate the setup significantly.
 - Use of ``homeDirectory``, ``uid``, ``gid`` LDAP attributes (we are
   committed to a virtual setup with one vmail user/uid/gid and UUID based home
   directories)
-
+- Declarative aliases through :option:`mailserver.extraVirtualAliases`. These
+  are limited to local accounts, because Postfix enforces sender ownership based
+  on login identity and does not consult virtual aliases for authorization.
 
 Enabling LDAP support
 ~~~~~~~~~~~~~~~~~~~~~