Postfix + Dovecot SASL – Need catch all with virtual users

Tags: dovecot, postfix, sasl

I have a Postfix instance using SASL with Dovecot for authentication. I am using virtual_alias_maps for some address rewriting, but I'm unable to use a catch all definition (@domain newaddress) as Postfix matches that before doing any sort of authentication with Dovecot.

Dovecot and Postfix are using my AD server as a backend for users/groups/etc.

I've been through all of the relevant Postfix documentation for virtual aliases, maps, etc. and I can't figure this out. Does anyone know how I can implement a catch-all address for emails sent to my domain for which I don't have an account/group in AD for Dovecot to match against?

EDIT:

CONFIGURATION EXCERPTS:

proxy_read_maps = $local_recipient_maps, $mydestination, $virtual_alias_maps, $virtual_mailbox_maps, $virtual_mailbox_domains, $relay_recipient_maps, $relay_domains, $canonical_maps, $sender_canonical_maps, $recipient_canonical_maps, $relocated_maps, $transport_maps, $mynetworks, $virtual_sender_maps, $admins_only, $protected_destinations
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
virtual_sender_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf
virtual_alias_maps = proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf,hash:/etc/postfix/virtual

#SASL Stuff
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = DOMAIN.COM
smtpd_client_restrictions = permit_mynetworks,permit
smtpd_recipient_restrictions = check_recipient_access $protected_destinations permit_mynetworks permit_auth_destination permit_sasl_authenticated reject_unauth_destination
smtpd_sender_login_maps = $virtual_sender_maps

I guess what I want to know, is there either 1) an accepted way of doing this, or 2) a way to change the order in which postfix checks the maps?

Best Answer

1) An acceptable way to implement a spam-catcher: there isn't one.

Accepting spam (with the large likelihood that it will later be bounced and hence make you a backscatter producer) is not acceptable, period.
Instead, configure your system to accept the right messages only, by using valid recipient lists, such as those you have in LDAP.

If you absolutely must accept invalid recipients, make sure you never bounce anything sent to invalid addresses.
The onus is on you to make sure no backscatter spam gets out; additionally, this may cause your system to be blacklisted and hence curtail your ability to send mail at all.

2) Changing the order postfix processes maps: no, this is not possible, since each map has a specific (and different) purpose.
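
An audit for the situation discussed above, as an added example that is not part of the original question or answer: it parses main.cf text, follows virtual_alias_maps to the file-based maps, and reports wildcard (@domain) entries and a disabled unlisted-recipient check, both of which let mail for nonexistent recipients past the SMTP stage. The sample configuration, the map contents and the catchall@domain.com target are constructed for illustration.

```python
import re

# Constructed sample inputs modelled on the question's excerpts (not real files).
MAIN_CF = """\
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
virtual_alias_maps = proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf,
    hash:/etc/postfix/virtual
"""
VIRTUAL_MAP = """\
# constructed /etc/postfix/virtual
postmaster@domain.com   admin@domain.com
@domain.com             catchall@domain.com
"""

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous parameter."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def catch_all_entries(map_text):
    """Return (domain, target) for each '@domain target' line of a virtual(5) map."""
    entries = []
    for line in map_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].startswith("@"):
            entries.append((fields[0][1:].lower(), fields[1].strip()))
    return entries

def audit(main_cf, map_files):
    """map_files: {path: file text} for file-based maps; LDAP maps are skipped."""
    params, findings = parse_main_cf(main_cf), []
    for ref in re.split(r"[,\s]+", params.get("virtual_alias_maps", "")):
        path = ref.rsplit(":", 1)[-1]
        for domain, target in catch_all_entries(map_files.get(path, "")):
            # Wildcard alias: every address in the domain counts as a known recipient.
            findings.append(f"{path}: catch-all @{domain} -> {target}")
    if params.get("smtpd_reject_unlisted_recipient", "yes").lower() == "no":
        findings.append("smtpd_reject_unlisted_recipient = no")
    return findings
```

An empty result from audit() means no file-based catch-all was found; entries served from LDAP have to be checked against the directory itself.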