In case this helps others, here's what I ended up doing. Disclaimer: Sendmail LDAP configuration is notoriously tricky and loosely documented. Please comment if you know a better way (ahem, adding Sendmail LDAP alias maps would make the partial solution complete).
We run Zimbra behind a Sendmail edge MTA. Sendmail is the mail exchanger and relays all mail to/from the internet.
To configure Sendmail on the edge MTA to verify email addresses against Zimbra's LDAP directory.
I solved this using Sendmail's "LDAP Routing" feature with custom LDAP map definitions. See below for why this is only a partial solution.
Add the following lines to Sendmail's sendmail.mc:
dnl LDAP ROUTING
define(`confLDAP_DEFAULT_SPEC', ` -w 3 -h zimbra.example.com -b ou=people,dc=example,dc=com')dnl
dnl ---> There's LDAP trickery here in the -v return value... Users have the zimbraMailHost attribute,
dnl ---> while distribution lists and aliases have the zimbraMailAlias attribute.
FEATURE(`ldap_routing',`ldap -1 -T<TMPF> -v zimbraMailHost -k (|(zimbraMailAlias=%0)(mail=%0))',`ldap -1 -T<TMPF> -v zimbraMailAlias -k (|(zimbraMailAlias=%0)(mail=%0))',`bounce',`preserve',`tempfail')dnl
I've discovered one scenario in which this solution fails. Multiple aliases for a given Zimbra account will not be visible to sendmail using the above configuration and will generate a "User unknown" response from Sendmail. For example, if a Zimbra account "JohnDoe@example.com" exists and has two or more mail aliases, say "firstname.lastname@example.org" and "email@example.com", external email to either jd or johnny will be rejected by the Sendmail edge MTA as "user unknown". Mail to JohnDoe will be accepted as normal.
On the other hand, if user "JaneDoe@example.com" has only one mail alias, say "firstname.lastname@example.org", external mail to the alias will be accepted correctly.
WHY THE FAILURE?
Sendmail expects the ldap query to return only one value for a given attribute. When a user has multiple aliases, the LDAP attribute zimbraMailAlias has multiple values, causing the sendmail ldap map to return "false". This behavior is supposed to be controlled by the "-1" flag to ldap (shown above as "ldap -1 -T..."). However, removing the -1 flag did not fix this problem in my tests.
Use distribution lists instead of mail aliases in Zimbra.
I'm not sure.... maybe configure Sendmail LDAP aliases?