On Fri, Aug 23, 2013 at 03:01:52PM +0100, Rowland Penny wrote:

> dn: CN=albert,CN=Users,DC=example,DC=com
> otherMailbox: alb...@example.com
> otherMailbox: alb...@domain1.com
> otherMailbox: alb...@domain2.com
>
> The only problem that I have found is, any LDAP search with
> 'result_attribute = otherMailbox' fails, in that it returns with all
> of the 'otherMailbox' attributes, so postfix would then try to
> deliver the email to all the mail addresses.

This is correct behaviour, Postfix works as designed, and many other users of LDAP rely on this behaviour.

> Now I know that assumed wisdom is to use a single-value attribute
> such as 'mail' but this would mean that any mail for a user would
> end up in just one mailbox and sort of defeats the object of having
> multiple email addresses.

Correct, mail for a user goes to a fixed mailbox or set of mailboxes. You decide whether you want one or many.

> Can I please propose a solution ;-) or in other words, can I please
> ask for an enhancement.

The meaning of multi-valued attributes in LDAP searches is unlikely to change.

> The LDAP search works but it is returning with any 'otherMailbox'
> attributes it finds, even if most of them have nothing to do with the
> domain that was included in the search (%d).

The search was looking up a group with a particular address. It is a mistake to impute any other meaning to the domain part of the group email address.

> So my suggestion would be to add another switch to 'result_format',
> 'AD' for instance, if this switch is turned on (result_format = %AD)
> then any result the LDAP search returns is passed through another
> filter which removes any addresses where the domain does not match
> the original search domain.

Sorry, this is an ad-hoc hack to support a misguided interpretation of group membership. No such feature is remotely likely. I suggest you rethink your design.

--
Viktor.