[Dovecot] how to separate virtual delivery and authentication?

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Tue Jan 7 10:00:15 EET 2014

On Mon, 30 Dec 2013, Mihai Badici wrote:

> I have a "pure ldap" setting with postfix and dovecot.
> When using dovecot delivery, the recipient is checked via ldap.
> The same ldap query is used when authenticating.
> So, if I want to authenticate with the uid, I can't use a filter like uid=%u
> because the delivery will fail. I don't want to use %n or something else
> because I could use multiple e-mail addresses on a single account.
> I actually use a filter like ( mail=%u)|(uid=%u) but I think for more complex
> situations it should be better to have two separate filters, one for
> authentication and the other for the delivery. What is your opinion?

There are two filters already:

1) the passdb filter
which is used to find users during authentication

2) the userdb filter
which is used to get the information about users, e.g. after auth and for 

The responses of both queries are cached, too.

Where / how would you like to have another filter? What is to get better?

If you want to make the LDAP search more efficient, you could add another
LDAP attribute, index it, & add all writings of the users there, e.g.:

dn: uid=user, ....
uid: user
mail: forename.surname at example.com
maildrop: user
maildrop: user at host.sub.example.org
maildrop: forename.surname at example.com
maildrop: forename.surname at example2.com
maildrop: forename.oldsurname at example.com
maildrop: alias at part.aliasdomain.net

However, the values of maildrop must be unique among all users.

The passdb filter uses uid only, userdb uses maildrop only.

-- 
Steffen Kaiser
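
Added example, not part of the original message or of Dovecot: a small audit of the uid/maildrop layout described above, showing that a passdb filter on uid and a userdb filter on maildrop resolve independently, and flagging maildrop values claimed by more than one entry. The sample LDIF, the DNs and the case-insensitive matching are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample LDIF (made-up users) using the uid/maildrop layout above.
SAMPLE_LDIF = """\
dn: uid=user,ou=people,dc=example,dc=org
uid: user
maildrop: user
maildrop: forename.surname@example.com
maildrop: alias@part.aliasdomain.net

dn: uid=other,ou=people,dc=example,dc=org
uid: other
maildrop: other
maildrop: Alias@Part.AliasDomain.net
"""

def parse_ldif(text):
    """Parse simple, unfolded 'attr: value' LDIF into a list of dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def search(entries, attr, value):
    """Emulate an equality filter (attr=value); matching is case-insensitive (assumption)."""
    want = value.lower()
    return [e["dn"][0] for e in entries if want in (v.lower() for v in e.get(attr, []))]

def passdb_lookup(entries, login):      # corresponds to pass_filter = (uid=%u)
    return search(entries, "uid", login)

def userdb_lookup(entries, recipient):  # corresponds to user_filter = (maildrop=%u)
    return search(entries, "maildrop", recipient)

def duplicate_maildrops(entries):
    """Return {maildrop value: [DNs]} for values claimed by more than one entry."""
    owners = defaultdict(set)
    for e in entries:
        for v in e.get("maildrop", []):
            owners[v.lower()].add(e["dn"][0])
    return {v: sorted(dns) for v, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("login by uid:     ", passdb_lookup(entries, "user"))
    print("login by address: ", passdb_lookup(entries, "forename.surname@example.com"))
    print("delivery lookup:  ", userdb_lookup(entries, "forename.surname@example.com"))
    print("duplicate maildrop:", duplicate_maildrops(entries))
```

A non-empty result from `duplicate_maildrops` means a userdb lookup for that address matches more than one account, which is the uniqueness violation the message warns about.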