We're investigating the possibility of migrating our mail system from Sendmail+Cyrus to Sendmail+Dovecot.
The system must use authentication against Windows AD (supposedly using LDAP) and must use virtual hosting.
So far we have managed to work around a bug reported in [1], and IMAP/POP3 authentication on LDAP works OK. LDAP auth is set up using binds (Cyrus and Ejabberd authenticate against the same LDAP server without problems). As we use virtual users, userdb is set to "static" in the standard way:
userdb static { args = uid=10513 gid=10513 home=/var/local/dovecot/%u }
After verifying that IMAP/POP3 authentication works, I've set up the Dovecot LDA to deliver mail for domain users. This exposed another problem which I don't understand: the delivery program tries to figure out whether the user exists (which is perfectly sensible); it talks to the "master" authentication process, which seemingly uses the passdb backend to search LDAP. But this fails with the message "passdb doesn't support lookups, can't verify user's existence".
[2] suggests it's auth binds that prevent this scheme from functioning correctly, but we can't stop using auth binds, as Windows AD doesn't store users' passwords in any way sensible for external consumption. This would also pose an unnecessary security risk to the domain, as the account used for the initial binding would have to have rights to read passwords, and its credentials are placed in the Dovecot configuration file in clear text.
I read about "allow_all_users" in [3], but our Sendmail doesn't check whether the target user exists, and we don't want to implement this there, as it logically pertains to the program which actually manages users' mailboxes -- Dovecot in our case.
Is there a way to solve the problem at hand within the specified constraints?
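As an added illustration (not from the post above and not a Dovecot project file), one configuration shape that keeps auth binds for the passdb while giving the LDA its own userdb lookup through a read-only search account, so no account able to read passwords ever appears in the config. It is written in Dovecot 2.x syntax rather than the 1.x style used in the post; the hostname, base DN, service account, file paths and the assumption that the login name %u is the user's AD UPN (user@domain) are all placeholders.

```conf
# /etc/dovecot/dovecot-ldap.conf.ext -- passdb only (constructed example)
hosts = ad.example.local            # assumed domain controller
base = dc=example,dc=local          # assumed search base
# Authenticate by binding as the user; Dovecot never sees or stores a password hash.
auth_bind = yes
# Build the bind DN from the login name (AD accepts UPN-style user@domain binds),
# so the passdb needs no search account at all.
auth_bind_userdn = %u

# /etc/dovecot/dovecot-ldap-userdb.conf.ext -- userdb only (constructed example)
hosts = ad.example.local
base = dc=example,dc=local
# Separate low-privilege account used solely to look up whether a recipient exists.
# It only needs read access to user objects, so the clear-text dnpass in this file
# does not expose any credential material.
dn = cn=dovecot-search,ou=service,dc=example,dc=local
dnpass = PLACEHOLDER_READ_ONLY_PASSWORD
# Existence check for the LDA: match the recipient address against the UPN.
user_filter = (&(objectClass=user)(userPrincipalName=%u))
# Static uid/gid/home for virtual users, mirroring the userdb static line above.
user_attrs = =uid=10513,=gid=10513,=home=/var/local/dovecot/%u

# /etc/dovecot/conf.d/auth-ldap.conf.ext -- wire the two files up
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}
```

The separate userdb file is what lets "deliver" verify a recipient without the passdb having to support lookups; the search account should be restricted in AD to reading user objects and nothing more.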