[Dovecot] different userdb and/or passdb for lmtp and pop3/imap?
Dear All,
I have a bit complex question about ldap based user/passdb with some twists caused by the LDAP schema I have to use. It's complex for me at least, since it's my first time to try to setup any dovecot install which is more than a "trivial" thing eg for some unix system users.
What I'd like to do:
Users are stored in LDAP with the following schema:
storageMailUid:
contains user's uid in x@z format, and it CAN be different than mail address. This value is used to login (pop3/imap) and to get the maildir path (well, home) in the form of /mailstorage/z/x/ regardless of the value of the "mail" attribute. If @z part is missing (I mean the user supplied login, not the LDAP!), some default value (example.com) should be treated (I guess that's easy: auth_default_realm may be enough, isn't it). It is NOT possible to login via pop3/imap with mail, only with storageMailUid! This storageMailUid can specify a string which is not even an existing mail address, of course.
mail:
contains user's mail address, or even mail addresses (there can be more mail addresses - more mail ldap attributes - for a single ldap entry). This attribute cannot be used for pop3/imap login, neither it counts to resolve the maildir path, it only counts when a mail is received: the location of the user's maildir must be got from storageMailUid.
storageMailQuota:
it contains the quota value (in bytes) for the given user, which should be enforced on receiving mail, or by using IMAP (not counting the Trash folder which is a fixed size for all users and it must be handled outside of this).
All user maildirs have the same fixed unix UID/GID, which is not stored in LDAP, but must be configured statically. "Home directory" of the user is also not stored in LDAP, it must be got from storageMailUid LDAP parameter.
Mails are received via LMTP only.
I'd like to use prefetchdb to minimalize the amount of LDAP lookups (however I can live without that). I am unsure if auth_bind is OK, or it should not be used, currently I'd like to play with auth_bind, since it worked before on other servers well.
I'm totally lost with the user_attrs/pass_attrs to create this kind of configuration. In case of static userdb, it was easy to set up:
passdb { args = /etc/dovecot/dovecot-ldap-passdb.conf driver = ldap } userdb { args = uid=vmail gid=vmail home=/mailstorage/%Ld/%Ln driver = static }
With this, pop3/imap worked (quota was not of the scope yet, though), however lmtp is not ("passdb doesn't support lookups, can't verify user's existence" which is odd for me, as userdb does not support it in my opinion).
Please, give some suggestion how to set up userdb and passdb to support this configuration which works with the described scenario. I should also set iterate_filter and iterate_attrs I guess, so some doveadm commands can work then (-A stuffs, I guess).
I am also not sure if auth service should be used or not (I mean extra configuration related): since I want LMTP not LDA, I guessed I don't need it, but I am not sure.
I am also confused, because on receiving a mail (via LMTP) different kind of LDAP lookup is needed: then mail must be searched, but it's storageMailUid based lookup in case of pop3 or imap login ... Is it possible to give different userdb/passdb for lmtp and pop3/imap?
In theory it's even possible to have x@example.com as mail and y@example.com as storageMailUid for one user, and the opposite for the another, so lookups cannot be done together for mail and storageMailUid.
The LDAP schema/rest of the system works this way, not an option to change.
Any help is greatly welcomed.
Thanks a lot in advance,
Gábor
Hi Again,
On Wed, Sep 05, 2012 at 12:20:26PM +0200, Gábor Lénárt wrote: [...]
I am also confused, because on receiving a mail (via LMTP) different kind of LDAP lookup is needed: then mail must be searched, but it's storageMailUid based lookup in case of pop3 or imap login ... Is it possible to give different userdb/passdb for lmtp and pop3/imap?
Ok, after some "serious" google usage, I found a message in the mail list archive, that it helps to put userdb/passdb section inside the protocol specific part of the configuration. So I have something now like this:
protocol pop3 { [...] } protocol imap { [...] } protocol lmtp { [...] passdb { [...] } userdb { [...] } } passdb { [...] } userdb { [...] }
I have the idea, that in this way, lmtp should use dbs specified in the lmtp specific protocol settings, any other stuffs will use the settings at the "root level" of the configuration (this also includes iteration specific filter).
However eg if I try to deliver a mail through lmtp in this way to a non-existing mail user, I can see in the logs, that lmtp after trying the specific dbs, it will also try the "global" ones, which is not good for me, as it can cause mis-deliveries instead of rejecting (as I have "some@thing" formatted %u for both of uid and mail but often they are not the same for the same user).
I would be able to put db specifications into pop3 and imap (so not "global" configuration for them) but I guess in this case other services may (?) fail, like doveadm stuffs with CLI swtich -A (or am I wrong here?). Also it's not as nice, since then I must duplicate the same db specifications in both of imap and pop3 protocol specification parts of the configuration even they are the very same.
Is there any idea to fix this little problem and/or a suggestion to solve my problem in a more elegant way than I tried to do?
Thanks a lot in advance.
- Gábor
participants (1)
-
Gábor Lénárt