Different realm for different listeners?
I see this has been asked a few times over the years (but not in several years), and the response was along the lines of "maybe someday", so I figured I'd see if someday was here yet...
I have a need to have a different default realm for different listeners. Basically, I've a bunch of different domains, and a few of them insist their users not be required to authenticate with "user@domain" and just use "user", and I'm trying to make this work without separate daemons and/or VMs.
I'll be using Dovecot 2.2 (most likely 2.2.10 as provided by RHEL/CentOS 7).
Thanks. If there's not a way to do this directly in Dovecot, does anybody have any suggestion that doesn't require several different VMs?
Chris Adams <cma@cmadams.net>
On 10-03-15 18:20, Chris Adams wrote:
I see this has been asked a few times over the years (but not in several years), and the response was along the lines of "maybe someday", so I figured I'd see if someday was here yet...
I have a need to have a different default realm for different listeners. Basically, I've a bunch of different domains, and a few of them insist their users not be required to authenticate with "user@domain" and just use "user", and I'm trying to make this work without separate daemons and/or VMs.
I'll be using Dovecot 2.2 (most likely 2.2.10 as provided by RHEL/CentOS 7).
Thanks. If there's not a way to do this directly in Dovecot, does anybody have any suggestion that doesn't require several different VMs?
You could drop the default realm completely, and create a second passdb lookup which uses only the username part to lookup credentials. This means that, as long as you have no conflicts as usernames 'john@foo.com' vs 'john@bar.com', you'd be able to support username 'john'.
When you're able to use the password in your sql WHERE statement [1] too, you could even work around that, because you'd only have mismatches when 'john@foo.com' and 'john@bar.com' have the same passphrase.
[1] http://wiki2.dovecot.org/AuthDatabase/SQL#Password_verification_by_SQL_serve...
Tom
On Tuesday 10 March 2015 18:38:40 Tom Hendrikx wrote:
On 10-03-15 18:20, Chris Adams wrote:
I see this has been asked a few times over the years (but not in several years), and the response was along the lines of "maybe someday", so I figured I'd see if someday was here yet...
I have a need to have a different default realm for different listeners. Basically, I've a bunch of different domains, and a few of them insist their users not be required to authenticate with "user@domain" and just use "user", and I'm trying to make this work without separate daemons and/or VMs.
I'll be using Dovecot 2.2 (most likely 2.2.10 as provided by RHEL/CentOS 7).
Thanks. If there's not a way to do this directly in Dovecot, does anybody have any suggestion that doesn't require several different VMs?
You could drop the default realm completely, and create a second passdb lookup which uses only the username part to lookup credentials. This means that, as long as you have no conflicts as usernames 'john@foo.com' vs 'john@bar.com', you'd be able to support username 'john'.
Well, I think "conflict" is the keyword here. Everybody wants an e-mail address called "contact" or "office" :)
When you're able to use the password in your sql WHERE statement [1] too, you could even work around that, because you'd only have mismatches when 'john@foo.com' and 'john@bar.com' have the same passphrase.
[1] http://wiki2.dovecot.org/AuthDatabase/SQL#Password_verification_by_SQL_server
Tom
-- Mihai Bădici http://mihai.badici.ro
Once upon a time, Tom Hendrikx <tom@whyscream.net> said:
You could drop the default realm completely, and create a second passdb lookup which uses only the username part to lookup credentials. This means that, as long as you have no conflicts as usernames 'john@foo.com' vs 'john@bar.com', you'd be able to support username 'john'.
The domains I need to handle are separate telephone company ISPs, so they all want common things like "sales", so that won't work.
All my users are in MySQL. Reading the docs, I see that "%l" expands to the local IP address "almost everywhere". If that's available in the userdb SQL expansion, I could write a (somewhat convoluted) SQL statement that adds a domain based on the local IP. Does that sound like it'll work? Not quite as "elegant" as just setting auth_default_realm in separate listeners, but should work I guess.
-- Chris Adams <cma@cmadams.net>
Once upon a time, Chris Adams <cma@cmadams.net> said:
All my users are in MySQL. Reading the docs, I see that "%l" expands to the local IP address "almost everywhere". If that's available in the userdb SQL expansion, I could write a (somewhat convoluted) SQL statement that adds a domain based on the local IP. Does that sound like it'll work? Not quite as "elegant" as just setting auth_default_realm in separate listeners, but should work I guess.
Just a follow-up for the archives: this worked. This is my MySQL password_query:
# %u is the login as typed, %d its domain part (empty when the user typed a
# bare name), %l the local IP the client connected to. A bare name is mapped
# to the realm of the listener it arrived on; a login that already carries a
# domain is looked up unchanged.
password_query = \
  SELECT username AS user, password, \
    concat('/srv/mail/', maildir) AS userdb_home, 1000 AS userdb_uid, \
    1000 AS userdb_gid \
  FROM mailbox WHERE active = 1 AND username = CASE \
    WHEN '%d' <> '' THEN '%u' \
    WHEN '%l' = '10.0.9.73' THEN '%u@domain1.com' \
    WHEN '%l' = '10.0.9.74' THEN '%u@domain2.net' \
    ELSE '%u' END
-- Chris Adams <cma@cmadams.net>
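As an added illustration (not code from the thread), the CASE logic of the password_query above run against a constructed SQLite table, with a small emulation of Dovecot's %-variable expansion and SQL escaping. The mailbox rows, listener IPs and the `lookup`/`expand` helpers are assumptions made for the example; MySQL's concat() is written as SQLite's `||`.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Constructed sample mailbox table: two ISP domains that both want a "sales" user.
MAILBOX_ROWS = [
    ("sales@domain1.com", "{PLAIN}pw1", "domain1.com/sales/", 1),
    ("sales@domain2.net", "{PLAIN}pw2", "domain2.net/sales/", 1),
    ("bob@domain2.net",   "{PLAIN}pw3", "domain2.net/bob/",   0),  # deactivated
]

# The posted password_query, with MySQL concat() written as SQLite's ||.
PASSWORD_QUERY = """
SELECT username AS user, password,
       '/srv/mail/' || maildir AS userdb_home, 1000 AS userdb_uid,
       1000 AS userdb_gid
FROM mailbox WHERE active = 1 AND username = CASE
    WHEN '%d' <> '' THEN '%u'
    WHEN '%l' = '10.0.9.73' THEN '%u@domain1.com'
    WHEN '%l' = '10.0.9.74' THEN '%u@domain2.net'
    ELSE '%u' END
"""

_VAR = re.compile(r"%[undl]")


def build_db() -> sqlite3.Connection:
    """Create the in-memory mailbox table used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT, password TEXT, maildir TEXT, active INTEGER)")
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?)", MAILBOX_ROWS)
    return conn


def expand(query: str, login: str, local_ip: str) -> str:
    """Emulate Dovecot's expansion of %u, %n, %d and %l in a single pass.

    %u is the login as typed, %n/%d its local and domain parts, %l the local
    (listener) IP. Dovecot escapes each value for the SQL driver; doubling the
    single quote is SQLite's form of that escaping.
    """
    local, _, domain = login.partition("@")
    values = {"%u": login, "%n": local, "%d": domain, "%l": local_ip}
    return _VAR.sub(lambda m: values[m.group(0)].replace("'", "''"), query)


def lookup(conn: sqlite3.Connection, login: str, local_ip: str) -> Optional[Tuple[str, str]]:
    """Return (canonical user, userdb_home) for a login on a listener, or None."""
    row = conn.execute(expand(PASSWORD_QUERY, login, local_ip)).fetchone()
    return (row[0], row[2]) if row else None
```

A bare "sales" resolves to a different mailbox depending on the listener IP, an explicit domain is honoured regardless of listener, and a bare name on an unmapped listener or a deactivated account yields no row.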