[Dovecot] Virtual users, local delivery via LDA and LDAP troubles

Konstantin Khomoutov flatworm at users.sourceforge.net
Tue May 19 20:31:44 EEST 2009


We're investigating the possibility to migrate our mail system from 
Sendmail+Cyrus to Sendmail+Dovecot.

The system must use authentication against Windows AD (supposedly using 
LDAP) and must use virtual hosting.

So far we managed to work around a bug reported in [1], and IMAP/POP3 
authentication on LDAP works OK.
LDAP auth is set up using binds (Cyrus and Ejabberd authenticate against 
the same LDAP server without problems).
As we use virtual users, userdb is set to be "static" in a standard way:

userdb static {
   args = uid=10513 gid=10513 home=/var/local/dovecot/%u
}

After verifying IMAP/POP3 authentication works, I've set up the Dovecot 
LDA to deliver mail for domain users.
This exposed another problem which I don't understand: the delivery 
program tries to figure out whether the user exists (which is perfectly 
sensible), it talks to the "master" authentication process which 
seemingly uses passdb backend to search LDAP. But this fails with the 
message "passdb doesn't support lookups, can't verify user's existence".

[2] suggests it's auth binds that prevent this scheme from functioning 
correctly, but we can't stop using auth binds as Windows AD doesn't 
store users' passwords in any way sensible for external consumption. 
This would also pose an unnecessary security risk on the domain, as the 
account used for initial binding would have to have rights to read 
passwords, and its credentials are placed in the Dovecot configuration 
file in clear text.

I read about "allow_all_users" in [3], but our Sendmail doesn't check 
whether the target user exists and we don't want to implement this as it 
logically pertains to the program which actually manages users' 
mailboxes -- Dovecot in our case.

Is there a way to solve the problem at hand within the specified 
constraints?

1. http://dovecot.org/pipermail/dovecot/2009-May/039540.html
2. http://www.mail-archive.com/dovecot@dovecot.org/msg09449.html
3. http://www.mail-archive.com/dovecot@dovecot.org/msg08848.html
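For readers following the thread, the configuration shape being discussed is the one below: an auth-bind LDAP passdb (no search account, so no clear-text search password in the config) next to the static userdb from the post, with `allow_all_users=yes` added so that the LDA no longer asks the passdb to confirm the user exists. This is an added illustration, not configuration from the original post or from the Dovecot project; it uses Dovecot 1.2-era syntax, keeps only the uid/gid and home path from the post, and the LDAP host, base DN and the `cn=%u,cn=Users` DN template are placeholders that would need to match the real directory.

```conf
# /etc/dovecot/dovecot.conf (fragment) -- added example, not from the post.
# Authenticate by binding to LDAP as the user; no password attribute is ever read.
passdb ldap {
  args = /etc/dovecot/dovecot-ldap.conf
}

# Virtual users: fixed uid/gid and a per-user home, as in the post.
# allow_all_users=yes makes deliver (the LDA) skip the passdb lookup that an
# auth-bind passdb cannot answer ("passdb doesn't support lookups").
userdb static {
  args = uid=10513 gid=10513 home=/var/local/dovecot/%u allow_all_users=yes
}

# /etc/dovecot/dovecot-ldap.conf (fragment) -- host, base and DN template are placeholders.
hosts = ad.example.com
base = dc=example,dc=com
auth_bind = yes
# With auth_bind_userdn set, the bind DN is built directly from the login name,
# so no search account (dn/dnpass) and no stored credential are required.
auth_bind_userdn = cn=%u,cn=Users,dc=example,dc=com
```

Two consequences worth keeping in mind: with `allow_all_users=yes` the LDA accepts any local part and creates a mailbox directory for it, so the "does this user exist" check effectively moves to whatever sits in front of Dovecot, and the file `dovecot-ldap.conf` should still be root-owned and unreadable to others, since any later change that adds a search account would put its password there.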



More information about the dovecot mailing list