[Dovecot] different userdb and/or passdb for lmtp and pop3/imap?

Gábor Lénárt lgb at lgb.hu
Wed Sep 5 13:20:26 EEST 2012


Dear All,

I have a somewhat complex question about LDAP-based user/passdb with some twists
caused by the LDAP schema I have to use. It's complex for me at least, since
it's my first time trying to set up any dovecot install which is more than a
"trivial" thing, e.g. for some unix system users.

What I'd like to do:

Users are stored in LDAP with the following schema:

storageMailUid:

  contains the user's uid in x@z format, and it CAN be different from the
  mail address. This value is used to log in (pop3/imap) and to
  get the maildir path (well, home) in the form of /mailstorage/z/x/ regardless
  of the value of the "mail" attribute. If the @z part is missing (I mean
  in the user-supplied login, not in LDAP!), some default value (example.com)
  should be assumed (I guess that's easy: auth_default_realm may be
  enough, isn't it?). It is NOT possible to log in via pop3/imap with mail,
  only with storageMailUid! This storageMailUid can specify a string
  which is not even an existing mail address, of course.

mail:

  contains the user's mail address, or even several mail addresses (there
  can be more mail addresses - more mail LDAP attributes - for
  a single LDAP entry). This attribute cannot be used
  for pop3/imap login, nor does it count towards resolving the maildir path;
  it only matters when a mail is received: the location of the
  user's maildir must be obtained from storageMailUid.

storageMailQuota:

  contains the quota value (in bytes) for the given user, which
  should be enforced when receiving mail or when using IMAP (not
  counting the Trash folder, which has a fixed size for all users
  and must be handled outside of this).

All user maildirs have the same fixed unix UID/GID, which is not stored
in LDAP, but must be configured statically. The "home directory" of the user
is also not stored in LDAP; it must be derived from the storageMailUid LDAP attribute.

Mails are received via LMTP only.

I'd like to use prefetchdb to minimize the number of LDAP lookups (however
I can live without that). I am unsure whether auth_bind is OK, or whether it should not
be used; currently I'd like to play with auth_bind, since it worked well before
on other servers.

I'm totally lost with the user_attrs/pass_attrs to create this kind of configuration.
In case of static userdb, it was easy to set up:

passdb {
        args = /etc/dovecot/dovecot-ldap-passdb.conf
        driver = ldap
}
userdb {
        args = uid=vmail gid=vmail home=/mailstorage/%Ld/%Ln
        driver = static
}

With this, pop3/imap worked (quota was not in scope yet, though),
however LMTP does not ("passdb doesn't support lookups, can't verify user's
existence", which is odd to me, as in my opinion it is userdb that does not
support it).

Please give some suggestions on how to set up userdb and passdb to support
this configuration so that it works with the described scenario. I should also
set iterate_filter and iterate_attrs, I guess, so that some doveadm commands
can work (the -A stuff, I guess).

I am also not sure whether the auth service should be used or not (I mean any
extra configuration related to it): since I want LMTP, not LDA, I guessed I don't need
it, but I am not sure.

I am also confused, because on receiving a mail (via LMTP) a different
kind of LDAP lookup is needed: then the mail attribute must be searched, but it is a
storageMailUid-based lookup in the case of pop3 or imap login ... Is it
possible to give a different userdb/passdb for lmtp and for pop3/imap?

In theory it's even possible to have x@example.com as mail and y@example.com
as storageMailUid for one user, and the opposite for another, so lookups
cannot be done together for mail and storageMailUid.

The LDAP schema and the rest of the system work this way; changing them is not an option.

Any help is greatly welcomed.

Thanks a lot in advance,

Gábor
