[Dovecot] lda+ldap multiple users

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Fri Feb 14 11:07:00 UTC 2014


On Fri, 14 Feb 2014, matthias lay wrote:

> On 02/14/2014 08:27 AM, Steffen Kaiser wrote:
>> On Fri, 7 Feb 2014, matthias lay wrote:
>> 
>>> I experienced that if a mail address matches several users the delivery is 
>>> aborted.
>>> 
>>> ----------------
>>> dovecot: auth: Error: ldap(christian.test at securepoint.de): LDAP search 
>>> returned multiple entries
>>> dovecot: auth: ldap(christian.test at securepoint.de): unknown user
>>> dovecot: lda: Error: user christian.test at securepoint.de: Auth USER lookup 
>>> failed
>>> -----------------
>>> 
>>> Now my question: is there a way to have a mail like that delivered to all 
>>> users that match the lookup?
>>> Haven't found anything in the docs.
>> 
>> This is a job of your MTA.
>
> MTA is qmail and doesn't know anything about users. Dovecot uses usernames for 
> mailboxes. Let's say
>
> /var/mail/userA/Maildir
> /var/mail/userB/Maildir
>
> Both users have mailaddr XY at example.com mapped in Active Directory. Now when 
> mails arrive lda is called like
>
> dovecot-lda -d XY at example.com -m INBOX
>
> and there's my problem.

You have implicitly created mail aliases for your users. qmail has to 
resolve this alias "XY" into the users A and B.

You could wrap your call to the Dovecot LDA by a script resolving the 
aliases somehow, e.g.:

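#!/bin/bash

# private temporary file with an unpredictable name (75 = EX_TEMPFAIL)
tmpf=$(mktemp /tmp/split.XXXXXX) || exit 75
# save the message in case we have multiple recipients
cat - >"$tmpf"
# look up every account that owns the address; $1 goes into the filter as-is
ldapsearch "mailtarget=$1" samaccountname | \
  awk '$1 == "sAMAccountName:" { print $2 } ' | \
   while read -r uid; do
    # "....." stands for the remaining dovecot-lda arguments
    dovecot-lda -d "$uid" ..... < "$tmpf"
    rc=$?
    # stop at the first failed delivery
    if test $rc -gt 0; then
     exit $rc
    fi
   done
# the loop runs in a subshell of the pipeline, so pick up its exit status here
rc=$?
rm -f "$tmpf"
exit $rc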

Adjust the LDAP query, the attribute names and the call to the MDA.

This is not really nice, because you cannot handle individual problems, 
e.g. what shall happen if delivery to userB fails? Shall userA get the 
message, shall delivery to userA succeed, but be retried to userB?
Currently the first error is returned to qmail and probably one user gets 
the same message again and again, because of a problem of another user's 
mailbox. You could return $rc at the very end, then qmail gets the success 
status of the delivery attempt to the last user.

I wouldn't do such stuff in a non-private environment.

-- 
Steffen Kaiser
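
A hardened variant of the wrapper, as an added example that is not part of the original message: it escapes the address before it enters the LDAP filter, creates the spool file with mktemp, and records which accounts already received the message, so a retry after a failure for userB does not deliver to userA again. LDAP_CMD, LDA_CMD, STATE_DIR and its default path are hypothetical names; sha256sum is assumed to be installed, and the MTA is assumed to hand over identical message bytes on every retry.

```sh
#!/bin/sh
# Added example, not code from the thread. LDAP_CMD, LDA_CMD and STATE_DIR are
# hypothetical knobs; mailtarget/sAMAccountName are the attributes used in the post.

# Escape RFC 4515 filter metacharacters so the address stays a plain value.
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print one account name per line for a mail address.
resolve_users() {
    ${LDAP_CMD:-ldapsearch} "(mailtarget=$(ldap_escape "$1"))" sAMAccountName |
        awk '$1 == "sAMAccountName:" { print $2 }'
}

# deliver_all ADDRESS [LDA arguments...], message on stdin.
# Returns 0 once every account has the message, else 75 (EX_TEMPFAIL).
deliver_all() {
    addr=$1; shift
    tmpf=$(mktemp) || return 75             # unpredictable name, mode 0600
    cat >"$tmpf"
    users=$(resolve_users "$addr")
    # State file keyed by message digest: lists accounts already served.
    state="${STATE_DIR:-/var/spool/lda-split}/$(sha256sum <"$tmpf" | cut -d' ' -f1)"
    if [ -z "$users" ] || ! touch "$state"; then
        rm -f "$tmpf"; return 75            # no match, LDAP or state problem: retry
    fi
    failed=0
    while IFS= read -r uid; do
        grep -qxF -- "$uid" "$state" && continue    # served on an earlier attempt
        if ${LDA_CMD:-dovecot-lda} -d "$uid" "$@" <"$tmpf"; then
            printf '%s\n' "$uid" >>"$state"
        else
            failed=$((failed + 1))
        fi
    done <<EOF
$users
EOF
    rm -f "$tmpf"
    [ "$failed" -eq 0 ] || return 75        # someone is still missing the message
    rm -f "$state"                          # all served: forget the state
}

# Act as the wrapper only when called with arguments (address first).
if [ "$#" -gt 0 ]; then deliver_all "$@"; exit $?; fi
```

An empty lookup result is treated as a temporary failure because the pipeline cannot tell "no such address" from an unreachable directory server.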