[Dovecot] lda+ldap multiple users

Bob Miller bob at computerisms.ca
Fri Feb 14 18:36:57 UTC 2014


Hi,

Integrating qmail and Active Directory pretty much requires you to use
qmail-ldap.  Without it you need too much bubblegum and band-aids for it
to be suitable for a (publicly accessible) production environment.  And
I can't see how you wouldn't eventually run into problems without each
user having a unique email address.

In a pure qmail environment, I might work around the problem by giving
each user a unique mail address, then create a user XY and use a .qmail
file to override the LDA defaultdelivery and have it forward to the
various users, and not deliver to its own maildir.  But you still miss
important features like validrcptto and smtpauth if qmail can't talk to
AD.

But with qmail-ldap for sure you can set up multiple users with the same
alias and it works, i.e. the users are configured with userPrincipal as
mail address with an alias of XY at domain.com, then mails sent to
XY at domain.com will deliver to all users.

I documented my sandbox qmail-ldap/dovecot system here, maybe it is
useful to you:

http://cocnm.computerisms.ca/index.php/Install_Qmail-ldap,_Dovecot,_and_Related_Email_Services

-- 
Computerisms
Bob Miller      
867-334-7117 / 867-633-3760
http://computerisms.ca


On Fri, 2014-02-14 at 12:07 +0100, Steffen Kaiser wrote:
> On Fri, 14 Feb 2014, matthias lay wrote:
> 
> > On 02/14/2014 08:27 AM, Steffen Kaiser wrote:
> >> On Fri, 7 Feb 2014, matthias lay wrote:
> >> 
> >>> I experienced that if a mail address matches several users the delivery is 
> >>> aborted.
> >>> 
> >>> ----------------
> >>> dovecot: auth: Error: ldap(christian.test at securepoint.de): LDAP search 
> >>> returned multiple entries
> >>> dovecot: auth: ldap(christian.test at securepoint.de): unknown user
> >>> dovecot: lda: Error: user christian.test at securepoint.de: Auth USER lookup 
> >>> failed
> >>> -----------------
> >>> 
> >>> Now my question: is there a way to have a mail like that delivered to all 
> >>> users that match the lookup?
> >>> Haven't found anything in the docs.
> >> 
> >> This is a job of your MTA.
> >
> > MTA is qmail and doesn't know anything about users. dovecot uses usernames for 
> > mailboxes. Let's say
> >
> > /var/mail/userA/Maildir
> > /var/mail/userB/Maildir
> >
> > both users have mailaddr XY at example.com mapped in Active Directory. Now when 
> > mails arrive lda is called like
> >
> > dovecot-lda -d XY at example.com -m INBOX
> >
> > and there's my problem.
> 
> You have implicitly created mail aliases for your users. qmail has to 
> resolve this alias "XY" into the users A and B.
> 
> You could wrap your call to the Dovecot LDA by a script resolving the 
> aliases somehow, e.g.:
> 
> #!/bin/bash
> 
> tmpf=$(mktemp) || exit 111   # private file with an unpredictable name
> # save the message in case we have multiple recipients
> cat - >"$tmpf"
> # $1 is interpolated verbatim into the LDAP filter; adjust and escape for your schema
> ldapsearch "mailtarget=$1" samaccountname | \
>   awk '$1 == "sAMAccountName:" { print $2 } ' | \
>    while read -r uid; do
>     dovecot-lda -d "$uid" ..... < "$tmpf"
>     rc=$?
>     if test $rc -gt 0; then
>      exit $rc   # leaves the while-loop subshell; its status is picked up below
>     fi
>    done
> rc=$?          # status of the last pipeline stage, i.e. the loop
> rm -f "$tmpf"
> exit $rc       # hand the first delivery error back to qmail
> 
> adjust ldap query and attribute names and call to MDA.
> 
> This is not really nice, because you cannot handle individual problems, 
> e.g. what shall happen if delivery to userB fails? Shall userA get the 
> message, shall delivery to userA succeed, but be retried to userB?
> Currently the first error is returned to qmail and probably one user gets 
> the same message again and again, because of a problem of another user's 
> mailbox. You could return $rc at the very end, then qmail gets the success 
> status of the delivery attempt to the last user.
> 
> I wouldn't do such stuff in a non-private environment.
> 


