[Dovecot] how to separate virtual delivery and authentication?

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Tue Jan 7 15:01:15 EET 2014



On Tue, 7 Jan 2014, Mihai Badici wrote:

>> IMHO, exactly that works with the maildrop LDAP attribute. You enumerate
>> all mail addresses into maildrop. Use maildrop in userdb filter only. If
>> you like to use "uid" on command line of doveadm, you need to add the uid
>> to maildrop as well, otherwise have the passdb return another username,
>> e.g. the "mail" LDAP attribute to convert the uid into mail address.
>
> This is also a workaround, adding uid to maildrop. Think of, for example,
> using Active Directory with dovecot ( I do not recommend that :) )

I don't know what that means. I wouldn't name it workaround.

> I wonder if I could use only passdb filter for authentication (and let userdb
> for delivery), this could be far better. But I think this is a design issue.

Remember: passdb is for authenticating users; userdb is for getting user
information. When a user authenticates for IMAP, passdb verifies the password
and probably overrides the username, in the second step the userdb is 
queried for the user data. If you use prefetch userdb and provide 
different passdb and userdb queries, I would not expect a clean run.

Maybe, it's better you give a detailed example, which makes your idea more 
visible.

--
Steffen Kaiser
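
The arrangement discussed in this message, as an added configuration sketch that is not part of the original post: the passdb authenticates by uid and returns the "mail" attribute as the username, and the userdb then matches that address against maildrop. The host, base DN, objectClass, file path and the home/uid/gid attribute mappings are assumptions.

```conf
# --- dovecot.conf (excerpt): both lookups use the same LDAP settings file ---
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext   # assumed path
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext   # assumed path
}

# --- /etc/dovecot/dovecot-ldap.conf.ext ---
hosts = ldap.example.org              # assumed host
base  = ou=people,dc=example,dc=org   # assumed base DN
auth_bind = yes                       # verify the password by binding as the user

# Step 1 (passdb): find the login by uid only. Mail aliases are not
# accepted as login names because maildrop is not part of this filter.
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# Return the "mail" attribute as the Dovecot username, so the userdb
# lookup in step 2 sees a mail address instead of the bare uid.
pass_attrs  = mail=user

# Step 2 (userdb): match any address enumerated in maildrop. This filter
# serves both the post-login lookup and delivery to virtual addresses.
user_filter = (&(objectClass=inetOrgPerson)(maildrop=%u))
user_attrs  = homeDirectory=home,uidNumber=uid,gidNumber=gid

# "doveadm user <uid>" queries the userdb directly and skips step 1, so it
# only finds the entry if the uid is also listed in maildrop.
```

With this layout the prefetch userdb is not used, so the passdb and userdb filters can differ without the two steps returning conflicting data.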
