[Dovecot] how to separate virtual delivery and authentication?

Mihai Badici mihai at badici.ro
Tue Jan 7 21:36:12 EET 2014


> > userdb for delivery), this could be far better. But I think this is a
> > design issue.
> Remember: passdb is for authenticating users; userdb is for getting user
> information. When a user auths for IMAP, passdb verifies the password
> and probably overrides the username, in the second step the userdb is
> queried for the user data. If you use prefetch userdb and provide
> different passdb and userdb queries, I would not expect a clean run.
> 
> Maybe, it's better you give a detailed example, which makes your idea more
> visible.
> 
> --
> Steffen Kaiser


Ok, an example is better.
Let's say I use dovecot with postfix and I have in postfix/master.cf:

dovecot     unix  -       n       n       -       -       pipe
    flags=DRhu user=mailbox:mailbox
    argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

I use two e-mail addresses, mihai at example.org and mihaib at example.org.
My uid is mihai.badici (I chose it so that it is not related to the e-mail address).

So, the deliver service will query LDAP in order to find the mailbox.
We need to put mail=%u or maildrop=%u, depending on the schema.

On the other hand, the authentication will fail if I use the uid, because it
uses the same query.
I can put    |(mail=%u)(uid=%u)  and it works, but it is rather strange.
I can, indeed, use maildrop to "canonify" the mailbox in postfix before
delivery, and I think that will work too.
But I think it is more elegant to separate the delivery query and the
authentication query.  I'm not sure if it is not possible to use only the
passdb query for authentication.





-- 
Mihai Bădici
http://mihai.badici.ro
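
Added example (not part of the original message and not Dovecot code): a simplified Python model of the two lookups discussed in this thread, run against one constructed LDAP entry. The attribute names, the password, the function names and the rewrite_attr parameter are assumptions; it compares one shared filter, the OR filter, and separate passdb/userdb filters for delivery by address and login by uid.

```python
import re

# Constructed LDAP entry modelled on the post; attribute names and password are assumptions.
DIRECTORY = [{
    "uid": ["mihai.badici"],
    "mail": ["mihai@example.org", "mihaib@example.org"],
    "userPassword": ["secret"],
}]

def parse(template):
    """Parse a filter template made of (attr=value), (&...) and (|...) into a tree."""
    tokens = re.findall(r"\(|\)|[&|]|[^()&|]+", template.replace(" ", ""))
    def node(i):
        if tokens[i + 1] in ("&", "|"):
            op, kids, i = tokens[i + 1], [], i + 2
            while tokens[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        attr, value = tokens[i + 1].split("=", 1)
        return ("=", attr, value), i + 3
    return node(0)[0]

def matches(tree, entry, user):
    if tree[0] == "=":
        # %u is substituted after parsing, so the login name cannot alter the filter structure.
        return tree[2].replace("%u", user) in entry.get(tree[1], [])
    results = [matches(kid, entry, user) for kid in tree[1]]
    return all(results) if tree[0] == "&" else any(results)

def search(filter_template, user):
    tree = parse(filter_template)
    return [entry for entry in DIRECTORY if matches(tree, entry, user)]

def deliver(user_filter, recipient):
    """Model of 'deliver -d <recipient>': only the userdb lookup runs."""
    return bool(search(user_filter, recipient))

def imap_login(pass_filter, user_filter, login, password, rewrite_attr=None):
    """Model of an IMAP login: passdb verifies the password, then userdb is queried."""
    hits = search(pass_filter, login)
    if len(hits) != 1 or password not in hits[0]["userPassword"]:
        return "passdb: auth failed"
    # Optional username override by the passdb, as the quoted reply describes.
    user = hits[0][rewrite_attr][0] if rewrite_attr else login
    return "ok" if search(user_filter, user) else "userdb: user not found"

SHARED, BY_UID, EITHER = "(mail=%u)", "(uid=%u)", "(|(mail=%u)(uid=%u))"
```

In this model, a passdb filter on uid combined with a userdb filter on mail lets the password check pass but fails the second lookup unless the passdb rewrites the username to an address the userdb filter matches.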

