[Dovecot] how to separate virtual delivery and authentication?
Mihai Badici
mihai at badici.ro
Tue Jan 7 21:36:12 EET 2014
> > userdb for delivery), this could be far better. But I think this is a
> > design issue.
> Remember: passdb is for authenticating users; userdb is for getting user
> information. When a user auths for IMAP, passdb verifies the password
> and probably overrides the username, in the second step the userdb is
> queried for the user data. If you use prefetch userdb and provide
> different passdb and userdb queries, I would not expect a clean run.
>
> Maybe, it's better you give a detailed example, which makes your idea more
> visible.
>
> --
> Steffen Kaiser
OK, an example is better.
Let's say I use dovecot with postfix and I have in postfix/master.cf:

    dovecot unix - n n - - pipe
      flags=DRhu user=mailbox:mailbox
      argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

I use two e-mail addresses, mihai at example.org and mihaib at example.org.
My uid is mihai.badici (I chose it not to be related to the e-mail address).
So, the deliver service will query ldap in order to find the mailbox.
We need to put mail=%u or maildrop=%u, depending on the schema.
On the other hand, the authentication will fail if I use uid, because it uses
the same query.
I can put |(mail=%u)(uid=%u) and it works, but it is rather strange.
I can, indeed, use maildrop to "canonify" the mailbox in postfix before
delivery, and I think that will work too.
But I think it is more elegant to separate the delivery query and the
authentication query. I'm not sure if it is not possible to use only the passdb
query for authentication.
--
Mihai Bădici
http://mihai.badici.ro
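
Added illustration, not part of the original message or of the Dovecot project's own files: Dovecot's LDAP configuration takes a separate pass_filter (used by passdb at login) and user_filter (used by userdb, including the deliver -d lookup), so the two queries discussed above can differ. The hosts and base values are constructed, and the attribute names (uid, mail, homeDirectory, userPassword) are assumptions about the schema.

```conf
# dovecot-ldap.conf.ext (added example; hosts/base are constructed values)
hosts = ldap.example.org
base = ou=people,dc=example,dc=org

# Shared filter from the message above: both lookups use the same query, so
# a login name may be the uid or any mail address of the entry.
#pass_filter = (|(mail=%u)(uid=%u))
#user_filter = (|(mail=%u)(uid=%u))

# Separated queries.
# passdb: only the uid is accepted as a login name.
pass_filter = (uid=%u)
pass_attrs = uid=user,userPassword=password

# userdb: "deliver -d ${recipient}" arrives with a mail address, while the
# userdb lookup that follows a successful login arrives with the uid, so this
# filter has to match both forms.
user_filter = (|(mail=%u)(uid=%u))
# Assumption: the entry carries homeDirectory; uid/gid come from the
# "user=mailbox:mailbox" setting of the pipe transport, not from LDAP.
user_attrs = homeDirectory=home
```

With a prefetch userdb the user data comes from the passdb query, which is the case the quoted reply warns about when the two queries differ.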