We're investigating the possibiliy to migrate our mail system from
Sendmail+Cyrus to Sendmail+Dovecot.
The system must use authentication against Windows AD (supposedly using
LDAP) and must use virtual hosting.
So far we managed to work around a bug reported in [1], and IMAP/POP3
authentication on LDAP works OK.
LDAP auth is set up using binds (Cyrus and Ejabberd authenticate against
the same LDAP server without problems).
As we use virtual users, userdb is set to be "static" in a standard way:
userdb static {
args = uid=10513 gid=10513 home=/var/local/dovecot/%u
}
After verifying IMAP/POP3 authentication works, I've set up the Dovecot
LDA to deliver mail for domain users.
This exposed another problem which I don't understand: the delivery
program tries to figure out whether the user exists (which is perfectly
sensible), it talks to the "master" authentication process which
seemingly uses passdb backend to search LDAP. But this fails with the
message "passdb doesn't support lookups, can't verify user's existence".
[2] suggests it's auth binds that prevent this scheme from functioning
correctly, but we can't stop using auth binds as Windows AD doesn't
store users' passwords in any way sensible for external consumption.
This would also pose unnecessary security risk on the domain, as the
account used for initial binding should have had rights to read
passwords, and its credentials are placed in the Dovecot configuration
file in clear text.
I read about "allow_all_users" in [3], but our Sendmail doesn't check
whether the target user exists and we don't want to implement this as it
logically pertains to the program which actually manages users'
mailboxes -- Dovecot in our case.
Is there a way to solve the problem at hand within the specified
constraints?
1. http://dovecot.org/pipermail/dovecot/2009-May/039540.html
2. http://www.mail-archive.com/dovecot@dovecot.org/msg09449.html
3. http://www.mail-archive.com/dovecot@dovecot.org/msg08848.html
