On Wed, 14 Oct 2009 16:00:54 -0400
Mark Schaub <[email protected]> wrote:
> Good Afternoon,
>
> I have my virtual users stored in an Active Directory database. As far
> as mail info goes the 2 important fields are: mail (their primary
> email address) and otherMailbox (a multivalue attribute containing
> their mail aliases). Right now all email addresses belong in the same
> domain and there are no immediate plans to change this.
>
> If I use Postfix to do the lookups and delivery only using Dovecot for
> passdb Pam driver and a static userdb then everything delivers fine to
> mail and otherMailbox addresses. I have been working on switching over
> to Dovecot's deliver process in order to integrate sieve capability. I
> have configured userdb ldap and passdb ldap in Dovecot and have set up
> master and client sockets. Before I describe my problem let me show
> you my configuration (as I think the dovecot-ldap.conf in particular
> needs to be explained). Here are the important parts of dovecot.conf:
>
> auth default {
>   socket listen {
>     master {
>       path = /usr/var/run/dovecot/auth-master
>       mode = 0666
>       user = vmail
>       group = vmail
>     }
>
>     client {
>       path = /var/spool/postfix/private/auth
>       mode = 0666
>       user = postfix
>       group = postfix
>     }
>   }
>
>   passdb ldap {
>     args = /etc/dovecot-ldap.conf
>   }
>   userdb ldap {
>     # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
>     args = /etc/dovecot-ldap.conf
>   }
>
> and my dovecot -n:
>
> lda:
>   postmaster_address: [email protected]
>   mail_plugins: sieve
> auth default:
>   mechanisms: plain login
>   debug: yes
>   passdb:
>     driver: ldap
>     args: /etc/dovecot-ldap.conf
>   userdb:
>     driver: ldap
>     args: /etc/dovecot-ldap.conf
>   socket:
>     type: listen
>     client:
>       path: /var/spool/postfix/private/auth
>       mode: 438
>       user: postfix
>       group: postfix
>     master:
>       path: /usr/var/run/dovecot/auth-master
>       mode: 438
>       user: vmail
>       group: vmail
> plugin:
>   sieve: ~/.dovecot.sieve
>   sieve_dir: ~/sieve
>   sieve_storage: ~/sieve
>
> Further, here is my dovecot-ldap.conf:
>
> hosts = delldb.sau24.org:3268
> base = dc=sau24, dc=org
> ldap_version = 3
> dn = cn=Mail User,cn=Users,dc=sau24,dc=org
> dnpass = secret
> auth_bind = yes
> scope = subtree
> user_attrs = sAMAccountName=home=/home/vmail/%$,=uid=501,=gid=501
> pass_attrs = sAMAccountName=user
> user_filter = (&(objectclass=person)(|(sAMAccountName=%n)([email protected])([email protected])))
> pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)([email protected])([email protected])))
>
> Now, you'll notice that the user_filter and pass_filter have the
> domain statically placed after the mail and otherMailbox attributes.
> The reason for this is that this LDAP configuration is used for both
> authentication purposes and local delivery, so it's not always being
> passed the domain info (for authentication it gets the user's IP
> address). Since all my users are on the same domain I can statically
> set this here. This setup authenticates users to IMAP and POP (users
> use their sAMAccountName as their username when they log in), and
> pulls their correct home directory. Checking mail is not a problem at
> all.
>
> Further, this setup will deliver mail correctly to mail addressed to
> the value in the "mail" attribute. The problem seems to be in the
> otherMailbox attribute: it cannot look up the user's sAMAccountName
> based off of the otherMailbox field. Here is what it looks like in the
> logs for mail sent to my "mail" attribute ([email protected]):
>
> Oct 14 12:36:19 auth(default): Info: master in: USER 1
> [email protected] service=deliver
> Oct 14 12:36:19 auth(default): Info: ldap([email protected]): user
> search: base=dc=sau24, dc=org scope=subtree
> filter=(&(objectclass=user)(|(sAMAccountName=mark.schaub)([email protected])([email protected])))
> fields=sAMAccountName
> Oct 14 12:36:19 auth(default): Info: ldap([email protected]):
> result: sAMAccountName(home=/home/vmail/%$)=/home/vmail/mschaub
> Oct 14 12:36:19 auth(default): Info: master out: USER 1
> [email protected] home=/home/vmail/mschaub uid=501
> gid=501
> Oct 14 12:36:19 deliver([email protected]): Info: sieve:
> msgid=<[email protected]>:
> stored mail into mailbox 'INBOX'
>
> But this is what I get when I try to send to an address listed in my
> otherMailbox field ([email protected]):
>
> Oct 14 12:30:58 auth(default): Info: master in: USER 1
> [email protected] service=deliver
> Oct 14 12:30:58 auth(default): Info: ldap([email protected]): user
> search: base=dc=sau24, dc=org scope=subtree
> filter=(&(objectclass=user)(|(sAMAccountName=tech)([email protected])([email protected])))
> fields=sAMAccountName
> Oct 14 12:30:58 auth(default): Info: ldap([email protected]): Unknown user
> Oct 14 12:30:58 auth(default): Info: master out: NOTFOUND 1
>
> As a test I tried modifying my dovecot-ldap.conf to use different
> fields instead of otherMailbox. Sending to some of those attributes
> worked, others didn't. I could use the "sn" and "givenName" attributes,
> but "postalCode" and "title" would give the same error as
> otherMailbox.
>
> My question is this: is there something wrong with my configuration or
> can Dovecot only query certain fields in the user_attr string?
>
> Thanks,
> ~ Mark
Not sure if it helps, but you are trying to do the MTA's work with Dovecot
delivery.
Your Postfix setup must do the lookups for mail aliases and return the REAL
mailbox name (the mail LDAP field).
I'm using Exim as MTA - it is working fine. I have 1 router, which resolves
the 'othermailbox' LDAP field to the 'mail' field, and after that the Dovecot
delivery is running.
With such a setup my users are able to use sieve, but authentication can be
done only by real mailboxes.
Postfix must have some mechanism to make it work this way.
Note:
mail must be u...@domain - if you want to use multiple domains.
othermail should be us...@domain to restrict alias mapping to one certain
domain in a multidomain setup.
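The Postfix side of what the reply describes, as an added example that is not part of either message: a virtual_alias_maps LDAP table that resolves an otherMailbox value to the entry's mail attribute before the message reaches Dovecot's deliver, so deliver only ever sees the primary address its userdb can find. The file name /etc/postfix/ldap-aliases.cf, the bind password placeholder and the sample alias tech@sau24.org are assumptions; host, base and bind DN are taken from the quoted dovecot-ldap.conf.

```conf
# /etc/postfix/ldap-aliases.cf (assumed file name)
# Same directory server, base and bind account as the quoted dovecot-ldap.conf.
server_host = delldb.sau24.org
server_port = 3268
version = 3
search_base = dc=sau24,dc=org
scope = sub
bind = yes
bind_dn = cn=Mail User,cn=Users,dc=sau24,dc=org
bind_pw = REPLACE-WITH-BIND-PASSWORD

# %s is the full recipient address Postfix is rewriting. Match it only
# against the alias attribute; the primary address needs no rewriting.
query_filter = (&(objectclass=person)(otherMailbox=%s))

# Return the primary address, which the Dovecot userdb filter can resolve.
result_attribute = mail

# main.cf: apply the table as a virtual alias rewrite before local delivery
#   virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
#
# Check the mapping from the command line (sample alias is constructed):
#   postmap -q tech@sau24.org ldap:/etc/postfix/ldap-aliases.cf
# Expected: the entry's mail value, e.g. the primary address of that user.
```

With this in place the userdb lookup Dovecot logs for an alias delivery carries the primary address, so the otherMailbox term in user_filter is no longer needed for delivery and the filter can be reduced to sAMAccountName and mail.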