Re: Moving from single to multi-domain. Mailboxes from default domain not being the same as before

2018-07-18 Thread Heiler Bemerguy via Info-cyrus

  
  
On 16/07/2018 22:55, ellie timoney wrote:

>>> Or do you want accounts in different domains to be not
>>> related to each other? (e.g. "a...@foo.com" and "a...@bar.com"
>>> are two totally different accounts)
>>>
>>> In either case, I would think about having one LDAP
>>> attribute (single-value, unique) to represent a user's
>>> "primary" email address, and a separate LDAP attribute
>>> (multi-value, unique) to represent their "aliases".  You
>>> would set up Cyrus to only consider the "primary" attribute,
>>> and then set up your SMTP server to deliver email destined
>>> for "alias" addresses to the "primary" address for the
>>> matching account.  I believe this is a common enough
>>> configuration that it shouldn't be hard to find information
>>> online.  I have managed (non-Cyrus) systems that worked like
>>> this in the past, but it was a long time ago so I can't
>>> offer much specific help.
>>
>> humm. so the existing "mail" field on ldap would always
>> contain the @defaultdomain (as setup on cyrus), but another
>> field for aliases where Postfix would look up?!
>
> The "mail" attribute wouldn't need to always contain the
> @defaultdomain, but it would always need to match the account
> that Cyrus knows about.  And then the aliases attribute (I've
> seen "mailalternateaddress" used for this) would contain any
> other addresses that need to deliver to the same account.


Right now Cyrus is using mailboxes without any domain.. just a plain
"/var/spool/cyrus/mail/h/user/heiler^bemerguy"..

> defaultdomain is just for telling Cyrus what to assume when
> no domain is specified, none of your accounts need to actually
> use it, and in fact this domain doesn't even need to exist
> (unless accounts use it).  At FastMail, I believe our
> defaultdomain is set to some nonsense value like "internal" or
> "invalid" or something, which none of our accounts use, and the
> side effect of this is that every account must always have a
> (real) domain explicitly specified.  I'd recommend doing
> something similar, just to avoid confusion from Cyrus making
> assumptions.
>
> Basically what I'm saying here is, if you:
>
> * set it up in LDAP so that each account has exactly one
>   "mail" attribute which matches their Cyrus account, and as many
>   aliases as they need, and


I think this will be the problem. Our ldap's "mail" attribute is
mixed with @cinbesa.com.br or @belem.pa.gov.br.. but as our saslauth
ldap_filter uses UID instead of MAIL for searching accounts they all
use the same mailbox!

If I change that to use the "mail" attribute instead, and the "mail"
attribute is @defaultdomain, it will work, but if it's not, it will
create another mailbox.. I don't know how I can write an ldap_filter
to return only uid in that case.

Or should I rewrite all users' "mail" attribute that are using
domain aliases?

> * set up Postfix to handle the alias rewriting on delivery,
>   and
> * set up Cyrus to look up the "mail" attribute (only) for
>   authentication (as you have already done), and if necessary,
>   instruct your users to use their full "mail" address as their
>   login name
>
> then:
>
> * your defaultdomain doesn't really matter, because
>   everything in Cyrus will use the full "mail" address, and
> * Cyrus won't autocreate multiple inboxes for people, because
>   it never sees their aliases
>
> If you provide a webmail interface to your users, it will
> also need to know about their LDAP attributes so that they can
> send mail "from" an alias if they need to.  But if your users
> just use IMAP, they can just be set up in the client.


We use a roundcube Webmail, which uses smtp to send emails..

>>> As for autocreate, it is not compiled in by default, it
>>> needs to be turned on at build time with the
>>> --enable-autocreate argument to configure.  If you installed
>>> Cyrus from a distribution, your distribution may have done
>>> this for you.
>>>
>>> If you don't want to recompile to remove the feature, you
>>> can control it using the autocreate_* options in imapd.conf
>>> (see man

Re: Moving from single to multi-domain. Mailboxes from default domain not being the same as before

2018-07-16 Thread ellie timoney
On Tue, Jul 17, 2018, at 3:37 AM, Heiler Bemerguy wrote:
> On 06/07/2018 00:10, ellie timoney wrote:
>
>> Hi,
>>
>> The "defaultdomain" is the domain that's assumed by Cyrus for users
>> that are uid only.  Any other domain needs to be explicitly specified
>> in the user (this applies to login, delivery, etc).  So, if you have:
>>
>>   defaultdomain: foo.com
>>
>> then "user" and "u...@foo.com" are the same account (and can login
>> using either variation), but "u...@bar.com" is some other account and
>> can only login as "u...@bar.com".
>>
>> It's not clear to me how you wish to use the extra domains.  Do you
>> want your existing users to be able to send/receive from multiple
>> different domains?  (e.g. user "anne" has both email addresses
>> "a...@foo.com", "a...@bar.com").
>
> We used to have some domains that represented the same mailbox. Like
> @cinbesa.com.br being the same as @belem.pa.gov.br.. but now we want
> to create some other domains (while *maintaining* those we already
> had), which will point to totally different mailboxes, like
> @semad.belem.pa.gov.br and @sesma.belem.pa.gov.br :)
>
>> Or do you want accounts in different domains to be not related to
>> each other? (e.g. "a...@foo.com" and "a...@bar.com" are two totally
>> different accounts)
>>
>> In either case, I would think about having one LDAP attribute (single-
>> value, unique) to represent a user's "primary" email address, and a
>> separate LDAP attribute (multi-value, unique) to represent their
>> "aliases".  You would set up Cyrus to only consider the "primary"
>> attribute, and then set up your SMTP server to deliver email destined
>> for "alias" addresses to the "primary" address for the matching
>> account.  I believe this is a common enough configuration that it
>> shouldn't be hard to find information online.  I have managed (non-
>> Cyrus) systems that worked like this in the past, but it was a long
>> time ago so I can't offer much specific help.
>
> humm. so the existing "mail" field on ldap would always contain the
> @defaultdomain (as setup on cyrus), but another field for aliases
> where Postfix would look up?!

The "mail" attribute wouldn't need to always contain the @defaultdomain,
but it would always need to match the account that Cyrus knows about.
And then the aliases attribute (I've seen "mailalternateaddress" used
for this) would contain any other addresses that need to deliver to the
same account.

defaultdomain is just for telling Cyrus what to assume when no domain is
specified, none of your accounts need to actually use it, and in fact
this domain doesn't even need to exist (unless accounts use it).  At
FastMail, I believe our defaultdomain is set to some nonsense value like
"internal" or "invalid" or something, which none of our accounts use,
and the side effect of this is that every account must always have a
(real) domain explicitly specified.  I'd recommend doing something
similar, just to avoid confusion from Cyrus making assumptions.

Basically what I'm saying here is, if you:

* set it up in LDAP so that each account has exactly one "mail"
  attribute which matches their Cyrus account, and as many aliases as
  they need, and
* set up Postfix to handle the alias rewriting on delivery, and
* set up Cyrus to look up the "mail" attribute (only) for authentication
  (as you have already done), and if necessary, instruct your users to
  use their full "mail" address as their login name

then:

* your defaultdomain doesn't really matter, because everything in Cyrus
  will use the full "mail" address, and
* Cyrus won't autocreate multiple inboxes for people, because it never
  sees their aliases

If you provide a webmail interface to your users, it will also need to
know about their LDAP attributes so that they can send mail "from" an
alias if they need to.  But if your users just use IMAP, they can just
be set up in the client.

>> As for autocreate, it is not compiled in by default, it needs to be
>> turned on at build time with the --enable-autocreate argument to
>> configure.  If you installed Cyrus from a distribution, your
>> distribution may have done this for you.
>>
>> If you don't want to recompile to remove the feature, you can control
>> it using the autocreate_* options in imapd.conf (see man
>> imapd.conf.5).  For example you should be able to use
>> "autocreate_users" to limit it only to certain LDAP groups rather
>> than every valid login (if that is useful to you).
>>
>> But if you set up your LDAP directory and Cyrus such that each user
>> only has a single "primary" email address that they can use in Cyrus,
>> and map delivery to aliases outside of Cyrus, then people won't be
>> able to login with the "wrong" alias, and therefore autocreate won't
>> accidentally make new accounts for them. :)
>
> Right now I think they can login with the "uid" only OR with the
> complete mail ("mail" field)

If you still have your ldap_filter set to*

Re: Moving from single to multi-domain. Mailboxes from default domain not being the same as before

2018-07-16 Thread Heiler Bemerguy via Info-cyrus

  
  
On 06/07/2018 00:10, ellie timoney wrote:

> Hi,
>
> The "defaultdomain" is the domain that's assumed by Cyrus for
> users that are uid only.  Any other domain needs to be
> explicitly specified in the user (this applies to login,
> delivery, etc).  So, if you have:
>
>   defaultdomain: foo.com
>
> then "user" and "u...@foo.com" are the same account
> (and can login using either variation), but "u...@bar.com"
> is some other account and can only login as "u...@bar.com".
>
> It's not clear to me how you wish to use the extra domains.
> Do you want your existing users to be able to send/receive from
> multiple different domains?  (e.g. user "anne" has both email
> addresses "a...@foo.com",
> "a...@bar.com").


We used to have some domains that represented the same mailbox. Like
@cinbesa.com.br being the same as @belem.pa.gov.br.. but now we want
to create some other domains (while *maintaining* those we already
had), which will point to totally different mailboxes, like
@semad.belem.pa.gov.br and @sesma.belem.pa.gov.br :)

> Or do you want accounts in different domains to be not
> related to each other? (e.g. "a...@foo.com" and "a...@bar.com"
> are two totally different accounts)
>
> In either case, I would think about having one LDAP attribute
> (single-value, unique) to represent a user's "primary" email
> address, and a separate LDAP attribute (multi-value, unique) to
> represent their "aliases".  You would set up Cyrus to only
> consider the "primary" attribute, and then set up your SMTP
> server to deliver email destined for "alias" addresses to the
> "primary" address for the matching account.  I believe this is a
> common enough configuration that it shouldn't be hard to find
> information online.  I have managed (non-Cyrus) systems that
> worked like this in the past, but it was a long time ago so I
> can't offer much specific help.


humm. so the existing "mail" field on ldap would always contain the
@defaultdomain (as setup on cyrus), but another field for aliases
where Postfix would look up?!

> As for autocreate, it is not compiled in by default, it needs
> to be turned on at build time with the --enable-autocreate
> argument to configure.  If you installed Cyrus from a
> distribution, your distribution may have done this for you.
>
> If you don't want to recompile to remove the feature, you can
> control it using the autocreate_* options in imapd.conf (see man
> imapd.conf.5).  For example you should be able to use
> "autocreate_users" to limit it only to certain LDAP groups
> rather than every valid login (if that is useful to you).
>
> But if you set up your LDAP directory and Cyrus such that
> each user only has a single "primary" email address that they
> can use in Cyrus, and map delivery to aliases outside of Cyrus,
> then people won't be able to login with the "wrong" alias, and
> therefore autocreate won't accidentally make new accounts for
> them. :)

Right now I think they can login with the "uid" only OR with the
complete mail ("mail" field)
-- 
Best regards,

Heiler Bensimon Bemerguy - CINBESA
Network, Wi-Fi, Virtualization
and Internet Services Analyst
(55) 91 98151-4894


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Re: Moving from single to multi-domain. Mailboxes from default domain not being the same as before

2018-07-05 Thread ellie timoney
Hi,

The "defaultdomain" is the domain that's assumed by Cyrus for users that
are uid only.  Any other domain needs to be explicitly specified in the
user (this applies to login, delivery, etc).  So, if you have:

  defaultdomain: foo.com

then "user" and "u...@foo.com" are the same account (and can login using
either variation), but "u...@bar.com" is some other account and can only
login as "u...@bar.com".

It's not clear to me how you wish to use the extra domains.  Do you want
your existing users to be able to send/receive from multiple different
domains?  (e.g. user "anne" has both email addresses "a...@foo.com",
"a...@bar.com").

Or do you want accounts in different domains to be not related to each
other? (e.g. "a...@foo.com" and "a...@bar.com" are two totally different
accounts)

In either case, I would think about having one LDAP attribute (single-
value, unique) to represent a user's "primary" email address, and a
separate LDAP attribute (multi-value, unique) to represent their
"aliases".  You would set up Cyrus to only consider the "primary"
attribute, and then set up your SMTP server to deliver email destined
for "alias" addresses to the "primary" address for the matching
account.  I believe this is a common enough configuration that it
shouldn't be hard to find information online.  I have managed (non-
Cyrus) systems that worked like this in the past, but it was a long time
ago so I can't offer much specific help.

As for autocreate, it is not compiled in by default, it needs to be
turned on at build time with the --enable-autocreate argument to
configure.  If you installed Cyrus from a distribution, your
distribution may have done this for you.

If you don't want to recompile to remove the feature, you can control it
using the autocreate_* options in imapd.conf (see man imapd.conf.5).
For example you should be able to use "autocreate_users" to limit it
only to certain LDAP groups rather than every valid login (if that is
useful to you).

But if you set up your LDAP directory and Cyrus such that each user only
has a single "primary" email address that they can use in Cyrus, and map
delivery to aliases outside of Cyrus, then people won't be able to login
with the "wrong" alias, and therefore autocreate won't accidentally make
new accounts for them. :)

Cheers,

ellie

On Fri, Jul 6, 2018, at 2:42 AM, Heiler Bemerguy via Info-cyrus wrote:
> Hi,
>
> Yeah "virtdomains" is set to "userid". The "defaultdomain" was
> commented out. By setting it to "ourcompany.com.br", it prevented the
> creation of another mailbox inside "domain/o/ourcompany.com.br"
> successfully, thanks.
>
> But now I got another problem. We used to have other "default" domains
> like that. Like "companyalias.com.br", "companyalias2.com.br"... So is
> there a way to use *more than one* "defaultdomain", to block the
> creation of redundant mailboxes..?
>
> On 04/07/2018 11:48, Vladislav Kurz wrote:
>> On 07/04/18 16:37, Heiler Bemerguy via Info-cyrus wrote:
>>
>>> *The problem is:* When I authenticate with @ourcompany.com.br, it
>>> auto-creates *another *mailbox
>>> (//var/spool/cyrus/mail/domain/o/ourcompany.com.br/h/user/heiler^bemerguy//).
>>>
>>> As the "ourcompany.com.br" is the default domain, it would be better
>>> (and a lot less troublesome) if it continued to use the old
>>> "//var/spool/cyrus/mail/h/user/heiler^bemerguy" /mailbox/./ *Is it
>>> possible*?
>>
>> Did you set imapd.conf properly? Try this:
>>
>> virtdomains: userid
>> defaultdomain: ourcompany.com.br
>>
>> We used that when moving to multidomain system, but we used SASLDB as
>> backend (not LDAP).


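The account and delivery model described in the message above, as an added Python sketch (not code from the thread or from Cyrus). The first-letter hash directories and the "." to "^" mapping in `mailbox_path` are assumptions inferred from the two spool paths quoted in the thread; the directory entry is constructed sample data using the thread's placeholder domains, and all function names are hypothetical.

```python
SPOOL = "/var/spool/cyrus/mail"  # spool root as quoted in the thread

def canonical_userid(login, defaultdomain):
    """virtdomains: userid. Bare uid and uid@defaultdomain are one account;
    any other domain stays part of the account name (case-folded here)."""
    local, _, domain = login.strip().lower().partition("@")
    if not local:
        raise ValueError("login has no local part")
    if not domain or domain == defaultdomain.lower():
        return local
    return f"{local}@{domain}"

def mailbox_path(userid):
    """Assumed layout, inferred from the paths quoted in the thread:
    first-letter hash directories, '.' in the uid stored as '^'."""
    local, _, domain = userid.partition("@")
    tail = f"{local[0]}/user/{local.replace('.', '^')}"
    if domain:
        return f"{SPOOL}/domain/{domain[0]}/{domain}/{tail}"
    return f"{SPOOL}/{tail}"

def directory_conflicts(entries):
    """Addresses claimed more than once across 'mail' and alias values."""
    seen, dupes = set(), set()
    for e in entries:
        for addr in [e["mail"], *e.get("mailalternateaddress", [])]:
            a = addr.lower()
            (dupes if a in seen else seen).add(a)
    return sorted(dupes)

def to_primary(addr, entries):
    """MTA-side rewrite: alias or primary -> the account's single 'mail'."""
    a = addr.lower()
    for e in entries:
        known = [e["mail"], *e.get("mailalternateaddress", [])]
        if a in (x.lower() for x in known):
            return e["mail"].lower()
    return None  # unknown recipient: never handed to Cyrus

def mailboxes_used(addresses, entries, defaultdomain, rewrite_aliases):
    """Mailbox paths reached by these addresses, with or without the rewrite."""
    paths = set()
    for addr in addresses:
        target = to_primary(addr, entries) if rewrite_aliases else addr
        if target is not None:
            paths.add(mailbox_path(canonical_userid(target, defaultdomain)))
    return paths

# Constructed sample entry: one primary "mail", two aliases.
ENTRIES = [{
    "mail": "heiler.bemerguy@ourcompany.com.br",
    "mailalternateaddress": ["heiler.bemerguy@companyalias.com.br",
                             "heiler.bemerguy@companyalias2.com.br"],
}]
ADDRESSES = [ENTRIES[0]["mail"], *ENTRIES[0]["mailalternateaddress"]]

if __name__ == "__main__":
    for rewrite in (False, True):
        print(rewrite, sorted(mailboxes_used(ADDRESSES, ENTRIES, "ourcompany.com.br", rewrite)))
```

Without the rewrite the three addresses reach three different mailbox paths; with it they all reach the existing domain-less mailbox. `directory_conflicts` is the uniqueness check to run on the directory before relying on the rewrite.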

Re: Moving from single to multi-domain. Mailboxes from default domain not being the same as before

2018-07-05 Thread Heiler Bemerguy via Info-cyrus

  
  
Hi,

Yeah "virtdomains" is set to "userid". The "defaultdomain" was
commented out. By setting it to "ourcompany.com.br", it prevented
the creation of another mailbox inside
"domain/o/ourcompany.com.br" successfully, thanks.

But now I got another problem. We used to have other "default"
domains like that. Like "companyalias.com.br",
"companyalias2.com.br"... So is there a way to use more than
one "defaultdomain", to block the creation of redundant
mailboxes..?

On 04/07/2018 11:48, Vladislav Kurz wrote:

> On 07/04/18 16:37, Heiler Bemerguy via Info-cyrus wrote:
>
>> *The problem is:* When I authenticate with @ourcompany.com.br, it
>> auto-creates *another *mailbox
>> (//var/spool/cyrus/mail/domain/o/ourcompany.com.br/h/user/heiler^bemerguy//).
>>
>> As the "ourcompany.com.br" is the default domain, it would be better
>> (and a lot less troublesome) if it continued to use the old
>> "//var/spool/cyrus/mail/h/user/heiler^bemerguy" /mailbox/./ *Is it
>> possible*?
>
> Did you set imapd.conf properly? Try this:
>
> virtdomains: userid
> defaultdomain: ourcompany.com.br
>
> We used that when moving to multidomain system, but we used SASLDB as
> backend (not LDAP).


Re: Moving from single to multi-domain. Mailboxes from default domain not being the same as before

2018-07-04 Thread Vladislav Kurz
On 07/04/18 16:37, Heiler Bemerguy via Info-cyrus wrote:
> *The problem is:* When I authenticate with @ourcompany.com.br, it
> auto-creates *another *mailbox
> (//var/spool/cyrus/mail/domain/o/ourcompany.com.br/h/user/heiler^bemerguy//).
> 
> As the "ourcompany.com.br" is the default domain, it would be better
> (and a lot less troublesome) if it continued to use the old
> "//var/spool/cyrus/mail/h/user/heiler^bemerguy" /mailbox/./ *Is it
> possible*?

Did you set imapd.conf properly? Try this:

virtdomains: userid
defaultdomain: ourcompany.com.br

We used that when moving to multidomain system, but we used SASLDB as
backend (not LDAP).

-- 
Best regards
Vladislav Kurz
