[Dovecot] how to separate virtual delivery and authentication?

Mihai Badici mihai at badici.ro
Tue Jan 7 10:33:54 EET 2014


On Tuesday 07 January 2014 09:00:15 you wrote:
> On Mon, 30 Dec 2013, Mihai Badici wrote:
> > I have a "pure ldap" setting with postfix and dovecot.
> > When using dovecot delivery, the recipient is checked via ldap.
> > The same ldap query is used when authenticating.
> > So, if I want to authenticate with the uid, I can't use a filter like
> > uid=%u because the delivery will fail. I don't want to use %n or something
> > else because I could use multiple e-mail addresses on a single account.
> > 
> > I actually use a filter like ( mail=%u)|(uid=%u) but I think for more
> > complex situations it should be better to have two separate filters, one
> > for authentication and the other for the delivery. What is your opinion?
> There are two filters already:
> 
> 1) the passdb filter
> which is used to find users during authentication
> 
> 2) the userdb filter
> which is used to get the information about users, e.g. after auth and for
> delivery

> The passdb filter uses uid only, userdb uses maildrop only.

It is not the efficiency, but the flexibility, that interests me.
There are two separate processes: delivery and authentication.
During delivery, dovecot will check if the mailbox exists and where it is
located; it is not important how the user is authenticated.
During authentication, there is user, password and mailbox location; it is not
important if the user has a valid e-mail address.

When the filter is accessed by the delivery module, the query string must be
the e-mail (all other solutions will fail when multiple e-mail addresses and
non-standard uid are used).
When the filter is accessed via the authentication module, the query will
contain the username, not the e-mail. So basically it is not the same
string that is provided as argument for the query filter. We need all sorts of
workarounds to solve this dilemma, like the "or" between mail and uid, splitting
the e-mail address as %u and %d and so on... With two query strings, one for
authentication and the other for delivery, I think it could be more elegant and
clear.



> 
> --
> Steffen Kaiser
-- 
Mihai Bădici
http://mihai.badici.ro
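
One way to get the separation discussed in this thread using the two existing filters, added here as an example and not taken from either poster's configuration: the passdb filter matches the login name, a prefetch userdb carries the mailbox fields over from the login lookup, and the LDAP userdb filter is then consulted only for delivery, where the lookup key is the recipient address. The host, base DN, object class, LDAP attribute names and file paths are assumptions.

```conf
# --- dovecot.conf (auth section), Dovecot 2.x syntax ---
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
# After a successful login the userdb fields come from the passdb
# result (the userdb_* entries in pass_attrs), so no second search runs.
userdb {
  driver = prefetch
}
# Reached only when prefetch has nothing to offer, i.e. delivery lookups.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# --- /etc/dovecot/dovecot-ldap.conf.ext ---
hosts = ldap.example.com                 # assumption
base  = ou=people,dc=example,dc=com      # assumption

# Authentication: %u is the login name, matched against uid only.
# An e-mail address is not accepted as a login name by this filter.
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
pass_attrs  = uid=user, userPassword=password, homeDirectory=userdb_home, uidNumber=userdb_uid, gidNumber=userdb_gid

# Delivery: %u is the recipient address, matched against mail only.
# Every value of a multi-valued mail attribute matches the same entry,
# and uid=user maps each address back to the one account name.
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
user_attrs  = uid=user, homeDirectory=home, uidNumber=uid, gidNumber=gid
```

Keeping each filter to a single attribute also avoids the case where one entry's uid and another entry's mail value both match the same lookup string, which the combined "or" filter allows.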

