[Dovecot] how to separate virtual delivery and authentication?

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Wed Jan 8 09:40:36 EET 2014



On Tue, 7 Jan 2014, Mihai Badici wrote:

>>> userdb for delivery) , this could be far better.But I think this is a
>>> design issue.
>> Remember: passdb is for authenticating users; userdb is for getting user
>> information. When a user authenticates for IMAP, passdb verifies the password
>> and probably overrides the username; in the second step the userdb is
>> queried for the user data. If you use prefetch userdb and provide
>> different passdb and userdb queries, I would not expect a clean run.
>>
>> Maybe, it's better you give a detailed example, which makes your idea more
>> visible.
>
> Ok, an example is better.
> Let's say I use dovecot with postfix and I have in postfix/master.cf :
>
> dovecot     unix  -       n       n       -       -       pipe
>    flags=DRhu user=mailbox:mailbox
>   argv=/usr/libexec/dovecot/deliver -f ${sender} -d  ${recipient}
>
> I use two e-mail addresses, mihai at example.org and mihaib at example.org
> My uid is mihai.badici (I chose it unrelated to the e-mail address)
>
> So, the deliver service will query ldap in order to find the mailbox.
> We need to put  mail=%u or maildrop=%u, depending on the schema.
>
> On the other hand, the authentication will fail if I use uid, because it uses
> the same query.
> I can put    |(mail=%u)(uid=%u)  and it works, but it is rather strange.
> I can, indeed, use maildrop to "canonify" the mailbox in postfix before
> delivery, and I think it will work too.
> But I think it is more elegant to separate the delivery query and authentication
> query.  I'm not sure if it is not possible to use only the passdb query for
> authentication.

That's what I meant in my second reply with "otherwise have the passdb 
return another username, e.g. the "mail" LDAP attribute to convert the uid 
into a mail address."

See: http://wiki2.dovecot.org/PasswordDatabase/ExtraFields?highlight=user

You use only "uid" in passdb query, but return a field "user" to override 
the username, e.g.:

pass_attrs = uid=user

change "uid" to the attribute that holds your primary address.

Use, in the userdb query, the attribute that enumerates all mail addresses.

However, this has the drawback, IMHO, that you need to type a mail address 
with doveadm's -u switch.

-- 
Steffen Kaiser
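The split Steffen describes, written out as a Dovecot 2.x LDAP configuration. This is an added example, not a file from the thread or from the Dovecot project: the host, bind DN, base DN and attribute names (uid for the login name, a multi-valued mail attribute holding every address of the account, the posixAccount attributes for home/uid/gid) are assumptions to be adjusted to the local schema. The passdb filter matches only on uid and returns the primary address as the "user" extra field; the userdb filter matches only on mail addresses, which is the lookup dovecot-lda runs for `deliver -d ${recipient}`.

```conf
# /etc/dovecot/dovecot-ldap.conf.ext  (added example; all values are placeholders)
uris = ldap://ldap.example.org
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = CHANGE_ME_bind_password
auth_bind = yes
ldap_version = 3
base = ou=people,dc=example,dc=org
scope = subtree

# passdb: authenticate by login name only. The user types the uid
# (mihai.badici), never a mail address.
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# Return the primary address as "user" so the session, and the userdb
# lookup that follows it, run under the mail address instead of the uid.
# "mail" is assumed to hold the primary address (the attribute Steffen
# says to substitute for "uid" in pass_attrs).
pass_attrs = mail=user

# userdb: look up by mail address only. Both mihai@ and mihaib@ must be
# values of the (assumed multi-valued) "mail" attribute of the one entry,
# so that delivery to either address finds the same mailbox.
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

# The combined form Mihai calls "rather strange": one filter that accepts
# either attribute for both roles. It works, but then the passdb also
# accepts a mail address as a login name, and the two lookups are no
# longer separated. Shown here for comparison, not enabled.
# pass_filter = (&(objectClass=inetOrgPerson)(|(mail=%u)(uid=%u)))

# /etc/dovecot/conf.d/auth-ldap.conf.ext  (added example)
# One file carries both pass_* and user_* settings, so both databases
# can point at it.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
```

To check each half on its own: `doveadm auth test mihai.badici` exercises only the passdb and shows the returned extra fields, including the overridden user; `doveadm user mihai@example.org` exercises only the userdb. Because the userdb keys on addresses, `doveadm -u` has to be given a mail address rather than the uid, which is exactly the drawback Steffen points out.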

