Hi there,

I'm working on a setup with postfix (2.5.5) + dovecot (1.2.11) using an Active Directory user backend. At first, I used the instructions found here[1] to do the base configuration. As I understand, I need to use dovecot as an LDA to be able to use the quota plugin and have a per-user quota configuration, and this led me to two distinct (and opposed) configuration options.

It seems that the usual dovecot + AD configuration uses the "auth_bind = yes" option, where dovecot tries to bind to AD using user credentials. *But* to be able to use LDA, dovecot can't rely on user credentials, as there are none when a mail arrives, so one needs to use "auth_bind = no" and choose a "user" to bind to AD, using the dn and dnpass options. Am I right until here?

I could just use auth_bind=no *IF* the "dn" user has the necessary privileges to read other AD users' passwords (like an administrator user). Is this correct?

Well, anticipating that the AD sysadmin guy will not be happy with this, I thought that maybe I could "mix" the two configurations, since I don't need the user password to find the user's mailbox (while delivering), but I do while doing his authentication. I may use one configuration for userdb, and another for passdb. BUT (again!) there's another problem, since delivering needs "email" (user@domain) and authentication needs "user" values (and it's perfectly valid that one should use "John Doe" as user, and foo@bar as email!).
So, I messed a little with user filters and got this configuration:

dovecot.conf:

  mail_uid = 1001
  mail_gid = 1001
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap-pass.conf
  }
  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

dovecot-ldap-pass.conf:

  hosts = 10.x.x.x
  base = dc=mydomain,dc=com,dc=br
  ldap_version = 3
  auth_bind = yes
  auth_bind_userdn = mydomain\%u

dovecot-ldap.conf:

  hosts = 10.x.x.x
  auth_bind = no
  dn = cn=Unprivleged User,cn=Users,dc=mydomain,dc=com,dc=br
  dnpass = 123456
  ldap_version = 3
  base = dc=mydomain,dc=com,dc=br
  deref = never
  scope = subtree
  user_attrs = sAMAccountName=mail=maildir:/var/vmail/%$/Maildir
  user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)))
  pass_attrs = sAMAccountName=user,userPassword=password
  pass_filter = (&(objectClass=person)(sAMAccountName=%u))

The "pass_attrs and pass_filter" in dovecot-ldap.conf are not used.

The clever part, or the incredibly stupid one, is the filter (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u))) which means "find some person with email=something OR some person with username=user". I'm not sure of the full implications this could have... Anyway, it's working, as the system accepts emails and the user can retrieve it using pop3.

Is there a better way to do all this? Is it safe to bind dovecot to AD with the necessary privileges to read user passwords? I'm no AD expert, but can this special user be "read-only"?

thanks in advance

[1] http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

-- 
Christian Lyra
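The two lookups in the configuration above can be traced on paper, but it is easier to see what each side needs when they are simulated. The following is an added example, not code from the original post or from Dovecot: an in-memory stand-in for the directory that runs the passdb step as an auth_bind (the client's own password binds as mydomain\%u, so nothing stored is ever read) and the userdb step as a search by an unprivileged service DN using the poster's user_filter and user_attrs template. The directory entries, passwords, the bind behaviour and the "reject ambiguous matches" choice are all constructed assumptions; the filter parser only covers the &, | and attr=value forms the poster's filter uses.

```python
"""Simulation of the poster's split passdb/userdb LDAP setup.

- passdb (auth_bind = yes): bind as mydomain\\%u with the client's password.
- userdb (auth_bind = no): a service DN searches with
  (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u))) and fills the
  mailbox path from 'sAMAccountName=mail=maildir:/var/vmail/%$/Maildir'.

Everything below is constructed sample data, not real AD content.
"""

USER_FILTER = "(&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)))"
USER_ATTRS = "sAMAccountName=mail=maildir:/var/vmail/%$/Maildir"
AUTH_BIND_USERDN = "mydomain\\%u"

# Constructed directory. 'unicodePwd' stands in for the AD password store,
# which the userdb search below never requests.
DIRECTORY = [
    {"objectClass": "person", "sAMAccountName": "jdoe",
     "mail": "john.doe@mydomain.com.br", "unicodePwd": "s3cret"},
    {"objectClass": "person", "sAMAccountName": "jroe",
     "mail": "jroe@mydomain.com.br", "unicodePwd": "hunter2"},
    # A contact whose mail equals jroe's login name: the | clause would match
    # it, but objectClass=person in the & clause keeps it out of the result.
    {"objectClass": "contact", "sAMAccountName": "ext-jroe", "mail": "jroe"},
]


def get_attr(entry, name):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_filter(text, pos=0):
    """Parse one parenthesised filter at pos; return (node, position after it)."""
    assert text[pos] == "(", "filter must start with '('"
    pos += 1
    if text[pos] in "&|":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        assert text[pos] == ")"
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (AD strings compare case-insensitively)."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    stored = get_attr(entry, attr)
    return stored is not None and stored.lower() == value.lower()


def userdb_lookup(username):
    """userdb with auth_bind = no: the service DN runs user_filter with %u
    expanded and only the attribute named in user_attrs is requested."""
    node, _ = parse_filter(USER_FILTER.replace("%u", username))
    hits = [e for e in DIRECTORY if matches(node, e)]
    if len(hits) != 1:
        # 0 hits: unknown user. >1 hits: the | clause made the name ambiguous;
        # this simulation rejects the lookup rather than guess a mailbox.
        return None
    ldap_attr, field, template = USER_ATTRS.split("=", 2)
    return {field: template.replace("%$", get_attr(hits[0], ldap_attr))}


def passdb_auth_bind(username, password):
    """passdb with auth_bind = yes: the directory checks the password during
    the bind; Dovecot only learns whether the bind succeeded."""
    account = AUTH_BIND_USERDN.replace("%u", username).split("\\", 1)[1]
    for entry in DIRECTORY:
        stored = get_attr(entry, "sAMAccountName")
        if stored and stored.lower() == account.lower() and "unicodePwd" in entry:
            return entry["unicodePwd"] == password
    return False


def deliver(recipient):
    """LDA path: no password exists at delivery time; only the userdb search by e-mail runs."""
    return userdb_lookup(recipient)


def pop3_login(username, password):
    """POP3/IMAP path: auth_bind with the client's password, then userdb by login name."""
    if not passdb_auth_bind(username, password):
        return None
    return userdb_lookup(username)


if __name__ == "__main__":
    print("LDA    ->", deliver("john.doe@mydomain.com.br"))
    print("POP3   ->", pop3_login("jdoe", "s3cret"))
    print("bad pw ->", pop3_login("jdoe", "wrong"))
```

Both paths end in the same userdb lookup keyed on whatever %u was (an e-mail address for delivery, a login name for POP3), which is why the | in the filter is what makes the split work; the service DN only needs read access to objectClass, mail and sAMAccountName, and the password check happens inside the bind on the directory's side.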