Hello,
I have a general question about userdb and passdb lookups, in my case related
to driver=sql.
The documentation and most examples on the internet seem to assume that a
user's login username to access a mailbox is identical to his email address,
or at least to the local part of this email address. This setup works fine.
But I don't understand how to set up Dovecot when login username and email
addresses differ. Or to say it in other words, how to map email addresses to
mailbox users.
I need a sql password_query for passdb to validate the password for a given
login name during SMTP or SASL authentication. Let's say the credentials are
"user-1"/"anypassword", then the query is similar to
"select password from mailboxes where username='%u'".
The next step, user_query for userdb is executed to get storage information
for user "user-1". This query must also search for the username "user-1", not
for an email address:
"select home, mail from mailboxes where username='%u'".
So far, so good. But:
For incoming mails via LMTP, my user_query from userdb is being executed with
the email-address as search parameter (instead of the login name), so it
fails. I miss a third query that maps one user to each email address for
delivery, prior to the userdb lookup. For example:
bob@example.org => user-1
eve@example.org => user-1
ted@example.org => user-2
@catchall.org => user-3
"select username from addr_maps where addr='%n@%d'".
What is the correct setup for this scenario?
I've found two solutions that seem to work, but I'm not sure if they are
really failsafe.
I) I use driver=prefetch as a first userdb, so for authentication, only the
password_query from passdb is relevant and returns all mailbox details. A
second userdb does a user_query lookup against email-addresses and is only
called for incoming mails.
passdb {
  driver = sql
  args = /etc/dovecot/sql-check-user.conf
}
userdb {
  driver = prefetch
}
userdb {
  driver = sql
  args = /etc/dovecot/sql-check-addr.conf
}
II) The second userdb performs lookups against usernames (as in the passwd
query), but I place a third userdb {} within the lmtp's protocol section,
which does an address lookup instead of a username lookup:
protocol lmtp {
  userdb {
    driver = sql
    args = /etc/dovecot/sql-check-addr.conf
  }
}
passdb {
  driver = sql
  args = /etc/dovecot/sql-check-user.conf
}
userdb {
  driver = sql
  args = /etc/dovecot/sql-check-user.conf
}
What do you think, is there a better solution?
- greetings
Andreas
Dovecot Version: 2.2.27 (c0f36b0)
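
The address-to-mailbox resolution asked about above, written as one joined query and run against an in-memory SQLite database. This is an added example, not part of the original message and not Dovecot's own code. The table and column names follow the post; the storage paths, password placeholders, the extra `abuse@catchall.org` row, and the helpers `make_db()` and `resolve()` are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: table and column names follow the post; paths,
# password placeholders and the abuse@ row are invented for illustration.
SCHEMA = """
CREATE TABLE mailboxes (username TEXT PRIMARY KEY, password TEXT,
                        home TEXT, mail TEXT);
CREATE TABLE addr_maps (addr TEXT PRIMARY KEY,
                        username TEXT NOT NULL REFERENCES mailboxes(username));
INSERT INTO mailboxes VALUES
  ('user-1', 'PLACEHOLDER-HASH', '/srv/vmail/user-1', 'maildir:~/Maildir'),
  ('user-2', 'PLACEHOLDER-HASH', '/srv/vmail/user-2', 'maildir:~/Maildir'),
  ('user-3', 'PLACEHOLDER-HASH', '/srv/vmail/user-3', 'maildir:~/Maildir');
INSERT INTO addr_maps VALUES
  ('bob@example.org',    'user-1'),
  ('eve@example.org',    'user-1'),
  ('ted@example.org',    'user-2'),
  ('@catchall.org',      'user-3'),
  ('abuse@catchall.org', 'user-2');
"""

# One lookup: exact address first, domain catch-all as fallback, joined to
# the mailbox row so the storage fields come back with the login name.
ADDR_QUERY = """
SELECT m.username, m.home, m.mail
FROM addr_maps AS a JOIN mailboxes AS m ON m.username = a.username
WHERE a.addr IN (:full, :catchall)
ORDER BY (a.addr = :full) DESC
LIMIT 1
"""

def make_db():
    """Build the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def resolve(conn, local_part, domain):
    """Return (username, home, mail) for a recipient, or None if unmapped."""
    domain = domain.lower()
    params = {"full": f"{local_part}@{domain}", "catchall": f"@{domain}"}
    # Bound parameters keep recipient text out of the SQL string itself.
    return conn.execute(ADDR_QUERY, params).fetchone()

if __name__ == "__main__":
    db = make_db()
    for rcpt in ("bob@example.org", "abuse@catchall.org", "x@catchall.org", "x@example.org"):
        print(rcpt, "=>", resolve(db, *rcpt.split("@")))
```

An exact address entry wins over the domain catch-all, and a recipient with neither mapping returns no row, so delivery for it is rejected rather than falling through to another mailbox.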