Dear Aki, good afternoon.

Thank you very much for your response and thank you again for the tip on how I could resolve this issue.

The problem I'm facing is that I need dovecot to serve emails with two different authorization methods for imap and sasl: one through the kerberos ticket as in https://wiki.dovecot.org/Authentication/Kerberos, which I have working but only with a static userdb, and also with plain (over tls of course) performing an ldap bind. I also need to verify the validity of incoming emails for the lmtp process. I have only managed to get plain working with the ldap userdb, or the kerberos solution with static databases and no address verification working, but not both.

I believe I could set up two different dovecot instances listening on different ports or even on different ip addresses over the same ethernet device, but I believe I would run into problems with the locking of files and I would like one solution to serve them all. Is this even possible? Is there information on how to achieve this somewhere I haven't found?

Thank you very much again.
Best regards,
David Wells.

On 30/09/2019 at 03:36, Aki Tuomi wrote:
> On 27.9.2019 23.21, David Wells - Alfavinil S.A. via dovecot wrote:
>> Good afternoon.
>>
>> I have dovecot setup to authenticate virtual users using either gssapi
>> or doing a bind to an ldap server to achieve a single sign on capable
>> imap server connected to a samba active directory DC. What I am also
>> trying to achieve is to have dovecot's lmtp daemon handle the mails
>> passed from postfix. However, the only way I've gotten this to work is
>> setting allow_all_users = yes in the userdb but this causes lmtp to
>> deliver mails to non-existent accounts without rejection. I've been
>> searching but haven't found a way to set this same thing up but having
>> dovecot's lmtp check the validity of the mail's recipient against the same
>> samba AD DC through ldap before delivering it and rejecting unknown
>> email addresses. Could someone please provide some insight into how to
>> achieve this?
>>
>> Thank you very much in advance.
>> Best regards,
>> David Wells.
>>
>
> You could setup LDAP userdb without bind authentication, and use a
> service account instead.
>
> Aki
Good morning.

I was just reading https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found the following statement:

> When using LDA <https://wiki.dovecot.org/LDA> and static userdb,
> deliver can check if destination user exists. With auth binds this
> check isn't possible.

Is this still relevant? Is there a workaround? It seems like using dovecot's lmtp in an active directory environment is not possible, is this correct?

-------- Forwarded Message --------
Subject: Re: lmtp and virtual users
Date: Mon, 30 Sep 2019 17:14:16 -0300
From: David Wells - Alfavinil S.A. via dovecot <dovecot at dovecot.org>
Reply-To: David Wells - Alfavinil S.A. <dwells at alfavinil.com>
To: Aki Tuomi <aki.tuomi at open-xchange.com>, dovecot at dovecot.org
On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
> Good morning.
>
> I was just reading
> https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found
> the following statement
>> When using LDA <https://wiki.dovecot.org/LDA> and static userdb,
>> deliver can check if destination user exists. With auth binds this
>> check isn't possible.
>
> Is this still relevant? Is there a workaround? It seems like using
> dovecot's lmtp in an active directory environment is not possible, is
> this correct?
>

You cannot check user existence with auth binds because auth bind requires user credentials. This is why I suggested you use a "service user" in LDAP to perform the database lookups instead of auth binds. You can still authenticate your users using kerberos.

Aki
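The layout Aki describes, written out as an added configuration example (this is not configuration from the thread or from the Dovecot project; the host name, service-account DN and password, base DN, keytab path and mail paths are placeholders). The passdb keeps auth binds for PLAIN over TLS, while the userdb uses a read-only service account, so LMTP can look a recipient up without holding that recipient's credentials. GSSAPI logins are verified by the Kerberos ticket and need only the userdb. The two LDAP settings files are kept separate so that the connection bound as an end user is never the one used for service-account lookups.

```conf
# /etc/dovecot/dovecot-ldap-userdb.conf.ext   (assumed path)
# Service-account lookups, not auth binds: LMTP and doveadm can check that
# a recipient exists. Keep this file mode 0600, owned by root, because of
# dnpass. Give the service account read-only rights in AD.
uris = ldaps://dc1.example.com
ldap_version = 3
tls_require_cert = hard
dn = CN=svc-dovecot,OU=Service Accounts,DC=example,DC=com
dnpass = CHANGE-ME-placeholder-password

auth_bind = no
base = DC=example,DC=com
scope = subtree
# Match on UPN or sAMAccountName. The userAccountControl bit-match rule
# (OID 1.2.840.113556.1.4.803, bit 2 = ACCOUNTDISABLE) excludes disabled
# AD accounts, so they neither log in nor receive mail.
user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(userPrincipalName=%u)(sAMAccountName=%n)))
# Fixed mailbox layout owned by the vmail user; no LDAP attribute is used
# in the path, so a directory value cannot steer delivery outside it.
user_attrs = =home=/var/vmail/%Ld/%Ln,=uid=vmail,=gid=vmail
```

```conf
# /etc/dovecot/dovecot-ldap-passdb.conf.ext   (assumed path)
# Only PLAIN goes through this passdb: the service account finds the DN,
# then Dovecot binds as that DN to verify the password.
uris = ldaps://dc1.example.com
ldap_version = 3
tls_require_cert = hard
dn = CN=svc-dovecot,OU=Service Accounts,DC=example,DC=com
dnpass = CHANGE-ME-placeholder-password

auth_bind = yes
base = DC=example,DC=com
scope = subtree
pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(userPrincipalName=%u)(sAMAccountName=%n)))
```

```conf
# dovecot.conf excerpt (assumed host name and keytab path)
protocols = imap lmtp
auth_mechanisms = plain gssapi
# PLAIN is only offered after TLS; GSSAPI is verified by the ticket.
disable_plaintext_auth = yes
auth_gssapi_hostname = imap.example.com
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

# Postfix hands mail over this socket (virtual_transport =
# lmtp:unix:private/dovecot-lmtp on the Postfix side).
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

With this in place, `doveadm user someone@example.com` exercises the service-account userdb lookup, and `doveadm auth test someone@example.com` exercises the PLAIN auth bind. A recipient whose userdb lookup returns nothing is refused by LMTP at RCPT time with a 550 5.1.1 reply instead of being delivered. One caveat on "rejecting unknown email addresses": that LMTP refusal happens after Postfix has already accepted the message from the outside unless Postfix itself checks recipients at its own RCPT stage (for example with `reject_unverified_recipient` or an LDAP-backed `virtual_mailbox_maps`); without that, unknown addresses produce bounces rather than rejections.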