Em 16/07/2018 22:55, ellie timoney escreveu:
Or do you want accounts in different domains to be not
related to each other? (e.g. " a...@foo.com" and " a...@bar.com"
are
two totally different accounts)
In either case, I would think about having one LDAP
attribute (single-value, unique) to represent a user's
"primary" email address, and a separate LDAP attribute
(multi-value, unique) to represent their "aliases". You
would set up Cyrus to only consider the "primary" attribute,
and then set up your SMTP server to deliver email destined
for "alias" addresses to the "primary" address for the
matching account. I believe this is a common enough
configuration that it shouldn't be hard to find information
online. I have managed (non-Cyrus) systems that worked like
this in the past, but it was a long time ago so I can't
offer much specific help.
humm. so the existing "mail" field on ldap would always
contain the @defaultdomain (as setup on cyrus), but another
field for aliases where Postfix would look up?!
The "mail" attribute wouldn't need to always contain the
@defaultdomain, but it would always need to match the account
that Cyrus knows about. And then the aliases attribute (I've
seen "mailalternateaddress" used for this) would contain any
other addresses that need to deliver to the same account.
Right now Cyrus is using mailboxes without any domain.. just a plain
"/var/spool/cyrus/mail/h/user/heiler^bemerguy"..
defaultdomain is just for telling Cyrus what to assume when
no domain is specified, none of your accounts need to actually
use it, and in fact this domain doesn't even need to exist
(unless accounts use it). At FastMail, I believe our
defaultdomain is set to some nonsense value like "internal" or
"invalid" or something, which none of our accounts use, and the
side effect of this is that every account must always have a
(real) domain explicitly specified. I'd recommend doing
something similar, just to avoid confusion from Cyrus making
assumptions.
Basically what I'm saying here is, if you:
* set it up in LDAP so that each account has exactly one
"mail" attribute which matches their Cyrus account, and as many
aliases as they need, and
I think this will be the problem. Our ldap's "mail" attribute is
mixed with @cinbesa.com.br or @belem.pa.gov.br.. but as our saslauth
ldap_filter uses UID instead of MAIL for searching accounts they all
use the same mailbox!
If I change that to use the "mail" attribute instead, and the "mail"
attribute is @defaultdomain, it will work, but if it's not, it will
create another mailbox.. I don't know how can I write a ldap_filter
to return only uid in that case.
Or should I rewrite all users' "mail" attribute that are using
domain aliases?
* set up Postfix to handle the alias rewriting on delivery,
and
* set up Cyrus to look up the "mail" attribute (only) for
authentication (as you have already done), and if necessary,
instruct your users to use their full "mail" address as their
login name
then:
* your defaultdomain doesn't really matter, because
everything in Cyrus will use the full "mail" address, and
* Cyrus won't autocreate multiple inboxes for people, because
it never sees their aliases
If you provide a webmail interface to your users, it will
also need to know about their LDAP attributes so that they can
send mail "from" an alias if they need to. But if your users
just use IMAP, they can just be set up in the client.
We use a roundcube Webmail, which uses smtp to send emails..
As for autocreate, it is not compiled in by default, it
needs to be turned on at build time with the
--enable-autocreate argument to configure. If you installed
Cyrus from a distribution, your distribution may have done
this for you.
If you don't want to recompile to remove the feature, you
can control it using the autocreate_* options in imapd.conf
(see man imapd.conf.5). For example you should be able to
use "autocreate_users" to limit it only to certain LDAP
groups rather than every valid login (if that is useful to
you).
But if you set up your LDAP directory and Cyrus such that
each user only has a single "primary" email address that
they can use in Cyrus, and map delivery to aliases outside
of Cyrus, then people won't be able to login with the
"wrong" alias, and therefore autocreate won't accidentally
make new accounts for them. :)
Right now I think they can login with the "uid" only OR
with the complete mail ("mail" field)
If you still have your ldap_filter
set to "(&(objectClass=inetOrgPerson)(mail=%U@%d))"
(per your original message), then they will currently be able to
login with just the "uid" if their full "mail" address contains
the defaultdomain. This is because of how Cyrus assumes the
defaultdomain if there's no domain. If you have users whose
"mail" is one of your other domains, they will be able to login
with their full "mail" address, but not with just the "uid"
part. :)
Yeah this worked for @cinbesa but created another mailbox when
anyone tried to login with domain aliases..
If you change your defaultdomain to some nonsense value like
I suggested earlier, then everyone will need to login with their
full "mail" address, but that address can be set to any of your
real domains. This might be confusing for users who used to
just log in with "uid", but depending on the size of your
organisation, might be less confusing overall if everyone's
login is their full mail address.
Cheers,
ellie
--
Atenciosamente,
Heiler Bensimon Bemerguy - CINBESA
Analista de Redes, Wi-Fi,
Virtualização e Serviços Internet
(55) 91 98151-4894
|