Hello,

OK. You want user 12345 to log in through IMAP, and not 12345@xxxxxxxxxxx

Thus, you need a mailbox 12345 in Cyrus, that it will authenticate against SASL (eventually hitting LDAP).

The problem: User 12345 cannot receive mail, because postfix doesn't know the guy. On the other hand, 12345@xxxxxxxxxx cannot login because LDAP doesn't know the guy ;)

The solution: Change your recipient canonical settings to virtual maps.

Your LDAP query filter would then be something to the effect of

    (&(|(mail=%s)(mailAlternateAddress=%s))(enableMail=Y))

And get rid of the "result_filter = %s@xxxxxxxxxx"

What this will allow is:
1) A user called 12345 in LDAP and Cyrus
2) A postfix lookup for *any* email address, as long as enableMail=Y
3) A postfix mapping of the email address to %s (12345).
4) Email addresses of 12345@xxxxxxxxxx will result in 12345 (=uid)

Problem solved. ;)

Hope this will work for you. It does for me! (guus.leeuw@xxxxxxxxxxxxxxx is an alias and receives mail for leeuwg@xxxxxxxxxxxxxxx, leeuwg1@xxxxxxxxxxxxxxx; however, since guus.leeuw@xxxxxxxxxxxxxxx is the mail attribute, and the other two are kept in mailAlternateAddress, my sender_canonical_map tells postfix that my mail address is guus.leeuw@xxxxxxxxxxxxxxx, *although* I only login to Cyrus/SSH/Whatnot with leeuwg!! And I guess that is what you want ;)

Have fun,
Guus

(Ah, and you could even accept mail for guus_leeuw_jr@xxxxxxxxxxxxxxxxx, as long as postfix knows myotherdomain.com is a mydestination ;)

> -----Original Message-----
> From: info-cyrus-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:info-cyrus-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Jose Morelli Neto
>
> 2007/1/8, Guus Leeuw jr. <Guus.Leeuw@xxxxxxxxxxxxxxx>:
> >
> > Hello,
>
> Hi Guus!
>
> > First of all a couple of questions:
> >
> > 1) Are you planning to manage multiple domains' mail, or just the domain.com mail?
>
> Yes, I need to manage two more domains, like lists.domain.com and domain.org.
>
> > 2) Can you post the contents of the canonical.cf file that postfix uses for canonical mapping?
>
> I needed to modify the canonical configuration, because I wasn't able to send mail. Now it is thus:
>
> main.cf --------
> recipient_canonical_maps = proxy:ldap:/etc/postfix/ldap/recipient_canonical.cf
> sender_canonical_maps = proxy:ldap:/etc/postfix/ldap/sender_canonical.cf
> main.cf --------
>
> recipient_canonical.cf ----------
> server_host = ldap://ldap.domain.com:389
> bind = yes
> bind_dn = cn=admin,dc=domain,dc=com
> bind_pw = password
>
> search_base = ou=users,dc=domain,dc=com
> query_filter = (&(mail=%s)(objectClass=CourierMailAccount)(enableMail=Y))
> result_attribute = uid
> result_filter = %s@xxxxxxxxxx
> recipient_canonical.cf ----------
>
> sender_canonical.cf --------
> server_host = ldap://ldap.domain.com:389
> bind = yes
> bind_dn = cn=admin,dc=domain,dc=com
> bind_pw = password
>
> search_base = ou=users,dc=domain,dc=com
> query_filter = (&(uid=%s)(objectClass=CourierMailAccount)(enableMail=Y))
> result_attribute = mail
> sender_canonical.cf --------
>
> As you can see in the file recipient_canonical.cf, the result_filter has @domain.com fixed. This way it wouldn't work with virtual domains; I'd need to add an attribute with code+domain like 12345@xxxxxxxxxxx
>
> > 3) Why would you want SASL to talk to PAM for PAM to talk to LDAP? Why not do the whole thing in 1 go?
>
> Yes, the reason is that this server directly affects the authentication of ssh in LDAP. I tried to authenticate SASL directly in LDAP, with this saslauthd configuration:
> ldap_servers: ldap://ldap.domain.com/
> ldap_version: 3
> ldap_search_base: ou=users,dc=domain,dc=com
> ldap_filter: uid=%u
> ldap_auth_method: bind
>
> It works normally.
>
> > I believe you told imapd to use the PLAIN mechanism? AFAIK PLAIN is not equal to PAM in terms of mechanism? OK, PAM method, I could understand, but then again, that raises question 3.
>
> Yes, I understand that using saslauthd as method this will authenticate on PAM (and this works). I see in the imapd.conf manual that this can authenticate (or get an attribute) directly in LDAP, but I didn't find any example of this.
>
> If I can get the UID from LDAP after postfix delivers via LMTP to Cyrus, and before Cyrus verifies that the mailbox exists (and verifies using the UID), this will work perfectly. The tests with canonical worked, but I will need to convert the mail address every time, and I will have to modify my LDAP base (~150,000 records). I believe that there is a "correct way" to do this.
>
> > Can you bind to the LDAP server with the uid 12345? Can you bind to LDAP with user.12345@xxxxxxxxxx?
>
> Yes with uid 12345, and no with user.12345@xxxxxxxxxxx
>
> > Without answers, it would be difficult to help (for me).
>
> I understand, also it's difficult for me to explain :)
>
> > Regards,
> > Guus
>
> Thanks for your interest in this problem!
> Neto.
>
> > From: info-cyrus-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:info-cyrus-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Jose Morelli Neto
> > Sent: 08 January 2007 12:07
> > To: info-cyrus@xxxxxxxxxxxxxxxxxxxx
> > Subject: Authentication in LDAP with different UID
> >
> > Hello,
> >
> > I am updating the mail server at my work and in this process I decided to change Courier-IMAP for Cyrus-IMAP; however I still came across a problem without solution (at least for me). Here, all users have a personal ID which is used for authentication in some systems (also in the mail).
> > For example, a user with the personal ID 12345 has the mail user@xxxxxxxxxx
> >
> > If I create the mailbox in cyrus with the personal ID (cm user.12345), I can connect through imap/pop3 and cyrus gets access to the mailbox without problems (using as user 12345); however when sending a message to this user, postfix delivers via LMTP to cyrus, which does not locate the mailbox (with the error: lmtpunix[5514]: verify_user(user.12345) failed: Mailbox does not exist). Then if I create the mailbox with the user's mail (cm user.user@xxxxxxxxxx), the message is delivered without problems from postfix to cyrus (which finds the mailbox); however I can't get access to the mailbox via IMAP/POP using as login the person code (12345), only the email (user@xxxxxxxxxx).
> >
> > The authentication of cyrus is made by SASL using the mechanism PAM (which validates through LDAP).
> >
> > Here are some configurations to facilitate understanding:
> >
> > /etc/imapd.conf --------------------------------------
> > configdirectory: /var/lib/imap
> > partition-default: /var/spool/imap
> > admins: cyrus
> > sievedir: /var/lib/imap/sieve
> > sendmail: /usr/sbin/sendmail
> > hashimapspool: true
> > sasl_pwcheck_method: saslauthd
> > sasl_mech_list: PLAIN
> > tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> > tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> > tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
> > virtdomains: userid
> > defaultdomain: domain.com
> > /etc/imapd.conf --------------------------------------
> >
> > /etc/postfix/main.cf --------------------------------
> > virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
> > canonical_maps = proxy:ldap:/etc/postfix/ldap/canonical.cf
> > /etc/postfix/main.cf --------------------------------
> >
> > usuário.ldif -------------------------
> > dn: uid=12345,ou=users,dc=domain,dc=com
> > uid: 12345
> > cn: Test User
> > sn: test
> > loginShell: /bin/false
> > uidNumber: 90001
> > mail: user@xxxxxxxxxx
> > quota: 20971520
> > gidNumber: 513
> > homeDirectory: /home/user
> > mailbox: /home/user/Maildir/
> > mailHost: siaimail10.domain.com
> > description: description
> > enableMail: S
> > objectClass: top
> > objectClass: person
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: CourierMailAccount
> > objectClass: inetLocalMailRecipient
> > usuário.ldif -------------------------
> >
> > I tried through postfix to modify/create/use some macro (those used in master.cf: ${user} ${extension}) that passes the personal ID to cyrus (in place of the address), but I did not have success.
> >
> > I made SASL authenticate in LDAP using the UID, but it did not work out very well, because cyrus uses the login itself to locate the mailbox, and so I can't deliver the message via lmtp (because the mailbox was named after the user).
> >
> > The closest thing I found to what I need was a Kolab patch that allows (theoretically, I did not test it) consulting the virtual domains through ldap.
> >
> > I used canonical_maps in postfix querying ldap for the mail (user@xxxxxxxxxx) and returning email (12345@xxxxxxxxxxx), but for virtual domains I would have to add a new attribute in LDAP with the personal ID + the domain.
> >
> > Does someone have experience with this integration who can help me?
> >
> > Thanks for your attention.
> > Neto.
> >
> > --
> > José Morelli Neto
> > http://josemorelli.net
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG.
> > Version: 7.5.433 / Virus Database: 268.16.7/619 - Release Date: 07/01/2007 18:29
>
> --
> José Morelli Neto
> http://josemorelli.net
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
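The two table definitions under discussion, as an added example that is not part of the thread: a small Python model of a Postfix ldap_table(5) lookup (escape the key, substitute it for %s in query_filter, search, pass each result_attribute value through result_filter), run against constructed entries shaped like the LDIF Neto posted. It lets the posted recipient_canonical.cf and the virtual-alias filter Guus suggests be compared on the bench. The directory entries, the domain name "domain.com" in place of the obfuscated one, and the tiny filter evaluator are assumptions made here; real Postfix does the directory search itself.

```python
"""Model of the two Postfix LDAP lookup tables in this thread (added example,
not part of the thread): Neto's recipient_canonical.cf, whose result_filter
pins one domain, beside Guus's suggested virtual-alias filter that matches
mail or mailAlternateAddress, gated on enableMail=Y, and returns the bare uid."""
import re

# Constructed directory entries (attribute -> list of values), modelled on
# the LDIF in the thread. "domain.com" stands in for the obfuscated domain.
DIRECTORY = [
    {"uid": ["12345"], "mail": ["user@domain.com"],
     "mailAlternateAddress": ["user@lists.domain.com", "user@domain.org"],
     "objectClass": ["CourierMailAccount"], "enableMail": ["Y"]},
    {"uid": ["67890"], "mail": ["disabled@domain.com"],
     "objectClass": ["CourierMailAccount"], "enableMail": ["N"]},
]

# Neto's recipient_canonical.cf as posted (result_filter pins the domain).
RECIPIENT_CANONICAL = {
    "query_filter": "(&(mail=%s)(objectClass=CourierMailAccount)(enableMail=Y))",
    "result_attribute": "uid",
    "result_filter": "%s@domain.com",
}

# Guus's suggestion for a virtual_alias_maps table: any listed address,
# no result_filter, so the lookup yields the bare uid.
VIRTUAL_ALIAS = {
    "query_filter": "(&(|(mail=%s)(mailAlternateAddress=%s))(enableMail=Y))",
    "result_attribute": "uid",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter: ( ) * backslash
    and NUL become \\XX, so a lookup key cannot change the filter structure.
    Postfix's LDAP client does the equivalent when it substitutes %s."""
    return "".join("\\%02x" % ord(c) if c in "()*\\\x00" else c for c in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value, used when comparing against entries."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text, pos=0):
    """Parse the filter subset used here: (&...), (|...), (attr=value).
    Returns (node, position just after the closing parenthesis)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), pos + 1
    end = text.index(")", pos)  # escaped values contain no literal ')'
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    wanted = unescape_filter_value(value).lower()
    return any(v.lower() == wanted for v in entry.get(attr, []))


def ldap_lookup(table, key, directory=DIRECTORY):
    """One ldap_table(5)-style lookup: splice the escaped key into
    query_filter, collect result_attribute from matching entries and pass
    each value through result_filter (default %s). Empty list = no match,
    which means no rewrite for canonical_maps and no alias for virtual maps."""
    node, _ = parse_filter(table["query_filter"].replace("%s", escape_filter_value(key)))
    result_filter = table.get("result_filter", "%s")
    return [result_filter.replace("%s", v)
            for entry in directory if matches(node, entry)
            for v in entry.get(table["result_attribute"], [])]


def compare(address):
    """Where each table sends one recipient address."""
    return {"recipient_canonical": ldap_lookup(RECIPIENT_CANONICAL, address),
            "virtual_alias": ldap_lookup(VIRTUAL_ALIAS, address)}


if __name__ == "__main__":
    for addr in ("user@domain.com", "user@domain.org", "disabled@domain.com"):
        print(addr, compare(addr))
```

Two checks fall out of running it. First, user@domain.org is only found by the virtual-alias filter, because the posted recipient_canonical.cf searches mail alone and stamps @domain.com onto every result. Second, the posted LDIF carries enableMail: S while both filters test enableMail=Y, so an entry like that misses exactly as the disabled entry does here; the attribute value and the filter have to agree. One further caveat from the Postfix side: a bare uid returned by the table is an unqualified address, which Postfix completes with $myorigin before LMTP delivery, so the defaultdomain in imapd.conf must be that domain for Cyrus (virtdomains: userid) to map 12345@domain.com onto user.12345.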