Moving from single to multi-domain. Mailboxes from default domain not being the same as before

Discussion:

Vladislav Kurz

2018-07-04 14:48:23 UTC

auto-creates *another *mailbox
(//var/spool/cyrus/mail/domain/o/ourcompany.com.br/h/user/heiler^bemerguy//).
As the "ourcompany.com.br" is the default domain, it would be better
(and a lot less troublesome) if it continued to use the old
"//var/spool/cyrus/mail/h/user/heiler^bemerguy" /mailbox/./ *Is it
possible*?

Did you set imapd.conf properly? Try this:

virtdomains: userid
defaultdomain: ourcompany.com.br

We used that when moving to multidomain system, but we used SASLDB as
backend (not LDAP).

--
Best regards
Vladislav Kurz

ellie timoney

2018-07-06 03:10:48 UTC

Permalink

Hi,

The "defaultdomain" is the domain that's assumed by Cyrus for users that
are uid only. Any other domain needs to be explicitly specified in the
user (this applies to login, delivery, etc). So, if you have:
defaultdomain: foo.com

then "user" and "***@foo.com" are the same account (and can login using
either variation), but "***@bar.com" is some other account and can only
login as "***@bar.com".
It's not clear to me how you wish to use the extra domains. Do you want
your existing users to be able to send/receive from multiple different
domains? (e.g. user "anne" has both email addresses "***@foo.com",
"***@bar.com").
Or do you want accounts in different domains to be not related to each
other? (e.g. "***@foo.com" and "***@bar.com" aretwo totally different accounts)

In either case, I would think about having one LDAP attribute (single-
value, unique) to represent a user's "primary" email address, and a
separate LDAP attribute (multi-value, unique) to represent their
"aliases". You would set up Cyrus to only consider the "primary"
attribute, and then set up your SMTP server to deliver email destined
for "alias" addresses to the "primary" address for the matching
account. I believe this is a common enough configuration that it
shouldn't be hard to find information online. I have managed (non-
Cyrus) systems that worked like this in the past, but it was a long time
ago so I can't offer much specific help.
As for autocreate, it is not compiled in by default, it needs to be
turned on at build time with the --enable-autocreate argument to
configure. If you installed Cyrus from a distribution, your
distribution may have done this for you.
If you don't want to recompile to remove the feature, you can control it
using the autocreate_* options in imapd.conf (see man imapd.conf.5).
For example you should be able to use "autocreate_users" to limit it
only to certain LDAP groups rather than every valid login (if that is
useful to you).
But if you set up your LDAP directory and Cyrus such that each user only
has a single "primary" email address that they can use in Cyrus, and map
delivery to aliases outside of Cyrus, then people won't be able to login
with the "wrong" alias, and therefore autocreate won't accidentally make
new accounts for them. :)
Cheers,

ellie

Hi,
Yeah "virtdomains" is set to "userid". The "defaultdomain" was
commented out. By setting it to "ourcompany.com.br", it prevented the
creation of another mailbox inside "domain/o/ourcompany.com.br"
sucessfully, thanks.> But now I got another problem. We used to have other "default" domains
like that. Like "companyalias.com.br", "companyalias2.com.br"... So is
there a way to use *more than one* "defaultdomain", to block the
creation of redundant mailboxes..?>

auto-creates *another *mailbox (//var/spool/cyrus/mail/domain/o/our-
company.com.br/h/user/heiler^bemerguy//). As the
"ourcompany.com.br" is the default domain, it would be better (and a
lot less troublesome) if it continued to use the old
"//var/spool/cyrus/mail/h/user/heiler^bemerguy" /mailbox/./ *Is it
possible*?

Did you set imapd.conf properly? Try this: virtdomains: userid
defaultdomain: ourcompany.com.br We used that when moving to
multidomain system, but we used SASLDB as backend (not LDAP).

----
Cyrus Home Page: http://www.cyrusimap.org/
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

ellie timoney

2018-07-17 01:55:52 UTC

Permalink

Post by ellie timoney
Hi,
The "defaultdomain" is the domain that's assumed by Cyrus for users
that are uid only. Any other domain needs to be explicitly specified
in the user (this applies to login, delivery, etc). So, if you have:>>
defaultdomain: foo.com
It's not clear to me how you wish to use the extra domains. Do you
want your existing users to be able to send/receive from multiple
different domains? (e.g. user "anne" has both email addresses

We used to have some domains that represented the same mailbox. Like
@cinbesa.com.br being the same as @belem.pa.gov.br.. but now we want
to create some other domains (while *maintaining* those we already
had), which will point to totally different mailboxes, like
@semad.belem.pa.gov.br and @sesma.belem.pa.gov.br :)>

Post by ellie timoney
Or do you want accounts in different domains to be not related to
In either case, I would think about having one LDAP attribute (single-
value, unique) to represent a user's "primary" email address, and a
separate LDAP attribute (multi-value, unique) to represent their
"aliases". You would set up Cyrus to only consider the "primary"
attribute, and then set up your SMTP server to deliver email destined
for "alias" addresses to the "primary" address for the matching
account. I believe this is a common enough configuration that it
shouldn't be hard to find information online. I have managed (non-
Cyrus) systems that worked like this in the past, but it was a long
time ago so I can't offer much specific help.>

humm. so the existing "mail" field on ldap would always contain the
@defaultdomain (as setup on cyrus), but another field for aliases
where Postfix would look up?!

The "mail" attribute wouldn't need to always contain the @defaultdomain,
but it would always need to match the account that Cyrus knows about.
And then the aliases attribute (I've seen "mailalternateaddress" used
for this) would contain any other addresses that need to deliver to the
same account.
defaultdomain is just for telling Cyrus what to assume when no domain is
specified, none of your accounts need to actually use it, and in fact
this domain doesn't even need to exist (unless accounts use it). At
FastMail, I believe our defaultdomain is set to some nonsense value like
"internal" or "invalid" or something, which none of our accounts use,
and the side effect of this is that every account must always have a
(real) domain explicitly specified. I'd recommend doing something
similar, just to avoid confusion from Cyrus making assumptions.
Basically what I'm saying here is, if you:

* set it up in LDAP so that each account has exactly one "mail"
attribute which matches their Cyrus account, and as many aliases as
they need, and* set up Postfix to handle the alias rewriting on delivery, and
* set up Cyrus to look up the "mail" attribute (only) for authentication
(as you have already done), and if necessary, instruct your users to
use their full "mail" address as their login name
then:

* your defaultdomain doesn't really matter, because everything in Cyrus
will use the full "mail" address, and* Cyrus won't autocreate multiple inboxes for people, because it never
sees their aliases
If you provide a webmail interface to your users, it will also need to
know about their LDAP attributes so that they can send mail "from" an
alias if they need to. But if your users just use IMAP, they can just
be set up in the client.

Post by ellie timoney
As for autocreate, it is not compiled in by default, it needs to be
turned on at build time with the --enable-autocreate argument to
configure. If you installed Cyrus from a distribution, your
distribution may have done this for you.>>
If you don't want to recompile to remove the feature, you can control
it using the autocreate_* options in imapd.conf (see man
imapd.conf.5). For example you should be able to use
"autocreate_users" to limit it only to certain LDAP groups rather
than every valid login (if that is useful to you).>>
But if you set up your LDAP directory and Cyrus such that each user
only has a single "primary" email address that they can use in Cyrus,
and map delivery to aliases outside of Cyrus, then people won't be
able to login with the "wrong" alias, and therefore autocreate won't
accidentally make new accounts for them. :)>>

Right now I think they can login with the "uid" only OR with the
complete mail ("mail" field)>

If you still have your ldap_filter set to*
"(&(objectClass=inetOrgPerson)(mail=%U@%d))"* (per your original
message), then they will currently be able to login with just the "uid"
if their full "mail" address contains the defaultdomain. This is
because of how Cyrus assumes the defaultdomain if there's no domain. If
you have users whose "mail" is one of your other domains, they will be
able to login with their full "mail" address, but not with just the
"uid" part. :)
If you change your defaultdomain to some nonsense value like I suggested
earlier, then everyone will need to login with their full "mail"
address, but that address can be set to any of your real domains. This
might be confusing for users who used to just log in with "uid", but
depending on the size of your organisation, might be less confusing
overall if everyone's login is their full mail address.
Cheers,

ellie