<!DOCTYPE html>
<html>
<head>
<title></title>
<style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
</head>
<body><div>On Tue, Jul 17, 2018, at 3:37 AM, Heiler Bemerguy wrote:<br></div>
<blockquote type="cite"><div>Em 06/07/2018 00:10, ellie timoney escreveu:<br></div>
<div> <br></div>
<blockquote type="cite" cite="mid:1530846648.828222.1431613808.54159959@webmail.messagingengine.com"><div>Hi,<br></div>
<div><br></div>
<div>The "defaultdomain" is the domain that's assumed by Cyrus for
users that are uid only. Any other domain needs to be
explicitly specified in the user (this applies to login,
delivery, etc). So, if you have:<br></div>
<div><br></div>
<div> defaultdomain: foo.com<br></div>
<div><br></div>
<div>then "user" and "<a href="mailto:user@foo.com">user@foo.com</a>" are the same account
(and can login using either variation), but "<a href="mailto:user@bar.com">user@bar.com</a>"
is some other account and can only login as "<a href="mailto:user@bar.com">user@bar.com</a>".<br></div>
<div><br></div>
<div>It's not clear to me how you wish to use the extra domains.
Do you want your existing users to be able to send/receive from
multiple different domains? (e.g. user "anne" has both email
addresses "<a href="mailto:anne@foo.com">anne@foo.com</a>",
"<a href="mailto:anne@bar.com">anne@bar.com</a>").<br></div>
</blockquote><div><br></div>
<div>We used to have some domains that represented the same mailbox. Like
@cinbesa.com.br being the same as @belem.pa.gov.br.. but now we want
to create some other domains (while *maintaining* those we already
had), which will point to totally different mailboxes, like
@semad.belem.pa.gov.br and @sesma.belem.pa.gov.br :)<br></div>
<div> <br></div>
<div> <br></div>
<div> <br></div>
<blockquote type="cite" cite="mid:1530846648.828222.1431613808.54159959@webmail.messagingengine.com"><div><br></div>
<div>Or do you want accounts in different domains to be not
related to each other? (e.g. "<a href="mailto:anne@foo.com">anne@foo.com</a>" and "<a href="mailto:anne@bar.com">anne@bar.com</a>"
are <br></div>
<div>two totally different accounts)<br></div>
<div><br></div>
<div>In either case, I would think about having one LDAP attribute
(single-value, unique) to represent a user's "primary" email
address, and a separate LDAP attribute (multi-value, unique) to
represent their "aliases". You would set up Cyrus to only
consider the "primary" attribute, and then set up your SMTP
server to deliver email destined for "alias" addresses to the
"primary" address for the matching account. I believe this is a
common enough configuration that it shouldn't be hard to find
information online. I have managed (non-Cyrus) systems that
worked like this in the past, but it was a long time ago so I
can't offer much specific help.<br></div>
</blockquote><div><br></div>
<div>humm. so the existing "mail" field on ldap would always contain the
@defaultdomain (as setup on cyrus), but another field for aliases
where Postfix would look up?!<br></div>
</blockquote><div><br></div>
<div>The "mail" attribute wouldn't need to always contain the @defaultdomain, but it would always need to match the account that Cyrus knows about. And then the aliases attribute (I've seen "mailalternateaddress" used for this) would contain any other addresses that need to deliver to the same account.<br></div>
<div><br></div>
<div>defaultdomain is just for telling Cyrus what to assume when no domain is specified, none of your accounts need to actually use it, and in fact this domain doesn't even need to exist (unless accounts use it). At FastMail, I believe our defaultdomain is set to some nonsense value like "internal" or "invalid" or something, which none of our accounts use, and the side effect of this is that every account must always have a (real) domain explicitly specified. I'd recommend doing something similar, just to avoid confusion from Cyrus making assumptions.<br></div>
<div><br></div>
<div>Basically what I'm saying here is, if you:<br></div>
<div> <br></div>
<div>* set it up in LDAP so that each account has exactly one "mail" attribute which matches their Cyrus account, and as many aliases as they need, and<br></div>
<div>* set up Postfix to handle the alias rewriting on delivery, and<br></div>
<div>* set up Cyrus to look up the "mail" attribute (only) for authentication (as you have already done), and if necessary, instruct your users to use their full "mail" address as their login name<br></div>
<div><br></div>
<div>then:<br></div>
<div><br></div>
<div>* your defaultdomain doesn't really matter, because everything in Cyrus will use the full "mail" address, and<br></div>
<div>* Cyrus won't autocreate multiple inboxes for people, because it never sees their aliases<br></div>
<div><br></div>
<div>If you provide a webmail interface to your users, it will also need to know about their LDAP attributes so that they can send mail "from" an alias if they need to. But if your users just use IMAP, they can just be set up in the client.<br></div>
<div><br></div>
<blockquote type="cite"><div> <br></div>
<div> <br></div>
<blockquote type="cite" cite="mid:1530846648.828222.1431613808.54159959@webmail.messagingengine.com"><div><br></div>
<div>As for autocreate, it is not compiled in by default, it needs
to be turned on at build time with the --enable-autocreate
argument to configure. If you installed Cyrus from a
distribution, your distribution may have done this for you.<br></div>
<div><br></div>
<div>If you don't want to recompile to remove the feature, you can
control it using the autocreate_* options in imapd.conf (see man
imapd.conf.5). For example you should be able to use
"autocreate_users" to limit it only to certain LDAP groups
rather than every valid login (if that is useful to you).<br></div>
<div><br></div>
<div>But if you set up your LDAP directory and Cyrus such that
each user only has a single "primary" email address that they
can use in Cyrus, and map delivery to aliases outside of Cyrus,
then people won't be able to login with the "wrong" alias, and
therefore autocreate won't accidentally make new accounts for
them. :)<br></div>
<div><br></div>
</blockquote><div> Right now I think they can login with the "uid" only OR with the
complete mail ("mail" field)<br></div>
<div> <br></div>
</blockquote><div><br></div>
<div><span class="highlight" style="background-color:rgb(255, 255, 255)"><span class="colour" style="color:rgb(31, 31, 31)"><span class="font" style="font-family:"Source Sans Pro", sans-serif"><span class="size" style="font-size:14px">If you still have your </span></span></span></span>ldap_filter set to<i style="font-style: italic; caret-color: rgb(31, 31, 31); color: rgb(31, 31, 31); font-family: "Source Sans Pro", sans-serif; font-size: 14px; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;"> "(&(objectClass=inetOrgPerson)(mail=%U@%d))"</i> (per your original message), then they will currently be able to login with just the "uid" if their full "mail" address contains the defaultdomain. This is because of how Cyrus assumes the defaultdomain if there's no domain. If you have users whose "mail" is one of your other domains, they will be able to login with their full "mail" address, but not with just the "uid" part. :)<br></div>
<div><br></div>
<div>If you change your defaultdomain to some nonsense value like I suggested earlier, then everyone will need to login with their full "mail" address, but that address can be set to any of your real domains. This might be confusing for users who used to just log in with "uid", but depending on the size of your organisation, might be less confusing overall if everyone's login is their full mail address.<br></div>
<div><br></div>
<div>Cheers,<br></div>
<div><br></div>
<div>ellie</div>
</body>
</html>