Postfix, Dovecot, LDAP: Grant multiple users access to one mail address

Rhino R.

11/18/23, 12:58 PM

I'm sure this is a common problem but I'm not able to find any good solution nor at least something that leads me to the right track. Additionally, I have no experience with LDAP so far, maybe this is why I cannot find anything related.

I've running a mail server with Postfix, Dovecot, MySQL, rspamd and Redis on AlmaLinux 9 so far and this system works great. Now I want to switch from SQL-based authentication to LDAP. There is a lot of information out there about using LDAP.

But I cannot find anything about having a mail address (e.g. box@example.com) which can be accessed by multiple users (e.g. foo and bar). Foo and bar should have it's on addresses as well (foo@example.com and bar@example.com). Now I want that foo and bar can authenticate for box as well while reading, writing, deleting etc. mails as they can in their own mail boxes.

The goal is to easily give access to box@example.com by adding an existing user to a kind of whitelist without having a separate password for box@example.com. Only enlisted users can login into box. Additionally, I thought about using Kerberos for a one-time-authentication but that's too heavy for me at the moment.

The only thing that I found is to redirect any mails of box@example.com to Foo and Bar, but that's more like a mailing list, which I do not want to implement.

Therefore, I appreciate any help about how to solve that.

228

0 + 4

email-server

postfix

ldap

anx

11/18/23, 2:18 PM

Consider the difference between "can log into the box (possibly not at the same time as their own)" and "has permission to send as and see another folder in their IMAP structure that contains the shared box" - comes with different usage patterns and configuration approaches.

Rhino R.

11/18/23, 2:34 PM

@anx thanks for clarifying my issue. Even both approaches are interesting, the second one (has permission to send as box and see additional folder in IMAP structure) is hitting my target very well.

anx

11/18/23, 6:55 PM

I cannot provide a full answer, because I never did it. Some pointers: Decide whether users are in control (SETACL) of granting and removing mailbox access (very risky if users cannot be trusted or used software cannot be relied on when it comes to removing no longer necessary permissions) or whether it is mostly fixed share targets managed by adding or removing tags/groups in LDAP (acl_groups). Decide whether sending as (impersonating, even) the shared mailbox is really necessary. Add the userdb/passdb lookups for LDAP, then spend 2 workdays solely on fully understanding effective ACL.

Rhino R.

11/23/23, 11:40 AM

Thank you very much so far. I will need some time for trying this but when I created a working solution, I will post it as an answer here. Your comment helped me very well to clarify some issues.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Postfix, Dovecot, LDAP: Grant multiple users access to one mail address

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.