Setup Dovecot with LDAP

August 08, 2016

The Dovecot wiki does a really good job at explaining how to have Dovecot and OpenLDAP work together, but in this post I will describe the steps I took to configure Dovecot to work with OpenLDAP on a Linux host.

LDAP authentication

As described in the wiki, Dovecot offers two ways to perform LDAP authentication: password lookups and authentication binds. I chose LDAP password lookups, which is recommended over authentication binds.


Normally !include auth-system.conf.ext is enabled; this line should be commented out and !include auth-ldap.conf.ext uncommented instead.


passdb {
  driver = ldap
  # assumed: passdb reads the same LDAP settings file as userdb (this line was missing above)
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = home=/home/vmail/%d/%u
}

Here we're simply telling Dovecot to use LDAP for the passdb and the userdb instead of PAM or MySQL, respectively. For default_fields I'm using a domain/user directory structure, referenced through the %d and %u variables that Dovecot expands. Next I configured the relevant options in dovecot-ldap.conf.ext.


# LDAP server(s) to connect to (value left blank in this listing)
hosts =
# password lookups, not authentication binds: Dovecot binds once as the DN below
# and reads userPassword itself, so that DN needs read access to userPassword
auth_bind = no
dn = uid=dovecot,ou=System,dc=domain,dc=net
dnpass = MyP@sswd
ldap_version = 3
base = ou=Mail,dc=domain,dc=net
deref = never
scope = subtree
default_pass_scheme = SSHA

# user filter
user_attrs = mailHomeDirectory=home,mailStorageDirectory=mail,mailUidNumber=uid,mailGidNumber=gid,mailQuota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=inetOrgPerson)(uid=%n)(mailEnabled=TRUE))

# password filter
pass_attrs  = mail=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))

iterate_attrs = mail=user
iterate_filter = (objectClass=inetOrgPerson)

Because I am using attributes from postfix-book.schema in both user_attrs and user_filter, I needed to get that schema loaded into OpenLDAP.


While I use a global quota, I also like the option of setting user-specific quotas. Since postfix-book.schema is loaded in OpenLDAP, mailQuota=quota_rule=*:bytes=%$ works just fine, so the mailQuota attribute can simply be added to mail user records.
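To make the attribute mapping concrete, here is an added Python model (not part of the original post and not Dovecot code) of how user_attrs, default_fields and the %$ placeholder turn an LDAP entry into the userdb fields Dovecot returns; the entries are constructed sample data and the helper names are my own.

```python
from typing import Dict, Optional, Tuple

# Settings copied from the dovecot-ldap.conf.ext and userdb blocks above.
USER_ATTRS = ("mailHomeDirectory=home,mailStorageDirectory=mail,mailUidNumber=uid,"
              "mailGidNumber=gid,mailQuota=quota_rule=*:bytes=%$")
DEFAULT_FIELDS = "home=/home/vmail/%d/%u"

# Constructed sample entries (not real directory data).
ALICE = {"uid": "alice", "mailEnabled": "TRUE",
         "mailHomeDirectory": "/home/vmail/domain.net/alice",
         "mailStorageDirectory": "maildir:/home/vmail/domain.net/alice/Maildir",
         "mailUidNumber": "5000", "mailGidNumber": "5000", "mailQuota": "1073741824"}
BOB = {"uid": "bob", "mailUidNumber": "5000", "mailGidNumber": "5000"}  # no mailEnabled=TRUE


def parse_attr_map(spec: str) -> Dict[str, Tuple[str, str]]:
    """ldapAttr=field or ldapAttr=field=template; %$ stands for the LDAP value."""
    mapping = {}
    for item in spec.split(","):
        ldap_attr, _, rest = item.partition("=")
        field, _, template = rest.partition("=")
        mapping[ldap_attr] = (field, template or "%$")
    return mapping


def expand_vars(template: str, user: str) -> str:
    """Dovecot variables: %u full login name, %n local part, %d domain."""
    local, _, domain = user.partition("@")
    return template.replace("%u", user).replace("%n", local).replace("%d", domain)


def userdb_fields(user: str, entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Fields Dovecot would hand to the mail process for this entry, or None."""
    # user_filter requires mailEnabled=TRUE; anything else is "user unknown".
    if entry.get("mailEnabled") != "TRUE":
        return None
    fields: Dict[str, str] = {}
    # default_fields are filled in first and overridden by attributes in user_attrs.
    for kv in DEFAULT_FIELDS.split(","):
        key, _, value = kv.partition("=")
        fields[key] = expand_vars(value, user)
    for ldap_attr, (field, template) in parse_attr_map(USER_ATTRS).items():
        if ldap_attr in entry:
            fields[field] = template.replace("%$", entry[ldap_attr])
    return fields
```

Note that %u is the full login name, so a user without mailHomeDirectory who logs in as alice@domain.net gets /home/vmail/domain.net/alice@domain.net from default_fields.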



One last thing I needed to do was tell PAM that Dovecot should use LDAP for authentication. This involved editing /etc/pam.d/dovecot with the following:

auth    required nullok
account required


Once everything has been verified, the last step is to restart Dovecot; with systemd that is systemctl restart dovecot. It's also a good idea to check that no errors appear in the mail log using tail -f /path/to/mail.log.

