I previously ran a Mac OS server that, for some unfathomable reason, I had set up with users controlled by LDAP. With that LDAP server it was nigh on impossible to change the domain when I decided to ditch DynDNS and use a spare personal domain, so much so that it wasn't possible to manage users if the local DNS resolved the Mac to my domain. It was a pleasure to finally migrate fully to the NAS, and I resolved not to use LDAP this time: local users are easier to manage.
What happened then?
Why would I now want to go back to using LDAP for mail users?
Well, DSM's Mail Server stores a user's mail in .MailDir in their home folder. That would normally be hidden, and it is when accessing via Unix file sharing, but not in File Station ... d'oh! ... and the user is the folder owner, so there's a likelihood of someone tidying up the folder or at the least damaging the files. If they've had a play in MailStation then there may be other items too: the sieve folder; .dovecot.sieve; .dovecot.svbin.
I've a + model NAS so why not use MailPlus Server? Sure, I could use MailPlus Server but I need eight accounts and don't want to pay over £200 for those three extra accounts, just so mail folders are properly inaccessible. I'm only using Mail Server to archive messages, in case I need to change my primary mail provider and something goes wrong. Today, I've set up my main mail to redirect a copy of messages to the NAS while we then use the main mail services for read, send, and whatever.
Moving mail users to LDAP
Mail Server only supports all local users or all LDAP users. So I originally chose local user accounts and then I realised .MailDir was visible in File Station.
Setting up LDAP requires a domain and selecting the connection criteria for services using it. I had already set up SRM VPN Plus Server to use LDAP users from my NAS. This allows the Internet router to support user remote access, but they don't have any other access to SRM. To manage their password they have access to the NAS's DSM portal and no packages. In Control Panel the LDAP users group has most file service packages set to deny. Then the vpn users group has DSM access enabled. These LDAP user accounts mimic our normal NAS local users, so each NAS user will have an LDAP account for VPN access.
With DSM Control Panel I connected to the local LDAP server and enabled user homes for LDAP users. In LDAP I created a new group for mail users and in Control Panel assigned access to Mail Server and DSM. The LDAP user home folders aren't created until a user tries to connect for the first time. The easiest thing was to go through each user and log on.
Next (and to be safe) I copied each local user's mail folders (as detailed earlier) to the new LDAP user's home. This was using an admin account, so the copied items needed to have ownership assigned to the new user (and have it propagated to sub-folders and files).
Then in Mail Server I changed the SMTP accounts from being local users to LDAP users, and then had to recreate the aliases, e.g., fred [in the mail domain] to fred [in the LDAP server]. This now had the archived mail folders available for the new accounts and new mail being stored in the new accounts.
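The copy-and-reown step above, as an added example that is not from the original post: a POSIX shell script that copies the mail items the page names (.MailDir, sieve, .dovecot.sieve, .dovecot.svbin) from the old local user's home into the new LDAP user's home and hands ownership to the new account, propagated to every sub-folder and file. Home folder paths and user names are assumptions; DSM keeps local homes under /volume1/homes/<user>, and the LDAP home path is a placeholder to fill in.

```shell
#!/bin/sh
# Added example (not the post author's script): migrate a Synology Mail Server
# user's mail data from a local-user home to an LDAP-user home.
# Usage: migrate_mail /volume1/homes/fred /volume1/homes/<LDAP-HOME-FOR-fred> fred
set -eu

# Items Mail Server / MailStation keep in a user's home folder (as named on the page).
MAIL_ITEMS=".MailDir sieve .dovecot.sieve .dovecot.svbin"

# migrate_mail SRC_HOME DST_HOME NEW_OWNER
# Copies each mail item that exists in SRC_HOME into DST_HOME, preserving
# permissions and timestamps, then chowns the copy to NEW_OWNER recursively.
# Never overwrites an item already present in DST_HOME (the LDAP user may
# already have received new mail there).
migrate_mail() {
  src="$1"; dst="$2"; owner="$3"
  [ -d "$src" ] || { echo "source home $src missing" >&2; return 1; }
  [ -d "$dst" ] || { echo "destination home $dst missing" >&2; return 1; }
  for item in $MAIL_ITEMS; do
    [ -e "$src/$item" ] || continue          # user never used this feature
    if [ -e "$dst/$item" ]; then
      echo "refusing to overwrite $dst/$item" >&2
      return 1
    fi
    cp -pR "$src/$item" "$dst/$item"
    # Ownership must follow the LDAP account down to every file, or Dovecot
    # (running as that user) cannot read or update the copied mailbox.
    chown -R "$owner" "$dst/$item"
  done
}

# verify_owner DIR OWNER
# Prints the number of entries under DIR that are NOT owned by OWNER;
# 0 means the ownership change propagated everywhere.
verify_owner() {
  dir="$1"; owner="$2"
  find "$dir" ! -user "$owner" | wc -l | tr -d ' '
}
```

Run `verify_owner` against the new .MailDir after migrating; a non-zero count means some files were skipped and MailStation will show a broken mailbox for those messages.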
Tests sending messages to the mail server worked, and viewing in MailStation showed the new mail and the archived mail. Hurray! It had worked.
The only thing left to do was the catch-all account. This account is where all mail goes when there isn't a specific account for the incoming recipient. For example, mail to [email protected] is received but there is no bert account; however, [email protected] is designated as the catch-all account, so mails to bert end up in fred's mailbox. Follow my guidance in Add catch-all address to Mail Server to add the catch-all account.
Pros vs Cons
The main pro is that local users no longer have the risk of trashing their mail archive. Mostly they will use a local user account for Drive, audio, video, and files in general. Then for specific services (mail and VPN, so far) they will use the LDAP account, and it doesn't have permission to use File Station, Drive, or other file sharing services that would give access to the user home folder.
Migrating was quite straightforward: move or copy over the mail folders to the new user's home folder, and set the owner permission to be the same as before. This can be used for moving mail folders to any user account, local or LDAP. Then make sure that your mail alias (the email address) is assigned to the user account of the moved mail folders.
The main con is that a user now has a local and an LDAP account, and the two logins will be different: definitely the username and maybe the password, unless they manually keep their passwords the same. For MailStation the login is simply their mail name 'fred' without domain, just as it was for local users, but for DSM and VPN Plus it is the full '[email protected]'.