Background
I previously ran a Mac OS server that, for some unfathomable reason, I had set up with users controlled by LDAP. With that LDAP server it was nigh on impossible to change the domain when I decided to ditch DynDNS and use a spare personal domain, so much so that it wasn't possible to manage users if the local DNS resolved the Mac to my domain. It was a pleasure to finally migrate fully to the NAS, and I resolved not to use LDAP this time: local users are easier to manage.
Why would I now want to go back to using LDAP for mail users?
Well, DSM's Mail Server stores a user's mail in .MailDir in their home folder. That would normally be hidden, but not in File Station ... d'oh! ... and the user is the folder owner, so there's a likelihood of someone tidying up the folder or at the least damaging the files. If they've had a play in MailStation then there may be other items too: sieve folder; .dovecot.sieve; .dovecot.svbin.
Sure, I could use MailPlus Server, but I need eight accounts and don't want to pay over £200 for those three extra accounts, just so mail folders are properly inaccessible. I'm only using Mail Server to archive messages, in case I need to change my primary mail provider.
Moving mail users to LDAP
Mail Server only supports all local users or all LDAP users.
Setting up LDAP requires a domain and selecting the connection criteria for services using it. I had already set up SRM VPN Plus Server to use LDAP users from my NAS. This allows the Internet router to support user remote access, but they don't have any other access to SRM. To manage their password they have access to the NAS's DSM portal and no packages. In Control Panel the LDAP users group has most file service packages set to deny. Then the vpn users group has DSM access enabled.
With DSM Control Panel I connected to the local LDAP server and enabled user homes for LDAP users. In LDAP I created a new group for mail users and in Control Panel assigned access to Mail Server and DSM. The LDAP user home folders aren't created until a user tries to connect for the first time. The easiest thing was to go through each user and log on.
Next I copied each local user's mail folders (as detailed earlier) to the new LDAP user's home. This was using an admin account, so the copied items needed to have ownership assigned to the new user (and have it propagated to sub-folders and files). Next in Mail Server I changed the SMTP accounts from local users to LDAP users, and then had to recreate the aliases fred [in the mail domain] to fred [in the LDAP server]. This now had the archived mail folders available for the new accounts and new mail being stored in the new accounts.
Testing sending messages to the mail server worked, and viewing in MailStation showed the new mail and the archived mail. Hurray! It had worked.
The only thing left to do was the catch-all account. To do this for local users was fairly simple but needed SSH and knowledge of command-line text editors (I use vi).
Bash:
sudo vi /var/packages/MailServer/target/etc/main.cf
Add these lines to the end (replace fred with the local user to get the mail). Stop and restart the SMTP service in the Mail Server app.
Bash:
## Catchall email address
luser_relay = fred
local_recipient_maps =
The same can be added to the end of the template file too.
Bash:
sudo vi /var/packages/MailServer/target/etc/template/main.template
From my notes I have: "Can attempt to update the following file to see if the changes don't get removed using reboots."
Bash:
sudo vi /var/packages/MailServer/target/scripts/DaemonConfSet.sh
Before:
Bash:
/bin/mv /tmp/tempinfo $PostfixConf
Insert these lines:
Bash:
echo -e "## Catchall email address" >> /tmp/tempinfo
echo -e "luser_relay = fred" >> /tmp/tempinfo
echo -e "local_recipient_maps =" >> /tmp/tempinfo
So how do I do this for LDAP users? I spent a long time trying different things, mostly instructions to have virtual domains and alias maps, and finally decided to see if just changing 'fred' to '[email protected]' would work. It did. For me the mail domain and the LDAP domain are the same, but I think this is redirecting the catch-all to this email address, which happens to be on my server and a known mail account.
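An added example, not code from the original post, that applies the catch-all settings above to a main.cf-style file exactly once (safe to re-run from a boot script) and checks afterwards whether they are still in place, which is a quick way to tell if a reboot reverted them; the file path and the recipient are arguments, and the sample values in the comments are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the catch-all
# settings exactly once to a Postfix main.cf-style file and verify them.
# Assumptions: FILE is a writable main.cf (the DSM path is the one
# quoted above); RECIPIENT is the local or LDAP account to receive mail.

# set_catchall FILE RECIPIENT
# Updates an existing luser_relay line in place, otherwise appends the
# block, so re-running it (e.g. from a boot script) never duplicates it.
set_catchall() {
    file="$1"; recipient="$2"; tmp="$1.tmp.$$"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -q '^luser_relay' "$file"; then
        sed "s/^luser_relay *=.*/luser_relay = $recipient/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '## Catchall email address\nluser_relay = %s\n' "$recipient" >> "$file"
    fi
    # Postfix only consults luser_relay when local_recipient_maps is empty.
    # Trade-off: with it empty the server accepts mail for any name at the
    # domain, so spam sent to made-up addresses lands in RECIPIENT's box.
    if grep -q '^local_recipient_maps' "$file"; then
        sed 's/^local_recipient_maps *=.*/local_recipient_maps =/' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'local_recipient_maps =\n' >> "$file"
    fi
}

# catchall_target FILE
# Prints the effective luser_relay value (Postfix keeps the last one set).
catchall_target() {
    sed -n 's/^luser_relay *= *//p' "$1" | tail -n 1
}

# check_catchall FILE RECIPIENT
# Succeeds only if the catch-all is live for RECIPIENT; run it after a
# reboot to confirm DaemonConfSet.sh did not regenerate main.cf without it.
check_catchall() {
    [ "$(catchall_target "$1")" = "$2" ] && grep -q '^local_recipient_maps *= *$' "$1"
}
```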
Pros vs Cons
The main pro is that local users no longer have the risk of trashing their mail archive. Mostly they will use a local user account for Drive, audio, video, and files in general. Then for specific services (mail and VPN, so far) they will use the LDAP account. Migrating was quite straightforward: move or copy over the mail folders to the new user's home folder, and set the owner permission to be the same as before.
The main con is that a user now has a local and an LDAP account, and the two logins are different unless they manually keep their passwords the same. For MailStation the login is simply their mail name 'fred' without domain, just as it was for local users, but for DSM and VPN Plus it is the full '[email protected]'.