Create a nicer option structure that deals with the mail storage and its
owner, uid, group and gid. Also includes the directory layout as a
property of how mails are stored..
The "login" prefix makes this option more confusing rather than clearer,
because what other account types are there? LDAP ones for example, but
you can login with those too, so the prefix is pointless.
In conflicts between local addresses and LDAP addresses the local one
will always take priority in mail routing.
This is something we now document and guarantee through tests.
I fail to understand how mail became the uidAttribute way back when LDAP
support was introduced, but it was unintentional and clearly a mistake.
The uid attribute is the standard system login name per RFC4519 2.39 and
what we default to going forward.
Now that we have more experience with how we use the LDAP module options
we can make smarter decisions in how to organize them. We can also
explain much better what these options imply, which results in more
extensive option documentation.
The only storage scheme we support is a single declarative user with
fixed uid/gid. The default_fields are overridable if these fields leak
in from LDAP, so promote them to override_fields instead.
The LDAP support was not in a good shape when it was merged. This is a
breaking change and course correction to apply best practices going
forward.
This fixes various issues experienced with the Dovecot LDAP home
directory.
The gravest issue is that the `homeDirectory` attribute from
the `posixAccount` schema would overwrite the Dovecot home directory and
cause permission errors. This was possible because we defined the home
variable in `default_fields` that is inherently mutable and just a preset
if no other value gets transmitted from LDAP. This did not surface in
tests, because our LDAP schema was too minimal compared to a common
production dataset.
The most annoying issue and the actual breaking change is that we now
default to UUID based home directories. Every entry in an IDM that
supports LDAP comes with a unique identifier that does not change upon
account name changes. We want those to enable simple account name
migrations that don't require any manual data migration.
To migrate existing dovecot home directories a migration script is
included, which will be backported to the 25.11 release, so the migration
can already be started from the previous release version.
This helps so much during development as it tells me openldap failed and
doesn't require me to do a root cause analysis on a postmap failure much
later in during the test.
In TLS1.2 available cipher suites depend on the available key material,
so the last round of cipher suites updates broke TLS1.2 support with RSA
key pairs.
The NixOS ACME module has been defaulting to EC256 (and earlier EC384)
key material, so I assume this did not affect many setups in practice.
Martin Weinelt
Martin Weinelt
lennart
headpats