🚀: Create a user account per email address stored in LDAP #1496

Open

DodoLeDev opened this issue May 13, 2025 · 1 comment
Labels
enhancement New feature or request

Comments

@DodoLeDev

Which feature or improvement would you like to request?

I would like to strictly separate domains, even for email addresses linked to the same physical person.

Concretely, I want a way to have one inbox for each email address stored in the LDAP (so no need for the alias feature, I can use mailing lists for this if I ever need it).

This can be done by making Stalwart not treat all the stored mail fields as aliases for a user, coupled with the last configuration described in the next section.

Is your feature request related to a problem?

Initially, I wanted to separate mailboxes for each domain, in order to migrate them to their own mail infrastructure if they ever wanted to do so. However, duplicating entries in the LDAP server is not a maintainable solution, so I wanted to take advantage of the ability to fill up the mail field multiple times per person.

To concretize this idea, I first tried to find a way to distinguish accounts based on the email entry, but I just cannot dismiss uid in Bind Auth, and because I use FreeIPA as my LDAP backend, Stalwart is just unable to decrypt its passwords.

After trying my patch, and changing the LDAP filters to search by email instead of uid...

[Image]

...I found that Stalwart still fills the aliases of the user with the other entries in the mail field of the LDAP. Consequently, when I log in with the other email address of the user, I face the following error:

[Image]

Code of Conduct

  • I agree to follow this project's Code of Conduct
@DodoLeDev DodoLeDev added the enhancement New feature or request label May 13, 2025
@DodoLeDev DodoLeDev changed the title 🚀: 🚀: Create a user account per email address stored in LDAP May 13, 2025
@DodoLeDev (Author)

A PoC of this feature is available here: DodoLeDev:separate-accounts-by-email

Caution

In this branch, the feature has been hardcoded in the code, so there is no way to use the old behavior without reverting commits.

A toggle may be available when configuring the LDAP server, just like this:

[Image]

This would require Stalwart to have access to the password hash (because you generally can't log in to it with email), so Bind Auth would be disabled.
And because the identifier of the account is now the email address, the Name LDAP filter and the Name attribute should be disabled, as well as the email aliases field, because managing aliases with this option would not be possible.
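An added illustration of the two directory-mapping behaviours discussed in this thread: the current one, where one LDAP entry becomes one account and its extra `mail` values become aliases, beside the requested one, where every `mail` value becomes its own account. This is example code written for this page, not Stalwart's code and not the author's branch; the entries, names and addresses are constructed, and the `Principal` type and function names are assumptions.

```python
"""Map multi-valued LDAP `mail` attributes to mail accounts in two ways.

alias mode      : one account per uid, other addresses become aliases
                  (the behaviour the issue author observed)
per-email mode  : one account per address, no aliases
                  (the behaviour the issue requests)
"""
from dataclasses import dataclass

# Constructed sample directory entries; not real LDAP data.
LDAP_ENTRIES = [
    {"uid": "alice", "cn": "Alice Example",
     "mail": ["alice@example.org", "alice@example.net"]},
    {"uid": "bob", "cn": "Bob Example",
     "mail": ["bob@example.org"]},
]


@dataclass(frozen=True)
class Principal:
    """Assumed account model: a login name, a description and the
    addresses that deliver to this account (primary first)."""
    name: str
    description: str
    emails: tuple


def principals_alias_mode(entries):
    """Alias mode: the uid is the account identifier and every value of
    `mail` is attached to that single account, so a login or delivery
    with the second address lands in the same inbox as the first."""
    accounts = {}
    for entry in entries:
        accounts[entry["uid"]] = Principal(
            name=entry["uid"],
            description=entry["cn"],
            emails=tuple(entry["mail"]),
        )
    return accounts


def principals_per_email_mode(entries):
    """Per-email mode: each `mail` value is its own account identifier
    with exactly one address, so inboxes stay separated per address and
    per domain. Because the address is now the key, the same address
    listed on two entries would be ambiguous and is rejected."""
    accounts = {}
    for entry in entries:
        for addr in entry["mail"]:
            if addr in accounts:
                raise ValueError(f"address {addr} appears on more than one entry")
            accounts[addr] = Principal(
                name=addr,
                description=entry["cn"],
                emails=(addr,),
            )
    return accounts


def lookup_by_email(accounts, addr):
    """Resolve a login or recipient address to the account that owns it.
    Returns None when no account claims the address."""
    for principal in accounts.values():
        if addr in principal.emails:
            return principal
    return None


if __name__ == "__main__":
    for label, build in (("alias mode", principals_alias_mode),
                         ("per-email mode", principals_per_email_mode)):
        accounts = build(LDAP_ENTRIES)
        hit = lookup_by_email(accounts, "alice@example.net")
        print(f"{label}: alice@example.net -> account {hit.name!r}, "
              f"addresses {hit.emails}")
```

In alice's case, alias mode resolves `alice@example.net` to the single account `alice`, which is why a login with the second address does not yield a separate inbox; per-email mode resolves it to a distinct account whose only address is `alice@example.net`. The duplicate-address check is the one new invariant per-email mode introduces: once the address is the account key, it has to be unique across the whole directory, which the alias model never had to guarantee.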
