Multiple mail domains and domain admins


#1

Hi there,

I'd like to achieve the following mail setup:

  • there should be one central domain, e.g. "whiteschool.com"
  • several branches should be available as subdomains, such as "michigan.whiteschool.com"
  • branches should in addition have their own, additional domain, e.g. "wsschoolmich.com", which is organizationally the same unit as "michigan.whiteschool.com" (same users, distribution lists etc.)

Each branch should have its own admin, who should be capable of CRUD on users.

However, I don't get how to implement this in UCS with OX, where to create the additional domains, and how to create the branch admins. Any suggestion would be highly appreciated.

Thanks in advance!


#2

Hello Wilhelm White,

Unfortunately UCS does not support branch admins, or a delegation of email administration.

To create additional mail domains, in the UMC UI go to the "domain" category and select "Mail". There you can add an email domain. When you are adding something in that UMC module a new window will appear. There are two drop-downs in that one. Choose the right setting in both drop-downs.
Manual: http://docs.software-univention.de/manual-4.1.html#mail::management::domains

Greetings
Daniel


#3

Hello Daniel,

Thanks for your swift reply.

Okay - given the fact that I created several mail domains (not contexts) as described above by you, my thought had been to:

  • add all users of a branch to a user group (group-branch-a, group-branch-b, let's say)
  • add a user (admin-branch-a), and give him the right to modify UDM-users or UDM-oxmail, but only limited to the users of the specific group

Wouldn't it be possible to limit the "admin" user by using a policy, such as "cn=branch-a,cn=UMC,cn=policies,dc=master,dc=domain", to only see the users of a certain (manually created) group?

Right now I fail to create the corresponding LDAP filter and desired/excluded object classes for such an exercise, specifically which LDAP objects would be the right ones to use within the policy.

Even if it's not out of the box, it should do the trick, or am I missing something?

Thanks in advance.


#4

There are LDAP ACLs that prohibit normal users from modifying other user accounts. You'd have to create rules allowing that and insert them before the UCS-created rules.
Creating secure LDAP ACLs is a dark art unsafe for the uninitiated but if you like, you can try :wink:

I think you will have better results and less trouble with Postfixadmin on plain Debian.
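As an illustration of the ACL approach sketched in #4 (an added example, not from the thread and not Univention's stock configuration): a slapd.conf stanza that lets members of a branch admin group change the mail attributes of users who are members of that branch's user group, and falls through to the regular UCS rules for everyone else. It assumes the base DN and group names from #3, the UCS default containers cn=users and cn=groups, the UCS group objectclass univentionGroup with uniqueMember, and an active memberOf overlay so that user entries carry a memberOf attribute.

```conf
# Added example, not UCS stock config. Assumed names (adjust to your domain):
#   base DN             dc=master,dc=domain            (from the thread)
#   branch user group   cn=group-branch-a,cn=groups,dc=master,dc=domain
#   branch admin group  cn=admin-branch-a,cn=groups,dc=master,dc=domain
#   memberOf overlay active (users carry a memberOf attribute)
#
# slapd uses the FIRST "access to" clause whose target matches, so these
# stanzas must precede the UCS-generated rules. "by * break" continues to
# the next clause for every requester that is not a branch admin, so the
# normal UCS rules remain in force for everyone else.

# 1) Branch admins may write a deliberately small attribute set on users
#    that are members of the branch group (least privilege: mail and
#    display data only). Write implies read for these attributes.
access to dn.subtree="cn=users,dc=master,dc=domain"
        filter="(memberOf=cn=group-branch-a,cn=groups,dc=master,dc=domain)"
        attrs=entry,mailPrimaryAddress,mailAlternativeAddress,sn,givenName,displayName,description
        by group/univentionGroup/uniqueMember="cn=admin-branch-a,cn=groups,dc=master,dc=domain" write
        by * break

# 2) All other attributes of those users are read-only for the branch
#    admin. uid, userPassword and group membership stay out of the writable
#    set; add userPassword to stanza 1 only if password resets are meant
#    to be delegated as well, because that grants account takeover.
access to dn.subtree="cn=users,dc=master,dc=domain"
        filter="(memberOf=cn=group-branch-a,cn=groups,dc=master,dc=domain)"
        by group/univentionGroup/uniqueMember="cn=admin-branch-a,cn=groups,dc=master,dc=domain" read
        by * break

# Limits of this approach: creating or deleting a user needs write access
# to the "children" pseudo-attribute of cn=users, and a new entry has no
# memberOf yet, so the group filter cannot scope the C and D of CRUD.
# Those operations are either left to the domain admin or scoped by putting
# each branch into its own container instead of a group.
```

In UCS slapd.conf is generated from UCR templates, so a stanza like this has to be added through the template mechanism rather than by editing the file directly, and it only governs LDAP access; the branch admin additionally needs a UMC policy that grants the UDM users module.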


#5

Thanks for your thoughts and suggestions, appreciated! :slight_smile: