We are going to configure OpenLDAP for multi-domain email to manage our user accounts for a self-hosted multi-domain email setup. If you have ever used Google Workspace, you are already familiar with the concept of a centralized identity provider. LDAP is a standards-based, open source alternative.
What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. It’s a protocol for accessing and managing directory information over a network. Think of it as a networked database optimized for reads, designed for storing structured information like user accounts, groups, and authentication credentials.
LDAP is not an identity provider by itself. It is a protocol. But when paired with a directory server like OpenLDAP, it becomes a powerful back-end for managing accounts across services.
Your email server needs to:
- Know which users are valid (so it doesn’t accept spam to random addresses)
- Authenticate users who sign in to fetch mail (e.g., via IMAP)
- Map addresses to on-disk storage for each mailbox
You could manage this manually with Unix system users. But that becomes painful fast, especially across multiple domains.
By using OpenLDAP:
- All account information lives in a central directory
- Postfix can check recipient addresses with LDAP
- Dovecot can authenticate and locate mailboxes with LDAP
- You can scale to multiple domains easily
Think of it as a self-managed version of Google Workspace’s directory service. This is perfect for a self-hosted multi-domain email environment.
OpenLDAP for Multi-Domain Email
To support multiple sending and receiving domains from a single LDAP server (and a single VM), we structure our directory under a top-level node:
dn: dc=mail
objectclass: top
objectclass: dcObject
objectclass: organization
objectclass: domainRelatedObject
dc: mail
o: mail
associatedDomain: domain1.com
associatedDomain: domain2.com
associatedDomain: domain3.com
Each user is stored directly under the dc=mail root, with their email as the Common Name:
dn: cn=user1@domain1.com,dc=mail
objectClass: top
objectClass: inetOrgPerson
cn: user1@domain1.com
givenName: User
sn: One
mail: user1@domain1.com
userPassword: {MD5}HASHEDPASSWORD
This flat structure simplifies lookups and the configuration so that Postfix and Dovecot authenticate based on full email addresses. You do not need nested OUs unless you wish to group users or manage more complex ACLs.
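As an added example (not code from the article), the following Python models the three lookups this flat tree is designed for: is the recipient domain one of ours, does the full address exist, and where does its mailbox live. The LDIF is a constructed snippet mirroring the entries above, and the maildir path layout is an assumed convention.

```python
"""Offline model of the lookups Postfix and Dovecot run against the flat dc=mail tree.
Added example; the LDIF below is constructed, not taken from a live server."""
import re
from collections import defaultdict

SAMPLE_LDIF = """\
dn: dc=mail
objectClass: domainRelatedObject
associatedDomain: domain1.com
associatedDomain: domain2.com

dn: cn=user1@domain1.com,dc=mail
objectClass: inetOrgPerson
cn: user1@domain1.com
mail: user1@domain1.com
userPassword: {MD5}HASHEDPASSWORD
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; attribute names are case-insensitive in LDAP, so lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def is_local_domain(entries, domain):
    """Recipient-domain check: only domains listed as associatedDomain on dc=mail are ours."""
    ours = entries.get("dc=mail", {}).get("associateddomain", [])
    return domain.lower() in (d.lower() for d in ours)

def lookup_recipient(entries, address):
    """Validity check plus mailbox mapping, both keyed on the full email address."""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", address):
        return None                   # malformed address: reject early
    local, domain = address.rsplit("@", 1)
    if not is_local_domain(entries, domain):
        return None                   # not one of our domains: not accepted for local delivery
    for dn, attrs in entries.items():
        if address.lower() in (m.lower() for m in attrs.get("mail", [])):
            # /var/mail/vhosts/<domain>/<local>/ is an assumed layout, not from the article
            return {"dn": dn, "maildir": f"/var/mail/vhosts/{domain}/{local}/"}
    return None                       # unknown user in a local domain: reject
```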
LDAP Hierarchy for Multi-Domain Email
+--> dc=mail (7 total entries)
     cn=user1@domain3.com
     cn=user2@domain2.com
     cn=admin user
     cn=dovecot-reader
     cn=mailer
     ou=domain2.com
     ou=domain3.com
     ou=domain1.com
- dc=mail: Top-level LDAP node
- cn=: User or system account entries stored directly under the root
- ou=: Organizational units per domain, optionally used for grouping or admin purposes
This hybrid approach provides the simplicity of flat user records while allowing domain-specific OUs to support grouping, ACLs, or future delegation.
Installing OpenLDAP
On Debian or Ubuntu:
sudo apt update
sudo apt install slapd ldap-utils
You will be prompted to set an admin password. If you skip the prompts, run:
sudo dpkg-reconfigure slapd
Set your organization name (e.g., “mail”) and domain (e.g., “domain1.com”). This will create the base DN: dc=mail.
Recommended: Manage Your Directory with phpLDAPadmin
For most users, managing OpenLDAP from the command line gets tedious, especially when working with LDIF files or inspecting deeply nested trees.
I recommend installing phpLDAPadmin, a web-based UI for browsing and editing LDAP entries:
sudo apt install phpldapadmin
Then edit /etc/phpldapadmin/config.php to set your base DN (e.g., dc=mail) and credentials.
Access the interface via your browser at http://<your-server-ip>/phpldapadmin. From here, you can:
- Create new users with full email addresses
- Add associatedDomain attributes to dc=mail
- Organize and inspect system accounts and domain OUs
This tool makes debugging and setup much easier, especially when working with Dovecot and Postfix integration later.
Creating the Directory Tree
Once OpenLDAP is installed, you’ll want to define the base structure:
- dc=mail: the root
- Add each domain as an associatedDomain under the dc=mail entry
- Add each user with a cn=user@domain DN directly under dc=mail
- Use objectClass: inetOrgPerson for user entries
Example LDIF to Add a User
dn: cn=alex@domain3.com,dc=mail
objectClass: top
objectClass: inetOrgPerson
cn: alex@domain3.com
givenName: Alex
sn: User
mail: alex@domain3.com
userPassword: {MD5}HASHEDPASSWORD
Use slappasswd -h {MD5} to generate the hash that goes into userPassword:
slappasswd -h {MD5}
Then add the user:
ldapadd -x -D cn=admin,dc=mail -W -f user.ldif
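An added example (not part of the article) showing what slappasswd -h {MD5} actually stores in userPassword and how slapd checks it on a simple bind; it also produces slappasswd's default {SSHA} form, which adds a salt so that two users with the same password do not get the same stored value. Only hashlib and base64 are used; the sample passwords are constructed.

```python
"""RFC 2307 userPassword values ({MD5}, {SSHA}) as slappasswd writes them. Added example."""
import base64, hashlib, hmac, os

def make_hash(password, scheme="SSHA"):
    """{MD5} is base64(md5(pw)): unsalted, so identical passwords give identical values.
    {SSHA} is base64(sha1(pw + salt) + salt) with a random salt appended to the digest."""
    pw = password.encode()
    if scheme == "MD5":
        digest = hashlib.md5(pw).digest()
    elif scheme == "SSHA":
        salt = os.urandom(4)
        digest = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError(f"unsupported scheme {scheme}")
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode())

def verify_password(stored, candidate):
    """Recompute the scheme over the candidate and compare in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return False
    pw = candidate.encode()
    if scheme.upper() == "MD5":
        expected = hashlib.md5(pw).digest()
    elif scheme.upper() == "SSHA":
        salt = raw[20:]               # SHA-1 digest is 20 bytes; the salt follows it
        expected = hashlib.sha1(pw + salt).digest() + salt
    else:
        return False                  # unknown scheme: never accept
    return hmac.compare_digest(expected, raw)
```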
This model supports multiple domains without requiring nested structures or multiple base DNs — perfect for a self-hosted multi-domain email system.
Next Steps
With your directory in place, we’ll connect Postfix and Dovecot to LDAP. More on that later.
This will let us:
- Reject mail to invalid addresses
- Authenticate users via IMAP or SMTP
- Deliver mail into per-user maildirs