Hello,

We are a company with about 25 user accounts and about 36 GB of mail
data (including cyrus squatter indexes).

Our mail is currently served by a Centos4 mail server with postfix as MTA and
cyrus as backend. Our users access their mail via secured IMAP (TLS) or via
squirrelmail (https). Our users and their passwords are stored in an openldap
server. Postfix, cyrus imap and openldap used are the from latest version from
Centos 4. We use a combination of spamassassin, clamav and sagator to reject
spam and viruses. We also have a mailman service for about 30 mailing-lists
that have no more than 15 recipients each.
We have a 4Mb/s SDLS connexion to Internet.


Our server is reaching its limits (both storagewise and CPUwise) and instead
of upgrading it, we would like to move to google apps (Premier Edition).
We would like to continue using our ldap database as main user and password
database and thus would like to integrate google apps with our existing
IT infrastructure. This is possible with the Premier Edition provisioning
API. Ideally, the solution proposed will use the python interface to
google apps provisioning. (http://code.google.com/p/gdata-python-client/)

We are looking for someone to write the sync script and manage our move.
This is a repost: twice in a row, our provider 'vanished' and stopped
answering our emails. We really want someone serious please.



Here are the details of some of our most important requirements:
================================================================


Trivial, but worth saying:
=========================
a) our users should keep all their existing mails (ie mail will have to be synced)

b) our users should be able to access their mails through IMAP (SSL or TLS)
with their thunderbird clients as well as with the google web interface

c) our users should continue to get mail for different domains (john _at_ ourdomain1.com and
john _at_ ourdomain2.com should both work) on the same account

d) We might want to introduce a third domain (john _at_ ourdomain1.com and john _at_ ourdomain2.com
and john _at_ ourdomain3.com should all work)



Actually requires work:
=======================

e) The login name should be lastname of the user (as we do with our ldap) possibly
followed by an _at_ domain.com if required by google.
The accounts to be created/updated are in the following ldap groups only
* ou=people,dc=a9english,dc=com
* ou=shared_mail,dc=a9english,dc=com

f) Creation of a user in ldap should also create the associated mailbox and configuration on google apps

g) The google passwords should be our ldap passwords. Pushing our ldap passwords
to google once every hour (if required, as can be checked by googlePassLastChg) looks
possible and is sufficient for us.
Our ldap server uses "password-hash {MD5}" so that the existing hashed can
be pushed directly to google without anyone needing the cleartext passwords.
More info can be found here under "MD5":
http://code.google.com/googleapps/domain/gdata_provisioning_api_v2.0_reference.html
This means that if a user changes their ldap password, the google password should
be updated too (within a few hours of the change is OK).

h) Some users have special aliases (like johnny _at_ ourdomain.com -> john _at_ ourdomain.com)
Such aliases are listed in a text file and could be either synced by the sync script
or added manually once and for all.

i) our users should be able to get both firstname _at_ ourdomain.com and lastname _at_ ourdomain.com
mails (This is just an alias that should be setup automatically by the sync script).

j) The transition should ideally take place during a weekend (Paris time) and no mails should be lost.
Maybe we can do an incremental update via IMAP (for many days if needed) so
that most of the old mails would be there by the migration date and the weekend
migration would only be copying the 'new' mails to google apps.

k) We want to be able to continue to use our existing mailing-lists (either self-hosted or via google apps)
The setup could be done manually. Our about 30 mailing-lists have no more than 15 recipients each.

l) a special alias 'everybody _at_ ourdomain.com' should send mail to everybody (with a valid ldap account)
meaning that if a new user is added she should get the mails too.

m) some special aliases should be created/updated based on ldap group membership. Eg as long as a
user is in the ldap group 'accounting' they should receive mails sent to 'accounting _at_ ourdomain.com'


Would be great if we could find a way to have it work:
======================================================
n) Ideally, hyphen-addressing should continue to work, ie one user 'john _at_ ourdomain.com' should be
able to give any address of the form 'john-anything _at_ ourdomain.com' and get their mail
automatically in their mailbox
We know that google supports plus-adressing
http://mail.google.com/support/bin/answer.py?hl=en&answer=12096
but our users hate it since many websites refuse the "+" in email adresses. So
we really would like to continue to use hyphen-addressing.
Some options that might be worth investigating include:
* Try to use a catchall adress and "to things" with those mails
* Try to use the filers API (automatically setup by the sync script)
* Keep a front mail server somewhere that would to adress rewriting while we
give time to our users to change their (many) hyphen-addresses




Here are the ressources that we will provide:
================================================================
- A technically knowledgeable contact
- A mail account at gymglish - for tests
- A user shell account on the mail server to code/test/run data transfer tasks...
- A read-only ldap account with full access to the ldap data
- Administrative access to our existing google apps premier edition account until
the first mails are about to be synced.
- Installation of newer libraries on the server if required. We currently have
python-2.3.4 (from Centos 4)
python-gdata-2.0.5
imapsync-1.286
- Archive of previous discussions with a freelance (who did not complete the
job unfortunately)
- When we will have to sync the mails from our IMAP server to Google, we will
ask each individual user to enter their password into the sync script.


A tgz file with our current configuration files is also available upon request.


What I expect:
================================================================

1) understanding of our situation and critical analysis of our requirements (maybe I forgot something
important !). If some requirements are not (or do not seem) possible, discussion with me to find
the best workaround
2) google apps sync script and detailed technical documentation on HOW to do the move. Should we have a problem, the
'rollback' procedure should be clear too.
3) Help with the actual move

Each step should be validated by me prior to taking the next step.


Best regards,
Antoine

NOTE2: Our specs mean that a user "john doze" with special alias johnny should be able to read
their mails sent the following addresses from the same account:
john _at_ domain1.com
doze _at_ domain1.com
johnny _at_ domain1.com
john _at_ domain2.com
doze _at_ domain2.com
johnny _at_ domain2.com
john _at_ domain3.com
doze _at_ domain3.com
johnny _at_ domain3.com
john-anything _at_ domain1.com
doze-anything _at_ domain1.com
john-anything _at_ domain2.com
doze-anything _at_ domain2.com
john-anything _at_ domain3.com
doze-anything _at_ domain3.com
doze+anything _at_ domain1.com
doze+anything _at_ domain2.com
doze+anything _at_ domain3.com