SYNOPSIS
I have used exim for a while, but wasn’t sure of what was going on, and to be honest, mail hassle is not … well (!)
So let's give postfix a try, coupled with dovecot and PostgreSQL.
What I want is:
- ssmtp service with per user password
- imaps service with per user password
- virtual domains
- virtual uid per user
As usual, this setup is done on Debian wheezy.
PROCEDURE
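Start first with dovecot and PostgreSQL.
Design your DB as you wish and fill in /etc/dovecot/dovecot-sql.conf accordingly.
What matters here is the use of peer authentication between dovecot and PostgreSQL over the UNIX socket (that rocks): PostgreSQL takes the connecting process's OS user name from the kernel and uses it as the database user name, so no database password has to be stored in the dovecot configuration.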
/etc/postgresql/9.1/main/pg_hba.conf
    # "local" is for Unix domain socket connections only
    local all all peer
Create a 'secure' user:
    adduser --system --no-create-home --uid XYZ secuser
/etc/dovecot/dovecot-sql.conf
    # use unix:PostgreSQL
    connect = host=/var/run/postgresql dbname=vmaildb
    …
    # SQL queries of your own
    password_query = …
    user_query = …
Set up the authentication services used by dovecot and postfix.
/etc/dovecot/dovecot.conf
    auth default {
      mechanisms = login plain
      user = secuser
      userdb sql {
        args = /etc/dovecot/dovecot-sql.conf
      }
      passdb sql {
        args = /etc/dovecot/dovecot-sql.conf
      }
      socket listen {
        # contacted by /usr/lib/dovecot/deliver to know where the mailboxes are
        master {
          path = /var/run/dovecot/auth-master
          mode = 0600
          user = secuser
        }
        # contacted by postfix to know if a client can send an email (SASL)
        client {
          path = /var/spool/postfix/private/auth
          mode = 0600
          user = postfix
        }
      }
    }
Corresponding sockets:
    srw------- 1 secuser root … /var/run/dovecot/auth-master
    srw------- 1 postfix root … /var/spool/postfix/private/auth
Explain to postfix how to use dovecot to deliver mails
postfix/master.cf
    # Local Delivery Agent
    dovecot unix - n n - - pipe
      flags=DRhu user=secuser:dovecot argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
multiple UIDs
To be able to deliver the mails with each virtual user's UID, two options exist: the setuid bit or sudo.
No sudo on servers for me if possible, but beware: if you update dovecot, your setuid bit will be lost forever.
deliver needs setuid to deliver to different UIDs:
    chgrp dovecot /usr/lib/dovecot/deliver
    chmod 04750 /usr/lib/dovecot/deliver
    # resulting permissions:
    # -rwsr-x--- 1 root dovecot … /usr/lib/dovecot/deliver
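Since a dovecot upgrade resets the setuid bit, the ownership and modes shown above can be verified after each update. This is an added example, not part of the original post: it assumes GNU stat (as on Debian), and the function names `check_perm` and `check_mail_perms`, the `--check` argument and the optional root prefix are hypothetical.

```shell
#!/bin/sh
# Added example: verify the modes and owners this setup relies on.

# check_perm PATH MODE OWNER GROUP -> returns 0 on exact match, 1 otherwise
check_perm() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # %a = octal mode including the setuid bit, %U/%G = owner/group names
    got=$(stat -c '%a %U %G' "$path")
    if [ "$got" = "$want_mode $want_owner $want_group" ]; then
        echo "OK       $path ($got)"
        return 0
    fi
    echo "DRIFT    $path: have '$got', want '$want_mode $want_owner $want_group'"
    return 1
}

# check_mail_perms [ROOT] -> 0 only if every path matches.
# ROOT is an optional path prefix (an assumption, useful for dry runs).
check_mail_perms() {
    root=${1:-}
    rc=0
    # setuid root, executable by group dovecot only, nothing for others
    check_perm "$root/usr/lib/dovecot/deliver" 4750 root dovecot || rc=1
    # auth sockets: readable and writable by their single consumer only
    check_perm "$root/var/run/dovecot/auth-master" 600 secuser root || rc=1
    check_perm "$root/var/spool/postfix/private/auth" 600 postfix root || rc=1
    return $rc
}

# Run the checks only when asked to, e.g.: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_mail_perms
    exit $?
fi
```

A DRIFT line for deliver after an upgrade means the chgrp and chmod commands above have to be applied again.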
TO BE CONTINUED …
- postfix basic setup
- virtual aliases
- drop wrong virtual destinations
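Update your postfix config and check it:
    postalias /etc/aliases                  # rebuild the alias database
    postmap /etc/postfix/valiases           # rebuild the virtual alias lookup table
    postmap -q "user@domain.fqdn" /etc/postfix/valiases   # query one address
    postfix reload
    postconf -d                             # (default) print the default parameter values
    mailq                                   # (-q)
    postsuper -d ALL deferred               # delete ALL messages in the deferred queue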