Difference between revisions of "Dovecot and Postfix Hybrid Authentication Example"

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search
 
(9 intermediate revisions by one user not shown)
Line 3: Line 3:
 
It might make things more clear to first [[Understand Postfix Account Types]] for a Linux system.
 
It might make things more clear to first [[Understand Postfix Account Types]] for a Linux system.
  
== configure postfix ==
+
== configuration steps with examples ==
 +
=== Step 1: prepare necessary files and directories ===
 +
Locate your postfix configuration files, they might be in /etc/postfix, or /etc/mail/postfix, or /etc/mail depending on your distro and installation.  For Redhat/Fedora/CentOS you will likely find the following directory structure:
  
Locate your postfix configuration files, they might be in /etc/postfix, or /etc/mail/postfix, or /etc/mail depending on your distro and installation.
+
/etc/poastfix
 +
/etc/dovecot
  
 +
You will have to manually create some files.
 +
touch [[/etc/postfix/virtual]]
 +
touch [[/etc/postfix/domains]]
 +
touch [[/etc/postfix/vmailbox]]
 +
mkdir /etc/auth
 +
touch [[/etc/auth/yourdomain.com/passwd]]
  
This document is not complete... here is a summary
+
You will have to manually populate those files. Click on each one for a sample. Remember to change obvious things such as yourdomain.com to your actual domain name, and populate the users with your actual users.
  
 +
== Step 2: edit the postfix main.cf ==
 +
Here are (some) important lines you will need in your main.cf
 +
 +
alias_maps = hash:/etc/aliases
 +
alias_database = hash:/etc/aliases
 +
home_mailbox = Maildir/
 +
virtual_alias_maps = hash:/etc/postfix/virtual
 +
virtual_mailbox_domains = hash:/etc/postfix/domains
 +
virtual_mailbox_base = /var/vmail
 +
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
 +
virtual_minimum_uid = 4000
 +
virtual_uid_maps = static:5000
 +
virtual_gid_maps = static:5000
 +
 +
Note the virtual_mailbox_base parameter.  This is where mail for virtual users is delivered to and stored.  This mail is kept separate from mail for system users.  Since we are using Maildir/ style mailboxes, for each user postfix will deliver to the proper Maildir structure under /var/spool/vmail .  The first time an email is delivered, and the structure under /var/spool/vmail does not yet exist for the user, postfix will create the directories.  It is important that postfix have write permission to the /var/spool/vmail folder. 
 +
 +
Another important consideration is that later, when we configure dovecot so users can pop or imap in to read their mail, it use the same path for mail_location.
 +
 +
The config files that begin with the word "hash" in the parameter, like virtual_alias_maps, /etc/postfix/domains, /etc/postfix/vmailbox are not directly read from by postfix.  These have to be processed by 'postmap' so they are made into a hash "lookup table" which is all of the data in your text file made optimized for faster parsing by postfix.  Use the command 'postmap' to make a hash AFTER you populate these files with your data.
 +
postmap /etc/postfix/virtual
 +
postmap /etc/postfix/domains
 +
postmap /etc/postfix/vmailbox
 +
 +
== Step 3: edit the dovecot.conf ==
 +
Here is a sample of (minimum) lines from dovecot.conf
 +
 +
protocols = imap pop3 lmtp
 +
listen = *
 +
login_greeting = Hello visitor!
 +
!include conf.d/*.conf
 +
 +
== Step 4: edit conf.d/10-auth.conf ==
 +
The 10-auth.conf is located in the conf.d/ folder.  Here is a sample of (minimum) lines from 10-auth.conf
 +
 +
disable_plaintext_auth = no
 +
auth_failure_delay = 4 secs
 +
auth_mechanisms = plain login
 +
!include auth-system.conf.ext
 +
!include auth-checkpassword.conf.ext
 +
 +
Make sure that !include auth-checkpassword.conf.ext is uncommented. 
 +
 +
== Step 5: edit conf.d/auth-checkpassword.conf.ext ==
 +
The auth-checkpassword.conf.ext is in the conf.d/ filder.  Here are all the necessary lines.
  
* Set up postfix virtual mailbox text file with email address and destination folder - this is plain text file that must be made hash database
 
* Make sure all domains are configured in postfix
 
* create a passwd file for each virtual user domain /etc/passwd.domain.com
 
* edit dovecot/conf.d/auth-checkpassword.conf.ext
 
mail_location = maildir:~/Maildir
 
 
  passdb {
 
  passdb {
  driver = pam
+
  driver = passwd-file
 +
  args = /etc/auth/%d/passwd
 
  }
 
  }
  driver = passwd-file
+
  args = /etc/postfix/passwd/%d
+
userdb {
 +
  driver = prefetch
 +
}
 +
 +
userdb {
 +
  driver = passwd-file
 +
  args = /etc/auth/%d/passwd
 +
}
 +
 
 +
== conclusion ==
 +
There are many guides on how to do this, with different structures in the files and locations, or even how the virtual user tables and mailbox are made distinct.  If you become familiar with how it works, then you can customize it to fit your system schema. If you find any errors on this page, please create a wiki account and correct them.
  
 
== references ==
 
== references ==
 +
These are the best references and related guides as of 2014 for postmap/dovecot virtual user configuration.
  
 
* [http://www.postfix.org/VIRTUAL_README.html Postfix Virtual Domain Hosting Howto]
 
* [http://www.postfix.org/VIRTUAL_README.html Postfix Virtual Domain Hosting Howto]

Latest revision as of 21:29, 13 February 2014

This guide assumes you already have postfix installed, dovecot installed, and at minimum have email established for unix accounts either by final destination or virtual alias domains. Now you want to set up a separate virtual user database, and these virtual users that do not have a unix account on the system will be able to retrieve their email from their virtual mailbox. The security benefit is in that email only users need not have any security credentials in the /etc/passwd and still be able to pop or imap in and retrieve email.

It might make things more clear to first Understand Postfix Account Types for a Linux system.

configuration steps with examples

Step 1: prepare necessary files and directories

Locate your postfix configuration files, they might be in /etc/postfix, or /etc/mail/postfix, or /etc/mail depending on your distro and installation. For Redhat/Fedora/CentOS you will likely find the following directory structure:

/etc/poastfix
/etc/dovecot

You will have to manually create some files.

touch /etc/postfix/virtual
touch /etc/postfix/domains
touch /etc/postfix/vmailbox
mkdir /etc/auth
touch /etc/auth/yourdomain.com/passwd

You will have to manually populate those files. Click on each one for a sample. Remember to change obvious things such as yourdomain.com to your actual domain name, and populate the users with your actual users.

Step 2: edit the postfix main.cf

Here are (some) important lines you will need in your main.cf

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = hash:/etc/postfix/domains
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 4000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

Note the virtual_mailbox_base parameter. This is where mail for virtual users is delivered to and stored. This mail is kept separate from mail for system users. Since we are using Maildir/ style mailboxes, for each user postfix will deliver to the proper Maildir structure under /var/spool/vmail . The first time an email is delivered, and the structure under /var/spool/vmail does not yet exist for the user, postfix will create the directories. It is important that postfix have write permission to the /var/spool/vmail folder.

Another important consideration is that later, when we configure dovecot so users can pop or imap in to read their mail, it use the same path for mail_location.

The config files that begin with the word "hash" in the parameter, like virtual_alias_maps, /etc/postfix/domains, /etc/postfix/vmailbox are not directly read from by postfix. These have to be processed by 'postmap' so they are made into a hash "lookup table" which is all of the data in your text file made optimized for faster parsing by postfix. Use the command 'postmap' to make a hash AFTER you populate these files with your data.

postmap /etc/postfix/virtual
postmap /etc/postfix/domains
postmap /etc/postfix/vmailbox

Step 3: edit the dovecot.conf

Here is a sample of (minimum) lines from dovecot.conf

protocols = imap pop3 lmtp
listen = *
login_greeting = Hello visitor!
!include conf.d/*.conf

Step 4: edit conf.d/10-auth.conf

The 10-auth.conf is located in the conf.d/ folder. Here is a sample of (minimum) lines from 10-auth.conf

disable_plaintext_auth = no
auth_failure_delay = 4 secs
auth_mechanisms = plain login
!include auth-system.conf.ext
!include auth-checkpassword.conf.ext

Make sure that !include auth-checkpassword.conf.ext is uncommented.

Step 5: edit conf.d/auth-checkpassword.conf.ext

The auth-checkpassword.conf.ext is in the conf.d/ filder. Here are all the necessary lines.

passdb {
  driver = passwd-file
  args = /etc/auth/%d/passwd
}

userdb {
  driver = prefetch
}

userdb {
  driver = passwd-file
  args = /etc/auth/%d/passwd
}

conclusion

There are many guides on how to do this, with different structures in the files and locations, or even how the virtual user tables and mailbox are made distinct. If you become familiar with how it works, then you can customize it to fit your system schema. If you find any errors on this page, please create a wiki account and correct them.

references

These are the best references and related guides as of 2014 for postmap/dovecot virtual user configuration.

&nbsp