Understand Postfix Account Types
Postfix documentation attempts to explain the different types of users or ways to handle users. Here is a simplified list of user types, and how they differ.
1. A local system user receives mail for the primary machine domain. 2. A local system user receives mail from an alias virtual domain 3. A non-system user receives mail in a special virtual mailbox for any domain on the system.
Type 1 - If a user is in /etc/passwd then he or she is a user of the system. Traditionally that meant that his or her email account matched the system login username. So if Nicole’s login name in /etc/passwd is ‘nicole’ and the server domain is foo.com, Nicole would receive email to nicole@foo.com. Furthermore, if additional virtual domains are on the system, for example, abcdomain.com and defdomain.com, the user nicole would receive mail them too. Basically, nicole@any-domain-on-the-system will receive mail. This is the way things were back in the early sendmail days.
Type 2 - An email address is created, nicolemyspace@foo.com, so Nicole can use it to get her MySpace website related email, but there is no unix account called ‘nicolemyspace.’ Instead, the mail goes into her nicole unix account. Some mail systems are configured to accept mail for both nicole@ (the primary server domain) and any custom address from any domain hosted on the system. An alternative is to configure the system to not accept mail for the unix account name by default. This is something sendmail is limited in capability, and why mail administrators have turned to postfix as an alternative to sendmail.
Type 3 - Rather than having a unix account for all of the system mail users, especially since most only use email and would never need to login to the system for anything else, a nice option is the virtual mailbox for virtual users. This is inherently more secure. Mail users do not have real unix accounts on the system. There is a separate table of virtual users that can receive email from any domain on the system.
Combinations of the above are all possible with postfix. Consider that Kevin does not have a unix account on the system. Kevin is a virtual user, and authenticates with the username ‘kevin@otherdomain.com’ to retrieve his email. Kevin uses a weak password, so it is good that he doesn’t have an actual unix account on the system. Kevin wants to have an additional email address, ‘packersfan@foo.com’ to be forwarded into his virtual mailbox. This uses the virtual user table to forward to a virtual user mailbox and is possible with postfix.
The old /etc/alias table is no longer suitable for most user needs and really shouldn’t be used for email forwarding and distribution beyond localhost system messages from the administrator to unix account holders. For a modern secure mail server all of the email only users should have only virtual mailboxes without real unix accounts on the system. Any aliasing should be handled in the virtual user table. Unix accounts on the system should not receive Internet mail on any address with their username. Finally, dovecot should not be allowed chroot, limited to running as a non-privileged user.
tables
- /etc/passwd - user accounts on the unix system
- /etc/aliases - defines aliases for unix accounts on the system. by default these accept mail for any domain on the system. distribution to multiple recipients can be done.
- sendmail/virtualusertable - here aliases on specific domains can be defined to be forwarded to a unix mailbox, a distribution list defined in /etc/aliases, and email accounts on other mail systems. On a postfix system the table can also be used to forward email to virtual user mailboxes.
- postfix/vmailbox - maps virtual non-unix users to the path of their virtual mailbox
- dovecot/virtualpasswd - by any naming convention, this represents the file that contains all virtual users and their passwords. Often the name of the virtual user file is based on the domain of the virtual user's login, /etc/auth/yourdomain.com/passwd
There may also be tables for other things such as a table for the domains hosted on the system if they are not specified directly within one of the postfix configuration files. See Dovecot and Postfix Hybrid Authentication Example for a list of tables with example entries in the correct format.
final destination
On a modern mail server using a secure model, unix accounts on the system may not be the final destination for Internet email. If the system is a mail server only, there may be only a small handful of actual unix accounts. Virtual users all have a username which includes the domain name of their primary email address. They are not limited to receiving only mail from the domain in their username, however, it is considered the name of their mailbox, the final destination for Internet mail.