Differences

This shows you the differences between two versions of the page.

--- virtualmailboxeswitheximanddovecot [2011/02/24 12:53] – Authentication via Dovecot jim
+++ virtualmailboxeswitheximanddovecot [2016/08/15 08:43] (current) – Give Exim read permission on vmail passwd jim
@@ Line 13: / Line 13: @@
 ===== Set up virtual mailbox space and configuration =====
-First I created a system user and group ''vmail'' to own all virtual mailboxes.
+First I created a user and group ''vmail'' to own all virtual mailboxes. I make the user a normal user because Dovecot will try to access all virtual mailboxes as that ''vmail'' user, and in Dovecot 2.x on Debian the config ''first_valid_uid'' is set to 500 to prevent attempts to access daemon mailboxes.
-  # adduser -system --home /var/local/vmail --group vmail
+  # adduser --home /var/local/vmail --group vmail
 and a configuration directory.
@@ Line 44: / Line 44: @@
 </code>
-The second, ''passwd'' contains the account information for the domain. There are two items on a line, username and password hash, separated by a colon. Generate the password has using the ''dovecotpw'' utility. Just to be on the safe side, we'll ensure the password file isn't world readable.
+The second, ''passwd'' contains the account information for the domain. There are two items on a line, username and password hash, separated by a colon. Generate the password has using the ''dovecotadm pw'' utility. Just to be on the safe side, we'll ensure the password file isn't world readable and is readable by Dovecot and Exim.
 <code>
-# /usr/sbin/dovecotpw -p password
+# doveadm pw -s SHA256-CRYPT -p password
-{CRAM-MD5}9186d855e11eba527a7a52ca82b313e180d62234f0acc9051b527243d41e2740
+{SHA256-CRYPT}$5$TQGxffy9XCxe53vu$L2NWgKJ47w3PoAIj3/IxLJIREA9QSyBKdKDMJlXvn07
 # cat > /etc/vmail/example.mod/passwd
-tommy.atkins:{CRAM-MD5}9186d855e11eba527a7a52ca82b313e180d62234f0acc9051b527243d41e2740
+tommy.atkins:{SHA256-CRYPT}$5$TQGxffy9XCxe53vu$L2NWgKJ47w3PoAIj3/IxLJIREA9QSyBKdKDMJlXvn07
 ^D
-# chgrp /etc/vmail/example.mod/passwd
+# chown dovecot:vmail /etc/vmail/example.mod/passwd
-# chmod 0640 /etc/vmail/example.mod/passwd
+# adduser Debian-exim vmail
+# chmod 0660 /etc/vmail/example.mod/passwd
 </code>
@@ Line 60: / Line 61: @@
 The next step is to configure Exim to deliver to virtual mailboxes.
-The first thing to do is to add the domain to the list of local domains. How you do this depends on which of Debian's configuration scheme you are using. You need to end up with a configuration file with the domain as part of the ''domainlist local_domains''. From here on, I'll show what I ended up with in the Exim configuration file, and leave it up to you to work out how to get it there.
+Exactly how you do this depends on which of Debian's configuration schemes you are using. I am using the ''conf.d'' multiple configuration file hierarchy with the config type ''internet''. From here on, I'll show what I ended up with in the Exim configuration file, and indicate where I put each entry in the ''conf.d'' hierarchy. Please treat these as an illustration; if you have a setup reasonably close to the standard installed version then I think these will probably work for you, but I can't promise.
-Next we need a router to expand virtual domain aliases.
+The first thing to do is to add the domain to the list of local domains. You need to end up with a configuration file with the domain as part of the ''domainlist local_domains''. I wanted to have the virtual mail domains work automatically, rather than have to add them manually to the list of local domains. I first added a configuration ''main/00_vmail_config'' with some definitions:
+<code>
+VMAIL_DELIVERY=dovecot_vmail
+VMAIL_DOMAINS=dsearch;/etc/vmail
+VMAIL_ALIASES=/etc/vmail/$domain/aliases
+VMAIL_PASSWD=/etc/vmail/$domain/passwd
+VMAIL_MAILBOX_DIR=/var/local/vmail/$domain
+</code>
+That ''dsearch;/etc/vmail'' will expand to a list of the files/directories under /etc/vmail. Which will be the domains to be handled.
+I then made a small modification to ''main/01_exim4-config_listmacrosdefs'' to add the virtual mail domains to the list of local domains:
+<code>
+# Local modification - add vmail domains to local domains, and provide
+# main_local_domains for the non-vmail domains.
+domainlist local_domains = MAIN_LOCAL_DOMAINS : VMAIL_DOMAINS
+domainlist main_local_domains = MAIN_LOCAL_DOMAINS
+</code>
+(I use ''main_local_domains'' elsewhere in my processing of non-virtual mail domains.)
+Next I need a router to expand virtual domain aliases. I put this into ''router/170_vmail_aliases''.
 <code>
 vmail_aliases:
   driver = redirect
-  data = ${lookup{$local_part}lsearch{/etc/vmail/$domain/aliases}}
+  domains = VMAIL_DOMAINS
-  domains = dsearch;/etc/vmail
+  allow_fail
+  allow_defer
+  data = ${lookup{$local_part}lsearch{VMAIL_ALIASES}}
   qualify_domain = $domain
-  retry_use_local_part
 </code>
-That ''desarch;/etc/vmail'' will expand to a list of the files/directories under /etc/vmail. Which will be the domains to be handled. ''qualify_domain = $domain'' ensures the expanded alias, if any, has the same domain as the original, if the domain is not specified in the alias.
+''qualify_domain = $domain'' ensures the expanded alias, if any, has the same domain as the original, if the domain is not specified in the alias.
-Once that's done, we can think about routing to a transport for delivery.
+Once that's done, I can think about routing virtual mail users to a transport for delivery, and rejecting messages to unknown users in a virtual mail domain. I put this into ''router/180_vmail_user''.
 <code>
-vmail_deliver:
+vmail_user:
   driver = accept
-  condition = ${if eq {}{${lookup{$local_part}lsearch{/etc/vmail/$domain/passwd}}}{no}{yes}}
+  domains = VMAIL_DOMAINS
-  domains = dsearch;/etc/vmail
+  local_parts = lsearch;VMAIL_PASSWD
-  no_more
+  transport = VMAIL_DELIVERY
-  retry_use_local_part
-  transport = vmail_delivery
+vmail_no_such_user:
+  driver = redirect
+  domains = VMAIL_DOMAINS
+  allow_fail = true
+  data = :fail: Unknown user
+  more = false
 </code>
-Here we're accepting the mail on condition that the local part of the address appears in the domain's password file. If it does, the message proceeds to the transport.
+Here I'm accepting the mail on condition that the local part of the address appears in the domain's password file. If it does, the message proceeds to the virtual mail delivery transport. Otherwise, the user does not exist in the virtual mail domain and I can fail delivery and give up.
+Now to the transports. I am now delivering all mail using Dovecot ''deliver''. I define a transport for this in ''transport/30_dovecot_vmail'' and select it using the VMAIL_DELIVERY definition.
+<code>
+dovecot_vmail:
+  driver = pipe
+  command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address -a $original_local_part@$original_domain
+  message_prefix =
+  message_suffix =
+  log_output
+  delivery_date_add
+  envelope_to_add
+  return_path_add
+  user = vmail
+  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
+</code>
+Prior to using Dovecot ''deliver'', I had Exim deliver virtual mail itself, with this transport in ''transport/30_vmail_home''.
 <code>
-vmail_delivery:
+vmail_home:
   driver = appendfile
   envelope_to_add
-  directory = /var/local/vmail/$domain/$local_part/Maildir
+  directory = VMAIL_MAILBOX_DIR/$local_part/Maildir
   maildir_format
   create_directory = true
@@ Line 109: / Line 159: @@
   # exim4 -bt tommy.atkins@example.mod
   tommy.atkins@example.mod
-  router = vmail_deliver, transport = vmail_delivery
+  router = vmail_user, transport = dovecot_vmail
 ===== Reading mail =====
 Now we need to modify the Dovecot setup to allow our user to read mail.
+==== Dovecot 1.x ====
 I'm assuming your ''dovecot.conf'' already has
@@ Line 159: / Line 210: @@
 to your ''dovecot.conf'' while you try and work out what's going wrong.
+==== Dovecot 2.x with Debian conf.d configuration ====
+Again, I'm assuming that ''10-mail.conf'' has
+  mail_location = maildir:~/Maildir
+in it, telling Dovecot to find your regular users mail in ''~/Maildir''.
+I first added a new auth configuration file, ''auth-vmail.conf.ext''.
+  # Virtual mailbox passwords.
+  passdb {
+    driver = passwd-file
+    args = username_format=%n /etc/vmail/%d/passwd
+  }
+  # VMail static settings.
+  userdb {
+    driver = static
+    args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n
+  }
+This gives Dovecot the essential password and user info settings.
+I then modified ''10-auth.conf'', adding the new ''vmail'' auth at the end of the file.
+  !include auth-vmail.conf.ext
+To debug authentication problems, enable ''auth_debug'' and ''auth_debug_passwords'' in ''10-logging.conf''.
 ===== Letting your virtual users send mail =====
@@ Line 165: / Line 246: @@
 There's several ways of cracking this nut. I'll just mention that if you do it by allowing authenticated SMTP, I found it easiest to do by handing the authentication over to Dovecot.
+==== Dovecot 1.x ====
 I needed to create the Dovecot authenticator socket by adding
@@ Line 182: / Line 265: @@
 section in ''dovecot.conf''. It's commented out by default in Debian. Without other arrangements, Exim needs its mode to be 0666; comments in the Dovecot config suggest this is generally safe.
-Then, in the Exim configuration, use these authenticators:
+Then, in the Exim configuration, add ''auth/30_dovecot_auth'' containing:
 <code>
@@ Line 200: / Line 283: @@
   server_mail_auth_condition = false
 </code>
+==== Dovecot 2.x ====
+In ''10-master.conf'' I add a Dovecot authenticator socket with permissions for Exim by adding the following lines in the section ''service auth''.
+<code>
+  unix_listener auth-client {
+    mode = 0660
+    group = Debian-exim
+  }
+</code>
+Then add ''auth/30_dovecot_auth'' to the Exim configuration as above.

virtualmailboxeswitheximanddovecot.1298552005.txt.gz · Last modified: 2011/02/24 12:53 by jim

Show page Recent Changes Backlinks

Old revisions Admin Sitemap Back to top