virtualmailboxeswitheximanddovecot [2011/02/24 12:18] – Delivery via Exim. jim
virtualmailboxeswitheximanddovecot [2016/08/15 08:43] (current) – Give Exim read permission on vmail passwd jim
Line 13: Line 13:
 ===== Set up virtual mailbox space and configuration ===== ===== Set up virtual mailbox space and configuration =====
  
-First I created a system user and group ''vmail'' to own all virtual mailboxes.+First I created a user and group ''vmail'' to own all virtual mailboxes. I make the user a normal user because Dovecot will try to access all virtual mailboxes as that ''vmail'' user, and in Dovecot 2.x on Debian the config ''first_valid_uid'' is set to 500 to prevent attempts to access daemon mailboxes.
  
-  # adduser -system --home /var/local/vmail --group vmail+  # adduser --home /var/local/vmail --group vmail
      
 and a configuration directory. and a configuration directory.
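Review bot: dropping `--system` from the `adduser` call (L16) to satisfy Dovecot's `first_valid_uid` also gives `vmail` an interactive login: `adduser` will prompt for a password and assign the default shell, although the account only needs to own mailboxes and run `deliver`. Add `--disabled-login` and a non-interactive shell (`--shell /usr/sbin/nologin`) so the uid is above 500 but the account still cannot be used to log in to the host. The removed line also spelt the option `-system` with one dash, which `adduser` does not accept, so the old command probably never did what was intended.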
Line 44: Line 44:
 </code> </code>
  
-The second, ''passwd'' contains the account information for the domain. There are two items on a line, username and password hash, separated by a colon. Generate the password has using the ''dovecotpw'' utility. Just to be on the safe side, we'll ensure the password file isn't world readable.+The second, ''passwd'' contains the account information for the domain. There are two items on a line, username and password hash, separated by a colon. Generate the password has using the ''dovecotadm pw'' utility. Just to be on the safe side, we'll ensure the password file isn't world readable and is readable by Dovecot and Exim.
  
 <code> <code>
-/usr/sbin/dovecotpw -p password +doveadm pw -s SHA256-CRYPT -p password 
-{CRAM-MD5}9186d855e11eba527a7a52ca82b313e180d62234f0acc9051b527243d41e2740+{SHA256-CRYPT}$5$TQGxffy9XCxe53vu$L2NWgKJ47w3PoAIj3/IxLJIREA9QSyBKdKDMJlXvn07
 # cat > /etc/vmail/example.mod/passwd # cat > /etc/vmail/example.mod/passwd
-tommy.atkins:{CRAM-MD5}9186d855e11eba527a7a52ca82b313e180d62234f0acc9051b527243d41e2740+tommy.atkins:{SHA256-CRYPT}$5$TQGxffy9XCxe53vu$L2NWgKJ47w3PoAIj3/IxLJIREA9QSyBKdKDMJlXvn07
 ^D ^D
-chgrp /etc/vmail/example.mod/passwd +chown dovecot:vmail /etc/vmail/example.mod/passwd 
-# chmod 0640 /etc/vmail/example.mod/passwd+# adduser Debian-exim vmail 
 +# chmod 0660 /etc/vmail/example.mod/passwd
 </code> </code>
  
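Review bot: `chmod 0660` (L32) grants more than the revision summary ("read permission") says: every process that needs the file only reads it (Dovecot's auth process as owner `dovecot`, Exim's `Debian-exim` via its new `vmail` group membership, and `deliver` running as `vmail`), so group write lets anything running as `vmail`, including the pipe transport invoked for arbitrary incoming mail, rewrite the credential store. `chmod 0640` is sufficient with the `chown dovecot:vmail` and `adduser Debian-exim vmail` steps already in the hunk. Two smaller points on L22 and L25: the prose says `dovecotadm pw` while the command is `doveadm pw` (the latter is correct) and "password has" should read "password hash"; and passing the plaintext with `-p password` leaves it in shell history and process listings, so omit `-p` and let `doveadm pw` prompt for it.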
Line 60: Line 61:
 The next step is to configure Exim to deliver to virtual mailboxes. The next step is to configure Exim to deliver to virtual mailboxes.
  
-The first thing to do is to add the domain to the list of local domains. How you do this depends on which of Debian's configuration scheme you are using. You need to end up with a configuration file with the domain as part of the ''domainlist local_domains''. From here on, I'll show what I ended up with in the Exim configuration file, and leave it up to you to work out how to get it there.+Exactly how you do this depends on which of Debian's configuration schemes you are using. I am using the ''conf.d'' multiple configuration file hierarchy with the config type ''internet''. From here on, I'll show what I ended up with in the Exim configuration file, and indicate where I put each entry in the ''conf.d'' hierarchy. Please treat these as an illustration; if you have a setup reasonably close to the standard installed version then I think these will probably work for you, but I can't promise.
  
-Next we need a router to expand virtual domain aliases.+The first thing to do is to add the domain to the list of local domains. You need to end up with a configuration file with the domain as part of the ''domainlist local_domains''. I wanted to have the virtual mail domains work automatically, rather than have to add them manually to the list of local domains. I first added a configuration ''main/00_vmail_config'' with some definitions: 
 + 
 +<code> 
 +VMAIL_DELIVERY=dovecot_vmail 
 + 
 +VMAIL_DOMAINS=dsearch;/etc/vmail 
 + 
 +VMAIL_ALIASES=/etc/vmail/$domain/aliases 
 +VMAIL_PASSWD=/etc/vmail/$domain/passwd 
 + 
 +VMAIL_MAILBOX_DIR=/var/local/vmail/$domain 
 +</code> 
 + 
 +That ''dsearch;/etc/vmail'' will expand to a list of the files/directories under /etc/vmail. Which will be the domains to be handled. 
 + 
 +I then made a small modification to ''main/01_exim4-config_listmacrosdefs'' to add the virtual mail domains to the list of local domains: 
 + 
 +<code> 
 +# Local modification - add vmail domains to local domains, and provide 
 +# main_local_domains for the non-vmail domains. 
 +domainlist local_domains = MAIN_LOCAL_DOMAINS : VMAIL_DOMAINS 
 +domainlist main_local_domains = MAIN_LOCAL_DOMAINS 
 +</code> 
 + 
 +(I use ''main_local_domains'' elsewhere in my processing of non-virtual mail domains.) 
 + 
 +Next need a router to expand virtual domain aliases. I put this into ''router/170_vmail_aliases''.
  
 <code> <code>
 vmail_aliases: vmail_aliases:
   driver = redirect   driver = redirect
-  data = ${lookup{$local_part}lsearch{/etc/vmail/$domain/aliases}} +  domains = VMAIL_DOMAINS 
-  domains = dsearch;/etc/vmail+  allow_fail 
 +  allow_defer 
 +  data = ${lookup{$local_part}lsearch{VMAIL_ALIASES}}
   qualify_domain = $domain   qualify_domain = $domain
-  retry_use_local_part 
 </code> </code>
  
-That ''desarch;/etc/vmail'' will expand to a list of the files/directories under /etc/vmail. Which will be the domains to be handled. ''qualify_domain = $domain'' ensures the expanded alias, if any, has the same domain as the original, if the domain is not specified in the alias.+''qualify_domain = $domain'' ensures the expanded alias, if any, has the same domain as the original, if the domain is not specified in the alias.
  
-Once that's done, we can think about routing to a transport for delivery.+Once that's done, can think about routing virtual mail users to a transport for delivery, and rejecting messages to unknown users in a virtual mail domain. I put this into ''router/180_vmail_user''.
  
 <code> <code>
-vmail_deliver:+vmail_user:
   driver = accept   driver = accept
-  condition ${if eq {}{${lookup{$local_part}lsearch{/etc/vmail/$domain/passwd}}}{no}{yes}} +  domains = VMAIL_DOMAINS 
-  domains = dsearch;/etc/vmail +  local_parts = lsearch;VMAIL_PASSWD 
-  no_more +  transport = VMAIL_DELIVERY 
-  retry_use_local_part + 
-  transport vmail_delivery+vmail_no_such_user: 
 +  driver = redirect 
 +  domains = VMAIL_DOMAINS 
 +  allow_fail = true 
 +  data = :fail: Unknown user 
 +  more false
 </code> </code>
  
-Here we're accepting the mail on condition that the local part of the address appears in the domain's password file. If it does, the message proceeds to the transport.+Here I'accepting the mail on condition that the local part of the address appears in the domain's password file. If it does, the message proceeds to the virtual mail delivery transport. Otherwise, the user does not exist in the virtual mail domain and I can fail delivery and give up. 
 + 
 +Now to the transports. I am now delivering all mail using Dovecot ''deliver''. I define a transport for this in ''transport/30_dovecot_vmail'' and select it using the VMAIL_DELIVERY definition.
  
 <code> <code>
-vmail_delivery:+dovecot_vmail: 
 +  driver = pipe 
 +  command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address -a $original_local_part@$original_domain 
 +  message_prefix = 
 +  message_suffix = 
 +  log_output 
 +  delivery_date_add 
 +  envelope_to_add 
 +  return_path_add 
 +  user = vmail 
 +  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78 
 +</code> 
 +Prior to using Dovecot ''deliver'', I had Exim deliver virtual mail itself, with this transport in ''transport/30_vmail_home''
 + 
 +<code> 
 +vmail_home:
   driver = appendfile   driver = appendfile
   envelope_to_add   envelope_to_add
-  directory = /var/local/vmail/$domain/$local_part/Maildir+  directory = VMAIL_MAILBOX_DIR/$local_part/Maildir
   maildir_format   maildir_format
   create_directory = true   create_directory = true
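Review bot: `more false` on the `vmail_no_such_user` router (L95) is not one of Exim's documented spellings for a boolean option; write it `no_more` or `more = false`, and run `exim4 -bV` before restarting so a malformed option is caught rather than aborting the daemon. The `:fail:` redirect already makes the address fail, so the option is only a safeguard; the useful effect of that router is that, with an RCPT ACL that still does `verify = recipient` (Debian's default does), mail to unknown virtual users is rejected at SMTP time instead of being accepted and bounced. Because `VMAIL_DOMAINS=dsearch;/etc/vmail` (L45) turns every entry under /etc/vmail into a local domain, keep that directory free of anything except the per-domain directories; a stray backup file there becomes a "domain". Prose nits in the new text: L66 "Next need" and L81 "can think" have lost "we", L98 "Here I'accepting" should be "Here I'm accepting", and L115 needs a full stop or colon before the code block.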
Line 104: Line 154:
  
 By the way, when you add a user, it's an idea to either send them a welcome mail to check things are working properly and create their ''Maildir'' into the bargain. Otherwise, you should create the ''Maildir'' by hand, so that there is something there when they try to read their mail. By the way, when you add a user, it's an idea to either send them a welcome mail to check things are working properly and create their ''Maildir'' into the bargain. Otherwise, you should create the ''Maildir'' by hand, so that there is something there when they try to read their mail.
 +
 +When that's done, test your handiwork:
 +
 +  # exim4 -bt tommy.atkins@example.mod
 +  tommy.atkins@example.mod
 +  router = vmail_user, transport = dovecot_vmail
 +
 +===== Reading mail =====
 +
 +Now we need to modify the Dovecot setup to allow our user to read mail.
 +
 +==== Dovecot 1.x ====
 +
 +I'm assuming your ''dovecot.conf'' already has
 +
 +  mail_location = maildir:~/Maildir
 +
 +in it, telling Dovecot to find your regular users mail in ''~/Maildir''.
 +
 +We need to add the virtual domains to the
 +
 +  auth default {
 +  }
 +  
 +section of the configuration. The first stage is to add the virtual users password files.
 +
 +  passdb passwd-file {
 +    args = username_format=%n /etc/vmail/%d/passwd
 +  }
 +
 +Here's a tip. My configuration also has a configuration for PAM
 +
 +  passdb pam {
 +  }
 +  
 +Put the virtual users ''passwd-file'' entry **before** the ''pam'' section. If you don't, your virtual usernames will be tried in ''pam'' first. Confusion will abound if they succeed. And if they don't, it will look to programs like ''denyhosts'' or ''fail2ban'' as if a PAM login failed, and you may find access to the host unexpectedly blocked.
 +
 +Now you need to add a ''userdb'' section telling Dovecot how to find the mailbox. You will have a
 +
 +  userdb passwd {
 +  }
 +  
 +section serving your existing users. **After** that, add a catch-all for the virtual mailbox users.
 +
 +  userdb static {
 +    args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n
 +  }
 +
 +This tells Dovecot to use ''vmail'' permissions to access the mailbox, and that the user home is at ''/var/local/main/<domain>/<user>''. Dovecot will apply it's existing rule that the mail is to be found in directory ''Maildir'' under the user's home, and you are off to the races.
 +
 +In practice, you'll most probably run into authentication problems. For help sorting them out, add
 +
 +  auth_debug = yes
 +  auth_debug_passwords = yes
 +  
 +to your ''dovecot.conf'' while you try and work out what's going wrong.
 +
 +==== Dovecot 2.x with Debian conf.d configuration ====
 +
 +Again, I'm assuming that ''10-mail.conf'' has
 +
 +  mail_location = maildir:~/Maildir
 +
 +in it, telling Dovecot to find your regular users mail in ''~/Maildir''.
 +
 +I first added a new auth configuration file, ''auth-vmail.conf.ext''.
 +
 +  # Virtual mailbox passwords.
 +  passdb {
 +    driver = passwd-file
 +    args = username_format=%n /etc/vmail/%d/passwd
 +  }
 +  
 +  # VMail static settings.
 +  userdb {
 +    driver = static
 +    args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n
 +  }
 +
 +This gives Dovecot the essential password and user info settings.
 +
 +I then modified ''10-auth.conf'', adding the new ''vmail'' auth at the end of the file.
 +
 +  !include auth-vmail.conf.ext
 +
 +To debug authentication problems, enable ''auth_debug'' and ''auth_debug_passwords'' in ''10-logging.conf''.
 +
 +===== Letting your virtual users send mail =====
 +
 +Your virtual mail users will probably want to send some mail, too. So you may want to give them access to your Exim server to relay mail. But, of course, you don't want world+dog also relaying their spam through your host.
 +
 +There's several ways of cracking this nut. I'll just mention that if you do it by allowing authenticated SMTP, I found it easiest to do by handing the authentication over to Dovecot.
 +
 +==== Dovecot 1.x ====
 +
 +I needed to create the Dovecot authenticator socket by adding
 +
 +   socket listen {
 +     client {
 +       path = /var/run/dovecot/auth-client
 +       mode = 0666
 +     }
 +   }
 +
 +to the
 +
 +  auth default {
 +  }
 +
 +section in ''dovecot.conf''. It's commented out by default in Debian. Without other arrangements, Exim needs its mode to be 0666; comments in the Dovecot config suggest this is generally safe.
 +
 +Then, in the Exim configuration, add ''auth/30_dovecot_auth'' containing:
 +
 +<code>
 +dovecot_plain:
 +  driver = dovecot
 +  public_name = PLAIN
 +  server_socket = /var/run/dovecot/auth-client
 +  #server_set_id = $auth2
 +  server_mail_auth_condition = false
 +
 +
 +dovecot_login:
 +  driver = dovecot
 +  public_name = LOGIN
 +  server_socket = /var/run/dovecot/auth-client
 +  #server_set_id = $auth2
 +  server_mail_auth_condition = false
 +</code>
 +
 +==== Dovecot 2.x ====
 +
 +In ''10-master.conf'' I add a Dovecot authenticator socket with permissions for Exim by adding the following lines in the section ''service auth''.
 +
 +<code>
 +  unix_listener auth-client {
 +    mode = 0660
 +    group = Debian-exim
 +  }
 +</code>
 +
 +Then add ''auth/30_dovecot_auth'' to the Exim configuration as above.
 +
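Review bot: the `dovecot_plain` and `dovecot_login` authenticators (L241-L254) are advertised unconditionally, and PLAIN and LOGIN both send the password in clear; add `server_advertise_condition = ${if def:tls_in_cipher }` (the variable is `tls_cipher` on Exim older than 4.80) to each so they are only offered inside a TLS session. Uncomment `server_set_id` as well (the Exim spec's dovecot authenticator example uses `$auth1`): without it the authenticated user is not recorded in the log or `$authenticated_id`, so an abused virtual account cannot be traced from the mainlog. The Dovecot 1.x `client` socket (L224-L229) accepts the same `user`/`group` settings as the 2.x `unix_listener` (L262-L265), so `mode = 0660` with `group = Debian-exim` works there too instead of 0666. `auth_debug_passwords = yes` (L180, L212) writes submitted passwords into the log in clear; switch it off again once the problem is found. Finally, L175 says the home is `/var/local/main/<domain>/<user>` while the `userdb static` args (L172, L203) set `/var/local/vmail/%d/%n`; fix the prose, and "it's existing rule" should read "its existing rule".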
 