Handling mail for non-system users with Exim4?
Posted by sabin on Thu 1 Dec 2005 at 11:50
I run Debian Sarge on my main server at home which provides different services. I also run exim4, courier-imap-(ssl), squirrelmail and spamd as my mail setup on this box. Now I am wondering how I could give different users email accounts without adding them system-wide as users.
I have setup exim4, imapd and squirrelmail to allow system users to use it. How would I make exim deliver mails for nonexistent system users to defined inboxes ?
I should mention that I also have mysql running, which could be an option for authenticating users.
Does anyone know about a HOWTO which fits my needs, or can give me hints/help me with that?
I'd also like to make dspam work for every user I'd add.
Thanks a lot in advance, Sabin
http://www.tty1.net/virtual_domains_en.html
enjoy
However, instead of trying to convince exim and courier to use non-system accounts, I created a shell-users group and used the pam_access module to restrict ssh users as follows: In /etc/pam.d/ssh add the line:
account required pam_access.so accessfile=/etc/security/shell-access.conf
And then the file /etc/security/shell-access.conf contains:
+:shell-users:ALL
-:ALL:ALL
Now, I feel a lot safer from all the attempts to crack my server by guessing ssh passwords.
Still haven't found a good way to let these email users change their passwords yet ...
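The access-control logic behind the two pam_access rules in the post above, as an added example written for this page (not the poster's files): it evaluates access.conf-style rules against a constructed stand-in for /etc/group and shows why the trailing "-:ALL:ALL" line matters, since pam_access grants access when no rule matches at all. The group names, user names and origin address are constructed sample data.

```python
"""Evaluator for the access.conf rule style used in the post above (added
example with constructed group data; not the poster's files).  pam_access
reads the file top to bottom and the first matching rule decides:
'+' grants, '-' denies.  If no rule matches at all, access is granted,
which is why the trailing '-:ALL:ALL' line is needed."""

# Constructed stand-in for /etc/group on the box: only alice may use ssh.
GROUPS = {"shell-users": {"alice"}, "mail-only": {"bob", "carol"}}

# The two rules from the post, as the contents of /etc/security/shell-access.conf
SHELL_ACCESS_CONF = """\
+:shell-users:ALL
-:ALL:ALL
"""


def parse_rules(text):
    """Return a list of (grant, who, origin) tuples, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, who, origin = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", who, origin))
    return rules


def user_matches(who, user):
    # The second field is ALL, a user name, or a group name (membership check)
    return who == "ALL" or who == user or user in GROUPS.get(who, set())


def origin_matches(pattern, origin):
    # Only ALL and an exact origin (tty or host) are modelled in this example
    return pattern == "ALL" or pattern == origin


def ssh_allowed(user, rules, origin="203.0.113.5"):
    """First matching rule wins; no match at all means pam_access grants access."""
    for grant, who, origin_pat in rules:
        if user_matches(who, user) and origin_matches(origin_pat, origin):
            return grant
    return True


if __name__ == "__main__":
    rules = parse_rules(SHELL_ACCESS_CONF)
    for user in ("alice", "bob", "carol", "mallory"):
        print(f"{user:8} -> {'allowed' if ssh_allowed(user, rules) else 'denied'}")
```

Running it shows alice allowed and everyone else denied; dropping the second rule lets bob in, which is the mistake the deny-all line guards against. Real pam_access also supports netgroups, host lists and the "(group)" syntax, none of which this model covers.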
I started with a simple system where you can have aliases for each domain (I also have multiple domains). Then I added the possibility to have virtual users. But as I (still) don't like databases, I did it in a more directory-oriented way. In
/etc/exim4/conf.d/router/360_exim4-local_vdom_aliases
I have the following:
#
# First we look up in /etc/exim4/virtual, if we have to do any aliases,
# based on the virtual domains!
#
vdom_aliases:
  driver = redirect
  allow_defer
  allow_fail
  domains = dsearch;/etc/exim4/virtual
  data = ${expand:${lookup{$local_part}lsearch*@{/etc/exim4/virtual/$domain}}}
  retry_use_local_part
  pipe_transport = address_pipe
  file_transport = address_file
#
# Then, if there is no local delivery, let's go and look if we have
# a virtual domain defined at /var/mail/virtual
#
vdom_aliases_maildir:
  debug_print = "R: vdom_aliases_maildir for $local_part@$domain"
  driver = redirect
  allow_defer
  allow_fail
  domains = dsearch;/var/mail/virtual
  data = /var/mail/virtual/$domain/$local_part/
  directory_transport = address_directory
  pipe_transport = address_pipe
  file_transport = address_file
  user = vmail
  group = vmail
Now I have two possibilities to influence the mail-delivery of exim:
- Use /etc/exim4/virtual/domainname in a "alias"-style way
- Add a directory in /var/mail/virtual/domain/name to have mail delivered in there
If I'd have debian.org, I could have
/etc/exim4/virtual/debian.org:
postmaster : user@localhost
forwarding_adress : user@somewhere.else.org
* : trash@localhost
Furthermore I'd create the directories
/var/mail/virtual/debian.org/user
/var/mail/virtual/debian.org/bug
to have the users "user@debian.org" and "bug@debian.org". Both directories should be owned by user vmail.vmail.
As imap-server I use dovecot with the following line in
/etc/dovecot/dovecot.conf
default_mail_env = maildir:/var/mail/virtual/%d/%n/
and
auth_userdb = passwd-file /etc/passwd.imap
for the passwords. This serves mail as stored by exim. One can also add symbolic links in there in order to cover local users.
Well, it's a bit hacky, but I wanted something easily extendable (and what is more easy than to write "mkdir -p newdomain.org/user") and I just love my filesystem. (Why does MS want to make the filesystem a DB? One should make the DB a filesystem ;)
Hope it helps,
ineiti
I think I should go for it and try it. my problem is, that I'm not that familiar with exim, so I'm sure it's gonna be a long night again!
thanks for your hint!
./sabin -s
dpkg-reconfigure exim4-config
Another useful tip is to use
exim4 -d+route -bt bug@debian.org (or whatever domain you're using it with)
and look at how it "resolves" the address. Very, very useful when debugging ;)
Good luck with exim. Tell us whether it worked, and what I forgot to write in the message, <grin>...
Ineiti
I did it so far like you described up there. I get the following error though:
sabin@mydomain.org is undeliverable:
Unrouteable address
when I hit "exim4 -d+route -bt sabin@mydomain.org"
note: mydomain.org is not my addy, I just replaced it.
2.
I wonder how I should tell courier to use a password file instead of pam.
concerning the mail directories I added this line:
MAILDIRPATH=/var/mail/virtual/%d/%n/
greets,
./sabin -s
OK, I forgot something: the 1st is because exim refuses to use domains it doesn't know. You have to tell it in 'dpkg-reconfigure exim4-config' under "Other destinations for which mail is accepted"
@:localhost:dsearch;/etc/exim4/virtual:dsearch;/var/mail/virtual
This tells exim to consider all files in /etc/exim4/virtual and /var/mail/virtual as domains for which to accept mails.
For 2nd, I don't know courier ;) Dovecot works fine for me...
Have fun,
Ineiti
domain = mydomain.org
errors_to=NULL
domain_data=NULL localpart_data=NULL
routed by dspam_router router
envelope to: sabin@mydomain.org
transport: dspam_spamcheck
sabin@mydomain.org
router = dspam_router, transport = dspam_spamcheck
./sabin -s
With a little cross referencing to the exim4 site docs you can set it up to use text files to replace the mysql back end.
It also goes into more details on courier-imap configuration.
http://www.xmn-berlin.de/~marte/exim/exim4_mysql_amavis_spamassassin.html
Couple of things
How to get this to work when you have catchall addresses in the /etc/exim4/virtual files?
For example
/etc/exim4/virtual/domain.tld
contains
foo: foo@localhost
* : trash@localhost
then under /var/mail/virtual I have a directory domain.tld with a directory testuser
Mail to testuser@domain.tld is delivered to the trash@localhost address (I'm guessing this is because the vdom_aliases_maildir config is after vdom_aliases in the config file but I don't really know).
Secondly - regarding courier - you can set the name of the maildir directory in /etc/default/courier - but - the path is harder. It appears to assume $HOME. Some google hits suggest changing the authenticator to redefine $HOME to /var/mail/virtual (for me that would be playing in /etc/courier/authdaemonrc) - so this appears to be harder with courier.
yes, this is not intuitive. But to inverse the order is not what you want, either: this would mean that local addresses get delivered BEFORE any aliases are done, which is not good. The correct way would be:
1. do any aliases without the "catch-all"
2. search in /var/mail/virtual/$domain$/$name$
3. Test for "catch-alls" and eventually deliver
Sounds complicated ;) A simple workaround is to have all your addresses in the alias-file:
foo : foo@localhost
testuser : testuser@localhost
* : trash@localhost
Which makes it a bit more complicated to set up a new user:
DOMAIN=domain.tld; USER=newuser; \
mkdir -p /var/mail/virtual/$DOMAIN/$USER; \
echo $USER : $USER@localhost >> /etc/exim4/virtual/$DOMAIN
But well, it's not soo bad ;)
Have fun,
ineiti
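The routing order that the last few replies argue about, as an added Python model written for this page (it is not exim and not anyone's posted configuration): it replays the "Other destinations" dsearch domain check, then the vdom_aliases router with lsearch*@ semantics (exact local part first, then "*"), then the vdom_aliases_maildir directory check, against a constructed temporary tree standing in for /etc/exim4/virtual and /var/mail/virtual. The catchall_last flag implements the three-step order suggested in the reply above (aliases without the catch-all, then the maildir, then the catch-all), and the hypothetical router name vdom_catchall is this example's own label for that third step.

```python
"""Model of the two-router virtual-domain setup from this thread (added
example, not ineiti's exim configuration itself).  A throwaway copy of
/etc/exim4/virtual and /var/mail/virtual is built under a temporary
directory; paths in results are relative to that directory."""
import os
import tempfile


def dsearch(directory, key):
    # dsearch;DIR succeeds when DIR contains an entry named exactly like the key
    return os.path.exists(os.path.join(directory, key))


def read_aliases(path):
    # Alias file format from the thread: "name : target", one entry per line
    entries = {}
    if os.path.isfile(path):
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    name, _, target = line.partition(":")
                    entries[name.strip()] = target.strip()
    return entries


def route(root, address, catchall_last=False):
    """Replay the router chain for one address and return (router, result).

    catchall_last=False: the '*' entry is honoured by the alias router itself
    (lsearch*@ semantics), which is what swallows testuser@domain.tld.
    catchall_last=True: explicit aliases, then the maildir directory, then
    the catch-all (the three-step order proposed in the thread).
    """
    local_part, domain = address.rsplit("@", 1)
    etc_virtual = os.path.join(root, "etc/exim4/virtual")
    var_virtual = os.path.join(root, "var/mail/virtual")

    # "Other destinations for which mail is accepted":
    # dsearch;/etc/exim4/virtual:dsearch;/var/mail/virtual
    if not (dsearch(etc_virtual, domain) or dsearch(var_virtual, domain)):
        return ("none", "Unrouteable address")

    aliases = read_aliases(os.path.join(etc_virtual, domain))
    maildir = os.path.join(var_virtual, domain, local_part)

    # vdom_aliases: lsearch*@ tries the exact local part first, then '*'
    if local_part in aliases:
        return ("vdom_aliases", aliases[local_part])
    if "*" in aliases and not catchall_last:
        return ("vdom_aliases", aliases["*"])

    # vdom_aliases_maildir: deliver into /var/mail/virtual/$domain/$local_part/
    if os.path.isdir(maildir):
        return ("vdom_aliases_maildir", os.path.relpath(maildir, root) + "/")

    # hypothetical third router: catch-all only after local delivery was ruled out
    if "*" in aliases:
        return ("vdom_catchall", aliases["*"])
    return ("none", "Unrouteable address")


def build_fixture(root, alias_lines):
    # Constructed sample tree: one virtual domain, one maildir user "testuser"
    os.makedirs(os.path.join(root, "etc/exim4/virtual"))
    os.makedirs(os.path.join(root, "var/mail/virtual/domain.tld/testuser"))
    with open(os.path.join(root, "etc/exim4/virtual/domain.tld"), "w") as fh:
        fh.write("\n".join(alias_lines) + "\n")


def demo(alias_lines, catchall_last=False):
    # Route a handful of addresses against a fresh fixture; return address -> result
    addresses = ("foo@domain.tld", "testuser@domain.tld",
                 "nobody@domain.tld", "someone@unknown.tld")
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root, alias_lines)
        return {a: route(root, a, catchall_last) for a in addresses}


if __name__ == "__main__":
    posted = ["foo: foo@localhost", "* : trash@localhost"]
    explicit = [posted[0], "testuser : testuser@localhost", posted[1]]
    for label, result in (("as posted", demo(posted)),
                          ("catch-all last", demo(posted, catchall_last=True)),
                          ("explicit alias", demo(explicit))):
        print(label)
        for addr, (router, target) in result.items():
            print(f"  {addr:22} {router:22} {target}")
```

With the alias file as posted, testuser@domain.tld is redirected to trash@localhost before the maildir router is ever consulted; with catchall_last=True it reaches its maildir and only nobody@domain.tld falls through to the catch-all; with the explicit "testuser : testuser@localhost" line (the workaround from the reply) the alias router handles it directly. Mail for a domain that appears in neither directory is refused up front, which is the "Unrouteable address" seen earlier in the thread.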
Oh - and one day - some fine day when I actually get the time to play - maybe just maybe I'll look at using LDAP directly :)
The only other issue I see here is that it appears that for dovecot or courier to work you have to symlink existing users Maildirs to the /var/exim/virtual directory structure - or have I misunderstood that point? In other words - if imap points to /var/exim/virtual/domain/local then all users must exist there - including local ones? And - if the imap authentication is via a separate user database file - then all local users passwords need to be duplicated there?
I did try a quick aptitude purge courier-imap; aptitude install dovecot - and it more or less worked (I could read all old mail in the inbox after the restart - but new mail didn't show - however I suspect the client).
I'm looking at migrating both pop and imap to dovecot to play with this a bit (not a major server - and learning a new package is sometimes fun) - but - exim is currently using courier authdaemon to handle SMTP auth - and I'm not sure how linked that is to the other courier parts (if you hadn't guessed - I got it working from a howto - and am still working on my understanding of the finer details). I really need to find out how that bit is working (and see if I can't get my father's mail client to play with something more than LOGIN or PLAIN).
-----------
yes, I have symlinks in /var/mail/virtual to all Maildir-directories... For the passwords, read http://wiki.dovecot.org/Authentication , which states:
""
Dovecot 1.0-tests supports defining multiple password databases, so that if password doesn't match in the first database, it checks the next one. This can be useful if you want to easily support having both local system users in /etc/passwd but also virtual users. This isn't possible in 0.99 releases.
""
To prevent linking, you could have dovecot look in the standard home-directories, and give the virtual directories in the dovecot-password file.
New mail doesn't show up
------------------------
Be sure to have the appropriate uid and gid set in the virtual directories. Furthermore I have some troubles with mixing of .INBOX and INBOX (difference of a dot in front!) for all sub-directories (also .Trash and Trash). I didn't solve that one, yet :(
SMTP with exim
--------------
I searched around a lot, only to find this one, which works nicely, even with TLS:
http://www.debian-administration.org/articles/280
This site rocks ;)
Have fun,
Ineiti
New mail - the mail is in the Maildir (when I switched back to courier it showed). However - the mail client I have is the cvs copy of gnus with some heavy elisp customisation - I'm going to want to test again with some other clients before I say that it's dovecot that's at fault.
SMTP with exim - cool - will look at this
This site rocks - yes - agreed - all hail Steve :) If you really like the site then remember this link
So - the only stage I need still to do is LDAP. For dovecot I can read up on the link posted above (with possible use of a backport or self-compiled). For sending though - SMTP auth - I've found the following
http://www.alios.org/exim4ldapauth.html
Now - anyone have any ideas how to change the config per virtual domain (different sites have different LDAP structures) ?