This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 10 and 50 (spanning 40 versions)
Revision 10 as of 2004-03-20 13:35:36
Size: 1710
Editor: spekje
Comment:
Revision 50 as of 2013-03-31 13:40:36
Size: 6281
Editor: cpc5-basf10-2-0-cust708
Comment: couple of spelling corrections
Dovecot virtual users

An exercise in mailrouting by F. Overkamp < florian@obsimref.com >

Preamble

I wanted to use Dovecot to deal with mailboxes that may belong to accounts that may or may not exist as a unix user. I also required a large amount of flexibility in migration options - so mail-accounts may have any number of formats and daemons. I am doing distribution of these users by using Perdition (http://www.vergenet.net/linux/perdition/), but that's just a preference.

A few assumptions were made in this setup:

  • All virtual users/mailboxes are in /home/dovecot/users
  • Password file for these users is /home/dovecot/passwd (looks just like a htpasswd file)

Desired results

The result I was looking for was this:

Mail for the domain comes in. If it has a dovecot mailbox, deliver it there. If not, continue with 'normal' local delivery.

  • So if frops@host is not a unix user and it does exist in dovecot, use that
  • So if florian@host is a unix user and it was not yet migrated to dovecot, use the old mailbox
  • So if dummy@host is a unix user and it was not yet migrated to dovecot, use the old mailbox
  • So if nonexistent@host exists nowhere, bounce :-)

Making dovecot use these mailboxes

auth default {
  userdb static {
    args = uid=vmail gid=vmail home=/home/dovecot/users/%u
  }
  passdb passwd-file {
    args = /home/dovecot/passwd
  }
}

The password file should not contain plain-text passwords, but rather the password hashes (checksums) for the desired authentication method. Add a second args line if you need more authentication methods.
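An added example (not part of the original page or of Dovecot itself): a Python audit of a passwd-file such as /home/dovecot/passwd that reports entries stored as plaintext and a world-accessible file mode. It assumes the user:password[:...] line layout with an optional {SCHEME} prefix and CRYPT as the fallback scheme when no prefix is given; the sample entries are constructed.

```python
import os
import re
import stat
import sys

# Dovecot schemes that store the password itself rather than a hash.
PLAINTEXT_SCHEMES = {"PLAIN", "CLEARTEXT"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}")
# No {SCHEME} prefix: assumed fallback is CRYPT, so expect crypt(3) output.
CRYPT_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")

# Constructed sample entries (user:password); none come from a real system.
SAMPLE = """\
frops:{SSHA256}constructed-not-a-real-hash
florian:{PLAIN}example-password
dummy:$6$constructedsalt$constructedhashvalue
nobody:example-password
"""

def classify(field):
    """Return (verdict, scheme) for one password field."""
    m = SCHEME_RE.match(field)
    if m:
        scheme = m.group(1).upper()  # an encoding suffix such as .b64 is ignored
        return ("plaintext" if scheme in PLAINTEXT_SCHEMES else "hashed", scheme)
    if CRYPT_RE.match(field):
        return ("hashed", "CRYPT")
    return ("suspect", None)  # empty, or not shaped like a crypt(3) hash

def audit(path):
    """List (user, verdict, detail) for each entry or file mode needing attention."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        findings.append(("<file>", "world-accessible", oct(mode)))
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            user, _, rest = line.partition(":")
            verdict, scheme = classify(rest.split(":", 1)[0])
            if verdict != "hashed":
                findings.append((user, verdict, scheme))
    return findings

if __name__ == "__main__":
    for finding in audit(sys.argv[1]):
        print(*finding)
```

The 13-character crypt(3) match is a heuristic: a plaintext password of exactly that shape would pass, so treat a clean report as a minimum check.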

By the way, I did not bother making another set of configs to deal with non-virtual users - I use perdition for that in my migration scenario.

Making exim 3 deliver to those virtual users

# Director to send any mail for which a dovecot user exists to the appropriate maildir box
# Directors are evaluated in order of configuration, so if you place this
# above the local_delivery director this will play nice:
# If there is a virtual user in the dovecot dirs it will use that
# If not, it will try normal local delivery
# If you want to allow + addressing (i.e. having an address extension)
# then uncomment the suffix stanzas
dovecot:
  driver = smartuser
  #suffix = +*
  #suffix_optional
  require_files = +/home/dovecot/users/${local_part}/
  transport = dovecot_transport

# Transport to send any mail for which a dovecot user exists to the appropriate maildir box
# Transport definitions are not order-dependent - you just call a named transport
dovecot_transport:
  driver = appendfile
  user = vmail
  group = vmail
  mode = 0600
  directory=/home/dovecot/users/${lc:$local_part}/
  maildir_format = true
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true

In order to make this work, exim must be able to read the /home/dovecot/users/ directory, otherwise delivery will not work.

Making exim 4 deliver to those virtual users

If at all possible you should use exim 4 in place of the obsolete exim 3. Exim 4 has many more features to enable fine control of mail policy. Packages are available for all current linux distributions and other OS platforms.

# Router to send any mail for which a dovecot user exists to the appropriate maildir box
# Routers are evaluated in order of configuration.
# You will want to place this after the remote router and before the
# localuser router in the default configuration.
# If you want to allow + addressing (i.e. having an address extension)
# then uncomment the suffix stanzas
dovecot_router:
  driver = accept
  #local_part_suffix = +*
  #local_part_suffix_optional
  require_files = +/home/dovecot/users/${local_part}/
  transport = dovecot_transport

# Transport to send any mail for which a dovecot user exists to the appropriate maildir box
# Transport definitions are not order-dependent - you just call a named transport
dovecot_transport:
  driver = appendfile
  user = vmail
  group = vmail
  mode = 0600
  directory=/home/dovecot/users/${lc:$local_part}/
  maildir_format = true
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true

In order to make this work, exim must be able to read the /home/dovecot/users/ directory, otherwise delivery will not work.

Exim4 on Debian

Using the exim4 package on Debian, the configuration changes need to be applied to the /router/ and /transport/ directories inside /etc/exim4/conf.d/ (by default). This only applies in split-configuration mode. In single-file configuration, the changes must be applied at the appropriate points. I created new files in each with a numbering scheme similar to the current ones. The numbers determine the order in which these get added to the main configuration file.

After the changes are made, you will need to run (as root) the invoke-rc.d exim4 restart command and the file will be regenerated. (You will have to pass a -r argument or else it will spit out an error message telling you to read the man page - THIS IS DANGEROUS as it overwrites your entire configuration - so if you haven't been using Debian's scripts to maintain your configuration files, don't use this command!)

Testing your exim configuration

Be careful how you do this - test it with 'exim -bt <address>' for a few different options.

  • So if frops@host is not a unix user and it does exist in dovecot, use that:

frops@host
  deliver to frops in domain host
  director = dovecot, transport = dovecot_transport

  • So if florian@host is a unix user and it was not yet migrated to dovecot, use the old mailbox:

florian@host
  deliver to florian in domain host
  director = procmail, transport = procmail_pipe
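
An added example (not part of the original page): a Python check that parses 'exim -bt' output and compares each address's transport with the routing the "Desired results" list calls for, so a router-ordering mistake shows up before mail is misdelivered. The sample output is constructed from the listings above, and the "is undeliverable" line for an unroutable address is an assumed form.

```python
import re
import sys

# Constructed sample shaped like the output above; last line is an assumed form.
SAMPLE = """\
frops@host
  deliver to frops in domain host
  director = dovecot, transport = dovecot_transport
florian@host
  deliver to florian in domain host
  director = procmail, transport = procmail_pipe
nonexistent@host is undeliverable
"""

# Expected transport per address (None = must bounce), from "Desired results".
EXPECTED = {
    "frops@host": "dovecot_transport",
    "florian@host": "procmail_pipe",
    "nonexistent@host": None,
}

# Exim 3 prints "director =", Exim 4 prints "router =".
ROUTE_RE = re.compile(r"(?:router|director) = (\S+?), transport = (\S+)")

def parse_bt(text):
    """Map each tested address to (router, transport), or None if nothing routed it."""
    routes, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # an unindented line starts a new address
            current = line.split()[0]
            routes[current] = None
            continue
        m = ROUTE_RE.search(line)
        if m and current:
            routes[current] = m.groups()
    return routes

def mismatches(text, expected):
    """Return (address, expected_transport, actual) for every routing surprise."""
    routes, bad = parse_bt(text), []
    for addr, want in expected.items():
        got = (routes.get(addr, ("", "not tested")) or (None, None))[1]
        if got != want:
            bad.append((addr, want, got))
    return bad

if __name__ == "__main__":
    for row in mismatches(sys.stdin.read(), EXPECTED):
        print("MISMATCH", *row)
```

Feed it the concatenated output of 'exim -bt' for each address in EXPECTED; no output means every address took the intended route.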

Further Issues

It is possible to extend this configuration to make exim use the same database for SMTP authentication, although it is slightly difficult due to the different password hashing schemes. If you keep the password database file in PLAIN format then it can be done relatively easily.

Security considerations

Need evaluation and recommendations.


None: HowTo/VirtualhostingWithExim (last edited 2013-03-31 13:40:36 by cpc5-basf10-2-0-cust708)