Postfix Mysql and Dovecot
# Postfix

- install postfix-mysql
- grant postfix the right to read the database:

```sql
-- Note: on MySQL 8 and later the account has to be created first with
-- CREATE USER 'postfix'@'127.0.0.1' IDENTIFIED BY 'NicePassword'; and GRANT
-- no longer accepts IDENTIFIED BY. The page's single-statement form works on
-- MySQL 5.x and MariaDB.
grant select on madmin.* to 'postfix'@'127.0.0.1' identified by 'NicePassword';
```
Postfix and MySQL have to communicate via TCP, because the MySQL socket is not reachable from the chrooted Postfix process.
- configure your virtual_transport

All mail to virtual users should be handed to the Dovecot deliver binary, which applies sieve and quota, stores the mail in the mailbox and updates the index/cache. main.cf:

```
virtual_transport = dovecot
```

master.cf (the second line must be indented, it continues the dovecot service entry):

```
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=dovenull:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
```
- configure virtual_mailbox_domains

This tells Postfix which domains it should accept mail for. main.cf:

```
virtual_mailbox_domains = mysql:/etc/postfix/virtual_mailbox_domains.cf
```

/etc/postfix/virtual_mailbox_domains.cf:

```
user = postfix
password = NicePassword
dbname = madmin
hosts = 127.0.0.1
query = select name from domains where name='%s'
```
- configure virtual_mailbox_maps

This tells Postfix which addresses are valid. Postfix answers with "User unknown in virtual mailbox table" if the query returns zero rows. In main.cf:

```
virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailbox_maps.cf
```

/etc/postfix/virtual_mailbox_maps.cf:

```
user = postfix
password = NicePassword
dbname = madmin
hosts = 127.0.0.1
query = select users.name,domains.name from domains,users where users.domain_id=domains.id and users.name='%u' and domains.name='%d';
```
- configure virtual_alias_maps

This table is used for forwards. In main.cf:

```
virtual_alias_maps = mysql:/etc/postfix/virtual_alias_maps.cf
```

/etc/postfix/virtual_alias_maps.cf:

```
user = postfix
password = NicePassword
dbname = madmin
hosts = 127.0.0.1
query = select forwards.destination from forwards,domains where forwards.name='%u' and domains.name='%d' and forwards.domain_id=domains.id;
```
- SASL authentication via Dovecot

Postfix can use Dovecot to authenticate clients. Add this to the master.cf:

```
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
```
Dovecot listens on a socket for authentication requests, validates them against the configured auth mechanisms and returns the result. Dovecot has to create the socket below the Postfix chroot, so that Postfix can still reach it when chrooted. Add this to the service "auth" stanza of your Dovecot config:

```
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
}
```
# Dovecot

- install dovecot-mysql

Since BSD has Blowfish built into libc, Dovecot can authenticate directly against the database there. /etc/dovecot/conf.d/auth-sql.conf.ext:

```
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
```

/etc/dovecot/dovecot-sql.conf.ext:

```
driver = mysql
connect = host=127.0.0.1 dbname=madmin user=dovecot password=AnotherPassword
default_pass_scheme = BLF-CRYPT
password_query = SELECT users.password_digest as password from domains,users where users.domain_id=domains.id and users.name='%n' and domains.name='%d';
user_query = SELECT 111 AS uid, 115 AS gid, '/tmp/' as home from users,domains where users.domain_id=domains.id and users.name='%n' and domains.name='%d';
```
Otherwise we have to use a workaround to use bcrypt: we tell Dovecot to use the checkpassword driver and pass it our own script, which receives the credentials and asks the web app whether they are okay.

auth-checkpassword.conf.ext:

```
passdb {
  driver = checkpassword
  args = /path-to-madmin/bin/madmin-auth.sh
}
# the passdb lookup should also return the userdb info
userdb {
  driver = prefetch
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
```
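One shape such a checkpassword script can take, as an added example in Python (it is not the madmin project's own madmin-auth.sh): it reads the credentials Dovecot hands over on fd 3, asks the web app whether they are valid, maps the answer onto the exit codes Dovecot expects (1 wrong password, 2 unknown user, 111 temporary failure), and on success passes uid, gid and home to the prefetch userdb through the environment before exec'ing the reply binary. The endpoint MADMIN_AUTH_URL, its HTTP status convention and the uid/gid/home defaults (taken from the user_query above) are assumptions.

```python
import os, sys
import urllib.error, urllib.parse, urllib.request
EXIT_AUTH_FAILED, EXIT_USER_UNKNOWN, EXIT_TEMP_FAILURE = 1, 2, 111  # checkpassword exit codes
# Assumption: the madmin web app exposes this endpoint (not from the page).
MADMIN_AUTH_URL = "http://127.0.0.1:8080/internal/auth"

def parse_checkpassword_input(data):
    """Split the fd 3 payload: username NUL password NUL timestamp NUL."""
    parts = data.split(b"\0")
    if len(parts) < 3:
        raise ValueError("malformed checkpassword input")
    return parts[0].decode(), parts[1].decode()

def build_reply_env(user, uid, gid, home):
    """userdb_* variables consumed by the prefetch userdb; EXTRA names them."""
    return {"USER": user, "HOME": home, "userdb_uid": str(uid),
            "userdb_gid": str(gid), "userdb_home": home,
            "EXTRA": "userdb_uid userdb_gid userdb_home"}

def check(data, verify, uid=111, gid=115, home="/tmp/"):
    """Return (exit code, env); exit code 0 means exec the reply binary with env."""
    try:
        user, password = parse_checkpassword_input(data)
        result = verify(user, password)  # True / False / None = no such user
    except Exception:
        return EXIT_TEMP_FAILURE, {}     # 111: a backend outage is not a bad password
    if result is None:
        return EXIT_USER_UNKNOWN, {}
    if not result:
        return EXIT_AUTH_FAILED, {}
    return 0, build_reply_env(user, uid, gid, home)

def ask_madmin(user, password):
    """Hypothetical web app check: 2xx ok, 401 wrong password, 404 unknown user."""
    form = urllib.parse.urlencode({"user": user, "password": password}).encode()
    try:
        urllib.request.urlopen(MADMIN_AUTH_URL, data=form, timeout=5).close()
        return True
    except urllib.error.HTTPError as exc:
        if exc.code not in (401, 404):
            raise
        return False if exc.code == 401 else None

if __name__ == "__main__":  # dovecot runs "script <reply-binary>", credentials on fd 3
    payload = os.fdopen(3, "rb").read()
    code, env = check(payload, ask_madmin)
    if code:
        sys.exit(code)
    os.environ.update(env)
    os.execv(sys.argv[1], sys.argv[1:])
```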
The userdb doesn't need to decrypt anything, so we can ask the database directly. /etc/dovecot/dovecot-sql.conf.ext:

```
driver = mysql
connect = host=127.0.0.1 dbname=madmin user=dovecot password=NicePassword
user_query = SELECT 111 AS uid, 8 AS gid, '/tmp/' as home from users,domains where users.domain_id=domains.id and users.name='%n' and domains.name='%d';
```

Take care that the uid and gid are the ones the deliver process is started with. The deliver process is started by Postfix; see the master.cf entry above.