Postfix : root and system user authentication
Aymeric Agon-Rambosson
aymeric.agon at yandex.com
Wed Mar 15 22:31:44 UTC 2023
I have a solution to my problem.
For reference, I am putting it here:
I recall that my issue is that postfix authorises login with root
(or other users), even though authentication is delegated to
dovecot, and the documentation about {first,last}_valid_{g,u}id
seems to say that it should not be possible (and that
authentication to dovecot with root is also forbidden in a
hardcoded way).
I thank Mr. Ardley for having pointed out that dovecot delegates the
authentication to PAM.
What actually happens (in my case at least) is that dovecot
questions PAM about a specific authentication attempt, and
receives PAM's answer. Then, *and only for itself*, it applies its
own restrictions regarding root login and
{first,last}_valid_{g,u}id. When it authenticates on behalf of
postfix, it notifies postfix of success directly.
So the semantics of {first,last}_valid_{g,u}id should be understood
for dovecot only, not for other processes that have delegated
authentication to dovecot, which answers my first question.
Then, on how to effectively restrict postfix submission login
based on uids, the simple solution not involving virtual users is
to set these conditions in PAM directly.
The conditions that dovecot must match in order to succeed
authentication with PAM are in the file /etc/pam.d/dovecot (at
least on Debian):
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
A simple way to restrict login based on uids is to modify the file
as such:
#%PAM-1.0
auth required pam_succeed_if.so uid > 500 quiet
@include common-auth
@include common-account
@include common-session
Now, in order for dovecot (and *for every process it authenticates
on behalf of* as well, which is what matters) to succeed
authentication, the uid will have to be greater than 500. It is
possible to specify other conditions as well, see
https://linux.die.net/man/8/pam_succeed_if.
Best regards to everyone,
Aymeric
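As an added example (not part of the original thread), here is a small Python emulation of the pam_succeed_if(8) condition syntax linked above, run over a constructed passwd sample, so an admin can check which local accounts a given module line would still let authenticate through dovecot (and therefore reach postfix submission). The sample accounts, the group membership map and the recognised flag names are assumptions for the demo, not values from the post.

```python
import fnmatch
import operator
import shlex
# Constructed /etc/passwd sample (not taken from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postfix:x:106:112::/var/spool/postfix:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
GROUPS = {"mail-users": {"alice"}, "sudo": {"alice", "bob"}}  # constructed, for "user ingroup"
# Operators from pam_succeed_if(8): numeric ones for uid/gid, string ones for the rest.
NUM_OPS = {"<": operator.lt, "<=": operator.le, "eq": operator.eq,
           ">=": operator.ge, ">": operator.gt, "ne": operator.ne}
STR_OPS = {"=": operator.eq, "!=": operator.ne, "=~": fnmatch.fnmatchcase,
           "!~": lambda v, g: not fnmatch.fnmatchcase(v, g),
           "in": lambda v, items: v in items.split(":"),
           "notin": lambda v, items: v not in items.split(":"),
           "ingroup": lambda v, g: v in GROUPS.get(g, set()),
           "notingroup": lambda v, g: v not in GROUPS.get(g, set())}
FLAGS = {"quiet", "quiet_fail", "quiet_success", "debug", "audit", "use_uid"}

def parse_passwd(text):
    """Map user -> the fields pam_succeed_if can test (uid/gid as ints)."""
    users = {}
    for line in text.splitlines():
        name, _, uid, gid, _, home, shell = line.split(":")
        users[name] = {"user": name, "uid": int(uid), "gid": int(gid),
                       "home": home, "shell": shell}
    return users

def succeed_if(module_args, entry):
    """True when every 'field op value' triple holds for this account (flags ignored)."""
    toks = [t for t in shlex.split(module_args) if t not in FLAGS]
    if len(toks) % 3:
        raise ValueError("conditions must be field/op/value triples")
    for field, op, value in zip(toks[0::3], toks[1::3], toks[2::3]):
        ok = (NUM_OPS[op](entry[field], int(value)) if op in NUM_OPS
              else STR_OPS[op](str(entry[field]), value))
        if not ok:  # all conditions must succeed, as with the real module
            return False
    return True

def allowed_users(module_args, passwd_text=PASSWD):
    """Sorted account names the pam_succeed_if line would let authenticate."""
    return sorted(u for u, e in parse_passwd(passwd_text).items()
                  if succeed_if(module_args, e))
```

Calling allowed_users("uid > 500 quiet") on the sample shows that only alice and bob pass the line from the post, while root and the system accounts are refused.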