Postfix : root and system user authentication

Aki Tuomi aki.tuomi at open-xchange.com
Thu Mar 16 06:53:31 UTC 2023


> On 16/03/2023 03:58 EET jeremy ardley <jeremy at ardley.org> wrote:
> 
>  
> On 16/3/23 06:31, Aymeric Agon-Rambosson wrote:
> >
> > I have a solution to my problem.
> >
> > For reference, I am putting it here :
> >
> >
> > A simple way to restrict login based on uids is to modify the file as 
> > such :
> >
> > #%PAM-1.0
> >
> > auth    required        pam_succeed_if.so uid > 500 quiet
> > @include common-auth
> > @include common-account
> > @include common-session
> >
> >
> 
> It is possible for dovecot sasl component to use different authorisation 
> back-ends, such as LDAP, GSSAPI, MySQL etc. These do not necessarily 
> have the ability to reject uid < 500.
> 
> However, generally, these backends can be used by pam as well. In 
> default debian installations:
> 
> cat dovecot
> #%PAM-1.0
> 
> #auth required pam_faillock.so preauth silent audit
> #auth [default=die] pam_faillock.so authfail audit
> 
> @include common-auth
> @include common-account
> @include common-session
> 
> cat common-auth
> 
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
> # traditional Unix authentication mechanisms.
> 
> 
> A good practice would be to use postfix --> dovecot/sasl --> pam --> 
> backend server and do the uid vetting in the dovecot pam configuration.
> 

Dovecot itself can reject uid < 500. Just set first_valid_uid = 500 and first_valid_gid = 500.

Aki
> -- 
> 
> Jeremy
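The thread describes two places where the uid check can sit: a `pam_succeed_if` line in `/etc/pam.d/dovecot` and Dovecot's own `first_valid_uid` / `first_valid_gid` settings. The script below is an added example, not code from this thread or from the Dovecot project; it reads a constructed `/etc/passwd` excerpt and reports which accounts each gate would accept, so the two rules can be compared before deployment. It assumes the comparison operators that `pam_succeed_if` accepts (`=`, `!=`, `<`, `<=`, `>`, `>=`) and that Dovecot's bound is inclusive (a uid equal to `first_valid_uid` is still allowed, as the setting name says).

```python
"""Audit which local accounts a mail-auth path would accept.

Added example (not from the original thread). Models two gates:
  * a pam_succeed_if condition such as "uid > 500" in /etc/pam.d/dovecot
  * Dovecot's first_valid_uid / first_valid_gid settings (inclusive bound)
The passwd lines below are constructed and do not come from a real host.
"""
import operator
import re

# Constructed sample of /etc/passwd lines (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postfix:x:106:113::/var/spool/postfix:/usr/sbin/nologin
dovecot:x:107:114:Dovecot mail server:/usr/lib/dovecot:/usr/sbin/nologin
legacy:x:500:500:Legacy account:/home/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

# Operators pam_succeed_if accepts for numeric fields.
OPS = {
    ">": operator.gt, ">=": operator.ge,
    "<": operator.lt, "<=": operator.le,
    "=": operator.eq, "!=": operator.ne,
}

# Condition grammar handled here: "<uid|gid> <op> <number>", e.g. "uid > 500".
COND_RE = re.compile(r"^\s*(uid|gid)\s*(>=|<=|!=|>|<|=)\s*(\d+)\s*$")


def parse_passwd(text):
    """Return {name: {"uid", "gid", "shell"}} from passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _, uid, gid, _, _, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def pam_succeed_if_allows(condition, user):
    """Evaluate a pam_succeed_if numeric condition against one account."""
    m = COND_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    field, op, value = m.groups()
    return OPS[op](user[field], int(value))


def dovecot_allows(user, first_valid_uid=500, first_valid_gid=500):
    """Dovecot rejects logins whose uid or gid is below the configured minimum."""
    return user["uid"] >= first_valid_uid and user["gid"] >= first_valid_gid


def audit(passwd_text, condition="uid > 500",
          first_valid_uid=500, first_valid_gid=500):
    """Return {name: (pam_allows, dovecot_allows)} for every account."""
    users = parse_passwd(passwd_text)
    return {
        name: (pam_succeed_if_allows(condition, u),
               dovecot_allows(u, first_valid_uid, first_valid_gid))
        for name, u in users.items()
    }


def disagreements(report):
    """Accounts on which the PAM rule and the Dovecot rule give different answers."""
    return sorted(name for name, (pam_ok, dc_ok) in report.items() if pam_ok != dc_ok)


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD)
    for name, (pam_ok, dc_ok) in report.items():
        print(f"{name:10} pam={'allow' if pam_ok else 'deny':5} "
              f"dovecot={'allow' if dc_ok else 'deny'}")
    print("gates disagree on:", disagreements(report))
```

With the thread's exact settings (`uid > 500` in PAM, `first_valid_uid = 500` in Dovecot) the two gates disagree on an account whose uid is exactly 500: PAM denies it, Dovecot allows it. Writing the PAM condition as `uid >= 500` makes both gates agree. Separately, where the `pam_succeed_if` line sits relative to the `@include` lines, and whether it is `required` or `requisite`, decides whether the remaining modules still run after a failed uid check.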

