Postfix : root and system user authentication

jeremy ardley jeremy at
Thu Mar 16 01:58:38 UTC 2023

On 16/3/23 06:31, Aymeric Agon-Rambosson wrote:
> I have a solution to my problem.
> For reference, I am putting it here :
> A simple way to restrict login based on uids is to modify the file as 
> such :
> #%PAM-1.0
> auth    required uid > 500 quiet
> @include common-auth
> @include common-account
> @include common-session

It is possible for the dovecot sasl component to use different authorisation 
back-ends, such as LDAP, GSSAPI, MySQL etc. These do not necessarily 
have the ability to reject uid < 500.

However, generally, these backends can be used by pam as well. In 
default Debian installations:

cat dovecot

#auth required preauth silent audit
#auth [default=die] authfail audit

@include common-auth
@include common-account
@include common-session

cat common-auth

# /etc/pam.d/common-auth - authentication settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.

A good practice would be to use postfix --> dovecot/sasl --> pam --> 
backend server and do the uid vetting in the dovecot pam configuration.
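
Added example, not part of the original post: a small check that a dovecot PAM service file really carries an active uid gate ahead of the common-auth include. It assumes the uid test is done with pam_succeed_if.so (the post does not name the module); the sample file contents and the function name audit_pam_service are constructed for illustration.

```python
import re

# Constructed samples of a dovecot PAM service file. pam_succeed_if.so is an
# assumption: the post does not name the module that does the uid test.
SAMPLE_OK = """\
#%PAM-1.0
auth    required pam_succeed_if.so uid > 500 quiet
@include common-auth
@include common-account
@include common-session
"""
SAMPLE_LATE = "@include common-auth\nauth required pam_succeed_if.so uid >= 1000 quiet\n"
SAMPLE_NONE = "#auth required pam_succeed_if.so uid > 500\n@include common-auth\n"

# Only the plain "required"/"requisite" controls are recognised as a hard gate.
GATE = re.compile(r"^auth\s+(?:required|requisite)\s+pam_succeed_if\.so\b(.*)$")
COND = re.compile(r"\buid\s+(>=|>)\s+(\d+)\b")
INCLUDE = re.compile(r"^@include\s+common-auth\b")

def audit_pam_service(text, reserved_max=499):
    """Return findings; [] means uids <= reserved_max are refused up front."""
    gate_at = include_at = lowest_allowed = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # ignore comments
        if include_at is None and INCLUDE.match(line):
            include_at = n
        m = GATE.match(line)
        c = COND.search(m.group(1)) if m else None
        if c and gate_at is None:
            gate_at = n
            # "uid > N" admits N+1 and up, "uid >= N" admits N and up
            lowest_allowed = int(c.group(2)) + (c.group(1) == ">")
    if gate_at is None:
        return ["no active uid gate in the auth stack"]
    findings = []
    if include_at is not None and gate_at > include_at:
        findings.append(f"line {gate_at}: uid gate follows common-auth (line "
                        f"{include_at}); a 'sufficient' module there can return first")
    if lowest_allowed <= reserved_max:
        findings.append(f"line {gate_at}: uids from {lowest_allowed} up are "
                        f"admitted, but uids up to {reserved_max} should be refused")
    return findings

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_LATE", "SAMPLE_NONE"):
        print(name, audit_pam_service(globals()[name]))
```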


