[Dovecot] Newbie question: configuration for virtual users
Hi!
I'm looking forward to deploying dovecot as an IMAP server. I did some research into the various options and it looks like dovecot is the right daemon for me. I'll be using it with Exim.
I am running a few tens of users on my server, most of them small numbers of people part of a small company, e.g. example.com.
At present I have exim delivering to mbox in each virtual user's mail folder. So, for chris, john and mandy @ example.com, I have
/home/example/Mail/
chris
john
mandy
All of the users in example.com run under the same uid and gid (example). I like to separate these 'virtual' users from the real system users for security reasons. I presently serve up these mboxes via teapop, which allows for per-domain configuration. I couldn't find a similar setup after a cursory read of the config file examples on the dovecot website.
I'd like some advice on how to support different non-system users under dovecot, ideally storing mail in a similar configuration to above, except (presumably?) that the user files will be under each user name? Thus:
/home/example/Mail/
chris/
john/
mandy/
I may use postgresql to store user configuration data if appropriate.
Advice gratefully received. Rory
Rory Campbell-Lange
rory@campbell-lange.net
Hi
I've not done this but dovecot should be capable of doing what you want.
Try in dovecot.conf something like:
default_mail_env = mbox:/home/example/Mail/%u
(assumes each user's INBOX is actually called INBOX, otherwise add the :INBOX= option)
That sorts out the location bit - best to chroot the imap server process and deny full filesystem access so they can't get to each other's mail.
That just leaves the authentication/userdb bit (shamelessly lifted from docs)
auth_userd = pgsql /etc/dovecot-pgsql.conf
auth_passdb = pgsql /etc/dovecot-pgsql.conf
and in dovecot-pgsql.conf: connect = host=sql.example.com dbname=virtual user=virtual password=blarg user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u' password_query = SELECT password FROM users WHERE userid = '%u' default_pass_scheme = PLAIN
The user_query = is pretty much just showing the username is valid or not and forcing the UID/GID. You *could* store the location of the mail directory as "home" the use mbox:%h instead - or in my example not bother.
I'll offer some out of band advice - if your users are fairly static, I would advise storing dovecot's user list and passwords in a flat file which can be auto-generated from Postgres regularly. It just makes it easier to take the database offline for maintenance without forcing everything to a halt. Live DB driven services are good for sites with high data turnover like portals or ISPs - giving an instant reposnse to things like a new user registering - but sometimes it's more trouble than it's worth.
We used to tie exim into postgres - but if postgres fell over for a night we got a big pile of trouble in the form of mega mail queues.
Munge that lot to fit your server/table layouts etc and common UID/GID
You have the choice of holding the plain passwd, a PLAIN-MD5, DIGEST-MD5 or a crypt version in the database. However - choose wisely based on what the mail clients will support - there's a lot of variation. Sylpheed will do PLAIN or CRAM-MD5 only. You may find that despite the obvious issues, PLAIN is the best to use as everything can use it. Or if the user's already authenticate via some other mechanism, use that if dovecot supports it.
Hope that helps.
Tim
On Tue, 20 Jul 2004 23:41:13 +0100 Rory Campbell-Lange rory@campbell-lange.net wrote:
Hi!
I'm looking forward to deploying dovecot as an IMAP server. I did some research into the various options and it looks like dovecot is the right daemon for me. I'll be using it with Exim.
I am running a few tens of users on my server, most of them small numbers of people part of a small company, e.g. example.com.
At present I have exim delivering to mbox in each virtual user's mail folder. So, for chris, john and mandy @ example.com, I have
/home/example/Mail/ chris john mandy
All of the users in example.com run under the same uid and gid (example). I like to separate these 'virtual' users from the real system users for security reasons. I presently serve up these mboxes via teapop, which allows for per-domain configuration. I couldn't find a similar setup after a cursory read of the config file examples on the dovecot website.
I'd like some advice on how to support different non-system users under dovecot, ideally storing mail in a similar configuration to above, except (presumably?) that the user files will be under each user name? Thus:
/home/example/Mail/ chris/ john/ mandy/
I may use postgresql to store user configuration data if appropriate.
Advice gratefully received. Rory
Rory Campbell-Lange rory@campbell-lange.net
-- Tim Southerwood
Hi Tim
I'm very grateful for your advice.
On 21/07/04, Tim Southerwood (ts@doc.ic.ac.uk) wrote:
I've not done this but dovecot should be capable of doing what you want.
Great stuff! I'll look into the configuration you suggest. ...
I'll offer some out of band advice - if your users are fairly static, I would advise storing dovecot's user list and passwords in a flat file which can be auto-generated from Postgres regularly. It just makes it easier to take the database offline for maintenance without forcing everything to a halt. Live DB driven services are good for sites with high data turnover like portals or ISPs - giving an instant reposnse to things like a new user registering - but sometimes it's more trouble than it's worth.
Yes, I'm running a lot of services off Postgres, and been caught out by an apt-get update once or twice! ...
You have the choice of holding the plain passwd, a PLAIN-MD5, DIGEST-MD5 or a crypt version in the database. However - choose wisely based on what the mail clients will support - there's a lot of variation. Sylpheed will do PLAIN or CRAM-MD5 only. You may find that despite the obvious issues, PLAIN is the best to use as everything can use it. Or if the user's already authenticate via some other mechanism, use that if dovecot supports it.
I'm mainly supporting OSX Mail and XP Outlook users. Are they OK at supporting DIGEST-MD5 or crypt? Maybe I should use IMAPS and plain?
Sorry for the questions in response to your answers!
Many thanks, Rory
--
Rory Campbell-Lange
rory@campbell-lange.net
On Wed, 21 Jul 2004 00:47:10 +0100 Rory Campbell-Lange rory@campbell-lange.net wrote:
You have the choice of holding the plain passwd, a PLAIN-MD5, DIGEST-MD5 or a crypt version in the database. However - choose wisely based on what the mail clients will support - there's a lot of variation. Sylpheed will do PLAIN or CRAM-MD5 only. You may find that despite the obvious issues, PLAIN is the best to use as everything can use it. Or if the user's already authenticate via some other mechanism, use that if dovecot supports it.
I'm mainly supporting OSX Mail and XP Outlook users. Are they OK at supporting DIGEST-MD5 or crypt? Maybe I should use IMAPS and plain?
Hi
SSL and PLAIN is what we use - at least it's guaranteed to work with every client on the planet.
Cheers
Tim
-- Tim Southerwood Website: http://www.dionic.net/ email: ts@DIESPAMDIE.dionic.net (remove DIESPAMDIE. to get address)
participants (2)
-
Rory Campbell-Lange
-
Tim Southerwood