Hello all,
I'm building a mail system and would like to check whether my design is feasible. I'm fairly certain that it is but I think I don't have the right words and concepts lined up properly in my head.
The end system will provide temporary/disposable email addresses that can be accessed by multiple people.
People would be able to send email to addresses that match the following format:
user1@foobar.mydomain.com user2@foobar.mydomain.com
user1@barbaz.mydomain.com user2@barbaz.mydomain.com
I would like all emails to the "foobar" subdomain to end up in their own mailbox and all emails to the "barbaz" subdomain to go to their own mailbox. (I think that means I need a foobar and barbaz user on Dovecot). Users of the system should be able to see all of the emails, including the original addresses they were sent to.
e.g. user1@foobar.mydomain.com and user2@foobar.mydomain.com both get delivered to the "foobar" mailbox, and users can see all emails, including that they were sent to "user1" and "user2"
The users of the system would be able to access any of the foobar, barbaz, etc mailboxes - I believe that means that they would need to be set as master users.
I will be creating a web interface for users to get/set their credentials, so can add those users on an ad hoc basis, but I will need to have the "foobar", "barbaz", etc users created whenever an email arrives (we won't know ahead of time).
The plan is to have postfix accepting the emails before passing them to Dovecot. I don't believe postfix needs to do much processing but that this would be the place to transform the address into the correct user/mailbox name.
So my questions are:
- Does the above sound reasonable?
- Can Dovecot auto-create users as needed?
- Will I be able to preserve the original email?
- Are master users the right approach?
There is no strong requirement for privacy between mailboxes - there is no issue with one user being able to read all email. There is also no requirement to be able to send email but that is a feature request for the future - we would want people to be able to send as the original address when that's implemented.
Any pointers gratefully received.
Thanks in advance,
Felix
On 10-27-2021 12:06 pm, Felix Ingram wrote:
user1@foobar.mydomain.com user2@foobar.mydomain.com
user1@barbaz.mydomain.com user2@barbaz.mydomain.com
I would like all emails to the "foobar" subdomain to end up in their own mailbox and all emails to the "barbaz" subdomain to go to their own mailbox.
Your question might be more suited to the postfix mailing list. Dovecot doesn't receive mail from the internet, which I believe you understand as you said "have postfix accepting the emails before passing them to Dovecot".
On the postfix side, one option would be using one mailbox and one catchall for each subdomain.
Setup a user: catchall@foobar.mydomain.com
Setup an alias: @foobar.mydomain.com -> catchall@foobar.mydomain.com
Setup a user: catchall@barbaz.mydomain.com
Setup an alias: @barbaz.mydomain.com -> catchall@barbaz.mydomain.com
On the dovecot side, you can set up each person with their own login user and all of those users access the same IMAP inbox. Or you could just give everyone the password to the same one mailbox catchall@foobar.mydomain.com.
Not sure "dovecot creating users" is the right way to think about it. Dovecot simply looks for IMAP files where it's told to look. In dovecot config you set up flat files or databases that tell dovecot if someone logs in with this user:pass then look in this /server/path for emails. Other than that config, which you could point to a different /server/path changing their inbox, there are no "accounts".
On Wed, 27 Oct 2021 at 18:27, dovecot@ptld.com wrote:
On 10-27-2021 12:06 pm, Felix Ingram wrote:
user1@foobar.mydomain.com user2@foobar.mydomain.com
user1@barbaz.mydomain.com user2@barbaz.mydomain.com
I would like all emails to the "foobar" subdomain to end up in their own mailbox and all emails to the "barbaz" subdomain to go to their own mailbox.
Your question might be more suited to the postfix mailing list. Dovecot doesn't receive mail from the internet, which I believe you understand as you said "have postfix accepting the emails before passing them to Dovecot".
On the postfix side, one option would be using one mailbox and one catchall for each subdomain.
Setup a user: catchall@foobar.mydomain.com
Setup an alias: @foobar.mydomain.com -> catchall@foobar.mydomain.com
Setup a user: catchall@barbaz.mydomain.com
Setup an alias: @barbaz.mydomain.com -> catchall@barbaz.mydomain.com
On the dovecot side, you can set up each person with their own login user and all of those users access the same IMAP inbox. Or you could just give everyone the password to the same one mailbox catchall@foobar.mydomain.com.
So I think this would make sense, though one stumbling block could be that we don't know the various subdomains ahead of time. The purpose of the system is that users can create disposable/temporary email addresses for various testing jobs. The subdomain can be any value that the user wants, and we don't want them to have to precreate them before they can use an address (we have an existing system that works this way, and so we want to keep that behaviour). I think your approach would work, however, if I set up aliases similar to:
@barbaz.mydomain.com -> barbaz@mydomain.com.
I believe I can do that in postfix with some regex magic. I would then want users to log in as "barbaz", and get access to all of the emails. I believe that if I create Dovecot users for my system users, and then set them as master users, then they will be able to log into Dovecot with something like:
barbaz*<system user account>
as their username.
Not sure "dovecot creating users" is the right way to think about it.
Dovecot simply looks for IMAP files where it's told to look. In dovecot config you set up flat files or databases that tell dovecot if someone logs in with this user:pass then look in this /server/path for emails. Other than that config, which you could point to a different /server/path changing their inbox, there are no "accounts".
I think my "creating users" was me wanting to make sure that when postfix passes an email for "barbaz@mydomain.com" to Dovecot, then Dovecot will store it and wait for someone to come along and impersonate barbaz. i.e. "barbaz" doesn't have to exist as a user already before Dovecot will store the mail.
Thanks again for the pointers - I shall play with postfix local delivery before trying to wire up Dovecot.
Regards,
Felix
I think your approach would work, however, if I set up aliases similar to:
@barbaz.mydomain.com -> barbaz@mydomain.com.
I believe I can do that in postfix with some regex magic.
Yes, that would work perfectly without any regex. You just point the catchall alias to the "user". @barbaz.mydomain.com -> barbaz@mydomain.com
one stumbling block could be that we don't know the various subdomains ahead of time.
The subdomain can be any value that the user wants, and we don't want them to have to precreate them before they can use an address
To the best of my knowledge this is not possible with postfix. But ask the postfix mailing list to get a definitive answer. In postfix you have to tell it the domains it accepts mail for; anything else it considers relaying. Otherwise how does postfix know that email is meant to be saved here or it is just passing through and you want postfix to query DNS to find out where it goes (if relaying is even allowed)?
The purpose of the system is that users can create disposable/temporary email addresses for various testing jobs.
Are you aware of postfix recipient_delimiter? It allows for disposable / wild card addresses. If enabled in postfix, you setup a mailbox user like barbaz@mydomain.com and any address with that user and the delimiter would still get delivered to that user.
barbaz@mydomain.com -> barbaz@mydomain.com
barbaz+randomtext@mydomain.com -> barbaz@mydomain.com
barbaz+test1@mydomain.com -> barbaz@mydomain.com
You can change the + to any symbol you want postfix to look out for.
I think my "creating users" was me wanting to make sure that when postfix passes an email for "barbaz@mydomain.com" to Dovecot, then Dovecot will store it and wait for someone to come along and impersonate barbaz. i.e. "barbaz" doesn't have to exist as a user already before Dovecot will store the mail.
If you are using LMTP dovecot will only accept emails from postfix that it can look up the /directory/path to from one of the userdb{} or passdb{} sections. If dovecot can not find a match in any of the userdb{} or passdb{} it will reject the email as user unknown, causing postfix to send an undeliverable notice email back to the envelope sender address, also known as back-scatter. I am not aware of a way to use wildcard addresses in dovecot userdb{}; I don't think it's possible, but I don't know what I don't know.
Interesting. Have you looked at this?
https://serverfault.com/questions/133190/host-wildcard-subdomains-using-post...
[People have too much "flair" and rep points and I can't participate in those stackexchange discussions or ask or answer like I used to.]
On October 27, 2021 3:15:01 PM AKDT, dovecot@ptld.com wrote:
I think your approach would work, however, if I set up aliases similar to:
@barbaz.mydomain.com -> barbaz@mydomain.com.
I believe I can do that in postfix with some regex magic.
Yes, that would work perfectly without any regex. You just point the catchall alias to the "user". @barbaz.mydomain.com -> barbaz@mydomain.com
one stumbling block could be that we don't know the various subdomains ahead of time.
The subdomain can be any value that the user wants, and we don't want them to have to precreate them before they can use an address
To the best of my knowledge this is not possible with postfix. But ask the postfix mailing list to get a definitive answer. In postfix you have to tell it the domains it accepts mail for; anything else it considers relaying. Otherwise how does postfix know that email is meant to be saved here or it is just passing through and you want postfix to query DNS to find out where it goes (if relaying is even allowed)?
The purpose of the system is that users can create disposable/temporary email addresses for various testing jobs.
Are you aware of postfix recipient_delimiter? It allows for disposable / wild card addresses. If enabled in postfix, you setup a mailbox user like barbaz@mydomain.com and any address with that user and the delimiter would still get delivered to that user.
barbaz@mydomain.com -> barbaz@mydomain.com
barbaz+randomtext@mydomain.com -> barbaz@mydomain.com
barbaz+test1@mydomain.com -> barbaz@mydomain.com
You can change the + to any symbol you want postfix to look out for.
I think my "creating users" was me wanting to make sure that when postfix passes an email for "barbaz@mydomain.com" to Dovecot, then Dovecot will store it and wait for someone to come along and impersonate barbaz. i.e. "barbaz" doesn't have to exist as a user already before Dovecot will store the mail.
If you are using LMTP dovecot will only accept emails from postfix that it can look up the /directory/path to from one of the userdb{} or passdb{} sections. If dovecot can not find a match in any of the userdb{} or passdb{} it will reject the email as user unknown, causing postfix to send an undeliverable notice email back to the envelope sender address, also known as back-scatter. I am not aware of a way to use wildcard addresses in dovecot userdb{}; I don't think it's possible, but I don't know what I don't know.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On 10-27-2021 11:10 pm, justina colmena ~biz wrote:
Interesting. Have you looked at this?
https://serverfault.com/questions/133190/host-wildcard-subdomains-using-post...
That makes sense and would work, setting domains and user addresses with Perl regex expressions.
On Thu, 28 Oct 2021 at 00:15, dovecot@ptld.com wrote:
I think your approach would work, however, if I set up aliases similar to:
@barbaz.mydomain.com -> barbaz@mydomain.com.
I believe I can do that in postfix with some regex magic.
Yes, that would work perfectly without any regex. You just point the catchall alias to the "user". @barbaz.mydomain.com -> barbaz@mydomain.com
I've managed to get this working in postfix - I needed the regex rather than a static map, as I need to extract the unknown subdomain portion but it seems to be working. I have been able to get postfix to save it to a file as well and it seems to work as I expected.
[..]
The purpose of the system is that users can create disposable/temporary email addresses for various testing jobs.
Are you aware of postfix recipient_delimiter? It allows for disposable / wild card addresses. If enabled in postfix, you setup a mailbox user like barbaz@mydomain.com and any address with that user and the delimiter would still get delivered to that user.
barbaz@mydomain.com -> barbaz@mydomain.com
barbaz+randomtext@mydomain.com -> barbaz@mydomain.com
barbaz+test1@mydomain.com -> barbaz@mydomain.com
You can change the + to any symbol you want postfix to look out for.
We were using this approach on a different domain but our issue was that we have multiple people on the same piece of work and so they needed to share access to all of the mails. We decided on the approach I'm describing as we also wanted to have control at the DNS level to do this such as expiring addresses.
I think my "creating users" was me wanting to make sure that when postfix passes an email for "barbaz@mydomain.com" to Dovecot, then Dovecot will store it and wait for someone to come along and impersonate barbaz. i.e. "barbaz" doesn't have to exist as a user already before Dovecot will store the mail.
If you are using LMTP dovecot will only accept emails from postfix that it can look up the /directory/path to from one of the userdb{} or passdb{} sections. If dovecot can not find a match in any of the userdb{} or passdb{} it will reject the email as user unknown, causing postfix to send an undeliverable notice email back to the envelope sender address, also known as back-scatter. I am not aware of a way to use wildcard addresses in dovecot userdb{}; I don't think it's possible, but I don't know what I don't know.
So I think this will be the main issue now - there's no way of knowing the addresses ahead of time, so it sounds like I'll need to add them to userdb{} when they hit postfix and before they get passed to dovecot.
For my sins I'm building this on Kubernetes so dovecot is on a separate "machine" at the moment. The userdb will be in postgres, as I'm using that for other things, so I guess I'll need to update that in postfix somewhere. This is a fairly low volume system, so I can probably take the hit of a DB query per email.
Currently postfix doesn't even seem to be attempting to talk to dovecot but that's one for the postfix list.
Thanks again for the help.
Cheers,
Felix
On Thu, 28 Oct 2021 at 08:29, Felix Ingram f.ingram@gmail.com wrote:
On Thu, 28 Oct 2021 at 00:15, dovecot@ptld.com wrote:
[...]
I think my "creating users" was me wanting to make sure that when
postfix passes an email for "barbaz@mydomain.com" to Dovecot, then Dovecot will store it and wait for someone to come along and impersonate barbaz. i.e. "barbaz" doesn't have to exist as a user already before Dovecot will store the mail.
If you are using LMTP dovecot will only accept emails from postfix that it can look up the /directory/path to from one of the userdb{} or passdb{} sections. If dovecot can not find a match in any of the userdb{} or passdb{} it will reject the email as user unknown, causing postfix to send an undeliverable notice email back to the envelope sender address, also known as back-scatter. I am not aware of a way to use wildcard addresses in dovecot userdb{}; I don't think it's possible, but I don't know what I don't know.
So I think this will be the main issue now - there's no way of knowing the addresses ahead of time, so it sounds like I'll need to add them to userdb{} when they hit postfix and before they get passed to dovecot.
Just to close the loop on this - I managed to get this working using postfix's virtual aliases. I use a postgresql function in the alias lookup that transforms ' tester@foobar.mydomain.com' into 'foobar@mydomain.com' and at the same time inserts 'foobar@mydomain.com' into the Dovecot users table. I then have a separate passdb for master users that can log in and impersonate the foobar user.
So far this seems to work.
Thanks again to everyone for the help.
Felix
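The alias lookup Felix describes in his closing message, as an added example that is not part of the thread: a Python model of the PostgreSQL function, rewriting tester@foobar.mydomain.com to foobar@mydomain.com and registering that user in the same step so Dovecot LMTP does not reject the message as "user unknown". An in-memory SQLite table stands in for the Dovecot users table; the table name, columns and the /var/mail/vhosts home layout are assumptions.

```python
import re
import sqlite3
from typing import List, Optional

BASE_DOMAIN = "mydomain.com"

# <anything>@<sub>.mydomain.com, where <sub> is exactly one DNS label
# (letters, digits, inner hyphens, at most 63 chars). The anchors reject
# "x@a.b.mydomain.com" and "x@foobar.mydomain.com.evil.net", and the label
# rules keep characters such as "/" or ".." out of the mailbox name, which
# is later used to build a filesystem path.
# The equivalent static pcre_table line for virtual_alias_maps would be
#   /^[^@]+@([a-z0-9-]+)\.mydomain\.com$/ ${1}@mydomain.com
# but that form cannot also register the user.
SUBDOMAIN_ADDRESS = re.compile(
    r"^(?P<local>[a-z0-9._%+-]{1,64})@"
    r"(?P<sub>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)\."
    + re.escape(BASE_DOMAIN) + r"$"
)


def rewrite_recipient(recipient: str) -> Optional[str]:
    """Map user1@foobar.mydomain.com to foobar@mydomain.com.
    Returns None for anything else so the caller can let Postfix fall
    through to its normal (non-local) handling instead of accepting it."""
    m = SUBDOMAIN_ADDRESS.match(recipient.strip().lower())
    return f"{m.group('sub')}@{BASE_DOMAIN}" if m else None


def open_userdb() -> sqlite3.Connection:
    """Stand-in for the Dovecot users table; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, home TEXT NOT NULL)")
    return conn


def alias_lookup(conn: sqlite3.Connection, recipient: str) -> Optional[str]:
    """What the alias map query does: rewrite the address and, in the same
    step, make sure the target exists in userdb so Dovecot LMTP does not
    reject the message as 'user unknown' (and Postfix does not bounce it)."""
    target = rewrite_recipient(recipient)
    if target is None:
        return None
    sub = target.split("@", 1)[0]
    # INSERT OR IGNORE keeps the lookup idempotent: the second mail to the
    # same subdomain must neither fail nor create a duplicate row.
    conn.execute("INSERT OR IGNORE INTO users (email, home) VALUES (?, ?)",
                 (target, f"/var/mail/vhosts/{sub}"))
    conn.commit()
    return target


def known_users(conn: sqlite3.Connection) -> List[str]:
    """Users registered so far, for inspection and tests."""
    return [r[0] for r in conn.execute("SELECT email FROM users ORDER BY email")]
```

Anything the regex does not accept is returned as None rather than mapped, so a malformed or foreign address is never turned into a new mailbox or home directory.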
On Wed, 27 Oct 2021, Felix Ingram wrote:
[...]
People would be able to send email to addresses that match the following format:
user1@foobar.mydomain.com user2@foobar.mydomain.com
user1@barbaz.mydomain.com user2@barbaz.mydomain.com
[...]
I will be creating a web interface for users to get/set their credentials, so can add those users on an ad hoc basis, but I will need to have the "foobar", "barbaz", etc users created whenever an email arrives (we won't know ahead of time).
[...]
Further to the responses you have received already, I'd like to note that if you want to receive mail at {alias}@{user}.mydomain.com then, at the time of *sending* the e-mail there needs to be an MX record for user, as otherwise the sender won't be able to connect to your (postfix) server.
That means that the users will have to exist *before* postfix receives the message, and thus clearly before dovecot receives it, so you may have to reconsider your requirement of adding users on the fly.
Of course, you could use a wildcard MX, but my understanding is that this can cause problems (but I'd have to check in RFC1912 and RFC4592).
Cheers.
On Thu, 28 Oct 2021 at 07:40, Bernardo Reino reinob@bbmk.org wrote:
[...]
Further to the responses you have received already, I'd like to note that if you want to receive mail at {alias}@{user}.mydomain.com then, at the time of *sending* the e-mail there needs to be an MX record for user, as otherwise the sender won't be able to connect to your (postfix) server.
That means that the users will have to exist *before* postfix receives the message, and thus clearly before dovecot receives it, so you may have to reconsider your requirement of adding users on the fly.
Excellent point. So we are also using a DNS server with this (CoreDNS with some custom plugins). This means we are able to handle the dynamic MX records (plus also allowing us to expire domains if we need to).
Cheers,
Felix
participants (4)
- Bernardo Reino
- dovecot@ptld.com
- Felix Ingram
- justina colmena ~biz