dovecot - Jul 2004 - Newbie question: configuration for virtual users

Hi!

I'm looking forward to deploying dovecot as an IMAP server. I did some
research into the various options and it looks like dovecot is the right
daemon for me. I'll be using it with Exim.

I am running a few tens of users on my server, most of them small
numbers of people part of a small company, e.g. example.com.

At present I have exim delivering to mbox in each virtual user's mail
folder. So, for chris, john and mandy @ example.com, I have

    /home/example/Mail/
        chris
        john
        mandy

All of the users in example.com run under the same uid and gid
(example). I like to separate these 'virtual' users from the real system
users for security reasons. I presently serve up these mboxes via
teapop, which allows for per-domain configuration. I couldn't find a
similar setup after a cursory read of the config file examples on the
dovecot website.

I'd like some advice on how to support different non-system users under
dovecot, ideally storing mail in a similar configuration to above,
except (presumably?) that the user files will be under each user name?
Thus:

    /home/example/Mail/
        chris/
        john/
        mandy/

I may use postgresql to store user configuration data if appropriate.

Advice gratefully received.
Rory
-- 
Rory Campbell-Lange 
<rory at campbell-lange.net>
<www.campbell-lange.net>

Hi

I've not done this but dovecot should be capable of doing what you want.

Try in dovecot.conf something like:

	default_mail_env = mbox:/home/example/Mail/%u

(assumes each user's INBOX is actually called INBOX, otherwise add the
:INBOX= option)

That sorts out the location bit - best to chroot the imap server process
and deny full filesystem access so they can't get to each other's mail.

That just leaves the authentication/userdb bit (shamelessly lifted from
docs)

	auth_userd = pgsql /etc/dovecot-pgsql.conf
	auth_passdb = pgsql /etc/dovecot-pgsql.conf

and in dovecot-pgsql.conf:
	connect = host=sql.example.com dbname=virtual user=virtual
		password=blarg	
 	user_query = SELECT home, 501 AS uid, 501 AS gid FROM users
		WHERE userid = '%u'
	password_query = SELECT password FROM users WHERE userid = '%u'
	default_pass_scheme = PLAIN

The user_query =  is pretty much just showing the username is valid or
not and forcing the UID/GID. You *could* store the location of the
mail directory as "home" the use mbox:%h instead - or in my example
not
bother.

I'll offer some out of band advice - if your users are fairly static, I
would advise storing dovecot's user list and passwords in a flat file
which can be auto-generated from Postgres regularly. It just makes it
easier to take the database offline for maintenance without forcing
everything to a halt. Live DB driven services are good for sites with
high data turnover like portals or ISPs - giving an instant reposnse to
things like a new user registering - but sometimes it's more trouble
than it's worth.

We used to tie exim into postgres - but if postgres fell over for a
night we got a big pile of trouble in the form of mega mail queues.


Munge that lot to fit your server/table layouts etc and common UID/GID

You have the choice of holding the plain passwd, a PLAIN-MD5, DIGEST-MD5
or a crypt version in the database. However - choose wisely based on
what the mail clients will support - there's a lot of variation.
Sylpheed will do PLAIN or CRAM-MD5 only. You may find that despite the
obvious issues, PLAIN is the best to use as everything can use it. Or if
the user's already authenticate via some other mechanism, use that if
dovecot supports it.

Hope that helps.

Tim

On Tue, 20 Jul 2004 23:41:13 +0100
Rory Campbell-Lange <rory at campbell-lange.net> wrote:
> Hi!
> 
> I'm looking forward to deploying dovecot as an IMAP server. I did some
> research into the various options and it looks like dovecot is the
> right daemon for me. I'll be using it with Exim.
> 
> I am running a few tens of users on my server, most of them small
> numbers of people part of a small company, e.g. example.com.
> 
> At present I have exim delivering to mbox in each virtual user's mail
> folder. So, for chris, john and mandy @ example.com, I have
> 
>     /home/example/Mail/
>         chris
>         john
>         mandy
> 
> All of the users in example.com run under the same uid and gid
> (example). I like to separate these 'virtual' users from the real
> system users for security reasons. I presently serve up these mboxes
> via teapop, which allows for per-domain configuration. I couldn't find
> a similar setup after a cursory read of the config file examples on
> the dovecot website.
> 
> I'd like some advice on how to support different non-system users
> under dovecot, ideally storing mail in a similar configuration to
> above, except (presumably?) that the user files will be under each
> user name? Thus:
> 
>     /home/example/Mail/
>         chris/
>         john/
>         mandy/
> 
> I may use postgresql to store user configuration data if appropriate.
> 
> Advice gratefully received.
> Rory
> -- 
> Rory Campbell-Lange 
> <rory at campbell-lange.net>
> <www.campbell-lange.net>

-- 
Tim Southerwood

Hi Tim

I'm very grateful for your advice.

On 21/07/04, Tim Southerwood (ts at doc.ic.ac.uk) wrote:
> I've not done this but dovecot should be capable of doing what you
want.
Great stuff! I'll look into the configuration you suggest.
...
> I'll offer some out of band advice - if your users are fairly static, I
> would advise storing dovecot's user list and passwords in a flat file
> which can be auto-generated from Postgres regularly. It just makes it
> easier to take the database offline for maintenance without forcing
> everything to a halt. Live DB driven services are good for sites with
> high data turnover like portals or ISPs - giving an instant reposnse to
> things like a new user registering - but sometimes it's more trouble
> than it's worth.
Yes, I'm running a lot of services off Postgres, and been caught out by
an apt-get update once or twice!
...
> You have the choice of holding the plain passwd, a PLAIN-MD5, DIGEST-MD5
> or a crypt version in the database. However - choose wisely based on
> what the mail clients will support - there's a lot of variation.
> Sylpheed will do PLAIN or CRAM-MD5 only. You may find that despite the
> obvious issues, PLAIN is the best to use as everything can use it. Or if
> the user's already authenticate via some other mechanism, use that if
> dovecot supports it.
I'm mainly supporting OSX Mail and XP Outlook users. Are they OK at
supporting DIGEST-MD5 or crypt? Maybe I should use IMAPS and plain?

Sorry for the questions in response to your answers!

Many thanks,
Rory

-- 
Rory Campbell-Lange 
<rory at campbell-lange.net>
<www.campbell-lange.net>