Phil Howard
2010-Apr-21 14:32 UTC
[Dovecot] best choice of user database file to work with postfix?
I'm setting up a Postfix and Dovecot combination. What I want to do is have a user database that (1) is not running from some engine (so not LDAP or SQL or such) ... and (2) is completely disassociated from system users (e.g. most email users are not in /etc/passwd and most /etc/passwd users are not email users). Ideal would be a one-file solution, which can be managed by text editing or simple command line tools. But what I want is ONE file that both Postfix (for valid recipients) and Dovecot (for user login authentication) can use together. An alternative is some way to get Postfix to go through Dovecot to query for users (at the time of mail arriving on SMTP so it doesn't queue anything that would later be rejected). This is a smallish setup on one server, with probably a max of 50 to 100 users and 50 or so role account mailboxes over the next year or two. Any recommendations?
Andreas Schulze
2010-Apr-21 14:46 UTC
[Dovecot] best choice of user database file to work with postfix?
build as passdb ( http://wiki.dovecot.org/AuthDatabase/PasswdFile ) and write a script which builds a valid postfix lookup table usable as local_recipient_maps.

Andreas

On 21.04.2010 10:32, Phil Howard wrote:
> I'm setting up a Postfix and Dovecot combination. What I want to do is have
> a user database that (1) is not running from some engine (so not LDAP or SQL
> or such) ... and (2) is completely disassociated from system users (e.g.
> most email users are not in /etc/passwd and most /etc/passwd users are not
> email users). Ideal would be a one-file solution, which can be managed by
> text editing or simple command line tools. But what I want is ONE file that
> both Postfix (for valid recipients) and Dovecot (for user login
> authentication) can use together. An alternative is some way to get Postfix
> to go through Dovecot to query for users (at the time of mail arriving on
> SMTP so it doesn't queue anything that would later be rejected). This is a
> smallish setup on one server, with probably a max of 50 to 100 users and 50
> or so role account mailboxes over the next year or two. Any
> recommendations?

--
Andreas Schulze
Internetdienste | P532
DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg Nr.70
Executive board: Prof. Dieter Kempf (Chairman), Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman), Dipl.-Kfm. Michael Leistenschneider, Jörg Rabe v. Pappenheim, Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen
Patrick Nagel
2010-Apr-21 14:47 UTC
[Dovecot] best choice of user database file to work with postfix?
I think /etc/passwd is as close as it gets to your requirements... why not just add the users as system users, and set their shell to /bin/false?

Patrick

"Phil Howard" <ttiphil at gmail.com> wrote:
> I'm setting up a Postfix and Dovecot combination. What I want to do is have
> a user database that (1) is not running from some engine (so not LDAP or SQL
> or such) ... and (2) is completely disassociated from system users (e.g.
> most email users are not in /etc/passwd and most /etc/passwd users are not
> email users). Ideal would be a one-file solution, which can be managed by
> text editing or simple command line tools. But what I want is ONE file that
> both Postfix (for valid recipients) and Dovecot (for user login
> authentication) can use together. An alternative is some way to get Postfix
> to go through Dovecot to query for users (at the time of mail arriving on
> SMTP so it doesn't queue anything that would later be rejected). This is a
> smallish setup on one server, with probably a max of 50 to 100 users and 50
> or so role account mailboxes over the next year or two. Any
> recommendations?

--
Sent from my Android phone with K-9. Please excuse my brevity.
Alexander
2010-Apr-21 14:55 UTC
[Dovecot] best choice of user database file to work with postfix?
Set up the users in /etc/dovecot/passwd for Dovecot authentication and /etc/postfix/vmailbox for postfix users. Not possible to use one file for two of them because the formats are markedly different.

Alexander

----- Original Message -----
From: "Phil Howard" <ttiphil at gmail.com>
To: <dovecot at dovecot.org>
Sent: Wednesday, April 21, 2010 3:32 PM
Subject: [Dovecot] best choice of user database file to work with postfix?

> I'm setting up a Postfix and Dovecot combination. What I want to do is have
> a user database that (1) is not running from some engine (so not LDAP or SQL
> or such) ... and (2) is completely disassociated from system users (e.g.
> most email users are not in /etc/passwd and most /etc/passwd users are not
> email users). Ideal would be a one-file solution, which can be managed by
> text editing or simple command line tools. But what I want is ONE file that
> both Postfix (for valid recipients) and Dovecot (for user login
> authentication) can use together. An alternative is some way to get Postfix
> to go through Dovecot to query for users (at the time of mail arriving on
> SMTP so it doesn't queue anything that would later be rejected). This is a
> smallish setup on one server, with probably a max of 50 to 100 users and 50
> or so role account mailboxes over the next year or two. Any
> recommendations?
Peter Hessler
2010-Apr-21 14:58 UTC
[Dovecot] best choice of user database file to work with postfix?
postfix:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

dovecot:

    auth default {
      socket listen {
        client {
          path = /var/spool/postfix/private/auth
          user = _postfix
          group = wheel
          mode = 0660
        }
      }
    }

Then configure your favorite auth mechanism for dovecot. Let bake for 20 minutes, add salt for taste.

On 2010 Apr 21 (Wed) at 10:32:36 -0400 (-0400), Phil Howard wrote:
:I'm setting up a Postfix and Dovecot combination. What I want to do is have
:a user database that (1) is not running from some engine (so not LDAP or SQL
:or such) ... and (2) is completely disassociated from system users (e.g.
:most email users are not in /etc/passwd and most /etc/passwd users are not
:email users). Ideal would be a one-file solution, which can be managed by
:text editing or simple command line tools. But what I want is ONE file that
:both Postfix (for valid recipients) and Dovecot (for user login
:authentication) can use together. An alternative is some way to get Postfix
:to go through Dovecot to query for users (at the time of mail arriving on
:SMTP so it doesn't queue anything that would later be rejected). This is a
:smallish setup on one server, with probably a max of 50 to 100 users and 50
:or so role account mailboxes over the next year or two. Any
:recommendations?

--
Banectomy, n.: The removal of bruises on a banana.
-- Rich Hall, "Sniglets"
Brian Candler
2010-Apr-21 15:03 UTC
[Dovecot] best choice of user database file to work with postfix?
On Wed, Apr 21, 2010 at 10:32:36AM -0400, Phil Howard wrote:
> Ideal would be a one-file solution, which can be managed by
> text editing or simple command line tools. But what I want is ONE file that
> both Postfix (for valid recipients) and Dovecot (for user login
> authentication) can use together. An alternative is some way to get Postfix
> to go through Dovecot to query for users (at the time of mail arriving on
> SMTP so it doesn't queue anything that would later be rejected). This is a
> smallish setup on one server, with probably a max of 50 to 100 users and 50
> or so role account mailboxes over the next year or two. Any
> recommendations?

If you can't get postfix to read dovecot's virtual users, try switching to exim. I found exim can be configured to read pretty much any format you like. For example, I got exim to read courier-imap's userdb.dat files:

    # Lookup in userdb. If the address lookup succeeds, then we set
    # address_data. If it's forced to fail, we'll drop through to the next
    # router. If a temporary error occurs (e.g. file not readable), we'll defer.

    reset_address_data:
      driver = redirect
      address_data =
      data =

    userdb_lookup:
      driver = redirect
      condition = ${if ! def:address_data}
      address_data = source=userdb ${sg \
        {${lookup {$local_part@$domain} dbmnz {/path/to/userdb.dat} {$value} \
          {${lookup {@$domain} dbmnz {/path/to/userdb.dat} \
            {$value} fail }} }} \
        {([^=]+)=([^|]+)\\|?} {\$1=\${quote:\$2\} } }
        # note space between \$2\} and the next }
      data =

Then use ${extract {home} {$address_data} ...} to get field "home" from the userdb entry.

Basically what it's doing is finding the .dat entry with key user@domain or @domain (wildcard), finding a value of the form foo=bar|baz=qux and rewriting it to foo="bar" baz="qux", which the ${extract} function expects.

This sort of coding in exim's configure file is not pretty, but it works well. With only 50-100 users you'd be fine with a plain text file (lsearch) rather than a .dat

HTH,

Brian.
Phil Howard
2010-Apr-21 17:21 UTC
[Dovecot] best choice of user database file to work with postfix?
On Wed, Apr 21, 2010 at 10:47 AM, Patrick Nagel <mail at patrick-nagel.net> wrote:

> I think /etc/passwd is as close as it gets to your requirements... why not
> just add the users as system users, and set their shell to /bin/false?

There would be conflicts in this, especially with multiple domain names (sorry, forgot to mention that ... there will be about 10 domain names).
Phil Howard
2010-Apr-21 17:36 UTC
[Dovecot] best choice of user database file to work with postfix?
On Wed, Apr 21, 2010 at 10:58 AM, Peter Hessler <phessler at theapt.org> wrote:

> postfix:
>
>     smtpd_sasl_type = dovecot
>     smtpd_sasl_path = private/auth
>
> dovecot:
>
>     auth default {
>       socket listen {
>         client {
>           path = /var/spool/postfix/private/auth
>           user = _postfix
>           group = wheel
>           mode = 0660
>         }
>       }
>     }
>
> Then configure your favorite auth mechanism for dovecot. Let bake for 20
> minutes, add salt for taste.

This looks interesting. That would basically be run through Dovecot with a named socket I take it. How would the lookup table type be specified for local_recipient_maps in Postfix to use this?
Heiko Schlittermann
2010-Apr-21 21:45 UTC
[Dovecot] best choice of user database file to work with postfix?
Hello Phil,

Phil Howard <ttiphil at gmail.com> (Wed 21 Apr 2010 16:32:36 CEST):
> I'm setting up a Postfix and Dovecot combination. What I want to do is have
> a user database that (1) is not running from some engine (so not LDAP or SQL
> or such) ... and (2) is completely disassociated from system users (e.g.
> most email users are not in /etc/passwd and most /etc/passwd users are not
> email users). Ideal would be a one-file solution, which can be managed by
> text editing or simple command line tools. But what I want is ONE file that
> both Postfix (for valid recipients) and Dovecot (for user login

A recent demonstration of a German postfix expert used a sed script to convert (basically cut everything behind the first ":") the dovecot passdb file to a postfix readable text file (and convert this to a hash(?)).

I'm not sure if postfix really can't read a passdb (passwd-like) file. Probably it (postfix) isn't flexible enough for doing this, or the expert didn't want to show it.

As an exim user I'd suggest using exim - and enjoying real flexibility ;-)

The solution I'd prefer is (d) - it makes your exim independent of the userdb/passdb used by dovecot, you're just talking to the auth-master. (Something I'd implement additionally is a "softfail" (4xx error) in case the socket is not usable.)

    # exim config snippet - the dovecot passdb is /etc/vmail/passwd

    # for better readability of the (d) alternative below (using
    # exim's macro feature)
    SOCKET = /var/run/dovecot/auth-master
    REQUEST = VERSION\t1\t0\nUSER\t$pid\t$local_part\tservice=imap\n

    # local user router
    # choose (a), (b), (c), (d)
    vmail:
      driver = accept
      #(a) local_parts = lsearch;/etc/vmail/passwd
      #(b) condition = ${lookup{$local_part}lsearch{/etc/vmail/passwd}{true}}
      #(c) condition = ${lookup{$local_part@$domain}lsearch{/etc/vmail/passwd}{true}}
      #(d) condition = ${if match {${readsocket{SOCKET}{REQUEST}}} {(?m)^USER}}
      transport = dovecot

    # dovecot transport
    # dovecot uses uid vmail for accessing all mailboxes (userdb static)
    dovecot:
      driver = pipe
      command = /usr/lib/dovecot/deliver -d $local_part@$domain
      user = vmail

(?)
> smallish setup on one server, with probably a max of 50 to 100 users and 50
> or so role account mailboxes over the next year or two. Any
> recommendations?

Use Exim ;-)

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -
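The exchange behind option (d), together with the softfail Heiko mentions, as an added Python example that is not part of the original post or of exim or Dovecot. Only the request format and the USER reply come from the post; the function names, the NOTFOUND and FAIL reply keywords and the VERSION/SPID handshake lines are assumptions of this example.

```python
import socket

REPLIES = {"USER": "accept", "NOTFOUND": "reject", "FAIL": "defer"}

def build_request(req_id, user, service="imap"):
    """Same wire format as the REQUEST macro in the post."""
    # A tab or newline in the name would add fields or a second command.
    if any(c in user for c in "\t\r\n\0"):
        raise ValueError("control character in user name")
    return f"VERSION\t1\t0\nUSER\t{req_id}\t{user}\tservice={service}\n".encode()

def find_answer(buf, req_id):
    """Return the first complete reply line for our request id, or None."""
    for line in buf.decode("utf-8", "replace").split("\n")[:-1]:
        fields = line.split("\t")
        # Skip the handshake (VERSION, SPID): its second field can equal our id.
        if len(fields) >= 2 and fields[0] in REPLIES and fields[1] == str(req_id):
            return fields
    return None

def decide(fields):
    """No answer, FAIL or anything unknown is a 4xx, never 'no such user'."""
    return "defer" if fields is None else REPLIES[fields[0]]

def lookup(sock_path, user, req_id=1, timeout=5.0):
    try:
        request = build_request(req_id, user)
    except ValueError:
        return "reject"                  # no mailbox can have such a name
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sock_path)
            s.sendall(request)
            buf = b""
            while find_answer(buf, req_id) is None:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return decide(find_answer(buf, req_id))
    except OSError:                      # socket missing, unreadable or timed out
        return "defer"

if __name__ == "__main__":
    # Constructed replies, as the socket would deliver them after the handshake.
    for raw in (b"SPID\t1\nUSER\t1\talice\n", b"SPID\t1\nNOTFOUND\t1\n", b"SPID\t1\n"):
        print(decide(find_answer(raw, 1)))
```

An MTA using this would answer 250, 550 or 451 for accept, reject and defer respectively, so an unreachable auth socket delays mail instead of bouncing it.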
Phil Howard
2010-Apr-22 13:17 UTC
[Dovecot] best choice of user database file to work with postfix?
On Wed, Apr 21, 2010 at 5:45 PM, Heiko Schlittermann <hs at schlittermann.de> wrote:

> Hello Phil,
>
> Phil Howard <ttiphil at gmail.com> (Wed 21 Apr 2010 16:32:36 CEST):
> > I'm setting up a Postfix and Dovecot combination. What I want to do is have
> > a user database that (1) is not running from some engine (so not LDAP or SQL
> > or such) ... and (2) is completely disassociated from system users (e.g.
> > most email users are not in /etc/passwd and most /etc/passwd users are not
> > email users). Ideal would be a one-file solution, which can be managed by
> > text editing or simple command line tools. But what I want is ONE file that
> > both Postfix (for valid recipients) and Dovecot (for user login
>
> A recent demonstration of a German postfix expert used a sed script to
> convert (basically cut everything behind the first ":") the dovecot
> passdb file to a postfix readable text file (and convert this to a
> hash(?)).

Dozens, maybe millions, of ways to do that. The "cut" command might be enough. I do stuff in C, Bash, Pike, Awk, and even a little Python (just started learning it), as needed. I'd just integrate this copying and conversion into the script used to add mail users.

> I'm not sure if postfix really can't read a passdb (passwd-like) file.
> Probably it (postfix) isn't flexible enough for doing this, or the
> expert didn't want to show it.

It has the code to parse it. It just assumes a specific file location (e.g. the Unix system file /etc/passwd).

> As an exim user I'd suggest using exim - and enjoying real flexibility ;-)
> The solution I'd prefer is (d) - it makes your exim independent of the
> userdb/passdb used by dovecot, you're just talking to the auth-master.
> (Something I'd implement additionally is a "softfail" (4xx error) in
> case the socket is not usable.)

I'm already more familiar with Postfix. It's Dovecot and IMAP that's new to me right now. I can make this work in Postfix. But I'm just checking for shortcuts I don't otherwise see.
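The conversion suggested in this thread (a script that builds the Postfix lookup table from the Dovecot passwd-file by keeping only what precedes the first ":", as in the sed and cut approaches mentioned above), as an added Python example that is not code from any poster. The accepted key pattern, the "OK" right-hand side, the file mode and the function names are assumptions of this example.

```python
import os
import re
import tempfile

# Accepted key shape, "user" or "user@domain" (an assumption of this example).
KEY_RE = re.compile(r"[a-z0-9._+-]+(@[a-z0-9.-]+)?")

def recipients_from_passwd_file(text):
    """Return (keys, rejected) for Dovecot passwd-file content."""
    keys, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Keep only the text before the first ':' so no hash leaves the file.
        name, sep, _ = line.partition(":")
        key = name.strip().lower()      # Postfix folds lookup keys to lower case
        if not sep or not KEY_RE.fullmatch(key):
            rejected.append((lineno, name))
        elif key not in keys:
            keys.append(key)
    return keys, rejected

def write_postfix_map(keys, path):
    """Write 'key OK' lines atomically; run postmap on the result afterwards."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as out:
        out.writelines(f"{key} OK\n" for key in keys)
    os.chmod(tmp, 0o644)    # user names only, so it need not be secret
    os.replace(tmp, path)   # a reader never sees a half-written table

# Constructed sample; the password fields are placeholders, not real hashes.
SAMPLE = """\
# user:password:uid:gid:(gecos):home:(shell):extra_fields
alice@example.org:{PLAIN}placeholder::::::
sales@example.net:{SHA512-CRYPT}$6$placeholder::::::
Alice@Example.org:{PLAIN}second-entry::::::
bad user:{PLAIN}x::::::
noseparator
"""

if __name__ == "__main__":
    keys, rejected = recipients_from_passwd_file(SAMPLE)
    print(keys)       # recipients to publish
    print(rejected)   # (line number, name) pairs to fix by hand
```

The passwd-file itself keeps the password hashes and should stay readable only by Dovecot; the generated table holds nothing but recipient names, which is why it can be world-readable for Postfix.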