justina colmena ~biz
2021-Mar-09 17:47 UTC
Virtual users @ virtual domains / better documentation?
I have configured postfix so it will deliver mail to virtual mailboxes. For some reason, the mail is not delivered to the virtual mailboxes unless both $virtual_alias_domains and $virtual_alias_maps are left undefined: these directives are apparently for aliasing virtual users "@" virtual domains to "real" unix users on the local system.

--%%=
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
virtual_mailbox_domains = domain1.example.org domain2.example.com
virtual_transport = virtual
#virtual_alias_domains = domain1.example.org domain2.example.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
#virtual_alias_maps = hash:/etc/postfix/virtual
==%--

If the $virtual_alias_maps directive invalidates virtual mailboxes, then "the usual" aliases (postmaster@, etc.) for the virtual domains would have to be listed in /etc/aliases along with the non-virtual aliases, but this does not work either, and generates a warning when "newaliases" is run.

postalias: warning: /etc/aliases, line 99: name must be local

So as far as I can tell, no aliasing at all is available for "virtual_mailbox_domains" in postfix

I am still unsure how to authenticate the virtual users on postfix. PAM authentication works fine for non-virtual users. The following command gives two options for authentication: cyrus-sasl and dovecot-sasl.

# postconf -a
cyrus
dovecot

Postfix also works with cyrus-sasl if the passwords are set in "/etc/sasldb2" via the "saslpasswd2" command, but dovecot doesn't seem to work with cyrus-sasl, and has its own type of sasl authentication.

I realize this is not a postfix list, so my real question here is, What do I need in order for dovecot to authenticate the virtual users and allow them to read their mail and obtain authorization to send mail via postfix on the same system?

Piotr Auksztulewicz
2021-Mar-09 19:12 UTC
Virtual users @ virtual domains / better documentation?
> I have configured postfix so it will deliver mail to virtual mailboxes. For
> some reason, the mail is not delivered to the virtual mailboxes unless both
> $virtual_alias_domains and $virtual_alias_maps are left undefined: these
> directives are apparently for aliasing virtual users "@" virtual domains to
> "real" unix users on the local system.
>
> --%%=
> # ADDRESS REDIRECTION (VIRTUAL DOMAIN)
> #
> # The VIRTUAL_README document gives information about the many forms
> # of domain hosting that Postfix supports.
> virtual_mailbox_domains = domain1.example.org domain2.example.com
> virtual_transport = virtual
> #virtual_alias_domains = domain1.example.org domain2.example.com
> virtual_mailbox_base = /var/mail/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
> virtual_minimum_uid = 100
> virtual_uid_maps = static:5000
> virtual_gid_maps = static:5000
> #virtual_alias_maps = hash:/etc/postfix/virtual
> ==%--

First of all I won't recommend using native postfix 'virtual' delivery agent, if you already have dovecot as the mailbox server. It will work ok, as long as you use standard mailbox or maildir store in dovecot, but does not allow to use some dovecot-specific options, does not allow more modern storage formats (dbox), does not update indexes at delivery time and does not allow to run sieve scripts. IMO it's better to use either dovecot-lda configured as a postfix 'pipe' service, or LMTP.

> If the $virtual_alias_maps directive invalidates virtual mailboxes, then "the
> usual" aliases (postmaster@, etc.) for the virtual domains would have to be
> listed in
> /etc/aliases
> along with the non-virtual aliases, but this does not work either, and
> generates a warning when "newaliases" is run.
>
> postalias: warning: /etc/aliases, line 99: name must be local
>
> So as far as I can tell, no aliasing at all is available for
> "virtual_mailbox_domains" in postfix

Yes, there's no easy way to do aliases in postfix for a domain that's declared as virtual_mailbox.
You can alias virtual_mailbox domain addresses to local addresses, virtual_alias to virtual_mailbox, but not virtual_mailbox to virtual_mailbox, if I am correct. If you switch to dovecot-lda or LMTP, the aliases are best handled on the dovecot side by appropriate userdb setup. Using a database is handy. You could also setup virtual_mailbox_maps in postfix to use the same database so you have the same source of data. For my small setup I use sqlite, but one could use mysql.

> I am still unsure how to authenticate the virtual users on postfix. PAM
> authentication works fine for non-virtual users. The following command
> gives two options for authentication: cyrus-sasl and dovecot-sasl.
>
> # postconf -a
> cyrus
> dovecot
>

Use smtpd_sasl_* settings and configure dovecot to provide auth listener socket (either UNIX or TCP).

--
Piotr "Malgond" Auksztulewicz
firstname at lastname.net

On Tue, 09 Mar 2021 08:47:12 -0900, justina colmena ~biz <justina at colmena.biz> wrote:

> If the $virtual_alias_maps directive invalidates virtual mailboxes,
> then "the usual" aliases (postmaster@, etc.) for the virtual domains
> would have to be listed in
> /etc/aliases
> along with the non-virtual aliases, but this does not work either,
> and generates a warning when "newaliases" is run.
>
> postalias: warning: /etc/aliases, line 99: name must be local
>
> So as far as I can tell, no aliasing at all is available for
> "virtual_mailbox_domains" in postfix

/etc/aliases for local alias only. Use "virtual_alias_maps = hash:$config_directory/virtual" for virtual addresses (left-hand) resolution to virtual and/or (local addresses if need to) (right-hand) on this table. Then set in postfix main.cf the *_transport:

virtual_transport = lmtp:unix:private/dovecot-lmtp
# this path is relative to /var/spool/postfix/
mailbox_transport = ${virtual_transport}

> I am still unsure how to authenticate the virtual users on postfix.
> PAM authentication works fine for non-virtual users. The following
> command gives two options for authentication: cyrus-sasl and
> dovecot-sasl.
>
> # postconf -a
> cyrus
> dovecot
>
> Postfix also works with cyrus-sasl if the passwords are set in
> "/etc/sasldb2" via the "saslpasswd2" command, but dovecot doesn't
> seem to work with cyrus-sasl, and has its own type of sasl
> authentication.
>
> I realize this is not a postfix list, so my real question here is,
> What do I need in order for dovecot to authenticate the virtual users
> and allow them to read their mail and obtain authorization to send
> mail via postfix on the same system?

cyrus-sasl isn't needed if you're running dovecot (dovecot does provide an SASL authentication socket).
From postfix view, use in main.cf:

smtpd_sasl_security_options = noanonymous, noactive, nodictionary
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# this path is relative to /var/spool/postfix/

From dovecot view, configure a service auth:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

Then for your virtual users, you'll need to maintain a virtual users table backend (be it flat file, SQL, etc.):
<https://doc.dovecot.org/configuration_manual/authentication/>

--
matt [at] lv223.org
GPG key ID: 7D91A8CA
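
As an added example (not part of the message above and not the Dovecot project's own configuration), one flat-file backend for the "virtual users table" the reply leaves open, tied to the settings quoted in this thread. The users file path, the Maildir layout and the sample account are assumptions; uid/gid 5000, /var/mail/vhosts and the two socket paths come from the thread.

```conf
# Added example, Dovecot 2.3 syntax (e.g. /etc/dovecot/local.conf).
# Assumed: /etc/dovecot/users, the %d/%n Maildir layout, the sample account.
# From the thread: uid/gid 5000, /var/mail/vhosts, both Postfix socket paths.

protocols = imap lmtp

# PLAIN/LOGIN send the password itself, so refuse them on non-TLS connections.
disable_plaintext_auth = yes
auth_mechanisms = plain login

# Password source: one line per virtual user, "user@domain:{SCHEME}hash".
# Generate the hash with: doveadm pw -s SHA512-CRYPT
#   alice@domain1.example.org:{SHA512-CRYPT}<hash printed by doveadm pw>
passdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}

# Every virtual user maps to the one unprivileged mail uid/gid.
# A static userdb confirms the user exists by asking the passdb, so LMTP
# rejects recipients that are not listed in /etc/dovecot/users.
userdb {
  driver = static
  args = uid=5000 gid=5000 home=/var/mail/vhosts/%d/%n
}
mail_location = maildir:~/Maildir

# SASL socket for Postfix (smtpd_sasl_path = private/auth).
service auth {
  unix_listener /var/spool/postfix/private/auth {
    user = postfix
    group = postfix
    mode = 0660
  }
}

# Delivery socket for Postfix (virtual_transport = lmtp:unix:private/dovecot-lmtp).
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    user = postfix
    group = postfix
    mode = 0600
  }
}
```

On the Postfix side the smtpd_sasl_* settings only take effect with smtpd_sasl_auth_enable = yes, and smtpd_tls_auth_only = yes keeps AUTH from being offered before STARTTLS. Keep /etc/dovecot/users unreadable to ordinary local accounts, since it holds every virtual user's password hash.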