From: Emre Yazici on 20 Feb 2010 07:19

/dev/rob0 wrote:
> On Fri, Feb 19, 2010 at 07:32:27PM +0100, mouss wrote:
>
>> Wietse Venema wrote:
>>
>>> Emre Yazici:
>>>
>>>> What I want is to dynamically set the corresponding user so that
>>>> Postfix can invoke maildrop with that user's permissions and
>>>> mail delivery be made with the correct user rights.
>>>
>>> Use the Postfix local(8) delivery agent, and execute the maildrop
>>> command via the mailbox_command (or mailbox_command_maps)
>>> mechanism.
>>
>> alternatively, make sure maildrop is setuid (isn't this the
>> default?) and run it as a "trusted user" (the list of trusted users
>> is configured at maildrop build time). check maildrop docs.
>
> Another alternative to consider, since the mailbox scheme seemed
> pretty simple, is to use virtual(8) with virtual_{gid,uid}_maps
> populated as needed and desired. A simple scheme might be to use a
> common group for all (such as "virtual_gid_maps=static:vmail") with
> separate UIDs per domain.
>
> A more complex approach can be done, such as separate UIDs per
> mailbox, and a shared GID per domain. Then you have to create your
> maildirs with correct ownership when creating a new account.
>
>> That said, I prefer Wietse's suggestion...
>
> I do too, except I don't see the need for maildrop in this scenario.
> Looks like a job for local(8) on its own.

Using a separate UID and a common GID leads to a problem with maildrop
because I use a custom mailfilter file for each virtual user. From the
maildrop manual page:

> maildrop is very paranoid: both $HOME/.mailfilters, and
> $HOME/.mailfilters/filterfile must be owned by the user, and may not
> have any group or world permissions.
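
The ownership rule quoted from the maildrop manual page in the message above can be audited before deliveries start failing. This is an added example, not part of the original thread or of maildrop itself; the function name `audit_mailfilters` and the choice to apply the rule to every entry in the directory are assumptions.

```python
import os
import stat

def audit_mailfilters(home, uid):
    """Return (path, problem) pairs for $HOME/.mailfilters and its files.

    Applies the rule quoted from the maildrop manual page: the directory
    and each filter file must be owned by the user and must carry no
    group or world permission bits.
    """
    problems = []
    base = os.path.join(home, ".mailfilters")

    def check(path, want_dir):
        try:
            st = os.lstat(path)  # lstat: a symlink is judged itself, not its target
        except FileNotFoundError:
            problems.append((path, "missing"))
            return False
        if want_dir and not stat.S_ISDIR(st.st_mode):
            problems.append((path, "not a directory"))
            return False
        if not want_dir and not stat.S_ISREG(st.st_mode):
            problems.append((path, "not a regular file"))
            return False
        if st.st_uid != uid:
            problems.append((path, f"owned by uid {st.st_uid}, expected {uid}"))
        extra = stat.S_IMODE(st.st_mode) & 0o077  # any group or world bit
        if extra:
            problems.append((path, f"group/world bits set: {extra:03o}"))
        return True

    if check(base, want_dir=True):
        try:
            names = sorted(os.listdir(base))
        except PermissionError:
            problems.append((base, "unreadable by auditor"))
            names = []
        for name in names:
            check(os.path.join(base, name), want_dir=False)
    return problems
```

Run it once per virtual user with that user's home directory and numeric UID; an empty list means the directory and its filter files satisfy the quoted rule.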
From: mouss on 20 Feb 2010 08:15

Emre Yazici wrote:
> /dev/rob0 wrote:
>> On Fri, Feb 19, 2010 at 07:32:27PM +0100, mouss wrote:
>>
>>> Wietse Venema wrote:
>>>
>>>> Emre Yazici:
>>>>
>>>>> What I want is to dynamically set the corresponding user so that Postfix
>>>>> can invoke maildrop with that user's permissions and mail delivery
>>>>> be made with the correct user rights.
>>>>
>>>> Use the Postfix local(8) delivery agent, and execute the maildrop
>>>> command via the mailbox_command (or mailbox_command_maps) mechanism.
>>>
>>> alternatively, make sure maildrop is setuid (isn't this the default?)
>>> and run it as a "trusted user" (the list of trusted users is
>>> configured at maildrop build time). check maildrop docs.
>>
>> Another alternative to consider, since the mailbox scheme seemed
>> pretty simple, is to use virtual(8) with virtual_{gid,uid}_maps
>> populated as needed and desired. A simple scheme might be to use a
>> common group for all (such as "virtual_gid_maps=static:vmail") with
>> separate UIDs per domain.
>>
>> A more complex approach can be done, such as separate UIDs per
>> mailbox, and a shared GID per domain. Then you have to create your
>> maildirs with correct ownership when creating a new account.
>>
>>> That said, I prefer Wietse's suggestion...
>>
>> I do too, except I don't see the need for maildrop in this scenario.
>> Looks like a job for local(8) on its own.
>
> Using a separate UID and a common GID leads to a problem with maildrop
> because I use a custom mailfilter file for each virtual user. From the
> maildrop manual page:
>
>> maildrop is very paranoid: both $HOME/.mailfilters, and
>> $HOME/.mailfilters/filterfile must be owned by the user, and may not
>> have any group or world permissions.

At the time I used maildrop, I didn't use $home/.mailfilter. Instead, I
included the user file from the global /etc/maildroprc. Something like:

    BASE=/some/path
    USER=$1
    DOMAIN=$2
    exception {
        include "${BASE}/${DOMAIN}/${USER}/maildrop.rc"
    }