Handling mail for non-system users with Exim4?

Posted by sabin on Thu 1 Dec 2005 at 11:50

I run Debian Sarge on my main server at home which provides different services. I also run exim4, courier-imap-(ssl), squirrelmail and spamd as my mail setup on this box. Now I am wondering how I could give different users email accounts without adding them system-wide as users.

I have set up exim4, imapd and squirrelmail to allow system users to use it. How would I make exim deliver mails for nonexistent system users to defined inboxes?

I should mention that I have also mysql running which could be an option for authenticating users.

Does anyone know about a HOWTO which fits my needs, or can give me hints/help me with that?

I'd also like to make dspam work for every user I'd add.

Thanks a lot in advance, Sabin

Re: Handling mail for non-system users with Exim4?
Posted by Anonymous (65.89.xx.xx) on Thu 1 Dec 2005 at 14:22
I found an excellent how-to on this very subject a while ago.
http://www.tty1.net/virtual_domains_en.html
enjoy

[ Parent ]

Re: Handling mail for non-system users with Exim4?
Posted by Anonymous (62.252.xx.xx) on Thu 1 Dec 2005 at 15:14
read the exim docs on aliases - there's a way to set a global 'catch-all' account.

[ Parent ]

Re: Handling mail for non-system users with Exim4?
Posted by sabin (81.223.xx.xx) on Thu 1 Dec 2005 at 16:13
Thanks a lot guys for your replies. The howto seems to be exactly what I need. Let's see how it'll work!

./sabin -s

[ Parent ]

Re: Handling mail for non-system users with Exim4?
Posted by Anonymous (80.254.xx.xx) on Thu 1 Dec 2005 at 18:55

[ Parent ]

Re: Handling mail for non-system users with Exim4?
Posted by Anonymous (82.153.xx.xx) on Fri 2 Dec 2005 at 08:44
I have a similar setup and was also looking to give people mail accounts and not much more.

However, instead of trying to convince exim and courier to use non-system accounts, I created a shell-users group and used the pam_access module to restrict ssh users as follows: In /etc/pam.d/ssh add the line:
account required pam_access.so accessfile=/etc/security/shell-access.conf
And then the file /etc/security/shell-access.conf contains:
+:shell-users:ALL
-:ALL:ALL
Now, I feel a lot safer from all the attempts to crack my server by guessing ssh passwords.

Still haven't found a good way to let these email users change their passwords yet ...

[ Parent ]

Re: Handling mail for non-system users with Exim4?
Posted by ineiti (81.221.xx.xx) on Fri 2 Dec 2005 at 15:52

I started with a simple system where you can have aliases for each domain (I also have multiple domains). Then I added the possibility to have virtual users. But as I (still) don't like databases, I did it in a more directory-oriented way. In
/etc/exim4/conf.d/router/360_exim4-local_vdom_aliases
I have the following:

#
# First we look up in /etc/exim4/virtual, if we have to do any aliases,
# based on the virtual domains!
#
vdom_aliases:
      driver = redirect
      allow_defer
      allow_fail
      domains = dsearch;/etc/exim4/virtual
      data = ${expand:${lookup{$local_part}lsearch*@{/etc/exim4/virtual/$domain}}}
      retry_use_local_part
      pipe_transport   = address_pipe
      file_transport   = address_file

#
# Then, if there is no local delivery, let's go and look if we have
# a virtual domain defined at /var/mail/virtual
#
vdom_aliases_maildir:
      debug_print = "R: vdom_aliases_maildir for $local_part@$domain"
      driver = redirect
      allow_defer
      allow_fail
      domains = dsearch;/var/mail/virtual
      data = /var/mail/virtual/$domain/$local_part/
      directory_transport = address_directory
      pipe_transport   = address_pipe
      file_transport   = address_file
      user = vmail
      group = vmail

Now I have two possibilities to influence the mail-delivery of exim:

  1. Use /etc/exim4/virtual/domainname in an "alias"-style way
  2. Add a directory in /var/mail/virtual/domain/name to have mail delivered in there

If I had debian.org, I could have
/etc/exim4/virtual/debian.org:

postmaster : user@localhost
forwarding_adress : user@somewhere.else.org
* : trash@localhost

Furthermore I'd create the directories
/var/mail/virtual/debian.org/user
/var/mail/virtual/debian.org/bug
to have the users "user@debian.org" and "bug@debian.org". Both directories should be owned by user vmail.vmail.

As imap-server I use dovecot with the following line in
/etc/dovecot/dovecot.conf

default_mail_env = maildir:/var/mail/virtual/%d/%n/
and
auth_userdb = passwd-file /etc/passwd.imap
for the passwords. This serves mail as stored by exim. One can also add symbolic links in there in order to cover local users.

Well, it's a bit hacky, but I wanted something easily extendable (and what is easier than writing "mkdir -p newdomain.org/user") and I just love my filesystem. (Why does MS want to make the filesystem a DB? One should make the DB a filesystem ;)

Hope it helps,

ineiti

[ Parent ]

Re: Handling mail for non-system users with Exim4?
Posted by sabin (81.223.xx.xx) on Fri 2 Dec 2005 at 16:01
good point there..
I think I should go for it and try it. my problem is, that I'm not that familiar with exim, so I'm sure it's gonna be a long night again!

thanks for your hint!

./sabin -s

[ Parent ]

1st Exim use
Posted by ineiti (81.221.xx.xx) on Fri 2 Dec 2005 at 17:01
So, if this is a first-timer, take care about the configuration of it: it's either in one file, or in different files. My explanation is for the "Split configuration into small files? - YES" configuration. You can change it with

dpkg-reconfigure exim4-config

Another useful tip is to use

exim4 -d+route -bt bug@debian.org (or whatever domain you're using it with)

and look at how it "resolves" the address. Very, very useful when debugging ;)

Good luck with exim. Tell us whether it worked, and what I forgot to write in the message, <grin>...

Ineiti

[ Parent ]

Re: 1st Exim use
Posted by sabin (81.223.xx.xx) on Fri 2 Dec 2005 at 17:28
1.

I did it so far like you described up there. I get the following error though:

sabin@mydomain.org is undeliverable:
Unrouteable address

when I hit "exim4 -d+route -bt sabin@mydomain.org"

note: mydomain.org is not my addy, I just replaced it.

2.

I wonder how I should tell courier to use a password file instead of pam.
concerning the mail directories I added this line:

MAILDIRPATH=/var/mail/virtual/%d/%n/

greets,

./sabin -s

[ Parent ]

Unroutable address
Posted by ineiti (81.221.xx.xx) on Fri 2 Dec 2005 at 18:55
Hi Sabin,

OK, I forgot something: 1st is because exim refuses to use unknown domains. You have to tell it in 'dpkg-reconfigure exim4-config' under "Other destinations for which mail is accepted":

@:localhost:dsearch;/etc/exim4/virtual:dsearch;/var/mail/virtual

This tells exim to consider all files in /etc/exim4/virtual and /var/mail/virtual as domains for which to accept mails.

For 2nd, I don't know courier ;) Dovecot works fine for me...

Have fun,

Ineiti

[ Parent ]

Re: 1st Exim use
Posted by sabin (81.223.xx.xx) on Fri 2 Dec 2005 at 17:39
However, when I replace /etc/exim4 with my backup files I created I get the following output:

domain = mydomain.org
errors_to=NULL
domain_data=NULL localpart_data=NULL
routed by dspam_router router
envelope to: sabin@mydomain.org
transport: dspam_spamcheck
sabin@mydomain.org
router = dspam_router, transport = dspam_spamcheck


./sabin -s

[ Parent ]

Re: 1st Exim use
Posted by bait (24.108.xx.xx) on Mon 5 Dec 2005 at 13:31
You might want to give this a try instead as it explains a bit more about what's needed to get exim4 to play nicely.

With a little cross referencing to the exim4 site docs you can set it up to use text files to replace the mysql back end.

It also goes into more details on courier-imap configuration.

http://www.xmn-berlin.de/~marte/exim/exim4_mysql_amavis_spamassasin.html

[ Parent ]

Re: Handling mail for non-system users with Exim4?
Posted by chris (217.8.xx.xx) on Thu 8 Dec 2005 at 09:59
Interesting this.

Couple of things

How to get this to work when you have catchall addresses in the /etc/exim4/virtual files?

For example

/etc/exim4/virtual/domain.tld

contains

foo: foo@localhost
* : trash@localhost

then under /var/mail/virtual I have a directory domain.tld with a directory testuser

Mail to testuser@domain.tld is delivered to the trash@localhost address (I'm guessing this is because the vdom_aliases_maildir config is after vdom_aliases in the config file but I don't really know).

Secondly - regarding courier - you can set the name of the maildir directory in /etc/default/courier - but - the path is harder. It appears to assume $HOME. Some google hits suggest changing the authenticator to redefine $HOME to /var/mail/virtual (for me that would be playing in /etc/courier/authdaemonrc) - so this appears to be harder with courier.

[ Parent ]

Virtual domains and aliases
Posted by ineiti (83.77.xx.xx) on Thu 8 Dec 2005 at 10:43
Hi,

yes, this is not intuitive. But to invert the order is not what you want, either: this would mean that local addresses get delivered BEFORE any aliases are done, which is not good. The correct way would be:

1. do any aliases without the "catch-all"
2. search in /var/mail/virtual/$domain$/$name$
3. Test for "catch-alls" and eventually deliver

Sounds complicated ;) A simple workaround is to have all your addresses in the alias-file:

foo : foo@localhost
testuser : testuser@localhost
* : trash@localhost

Which makes it a bit more complicated to set up a new user:

DOMAIN=domain.tld; USER=newuser; \
mkdir -p "/var/mail/virtual/$DOMAIN/$USER"; \
echo "$USER : $USER@localhost" >> "/etc/exim4/virtual/$DOMAIN"

But well, it's not so bad ;)

Have fun,

ineiti

[ Parent ]
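
The provisioning one-liner and the catch-all problem discussed above, as an added example that is not part of any post in this thread: a shell sketch that refuses names containing a slash or a leading dot before using them as path components, creates the Maildir, adds the alias entry only once, and lists Maildirs that a "*" entry would swallow. The function names (valid_name, has_alias, add_vuser, shadowed_mailboxes) and the ALIAS_ROOT/MAIL_ROOT variables are hypothetical; the paths and the vmail account are the ones used in the thread.

```shell
#!/bin/sh
# Added example; defaults follow the layout described in this thread.
ALIAS_ROOT=${ALIAS_ROOT:-/etc/exim4/virtual}
MAIL_ROOT=${MAIL_ROOT:-/var/mail/virtual}

# Accept only names that are safe as one path component: lower-case
# letters, digits, dot, underscore, hyphen; no slash, no leading dot.
valid_name() {
    case $1 in
        ''|.*|*[!a-z0-9._-]*) return 1 ;;
    esac
}

# has_alias FILE KEY: true if FILE has an entry whose key is exactly KEY.
has_alias() {
    [ -f "$1" ] && awk -v k="$2" -F'[ \t]*:' \
        '($1 "") == (k "") { found = 1 } END { exit !found }' "$1"
}

# add_vuser DOMAIN USER: create the Maildir plus an explicit alias entry.
add_vuser() {
    domain=$1 user=$2
    if ! valid_name "$domain" || ! valid_name "$user"; then
        echo "add_vuser: unsafe domain or user name" >&2
        return 1
    fi
    dir=$MAIL_ROOT/$domain/$user
    (umask 077 && mkdir -p "$dir/cur" "$dir/new" "$dir/tmp") || return 1
    # chown needs root; vmail is the user/group named in the thread's router.
    if [ "$(id -u)" -eq 0 ] && id vmail >/dev/null 2>&1; then
        chown vmail:vmail "$MAIL_ROOT/$domain" && chown -R vmail:vmail "$dir"
    fi
    has_alias "$ALIAS_ROOT/$domain" "$user" ||
        printf '%s : %s@localhost\n' "$user" "$user" >> "$ALIAS_ROOT/$domain"
}

# shadowed_mailboxes DOMAIN: list Maildirs that have no alias entry of
# their own in a domain whose alias file contains a "*" catch-all.
shadowed_mailboxes() {
    valid_name "$1" || return 1
    has_alias "$ALIAS_ROOT/$1" '*' || return 0
    for d in "$MAIL_ROOT/$1"/*/; do
        [ -d "$d" ] || continue
        has_alias "$ALIAS_ROOT/$1" "$(basename "$d")" || basename "$d"
    done
}
```

Any name printed by shadowed_mailboxes is a Maildir whose mail the "*" entry redirects before the Maildir router is reached, which is the testuser case described above.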

Re: Virtual domains and aliases
Posted by chris (217.8.xx.xx) on Thu 8 Dec 2005 at 11:00
Yes - this is do-able. At present the files under /etc/exim4/virtual are created by a perl script from an openldap setup (all remote forwards). We're looking at allowing some users to actually have a mail account - but no system account.

Oh - and one day - some fine day when I actually get the time to play - maybe just maybe I'll look at using LDAP directly :)

The only other issue I see here is that it appears that for dovecot or courier to work you have to symlink existing users' Maildirs to the /var/exim/virtual directory structure - or have I misunderstood that point? In other words - if imap points to /var/exim/virtual/domain/local then all users must exist there - including local ones? And - if the imap authentication is via a separate user database file - then all local users' passwords need to be duplicated there?

I did try a quick aptitude purge courier-imap; aptitude install dovecot - and it more or less worked (I could read all old mail in the inbox after the restart - but new mail didn't show - however I suspect the client).

I'm looking at migrating both pop and imap to dovecot to play with this a bit (not a major server - and learning a new package is sometimes fun) - but - exim is currently using courier authdaemon to handle SMTP auth - and I'm not sure how linked that is to the other courier parts (if you hadn't guessed - I got it working from a howto - and am still working on my understanding of the finer details). I really need to find out how that bit is working (and see if I can't get my father's mail client to play with something more than LOGIN or PLAIN).

[ Parent ]

Re: Virtual domains and aliases
Posted by ineiti (83.77.xx.xx) on Thu 8 Dec 2005 at 11:52
Local users
-----------

yes, I have symlinks in /var/mail/virtual to all Maildir-directories... For the passwords, read http://wiki.dovecot.org/Authentication , which states:

""
Dovecot 1.0-tests supports defining multiple password databases, so that if password doesn't match in the first database, it checks the next one. This can be useful if you want to easily support having both local system users in /etc/passwd but also virtual users. This isn't possible in 0.99 releases.
""

To prevent linking, you could have dovecot look in the standard home-directories, and give the virtual directories in the dovecot-password file.


New mail doesn't show up
------------------------

Be sure to have the appropriate uid and gid set in the virtual directories. Furthermore I have some troubles with mixing of .INBOX and INBOX (difference of a dot in front!) for all sub-directories (also .Trash and Trash). I didn't solve that one, yet :(


SMTP with exim
--------------

I searched around a lot, only to find this one, which works nicely, even with TLS:

http://www.debian-administration.org/articles/280

This site rocks ;)



Have fun,

Ineiti

[ Parent ]

Re: Virtual domains and aliases
Posted by chris (217.8.xx.xx) on Thu 8 Dec 2005 at 12:17
Local/Virtual passwords - cool. I'll have to look into backports tho :( Nice that this can avoid symlinking actual users too.

New mail - the mail is in the Maildir (when I switched back to courier it showed). However - the mail client I have is the cvs copy of gnus with some heavy elisp customisation - I'm going to want to test again with some other clients before I say that it's dovecot that's at fault.

SMTP with exim - cool - will look at this

This site rocks - yes - agreed - all hail Steve :) If you really like the site then remember this link

[ Parent ]

Re: Virtual domains and aliases
Posted by chris (217.8.xx.xx) on Thu 8 Dec 2005 at 14:05
Well - with the above discussion it looks pretty easy to get virtual users without use of a database working OK.

So - the only stage I need still to do is LDAP. For dovecot I can read up on the link posted above (with possible use of a backport or self-compiled). For sending though - SMTP auth - I've found the following

http://www.alios.org/exim4ldapauth.html

Now - anyone have any ideas how to change the config per virtual domain (different sites have different LDAP structures) ?

[ Parent ]