Postfix with Courier Authdaemon in Debian 12 Bookworm
We want to enable authentication for virtual users (i.e. using a login name which is not a Unix username), e.g. we want to use an email address as a login name.
We want the same authentication scheme to work both for authenticated SMTP submission (sending mail via Postfix) and for POP3/IMAP (incoming mail via Courier daemons).
Configuring the Courier Authdaemon
In the configuration file /etc/courier/authdaemonrc we add the module authuserdb to the authmodulelist, beside the standard Unix PAM (i.e. the passwd and shadow files):
authmodulelist="authuserdb authpam"
The virtual users password file /etc/courier/userdb must be created, with all the relevant information for each user on a single line (do not insert newlines!):
name.surname@domain.org uid=1086|gid=1086|home=/home/name|shell=/bin/false|systempw=$1$GiNkrEZX$UTOWQkZZf0pp2TEOuyEu1/|mail=/home/name/Maildir
Moving the Courier Authdaemon socket into the Postfix chroot
The Courier Authdaemon can be used through a socket which lives in a directory with the following permissions:
drwxrwxr-x 3 root courier 220 Oct 12 12:17 /var/run/courier/
drwxr-x--- 2 courier courier 100 Oct 12 12:17 /var/run/courier/authdaemon/
To use that socket from the Postfix chroot, it is necessary to make it available under the chroot /var/spool/postfix/:
# Stop the Courier Authdaemon.
systemctl stop courier-authdaemon.service
# Create the socket directory inside the Postfix chroot.
mkdir -p /var/spool/postfix/var/run/courier/authdaemon
# Assign the same permissions as the original.
chown root:courier /var/spool/postfix/var/run/courier/
chmod 0775 /var/spool/postfix/var/run/courier/
chown courier:courier /var/spool/postfix/var/run/courier/authdaemon/
chmod 0750 /var/spool/postfix/var/run/courier/authdaemon/
# Register the custom directories with the Debian packaging system.
dpkg-statoverride --add root courier 775 /var/spool/postfix/var/run/courier
dpkg-statoverride --add courier courier 750 /var/spool/postfix/var/run/courier/authdaemon
To verify that the dpkg-statoverride settings are in place, execute:
dpkg-statoverride --list
To keep the socket available under the original directory as well, we can use a bind mount. This is the required command (it does not survive a reboot):
mount /var/run/courier/authdaemon \
    /var/spool/postfix/var/run/courier/authdaemon \
    -t bind -o defaults,nodev,bind
Now it is possible to restart the Authdaemon service and have it accessible both at the original location and under the Postfix chroot:
systemctl start courier-authdaemon.service
To enable the bind mount at boot we define a systemd mount unit by creating the file /etc/systemd/system/var-spool-postfix-var-run-courier-authdaemon.mount with the following content:
[Unit]
Description=Mount Courier Authdaemon into Postfix chroot
Wants=courier-authdaemon.service

[Mount]
What=/run/courier/authdaemon
Where=/var/spool/postfix/var/run/courier/authdaemon
Type=bind
Options=defaults,nodev,bind

[Install]
WantedBy=postfix.service
NOTICE: The weak dependency Wants=courier-authdaemon.service is preferable to the stronger ones Requires= and After=. In Debian 12 the strong dependencies cause a Systemd ordering cycle problem, see Problem with systemd-tmpfiles-setup service.
Since this is a systemd mount unit, we need to reload the systemd daemon and enable the unit for the next reboot:
systemctl daemon-reload
systemctl enable var-spool-postfix-var-run-courier-authdaemon.mount
Finally, the postfix user must be in the courier group, so that Postfix can read and write to the socket:
adduser postfix courier
systemctl restart postfix
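The checks below are an added example, not part of the original page: a POSIX shell audit that confirms the chroot directories carry the owners and modes set above, that the bind mount is active, that postfix is in the courier group and that the dpkg-statoverride entries exist. The function names and the --run switch are assumptions of this example; the paths, owners and modes are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original page. Paths, owners and modes are
# the ones used above; function names and --run are this example's own.
CHROOT=/var/spool/postfix
SOCKDIR=/var/run/courier/authdaemon

# check_dir PATH OWNER:GROUP MODE
# Succeeds only if PATH is a real directory (not a symlink) with exactly
# that owner, group and octal mode.
check_dir() {
    if [ -L "$1" ] || [ ! -d "$1" ]; then
        echo "FAIL $1: not a directory"; return 1
    fi
    have=$(stat -c '%U:%G %a' "$1") || return 1
    if [ "$have" != "$2 $3" ]; then
        echo "FAIL $1: have $have, want $2 $3"; return 1
    fi
    echo "ok   $1 ($have)"
}

# in_group USER GROUP: succeeds if USER is a member of GROUP.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# audit: run every check, report each failure, return non-zero if any failed.
audit() {
    rc=0
    check_dir "$CHROOT/var/run/courier" root:courier 775 || rc=1
    check_dir "$CHROOT$SOCKDIR" courier:courier 750 || rc=1
    if mountpoint -q "$CHROOT$SOCKDIR"; then
        echo "ok   bind mount active"
    else
        echo "FAIL $CHROOT$SOCKDIR is not a mount point"; rc=1
    fi
    if in_group postfix courier; then
        echo "ok   postfix is in group courier"
    else
        echo "FAIL postfix is not in group courier"; rc=1
    fi
    for d in "$CHROOT/var/run/courier" "$CHROOT$SOCKDIR"; do
        dpkg-statoverride --list "$d" >/dev/null 2>&1 ||
            { echo "FAIL no dpkg-statoverride for $d"; rc=1; }
    done
    return $rc
}

# Run the audit only when asked to, e.g.: sh audit-authdaemon.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

A mode looser than 750 on the authdaemon directory lets accounts outside the courier group reach the authentication socket, so a mismatch reported here is worth fixing before restarting Postfix.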
Spamassassin
Install the spamassassin Debian package.
The package provides two Systemd units: spamd.service and spamassassin-maintenance.timer; both should be enabled to have the daemon running and the rules updated once a day.
To enable and start both, execute:
systemctl enable --now spamassassin-maintenance.timer
systemctl enable spamassassin-maintenance.service
systemctl start spamassassin-maintenance.service
Then you can check the timer schedule with:
systemctl list-timers --all
The timer will call spamassassin-maint, which in turn will call the sa-update program to download the updated SpamAssassin rules and reload the spamd daemon.
The SpamAssassin rules are saved in /var/lib/spamassassin/.
ClamAV
Install the Debian packages clamav, clamav-daemon, clamdscan and clamav-freshclam. Ensure that the Systemd units clamav-daemon.service and clamav-freshclam.service are enabled and started.
The Freshclam program will update the signature database stored in /var/lib/clamav/ and will log to /var/log/clamav/freshclam.log.