We want to enable authentication on virtual users (i.e. using a login name which is not an Unix username), e.g. we want to use an email address as a login name.
We want the same authentication schema to work on both authenticated SMTP sumbission (sending mail via Postfix) and on POP3/IMAP (incoming mail via Courier daemons).
Into the configuration file /etc/courier/authdaemonrc we add the module authuserdb to the authmodulelist, beside the standard Unix PAM (i.e. the passwd
and shadow
files ):
authmodulelist="authuserdb authpam"
The virtual users password file /etc/courier/userdb must be created, with all the relevant information for each user (do not inser newlines!):
name.surname@domain.org uid=1086|gid=1086|home=/home/name|shell=/bin/false |systempw=$1$GiNkrEZX$UTOWQkZZf0pp2TEOuyEu1/|mail=/home/name/Maildir
The Courier Authdaemon can be used through a socket which lives into a directory with the following permissions:
drwxrwxr-x 3 root courier 220 Oct 12 12:17 /var/run/courier/ drwxr-x--- 2 courier courier 100 Oct 12 12:17 /var/run/courier/authdaemon/
To use that socket from the Postfix chroot, it is necessary to move it under the chroot /var/spool/postfix/
# Stop the Courier AuthDaemon. systemctl stop courier-authdaemon.service # Create the socket directory into the Postfix chroot: mkdir -p /var/spool/postfix/var/run/courier/authdaemon # Assign the same permission as the original. chown root:courier /var/spool/postfix/var/run/courier/ chmod 0775 /var/spool/postfix/var/run/courier/ chown courier:courier /var/spool/postfix/var/run/courier/authdaemon/ chmod 0750 /var/spool/postfix/var/run/courier/authdaemon/ # Add into the Debian packaging system the info about custom directories. dpkg-statoverride --add root courier 775 /var/spool/postfix/var/run/courier dpkg-statoverride --add courier courier 750 /var/spool/postfix/var/run/courier/authdaemon
To verify that the dpkg-statoverride settings are in place, execute:
dpkg-statoverride --list
To have the socket available also under the original directory we can do a bind mount, this is command required (it does not survive a reboot):
mount /var/run/courier/authdaemon \ /var/spool/postfix/var/run/courier/authdaemon \ -t bind -o defaults,nodev,bind
Now it is possibile to restart the Authdaemon service and have it accessible at the original location and under the Postfix chroot:
systemctl start courier-authdaemon.service
To enable the bind mount at bootstrap we define a systemd mount service creating the file /etc/systemd/system/var-spool-postfix-var-run-courier-authdaemon.mount with the following content:
[Unit] Description=Mount Courier Authdaemon into Postfix chroot Wants=courier-authdaemon.service [Mount] What=/run/courier/authdaemon Where=/var/spool/postfix/var/run/courier/authdaemon Type=bind Options=defaults,nodev,bind [Install] WantedBy=postfix.service
NOTICE: The weak dependency Wants=courier-authdaemon.service
is preferable than the stronger ones Requires=
and After=
. In Debian 12 the strong dependencies cause a Systemd ordering cycle problem, see Problem with systemd-tmpfiles-setup service.
This is a systemd mount unit, we need to reload the systemd daemon and enable that unit for the next reboot:
systemctl daemon-reload systemctl enable var-spool-postfix-var-run-courier-authdaemon.mount
Finally the postfix process must be into the courier group, so it can read and write to the socket:
adduser postfix courier systemctl restart postfix
Install the spamassassin Debian package.
The package provides two Systemd units: spamd.service and spamassassin-maintenance.timer; both should be enabled to have the daemon running and the rules updated once a day.
To enable and start both, execute:
systemctl enable --now spamassassin-maintenance.timer systemctl enable spamassassin-maintenance.service systemctl start spamassassin-maintenance.service
Then you can check timer schedule with:
systemctl list-timers --all
The timer will call the spamassassin-maint which in turn will call the sa-update program to download the updated SpamAssassin rules and reload the spamd daemon.
The SpamAssassin rules are saved into /var/lib/spamassassin/.
Install the Debian packages clamav, clamav-daemon, clamdscan and clamav-freshclam. Ensure that the Systemd units clamav-daemon.service and clamav-freshclam.service are enabled and started.
The Freshclam program will update the database of signatures stored into /var/lib/clamav/ and will log into /var/log/clamav/freshclam.log.