But these daemon users at least own processes (the mysql database server, for instance), and of course real objects such as files and directories are owned by them as well. In a well-run environment these accounts have no usable password (the password field is locked), so nobody can log in as them, and almost always the shell that would be started if someone did is the binary /sbin/nologin, which does exactly what it says on the tin: it denies the login.
Hunting down the virtual users
We all know that in order to have a mailbox there has to be a mailbox file (usually in /var/spool/mail) owned by the respective user. And if someone attempts to read this mailbox there has to be some kind of authentication, so the password must be stored somewhere. At this point a real (daemon) user comes into play, the postman Tom, who of course has a valid UID listed in the file /etc/passwd, which is in fact 555 on my system. Tom works at the heart of the mail delivery process, managing the virtual users' home directories and their mailboxes, and he is the only real user needed to serve hundreds of virtual users on the system.
Virtual home directories and mailboxes
For every virtual user, Dovecot (running as Tom) creates a home directory in which it keeps that user's IMAP state separately: the additional mailboxes such as sent-mail, the .imap index files and the .subscriptions list. The INBOX itself does not live in the home directory but under /kx/dovecot/mail, as the mail_location setting below shows.
total 16
drwx------ 4 postman root 4096 Nov 16 16:56 .
drwxr-xr-x 5 root root 4096 Dec 1 15:10 ..
drwx------ 3 postman postman 4096 Nov 16 15:41 alice
drwx------ 3 postman postman 4096 Nov 16 15:19 ron
...
/kx/dovecot/home/alice/mail:
total 24
drwx------ 3 postman postman 4096 Nov 16 15:44 .
drwx------ 3 postman postman 4096 Nov 16 15:41 ..
drwx------ 4 postman postman 4096 Nov 16 15:44 .imap
-rw------- 1 postman postman 10 Nov 16 15:44 .subscriptions
-rw------- 1 postman postman 5318 Dec 11 18:34 sent-mail
All these files have been created by Tom for each of the virtual users. To provide this infrastructure, Dovecot has to know, for every virtual user, which real uid/gid and which home directory to use (the userdb), and where to find the password to verify the login against (the passdb). The following fragment shows how the Dovecot configuration has to be changed for virtual users. The syntax is that of Dovecot 1.x; in Dovecot 2.x the same settings are written as separate userdb { } and passdb { } blocks, each with a driver = line.
mail_location = mbox:~/mail:INBOX=/kx/dovecot/mail/%n
auth default {
  # every virtual user maps to the same real uid/gid (postman) and to an
  # individual home directory named after the local part of the address (%n)
  userdb static {
    args = uid=postman gid=postman home=/kx/dovecot/home/%n
  }
  # passwords are verified against the Apache htpasswd file
  passdb passwd-file {
    args = /kx/horde/htpasswd
  }
  # the auth process itself runs as apache so that it can read that file
  user = apache
}
All passwords are stored in the file /kx/horde/htpasswd in the format used by the Apache web server. This matters for two reasons: because the Dovecot auth process runs as the apache user (user = apache above) it can read this file and authenticate the virtual users against it, and at the same time other web-based software running as apache can let the virtual users in with the same password. We will have a look at this later. The flip side is that everything running as apache can read every mail password hash, so the hash scheme matters: the 13-character value in the example line below is a traditional DES crypt(3) hash, which only uses the first eight characters of the password. Both Dovecot's default CRYPT scheme for passwd-file and Apache's password check hand hashes they do not handle themselves to the system crypt(3), so on a glibc system a stronger scheme such as SHA-512 ($6$...) can be used in the same file.
alice:ildPSIfh7EkT2
Getting all email in the right direction
By now we have mailbox access via IMAP for virtual users without having to register all these users in the system's user database. What we do not have in place yet is a mechanism to fill the virtual users' mailboxes with incoming mail. As you may suspect, another important part of the mail delivery process has to be adjusted so that the virtual users, who can have entirely different email addresses, receive their mail without hassle. This time we need to add a few lines to the Postfix configuration file and create a mapping between the email addresses and the virtual users who are supposed to read the mail.
# mailboxes live below this directory; the map value is a path relative to it
virtual_mailbox_base = /kx/dovecot/mail
virtual_mailbox_maps = hash:/kx/dovecot/virtual_mailbox_map
# required: every domain used in the map; with the default ($virtual_mailbox_maps)
# Postfix looks up the bare domain name, which the map does not contain
virtual_mailbox_domains = somedomain.ie
# deliver everything as the postman account (uid/gid 555)
virtual_uid_maps = static:555
virtual_gid_maps = static:555
The pivotal point here is the text file /kx/dovecot/virtual_mailbox_map, in which each email address is followed by the mailbox path relative to virtual_mailbox_base, here simply the virtual user's name. Mail for alice@somedomain.ie therefore ends up in /kx/dovecot/mail/alice (no trailing slash, so Postfix writes mbox format), which is exactly the file Dovecot uses as her INBOX (INBOX=/kx/dovecot/mail/%n above). Before Postfix can use this table it has to be hashed, i.e. converted into the database file /kx/dovecot/virtual_mailbox_map.db with the postmap command, and this has to be repeated every time the text file changes.
alice@somedomain.ie alice
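A virtual user now has to exist in three places at once: the Postfix map, the htpasswd file and the home directory tree. The following script, an added example that is not part of the original post, cross-checks them and flags the inconsistencies a practitioner cares about: addresses that are delivered but cannot be read (no password entry), accounts that can log in but receive no mail (stale entries), missing home directories, and the 13-character DES crypt hashes discussed above. The file paths are parameters; on the layout of this post they would be /kx/horde/htpasswd, /kx/dovecot/virtual_mailbox_map and /kx/dovecot/home. The sample tree created by make_sample_tree is constructed for the demonstration, and its $6$ hashes are placeholders, not real hashes.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check the three places
# a virtual user has to exist in the Postfix/Dovecot setup described above.

# audit_virtual_users HTPASSWD MAPFILE HOMEBASE
# Prints one line per finding, users in sorted order:
#   DES-CRYPT <user>      13-character crypt(3) hash: only 8 password characters count
#   NO-PASSWD <user>      mail is delivered, but nobody can authenticate as this user
#   NO-HOME <user>        home directory missing; Dovecot has to create it on first login
#   OK <user>             map entry, password entry and home directory all present
#   ORPHAN-PASSWD <user>  can log in, but no address in the map routes mail here
audit_virtual_users() {
    htpasswd=$1
    mapfile=$2
    homebase=$3
    # right-hand column of the Postfix map = mailbox relative to virtual_mailbox_base,
    # here the user name; blank lines and '#' comments are ignored, as postmap does
    mapusers=$(awk '/^[[:space:]]*#/ || NF == 0 {next} {print $2}' "$mapfile" | sort -u)
    # user names are everything left of the first ':' in the htpasswd file
    pwusers=$(awk -F: '/^[[:space:]]*#/ || NF == 0 {next} {print $1}' "$htpasswd" | sort -u)
    maplist=" $(printf '%s ' $mapusers)"

    for u in $mapusers; do
        hash=$(awk -F: -v u="$u" '$1 == u {print $2; exit}' "$htpasswd")
        if [ -z "$hash" ]; then
            echo "NO-PASSWD $u"
            continue
        fi
        # modular crypt hashes start with '$'; the legacy DES form is exactly 13 chars
        case $hash in
            '$'*) ;;
            *) if [ ${#hash} -eq 13 ]; then echo "DES-CRYPT $u"; fi ;;
        esac
        if [ ! -d "$homebase/$u" ]; then
            echo "NO-HOME $u"
            continue
        fi
        echo "OK $u"
    done

    for u in $pwusers; do
        case $maplist in
            *" $u "*) ;;
            *) echo "ORPHAN-PASSWD $u" ;;
        esac
    done
}

# make_sample_tree DIR -- constructed sample data for the demo (placeholder
# hashes, not real ones): alice is complete but keeps the 13-char DES hash
# from the post; bob is complete with a modern hash and receives two addresses;
# carol has no password entry; dave has no home directory yet; erin has a
# password but receives no mail.
make_sample_tree() {
    base=$1
    mkdir -p "$base/home/alice/mail" "$base/home/bob/mail" "$base/home/carol" "$base/mail"
    cat > "$base/htpasswd" <<'EOF'
alice:ildPSIfh7EkT2
bob:$6$placeholdersalt$placeholderhash
dave:$6$placeholdersalt$placeholderhash
erin:$6$placeholdersalt$placeholderhash
EOF
    cat > "$base/virtual_mailbox_map" <<'EOF'
alice@somedomain.ie  alice
bob@somedomain.ie    bob
sales@somedomain.ie  bob
carol@somedomain.ie  carol
dave@somedomain.ie   dave
# old@somedomain.ie  alice
EOF
}

# stand-alone demo on the constructed tree:  sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    audit_virtual_users "$demo/htpasswd" "$demo/virtual_mailbox_map" "$demo/home"
    rm -rf "$demo"
fi
```

The audit reads the plain-text map, so run it after editing the file and before rebuilding the database with postmap hash:/kx/dovecot/virtual_mailbox_map; on the sample tree it reports DES-CRYPT and OK for alice, OK for bob, NO-PASSWD for carol, NO-HOME for dave and ORPHAN-PASSWD for erin. Ownership and the drwx------ mode of the home directories are not checked here, since the portable way to do that is the ls -l listing shown earlier.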