This is an old revision of the document!


Postfix with Courier Authdaemon in Debian 12

Configuring the Courier Authdaemon

We want to enable authentication for virtual users, i.e. users whose login name is not a Unix username. For example, we want to use an email address as the login name.

In the configuration file /etc/courier/authdaemonrc we add the module authuserdb to the authmodulelist, alongside the standard Unix PAM module (i.e. the passwd and shadow files):

authmodulelist="authuserdb authpam"

The virtual users password file /etc/courier/userdb must be created, with all the relevant information for each user. Each entry must stay on a single line (do not insert newlines!); the example below is wrapped only for display:

name.surname@domain.org    uid=1086|gid=1086|home=/home/name|shell=/bin/false
    |systempw=$1$GiNkrEZX$UTOWQkZZf0pp2TEOuyEu1/|mail=/home/name/Maildir
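
An added example, not part of the original notes: a small linter for the userdb text described above. It reports records broken by a newline, missing fields, a login mapped to uid 0, and `systempw` hashes carrying the `$1$` (MD5-crypt) prefix seen in the sample entry. The logins and hashes in `SAMPLE` are constructed, and the required-field list is an assumption taken from the entry shown above.

```python
REQUIRED = ("uid", "gid", "home", "systempw")  # assumption: fields the sample entry sets
WEAK_PREFIXES = {"$1$": "MD5-crypt"}           # crypt(3) scheme markers to flag


def parse_fields(rest):
    """Split 'k=v|k=v' into a dict; the value keeps any later '=' characters."""
    fields = {}
    for item in rest.strip().split("|"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def lint_userdb(text):
    """Return (line_number, login, message) findings for userdb text."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line[0] in " \t|":
            # A record broken by a newline leaves an orphan tail like this.
            findings.append((num, None, "continuation line: record split by newline"))
            continue
        login, rest = (line.split(None, 1) + [""])[:2]
        fields = parse_fields(rest)
        for name in REQUIRED:
            if name not in fields:
                findings.append((num, login, f"missing field {name}"))
        if fields.get("uid") == "0":
            findings.append((num, login, "uid=0 maps a mail login to root"))
        pw = fields.get("systempw", "")
        for prefix, scheme in WEAK_PREFIXES.items():
            if pw.startswith(prefix):
                findings.append((num, login, f"systempw uses {scheme}"))
    return findings


# Constructed sample: line 1 is well formed, lines 2-3 are one record split in two.
SAMPLE = (
    "alice@example.org\tuid=1086|gid=1086|home=/home/alice|shell=/bin/false"
    "|systempw=$6$constructedsalt$constructedhash|mail=/home/alice/Maildir\n"
    "bob@example.org\tuid=1087|gid=1087|home=/home/bob|shell=/bin/false\n"
    "    |systempw=$1$constructed$constructedhash|mail=/home/bob/Maildir\n"
)

if __name__ == "__main__":
    for num, login, message in lint_userdb(SAMPLE):
        print(f"line {num}: {login or '-'}: {message}")
```
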

Moving the Courier Authdaemon socket into the Postfix chroot

The Courier Authdaemon is reached through a socket that lives in a directory with the following permissions:

drwxrwxr-x 3 root    courier 220 Oct 12 12:17 /var/run/courier/
drwxr-x--- 2 courier courier 100 Oct 12 12:17 /var/run/courier/authdaemon/

To use that socket from the Postfix chroot, it must be made available under the chroot directory /var/spool/postfix/:

# Stop the Courier AuthDaemon.
systemctl stop courier-authdaemon.service
# Create the socket directory in the Postfix chroot:
mkdir -p /var/spool/postfix/var/run/courier/authdaemon
# Assign the same permissions as the original.
chown root:courier    /var/spool/postfix/var/run/courier/
chmod 0775            /var/spool/postfix/var/run/courier/
chown courier:courier /var/spool/postfix/var/run/courier/authdaemon/
chmod 0750            /var/spool/postfix/var/run/courier/authdaemon/
# Register the custom directories' ownership and mode with the Debian packaging system.
dpkg-statoverride --add root    courier 775 /var/spool/postfix/var/run/courier
dpkg-statoverride --add courier courier 750 /var/spool/postfix/var/run/courier/authdaemon

To verify that the dpkg-statoverride settings are in place, execute:

dpkg-statoverride --list

To have the socket available both in the original directory and under the chroot, we can use a bind mount. This is the required command (it does not survive a reboot):

mount /var/run/courier/authdaemon \
    /var/spool/postfix/var/run/courier/authdaemon \
    -t bind -o defaults,nodev,bind

Now it is possible to restart the Authdaemon service and have it accessible at the original location and under the Postfix chroot:

systemctl start courier-authdaemon.service

To enable the bind mount at boot, we create a systemd mount unit in the file /etc/systemd/system/var-spool-postfix-var-run-courier-authdaemon.mount with the following content:

[Unit]
Description=Mount Courier Authdaemon into Postfix chroot
Requires=courier-authdaemon.service
After=courier-authdaemon.service

[Mount]
What=/var/run/courier/authdaemon
Where=/var/spool/postfix/var/run/courier/authdaemon
Type=bind
Options=defaults,nodev,bind

[Install]
WantedBy=postfix.service

Since this is a systemd mount unit, we need to reload the systemd daemon and enable the unit for the next reboot:

systemctl daemon-reload
systemctl enable var-spool-postfix-var-run-courier-authdaemon.mount

Finally, the postfix user must be in the courier group, so that the Postfix process can read and write to the socket:

adduser postfix courier
systemctl restart postfix

Spamassassin

Install the spamassassin package. The package provides two systemd units: spamd.service and spamassassin-maintenance.timer. Both should be enabled so that the daemon is running and the rules are updated once a day.

ClamAV

doc/appunti/linux/sa/postfix_courier_authdaemon_debian_12.1698070227.txt.gz · Last modified: 2023/10/23 16:10 by niccolo