Postfix with Courier Authdaemon in Debian 12
Configuring the Courier Authdaemon
We want to enable authentication for virtual users (i.e. using a login name which is not a Unix username), e.g. we want to use an email address as a login name.
In the configuration file /etc/courier/authdaemonrc we add the module authuserdb to the authmodulelist, beside the standard Unix PAM (i.e. the passwd and shadow files):
authmodulelist="authuserdb authpam"
The virtual users password file /etc/courier/userdb must be created, with all the relevant information for each user (do not insert newlines!):
name.surname@domain.org uid=1086|gid=1086|home=/home/name|shell=/bin/false|systempw=$1$GiNkrEZX$UTOWQkZZf0pp2TEOuyEu1/|mail=/home/name/Maildir
Moving the Courier Authdaemon socket into the Postfix chroot
The Courier Authdaemon is reached through a socket which lives in a directory with the following permissions:
drwxrwxr-x 3 root courier 220 Oct 12 12:17 /var/run/courier/
drwxr-x--- 2 courier courier 100 Oct 12 12:17 /var/run/courier/authdaemon/
To use that socket from the Postfix chroot, it is necessary to move it under the chroot /var/spool/postfix/:
# Stop the Courier AuthDaemon.
systemctl stop courier-authdaemon.service
# Create the socket directory into the Postfix chroot:
mkdir -p /var/spool/postfix/var/run/courier/authdaemon
# Assign the same permission as the original.
chown root:courier /var/spool/postfix/var/run/courier/
chmod 0775 /var/spool/postfix/var/run/courier/
chown courier:courier /var/spool/postfix/var/run/courier/authdaemon/
chmod 0750 /var/spool/postfix/var/run/courier/authdaemon/
# Add into the Debian packaging system the info about custom directories.
dpkg-statoverride --add root courier 775 /var/spool/postfix/var/run/courier
dpkg-statoverride --add courier courier 750 /var/spool/postfix/var/run/courier/authdaemon
To verify that the dpkg-statoverride settings are in place, execute:
dpkg-statoverride --list
To have the socket available also under the original directory we can do a bind mount; this is the command required (it does not survive a reboot):
mount /var/run/courier/authdaemon \
    /var/spool/postfix/var/run/courier/authdaemon \
    -t bind -o defaults,nodev,bind
Now it is possible to restart the Authdaemon service and have it accessible at the original location and under the Postfix chroot:
systemctl start courier-authdaemon.service
To enable the bind mount at boot we create a systemd mount unit in the file /etc/systemd/system/var-spool-postfix-var-run-courier-authdaemon.mount with the following content:
[Unit]
Description=Mount Courier Authdaemon into Postfix chroot
Requires=courier-authdaemon.service
After=courier-authdaemon.service
[Mount]
What=/var/run/courier/authdaemon
Where=/var/spool/postfix/var/run/courier/authdaemon
Type=bind
Options=defaults,nodev,bind
[Install]
WantedBy=postfix.service
This is a systemd mount unit; we need to reload the systemd daemon and enable that unit for the next reboot:
systemctl daemon-reload
systemctl enable var-spool-postfix-var-run-courier-authdaemon.mount
Finally the postfix user must be in the courier group, so it can read and write to the socket:
adduser postfix courier
systemctl restart postfix
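The checks below re-verify the result of the whole procedure: ownership and mode of the chroot directories, the dpkg-statoverride entries, the bind mount and the postfix group membership. This is an added example, not part of the original page; the function names and the script name check-authdaemon.sh are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): audit the chroot socket setup.
CHROOT_DIR=/var/spool/postfix/var/run/courier   # path used on this page

# Print "owner:group mode" for a path (GNU stat, as shipped by Debian).
perm_of() { stat -c '%U:%G %a' "$1" 2>/dev/null; }

# Succeed only if path $1 exists and has exactly the "owner:group mode" in $2.
check_perm() {
    if ! actual=$(perm_of "$1"); then
        echo "MISSING $1"; return 1
    fi
    if [ "$actual" = "$2" ]; then
        echo "OK      $1 ($actual)"; return 0
    fi
    echo "BAD     $1: got '$actual', expected '$2'"; return 1
}

# Succeed only if user $1 is a member of group $2.
in_group() { id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"; }

# Run every check from the procedure; return non-zero if any of them fails.
audit() {
    rc=0
    check_perm "$CHROOT_DIR" "root:courier 775" || rc=1
    check_perm "$CHROOT_DIR/authdaemon" "courier:courier 750" || rc=1
    for d in "$CHROOT_DIR" "$CHROOT_DIR/authdaemon"; do
        dpkg-statoverride --list "$d" >/dev/null 2>&1 ||
            { echo "BAD     no dpkg-statoverride entry for $d"; rc=1; }
    done
    mountpoint -q "$CHROOT_DIR/authdaemon" ||
        { echo "BAD     bind mount is not active"; rc=1; }
    in_group postfix courier ||
        { echo "BAD     postfix is not in group courier"; rc=1; }
    return $rc
}

# Only audit the live system when asked to: sh check-authdaemon.sh audit
if [ "${1:-}" = "audit" ]; then audit; fi
```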
Spamassassin
Install the spamassassin Debian package.
The package provides two Systemd units: spamd.service and spamassassin-maintenance.timer; both should be enabled to have the daemon running and the rules updated once a day.
To enable the update timer execute:
systemctl enable --now spamassassin-maintenance.timer
Then you can check the timer schedule with:
systemctl list-timers --all