Postfix with Courier Authdaemon in Debian 12 Bookworm
Configuring the Courier Authdaemon
We want to enable authentication for virtual users (i.e. using a login name which is not a Unix username), e.g. we want to use an email address as a login name.
In the configuration file /etc/courier/authdaemonrc we add the module authuserdb to the authmodulelist, beside the standard Unix PAM (i.e. the passwd and shadow files):
authmodulelist="authuserdb authpam"
The virtual users password file /etc/courier/userdb must be created, with all the relevant information for each user (do not insert newlines!):
name.surname@domain.org uid=1086|gid=1086|home=/home/name|shell=/bin/false|systempw=$1$GiNkrEZX$UTOWQkZZf0pp2TEOuyEu1/|mail=/home/name/Maildir
Moving the Courier Authdaemon socket into the Postfix chroot
The Courier Authdaemon can be used through a socket which lives in a directory with the following permissions:
drwxrwxr-x 3 root courier 220 Oct 12 12:17 /var/run/courier/
drwxr-x--- 2 courier courier 100 Oct 12 12:17 /var/run/courier/authdaemon/
To use that socket from the Postfix chroot, it is necessary to move it under the chroot /var/spool/postfix/:
# Stop the Courier AuthDaemon.
systemctl stop courier-authdaemon.service
# Create the socket directory in the Postfix chroot:
mkdir -p /var/spool/postfix/var/run/courier/authdaemon
# Assign the same permissions as the original.
chown root:courier /var/spool/postfix/var/run/courier/
chmod 0775 /var/spool/postfix/var/run/courier/
chown courier:courier /var/spool/postfix/var/run/courier/authdaemon/
chmod 0750 /var/spool/postfix/var/run/courier/authdaemon/
# Register the custom directories with the Debian packaging system.
dpkg-statoverride --add root courier 775 /var/spool/postfix/var/run/courier
dpkg-statoverride --add courier courier 750 /var/spool/postfix/var/run/courier/authdaemon
To verify that the dpkg-statoverride settings are in place, execute:
dpkg-statoverride --list
To have the socket also available under the original directory we can do a bind mount. This is the command required (it does not survive a reboot):
mount /var/run/courier/authdaemon \
    /var/spool/postfix/var/run/courier/authdaemon \
    -t bind -o defaults,nodev,bind
Now it is possible to restart the Authdaemon service and have it accessible at the original location and under the Postfix chroot:
systemctl start courier-authdaemon.service
To enable the bind mount at boot we create a systemd mount unit in the file /etc/systemd/system/var-spool-postfix-var-run-courier-authdaemon.mount with the following content:
[Unit]
Description=Mount Courier Authdaemon into Postfix chroot
Wants=courier-authdaemon.service
# The "Requires=" and "After=" dependencies may be too strong
# and they can generate an ordering cycle problem.
#Requires=courier-authdaemon.service
#After=courier-authdaemon.service

[Mount]
What=/var/run/courier/authdaemon
Where=/var/spool/postfix/var/run/courier/authdaemon
Type=bind
Options=defaults,nodev,bind

[Install]
WantedBy=postfix.service
This is a systemd mount unit; we need to reload the systemd daemon and enable the unit for the next reboot:
systemctl daemon-reload
systemctl enable var-spool-postfix-var-run-courier-authdaemon.mount
Finally the postfix user must be in the courier group, so it can read and write to the socket:
adduser postfix courier
systemctl restart postfix
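The steps above can be verified with a small check script. This is an added example, not part of the original page; the function names and the socket file name "socket" are assumptions, while the paths, owners and modes are the ones used above.

```shell
#!/bin/sh
# Added example: post-install check for the Courier authdaemon socket in the
# Postfix chroot. Function names and the socket file name are assumptions.

# check_perm PATH OWNER GROUP MODE: succeed only on an exact match.
check_perm() {
    actual=$(stat -c '%U:%G %a' "$1" 2>/dev/null) || { echo "MISSING  $1"; return 1; }
    [ "$actual" = "$2:$3 $4" ] && return 0
    echo "MISMATCH $1: have '$actual', want '$2:$3 $4'"
    return 1
}

# is_mounted_at TARGET [MOUNTINFO]: field 5 of mountinfo is the mount point.
is_mounted_at() {
    awk -v t="$1" '$5 == t { found = 1 } END { exit !found }' \
        "${2:-/proc/self/mountinfo}"
}

# in_group USER GROUP: true if USER is a member of GROUP.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# verify_chroot_auth [CHROOT]: run every check, report all failures.
verify_chroot_auth() {
    base="${1:-/var/spool/postfix}/var/run/courier"
    rc=0
    check_perm "$base" root courier 775 || rc=1
    check_perm "$base/authdaemon" courier courier 750 || rc=1
    is_mounted_at "$base/authdaemon" || { echo "NOT MOUNTED $base/authdaemon"; rc=1; }
    # Assumption: the daemon names its socket file "socket".
    [ -S "$base/authdaemon/socket" ] || { echo "NO SOCKET in $base/authdaemon"; rc=1; }
    in_group postfix courier || { echo "postfix is not in group courier"; rc=1; }
    return "$rc"
}

# Run as root: sh check-authdaemon-chroot.sh run
if [ "${1:-}" = "run" ]; then verify_chroot_auth; fi
```

The script exits non-zero if any check fails, so it can be run after a reboot or a package upgrade to confirm that the bind mount and the directory permissions are still in place.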
Spamassassin
Install the spamassassin Debian package.
The package provides two Systemd units: spamd.service and spamassassin-maintenance.timer; both should be enabled to have the daemon running and the rules updated once a day.
To enable and start both, execute:
systemctl enable --now spamassassin-maintenance.timer
systemctl enable spamassassin-maintenance.service
systemctl start spamassassin-maintenance.service
Then you can check the timer schedule with:
systemctl list-timers --all
The timer will call spamassassin-maint, which in turn will call the sa-update program to download the updated SpamAssassin rules and reload the spamd daemon.
The SpamAssassin rules are saved in /var/lib/spamassassin/.
ClamAV
Install the Debian packages clamav, clamav-daemon, clamdscan and clamav-freshclam. Ensure that the Systemd units clamav-daemon.service and clamav-freshclam.service are enabled and started.
The Freshclam program will update the database of signatures stored in /var/lib/clamav/ and will log to /var/log/clamav/freshclam.log.