Virtual users with LMTP in FreeBSD
In the previous posts, e-mail addresses were only available to system users. This may or may not be a good idea depending on the scope of the e-mail system we are implementing, but what is certain is that implementing virtual users is practically essential.
With that in mind, we will integrate OpenSMTPd and Dovecot over LMTP, together with a file containing the list of virtual users and their passwords.
Configuration
Create the user vmail
We need this user, which will own the mail of all virtual users.
mkdir /var/vmail
adduser
Username: vmail
Full name:
Uid (Leave empty for default):
Login group [vmail]:
Login group is vmail. Invite vmail into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: nologin
Home directory [/home/vmail]: /var/vmail
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]: yes
Lock out the account after creation? [no]: yes
Username : vmail
Password : <blank>
Full Name :
Uid : 1002
Class :
Groups : vmail
Home : /var/vmail
Home Mode :
Shell : /usr/sbin/nologin
Locked : yes
OK? (yes/no): yes
adduser: INFO: Successfully added (vmail) to the user database.
adduser: INFO: Account (vmail) is locked.
Add another user? (yes/no): no
Goodbye!
And we give it ownership of its home directory.
chown -R vmail:vmail /var/vmail
Configure LMTP for OpenSMTPd
We need to install an OpenSMTPd extension that allows us to use the username and password file mentioned above.
pkg install -y opensmtp-extras-table-passwd
Edit /usr/local/etc/mail/smtpd.conf and add:
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
We also redirect the "local" action, which handles incoming mail, to LMTP; the virtuals table is used to check that the recipient is a valid virtual user.
action "local" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <virtuals>
And we also need to change the authentication on the listeners to use the passwd table.
listen on lo1 smtps pki mail.correo.com auth <passwd>
listen on lo1 port submission tls-require pki mail.correo.com auth <passwd>
We still need an alias for vmail; edit /etc/mail/aliases and add:
vmail: /dev/null
Configure LMTP for Dovecot
Now it is Dovecot’s turn. We need a replica of the previous configurations, but to be used by Dovecot.
We change the authentication by editing /usr/local/etc/dovecot/conf.d/10-auth.conf:
#!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
We change the user and password sources in /usr/local/etc/dovecot/conf.d/auth-passwdfile.conf.ext:
passdb {
driver = passwd-file
args = scheme=CRYPT /etc/mail/passwd
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%d/%n
# Default fields that can be overridden by passwd-file
#default_fields = quota_rule=*:storage=1G
# Override fields from passwd-file
#override_fields = home=/home/virtual/%u
}
Mail location, in /usr/local/etc/dovecot/conf.d/10-mail.conf:
mail_location = maildir:/var/vmail/%d/%n
This creates a hierarchy inside /var/vmail with the following structure:
/var/vmail
├── dominio1
│ ├── usuario1
├── dominio2
│ ├── usuario1
Create virtual users
The file /etc/mail/passwd has the following format:
usuario@dominio.correo:<the encrypted password goes here>::::::
So we need to generate the users' password hashes. To do so:
smtpctl encrypt
It waits on standard input, without showing a prompt, for the plaintext password:
supersecreta
$6$eXaww4eIZKR9711q$lM0HOy.W1dAvUscZ1pB9H1odNqZCJA8G3rvIoVSxhe3SIltI5iask.xWXJKkS0vsJXBK6ucRn4TxAzaEveH6U1
This resulting hash, in this case SHA-512 crypt (the $6$ prefix), is the one we enter in the passwd file for the virtual user.
Finally, we need to map it to the vmail user so that mail is delivered to that user's mailbox. Edit /etc/mail/virtuals and add:
usuario@dominio.correo vmail
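As an added example, not code from the original post, the following shell helpers do by script what the post does by hand: validate a passwd-file entry, register a virtual user in both files (refusing duplicates) and create its Maildir under /var/vmail/%d/%n, and lint the two files for consistency. Paths default to the post's locations but can be overridden through the environment; the HASH argument is the output of smtpctl encrypt, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the virtual-user files
# described above. Paths default to the post's locations (override via the
# environment); HASH comes from "smtpctl encrypt". Function names are mine.
PASSWD_FILE="${PASSWD_FILE:-/etc/mail/passwd}"
VIRTUALS_FILE="${VIRTUALS_FILE:-/etc/mail/virtuals}"
VMAIL_ROOT="${VMAIL_ROOT:-/var/vmail}"

# check_passwd_line LINE: succeed only for a well-formed entry, i.e.
# user@domain, a $6$ (SHA-512 crypt) hash, and 8 colon-separated fields.
check_passwd_line() {
    addr=${1%%:*}
    rest=${1#*:}
    hash=${rest%%:*}
    case "$addr" in *@*.*) ;; *) return 1 ;; esac
    case "$hash" in '$6$'*'$'*) ;; *) return 1 ;; esac
    [ "$(printf '%s' "$1" | tr -cd ':' | wc -c | tr -d ' ')" -eq 7 ]
}

# add_vuser ADDRESS HASH: append the passwd entry and the "ADDRESS vmail"
# mapping, refusing malformed input and duplicates, then create the Maildir
# matching mail_location = maildir:/var/vmail/%d/%n (chown to vmail needs root).
add_vuser() {
    addr=$1 hash=$2
    entry="$addr:$hash::::::"
    check_passwd_line "$entry" || { echo "add_vuser: bad address or hash" >&2; return 1; }
    if cut -d: -f1 "$PASSWD_FILE" 2>/dev/null | grep -qxF "$addr"; then
        echo "add_vuser: $addr already exists" >&2; return 1
    fi
    user=${addr%@*} domain=${addr#*@}
    printf '%s\n' "$entry" >> "$PASSWD_FILE"
    printf '%s vmail\n' "$addr" >> "$VIRTUALS_FILE"
    for d in cur new tmp; do mkdir -p "$VMAIL_ROOT/$domain/$user/$d"; done
    chmod 700 "$VMAIL_ROOT/$domain/$user"
}

# lint_passwd: print one problem per line and fail unless every passwd entry
# is well-formed and has its "address vmail" mapping in the virtuals file.
lint_passwd() {
    ok=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        addr=${line%%:*}
        check_passwd_line "$line" || { echo "malformed entry: $addr"; ok=1; }
        grep -qxF "$addr vmail" "$VIRTUALS_FILE" 2>/dev/null || { echo "no virtuals mapping: $addr"; ok=1; }
    done < "$PASSWD_FILE"
    return $ok
}
```

Typical use as root is `add_vuser usuario@dominio.correo "$(smtpctl encrypt)"` followed by `chown -R vmail:vmail /var/vmail` and the daemon restart below.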
Restart the daemons
service opensmtpd restart
service dovecot restart
Tests
Now we can configure our mail client with these credentials and run some tests, sending and receiving e-mails with it.
Conclusions
Together with the other two entries already published, this one closes the core of the implementation of an e-mail server. Obviously, topics such as hardening, DKIM, DMARC, spam handling, greylisting, webmail, etc. are missing. They are beyond the basic functionality, but I may address some of them in future posts.