Virtual users with LMTP in FreeBSD

In previous releases, e-mail addresses were only available to system users. This may or may not be a good idea depending on the scope of the e-mail system we are implementing, but what is certain is that implementing virtual users is practically essential.

With this premise we will make both OpenSMTPd and Dovecot integrate using LMTP together with a file that will contain the list of virtual users and their passwords.

Configuration

Create the user vmail

We need this user, who will be the one to store the mail of all virtual users.

mkdir /var/vmail
adduser
Shell

Username: vmail
Full name:
Uid (Leave empty for default):
Login group [vmail]:
Login group is vmail. Invite vmail into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: nologin
Home directory [/home/vmail]: /var/vmail
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]: yes
Lock out the account after creation? [no]: yes
Username   : vmail
Password   : <blank>
Full Name  :
Uid        : 1002
Class      :
Groups     : vmail
Home       : /var/vmail
Home Mode  :
Shell      : /usr/sbin/nologin
Locked     : yes
OK? (yes/no): yes
adduser: INFO: Successfully added (vmail) to the user database.
adduser: INFO: Account (vmail) is locked.
Add another user? (yes/no): no
Goodbye!
Text

And we give you the ownership of your directory $HOME.

chown -R vmail:vmail /var/vmail
Shell

Configure LMTP for OpenSMTPd

We need to install an OpenSMTPd extension that allows you to use the username and password file mentioned above.

pkg install -y opensmtp-extras-table-passwd
Shell

Edit /usr/local/etc/mail/smtpd.conf and include.

table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
Text

In addition to redirecting local which handles incoming mail to send it to LMTP which will use these files to check the validity of these virtual users as a destination.

action "local" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <virtuals>
Text

And we also need to change the authentication to use the passwd file that we are going to use.

listen on lo1 smtps pki mail.correo.com auth <passwd>
listen on lo1 port submission tls-require pki mail.correo.com auth <passwd>
Text

We are missing the alias for vmail by editing /etc/mail/aliases.

vmail: /dev/null
Text

Configure LMTP for Dovecot

Now it is Dovecot’s turn. We need a replica of the previous configurations, but to be used by Dovecot.

We change the authentication by editing /usr/local/etc/dovecot/conf.d/10-auth.conf.

#!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
Text

We change the user and password sources in /usr/local/etc/dovecot/conf.d/auth-passwdfile.conf.ext.

passdb {
  driver = passwd-file
  args = scheme=CRYPT /etc/mail/passwd
}

userdb {
  driver = static 
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n

  # Default fields that can be overridden by passwd-file
  #default_fields = quota_rule=*:storage=1G

  # Override fields from passwd-file
  #override_fields = home=/home/virtual/%u
}
Text

Mail pickup at /usr/local/etc/dovecot/conf.d/10-mail.conf.

mail_location = maildir:/var/vmail/%d/%n
Text

Here a hierarchical structure will be generated inside /var/vmail with the following structure.

/var/vmail
├── dominio1
│   ├── usuario1
├── dominio2
│   ├── usuario1
Text

Create virtual users

File /etc/mail/passwd has the following format.

usuario@dominio.correo:la contraseña enciptada va aquí::::::
Text

So we need to generate user passwords. To do so.

smtpctl encrypt
Shell

You will be silently prompted for the plain text password.

supersecreta
$6$eXaww4eIZKR9711q$lM0HOy.W1dAvUscZ1pB9H1odNqZCJA8G3rvIoVSxhe3SIltI5iask.xWXJKkS0vsJXBK6ucRn4TxAzaEveH6U1
Text

This last hash, in this case SHA512, is the one we will enter for the virtual user.

Finally, we need to map it to the vmail user so that the mail is delivered to his mailbox. We edit /etc/mail/virtuals.

usuario@dominio.correo vmail
Text

Restart the demons

service restart opensmtpd
service restart dovecot
Shell

Tests

Now we can configure our mail client and use these credentials to do some tests by sending and receiving emails with it.

Conclusions

Together with the other two entries already published, this one closes the core of the implementation of an email server. It is obvious that issues like securization, DKIM, DMARC, spam handling, greylisting, webmail, etc… are missing. This is already out of the basic functionality but I may address some of them in future posts.