Minimal Postfix configuration

This page describes the steps and modifications to your Postfix configuration that are needed so that Postfix, the Dovecot LDA and vmm work together.

Setuid root copy of the Dovecot LDA for Postfix

For security reasons the permissions of the domain and user directories are very restrictive.
Each user gets its own unique UID and the GID of its domain. So only users of a domain can access the domain directory (read only), and each user is granted read/write access only to its own home directory.

/!\ It is considered insecure to set the setuid-root bit on deliver (the Dovecot LDA) if it is executable by all (untrusted) users.

For this reason it is necessary to provide a separate setuid-root copy of the Dovecot LDA for Postfix.
Because Postfix refuses to execute commands with root privileges, or with the privileges of the mail system owner (normally postfix), the user nobody does the job. Therefore the permissions are set very restrictively again: only nobody will be able to execute the setuid-root copy of deliver.

{i} On BSD and Gentoo Linux systems the user nobody belongs to the group nobody, not nogroup.

mkdir -p /usr/local/lib/dovecot
chmod 700 /usr/local/lib/dovecot
chown nobody /usr/local/lib/dovecot
cp /usr/lib/dovecot/deliver /usr/local/lib/dovecot/
chown root:`id -g nobody` /usr/local/lib/dovecot/deliver
chmod u+s,o-rwx /usr/local/lib/dovecot/deliver
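The steps above, as an added example that is not part of the vmm wiki or of the Dovecot/Postfix projects: a POSIX shell script that performs the copy and then verifies the result (directory 0700 owned by nobody, binary setuid root, executable by nobody's group and not accessible by others). It checks ownership with ls -ldn, i.e. by numeric IDs, so it does not depend on name resolution. The path /usr/lib/dovecot/deliver, the target directory and the user nobody are taken from this page; the function names and the DELIVER_SRC/LDA_DIR/LDA_USER overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the vmm wiki or of Dovecot/Postfix:
# installs the restricted setuid-root copy of the Dovecot LDA and verifies it.
# Assumptions (this example's own): the source binary is /usr/lib/dovecot/deliver,
# the Postfix pipe service runs as "nobody"; the environment variables are
# only overrides for testing, and the function names are invented here.

SRC=${DELIVER_SRC:-/usr/lib/dovecot/deliver}
DIR=${LDA_DIR:-/usr/local/lib/dovecot}
RUNAS=${LDA_USER:-nobody}

# check_setuid_copy FILE UID GID
# Succeeds only if FILE is a regular file owned by UID:GID whose mode is
# -rws??x---: setuid, executable by the group (nobody's group) and not
# accessible at all by others. ls -ldn reports numeric IDs; the mode column
# is cut to 10 characters to drop trailing ACL/SELinux markers.
check_setuid_copy() {
    f=$1; want_uid=$2; want_gid=$3
    [ -f "$f" ] || return 1
    set -- $(ls -ldn "$f")
    mode=$(printf '%s' "$1" | cut -c1-10)
    [ "$3" = "$want_uid" ] || return 1
    [ "$4" = "$want_gid" ] || return 1
    case "$mode" in
        -rws??x---) return 0 ;;
        *) return 1 ;;
    esac
}

# check_lda_dir DIR UID
# The directory must be mode 0700 and owned by the pipe user, so that only
# that user (and root) can even reach the setuid binary.
check_lda_dir() {
    d=$1; want_uid=$2
    [ -d "$d" ] || return 1
    set -- $(ls -ldn "$d")
    mode=$(printf '%s' "$1" | cut -c1-10)
    [ "$3" = "$want_uid" ] || return 1
    case "$mode" in
        drwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# The steps from the page. cp without -p deliberately discards the mode bits
# of the source; ownership and the setuid bit are set explicitly afterwards.
install_lda_copy() {
    mkdir -p "$DIR"
    chmod 700 "$DIR"
    chown "$RUNAS" "$DIR"
    cp "$SRC" "$DIR/deliver"
    chown "root:$(id -g "$RUNAS")" "$DIR/deliver"
    chmod u+s,o-rwx "$DIR/deliver"
}

# Verifies the layout against root (UID 0) and the pipe user's primary group.
verify_lda_copy() {
    check_lda_dir "$DIR" "$(id -u "$RUNAS")" &&
    check_setuid_copy "$DIR/deliver" 0 "$(id -g "$RUNAS")"
}

case "${1:-}" in
    install) install_lda_copy && verify_lda_copy && echo "setuid copy OK" ;;
    verify)  verify_lda_copy && echo "setuid copy OK" ;;
esac
```

Run it as root with the argument install, or later with verify. A package upgrade of Dovecot replaces /usr/lib/dovecot/deliver but not your copy, so rerun install after every Dovecot upgrade, otherwise Postfix keeps delivering with the old binary.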

master.cf

Add the service dovecot to Postfix's master process configuration file. Append these lines:

dovecot   unix  -       n       n       -       -       pipe
  flags=DORhu user=nobody argv=/usr/local/lib/dovecot/deliver -f ${sender}
  -d ${user}@${nexthop} -n -m ${extension}

For more details about the flags mentioned above see: pipe(8). All other arguments are explained in the Dovecot LDA documentation.

main.cf

Add or replace the following settings in the global Postfix configuration file.

# relocated users from the database
#relocated_maps = pgsql:/etc/postfix/pgsql-relocated_maps.cf

# virtual domains
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual_mailbox_domains.cf
virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual_alias_maps.cf
transport_maps = pgsql:/etc/postfix/pgsql-transport.cf
virtual_minimum_uid = 70000
virtual_uid_maps = pgsql:/etc/postfix/pgsql-virtual_uid_maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql-virtual_gid_maps.cf
virtual_mailbox_base = /
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual_mailbox_maps.cf

# dovecot LDA
# deliver is started once per recipient, because -d takes exactly one user
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot:

# dovecot SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Keep smtpd_sasl_local_domain identical to Dovecot's auth_default_realm: empty.
# Both are empty by default, so leave it commented out.
# Read more at: http://wiki.dovecot.org/Authentication/Mechanisms/DigestMD5
#smtpd_sasl_local_domain =
# noplaintext refuses PLAIN and LOGIN, so clients have to use a challenge/response
# mechanism (CRAM-MD5, DIGEST-MD5). Those only work if Dovecot can read the
# password in plaintext (or in the matching scheme). If you use the commented
# variant with noanonymous only, offer AUTH solely on TLS-protected connections
# (smtpd_tls_auth_only = yes).
smtpd_sasl_security_options = noplaintext, noanonymous
#smtpd_sasl_security_options = noanonymous
#broken_sasl_auth_clients = yes

# minimal recipient restrictions
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination

For more details of the Postfix configuration parameters see postconf(5).


ConfiguringDovecot

InstallingVMM


CategoryInstallation

VMMWiki: ConfiguringPostfix (last edited 2011-02-07 12:03:10 by PascalVolk)