[TriLUG] Banging away at mail server setup

Greg Cox glcox at pobox.com
Tue Dec 11 20:51:07 EST 2001


> I would think about just giving all the users
> accounts anyway.  This allows you to use the huge amount of software
> that's designed for normal *nix accounts, such as quotas, user management,
> etc, instead of a proprietary system.
> 
> You'll have to lock down the accounts of course -- restrict shell access
> (by setting the shell to /bin/true), make sure things like ftp and telnet
> are disabled, etc.

I didn't want to get into setting the shell to something dorked out in my
world, because that's nowhere near granular enough.  Some people need to
log in, but only on foo and quux, not bar, etc.  My solution for a
small-scale setup at work was to dump all the humans into LDAP, and use
it for authentication.   We've got these needs:

                  SMTP-Rx SMTP-Tx POP SSHD
outside partners     Y      N      N    N    <- easy, virtusers
techs                Y      Y      Y    Y
management           Y      Y      Y    N
admin accounts       N      N      N    Y    <- easy, localuser per machine

My fix there was to use PAM on the machines to restrict access.  Like,
in /etc/pam.d/pop, to keep administrative accounts and outsiders from
having mail be popped, I added:

auth required  /lib/security/pam_listfile.so \
  item=user sense=allow file=/etc/mail/local_allowed_users onerr=fail

/etc/pam.d/sshd has:

account required /lib/security/pam_access.so accessfile=/etc/security/local_login_access.conf

to only let a select few in, which is a must on a mail server if you
give people true accounts.  A little tweaking to sendmail allows relaying
upon authentication.

Oh, sure, it's extra files to deal with, but, they're simple, and if you
just wrap adduser, it's all happy (I ended up doing so, since the user
utils didn't want to play nice with the system once I moved users to LDAP).
It's not really that twisty once you get it working.  PAM's documentation
blows, but it's a 2 banana job.  The worst of it was getting my setup into
LDAP and then maintaining it (yes, there are scripts provided, but they need
tweaking).  Most all of it can be found with a little time on Google.
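Added example, not part of Greg's post: a POSIX sh script that emulates the allow/deny decisions the two PAM lines above make (pam_listfile with item=user sense=allow onerr=fail for POP, and pam_access with a local access file for sshd) over constructed sample files, and shows the "wrap adduser" idea that keeps the POP allow-list current. The user names, file contents and the ADDUSER hook are constructed for this example; the emulation of pam_access covers only ALL, ALL EXCEPT and plain user names, not groups, netgroups or network origins.

```shell
#!/bin/sh
# Added example: walks the post's access matrix with constructed users.
# alice, bob = techs; carol = management; dave = admin account;
# eve = outside partner (no real account, handled by virtusers).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ALLOWED="$WORK/local_allowed_users"        # stands in for /etc/mail/local_allowed_users
ACCESS="$WORK/local_login_access.conf"     # stands in for /etc/security/local_login_access.conf
ACCESS_OPEN="$WORK/open_access.conf"       # same file with the closing "-" rule forgotten

# Constructed sample data: techs and management may POP; techs and admins may SSH.
printf '%s\n' alice bob carol > "$ALLOWED"
cat > "$ACCESS" <<'EOF'
# permission : users : origins   (first matching rule wins)
+ : alice bob dave : ALL
- : ALL : ALL
EOF
head -n 2 "$ACCESS" > "$ACCESS_OPEN"

# pam_listfile item=user sense=allow onerr=fail: allow only a listed user,
# and treat a missing or unreadable list as a denial (onerr=fail).
listfile_allows() {
    if [ ! -r "$2" ]; then return 1; fi
    if grep -qxF -e "$1" "$2"; then return 0; else return 1; fi
}

# Match one name against a pam_access field: ALL, "ALL EXCEPT a b ...",
# or a whitespace-separated list of names.
field_matches() {
    name=$1
    set -- $2                      # word-split the field into positional params
    if [ "$1" = ALL ]; then
        if [ "$2" = EXCEPT ]; then
            shift 2
            for w; do if [ "$w" = "$name" ]; then return 1; fi; done
        fi
        return 0
    fi
    for w; do if [ "$w" = "$name" ]; then return 0; fi; done
    return 1
}

# pam_access: scan "permission : users : origins" lines in order; the first
# rule whose user and origin fields both match decides ('+' allow, '-' deny).
# As with the real module, no matching rule means allow, which is why the
# trailing "- : ALL : ALL" is what actually locks the box down.
access_allows() {
    user=$1; origin=$2; file=$3
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        perm=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d '[:space:]')
        users=$(printf '%s\n' "$line" | cut -d: -f2)
        origins=$(printf '%s\n' "$line" | cut -d: -f3)
        if field_matches "$user" "$users" && field_matches "$origin" "$origins"; then
            if [ "$perm" = "+" ]; then return 0; else return 1; fi
        fi
    done < "$file"
    return 0
}

# The "wrap adduser" idea: create the account, then grant POP by adding the
# user to the allow-list exactly once. ADDUSER is a hook (assumption) so the
# example runs without touching the real system; a real wrapper sets ADDUSER=adduser.
ADDUSER=${ADDUSER:-:}
add_pop_user() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 2 ;;   # refuse names we would not want in a PAM list
    esac
    $ADDUSER "$1" || return 1
    if ! grep -qxF -e "$1" "$ALLOWED"; then
        printf '%s\n' "$1" >> "$ALLOWED"
    fi
}

# Reproduce the matrix from the post for the constructed users.
for who in alice carol dave eve; do
    if listfile_allows "$who" "$ALLOWED"; then pop=Y; else pop=N; fi
    if access_allows "$who" console "$ACCESS"; then ssh=Y; else ssh=N; fi
    printf '%-8s POP=%s SSHD=%s\n' "$who" "$pop" "$ssh"
done
```

The ACCESS_OPEN file shows the pitfall the comments mention: pam_access falls through to allow when no rule matches, so a per-service access file needs its closing deny rule, and pam_listfile with onerr=fail fails closed when its list is missing, which is the safer default for a box where every human has a real account.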
