I have an “everything” Linux server currently running Slackware 15. Sometimes I need to create users in /etc/passwd for some particular use case, but both my Postfix and Dovecot authenticate against /etc/passwd to grant access.
It took a long time to figure out how to get that done. Finally I did it:
Postfix
Edit /etc/postfix/master.cf; comment out the original smtpd_recipient_restrictions and smtpd_relay_restrictions; and add new ones like this:
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  # -o smtpd_recipient_restrictions=
  # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
Then edit /etc/postfix/main.cf and add this line:
# I made up the "mua_relay_restrictions" key, used in master.cf
mua_relay_restrictions = check_sender_access regexp:/etc/postfix/sender_access, permit_sasl_authenticated, reject
Create /etc/postfix/sender_access with a regular expression to match the usernames to block:
/ops145/ REJECT
Don’t forget to do this after creating/changing sender_access:
postmap sender_access
If the changes work, this is what you get in the maillog when an unauthorized user attempts to send email:
Mar 15 02:45:02 littlesvr postfix/smtps/smtpd[2314]: NOQUEUE: reject: RCPT from unknown[84.239.27.157]: 554 5.7.1 ops145_asmith15@littlesvr.ca: Sender address rejected: Access denied; from=ops145_asmith15@littlesvr.ca to=external@domain.edited.out proto=ESMTP helo=<[10.6.18.78]>
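A small parser for that reject line, as an added example that is not part of the original post: it pulls the client IP, envelope sender and reject reason out of Postfix "NOQUEUE: reject" lines and counts how often each blocked sender keeps trying, which is the signal you would watch after deploying the sender_access table. The first sample line is the one quoted above; the other three lines are constructed here (not real log output) to show that unrelated lines and rejects for other reasons are kept apart, and that the parser accepts envelope addresses both with and without the angle brackets Postfix normally logs.

```python
import re
from collections import Counter

# Sample log lines: the first is the reject line quoted in the post; the rest are
# constructed here to exercise the parser (not real log output).
SAMPLE_LOG = [
    "Mar 15 02:45:02 littlesvr postfix/smtps/smtpd[2314]: NOQUEUE: reject: RCPT from "
    "unknown[84.239.27.157]: 554 5.7.1 ops145_asmith15@littlesvr.ca: Sender address "
    "rejected: Access denied; from=ops145_asmith15@littlesvr.ca "
    "to=external@domain.edited.out proto=ESMTP helo=<[10.6.18.78]>",
    "Mar 15 02:47:30 littlesvr postfix/smtps/smtpd[2314]: NOQUEUE: reject: RCPT from "
    "unknown[84.239.27.157]: 554 5.7.1 <ops145_asmith15@littlesvr.ca>: Sender address "
    "rejected: Access denied; from=<ops145_asmith15@littlesvr.ca> "
    "to=<other@domain.edited.out> proto=ESMTP helo=<[10.6.18.78]>",
    "Mar 15 02:50:11 littlesvr postfix/smtps/smtpd[2320]: connect from unknown[84.239.27.157]",
    "Mar 15 03:01:45 littlesvr postfix/smtpd[2331]: NOQUEUE: reject: RCPT from "
    "mail.example.net[203.0.113.9]: 454 4.7.1 <someone@elsewhere.example>: Relay access "
    "denied; from=<spam@elsewhere.example> to=<someone@elsewhere.example> proto=ESMTP "
    "helo=<mail.example.net>",
]

# Shape of a Postfix smtpd reject line: syslog timestamp, host, process (optionally
# with the syslog_name suffix set in master.cf, e.g. postfix/smtps), then the
# client, SMTP status, subject of the rejection, reason and envelope fields.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix(?:/[\w-]+)?/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: (?P<code>\d{3}) (?P<enh>\d\.\d+\.\d+) "
    r"(?P<subject>\S+): (?P<reason>.*?); from=<?(?P<from>[^>\s]*)>? to=<?(?P<to>[^>\s]*)>? "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)


def parse_reject(line):
    """Return the named fields of a Postfix smtpd 'NOQUEUE: reject' line, or None
    for any other line."""
    m = REJECT_RE.match(line)
    return m.groupdict() if m else None


def sender_rejections(lines, reason_prefix="Sender address rejected"):
    """Count rejections per (envelope sender, client IP) for one reject reason.
    The default prefix is the text a check_sender_access REJECT produces, so
    relay or recipient rejections are not mixed into the count."""
    counts = Counter()
    for line in lines:
        ev = parse_reject(line)
        if ev and ev["reason"].startswith(reason_prefix):
            counts[(ev["from"], ev["ip"])] += 1
    return counts


if __name__ == "__main__":
    for (sender, ip), n in sender_rejections(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {sender}  from {ip}")
```

Feed it the real maillog with `sender_rejections(open("/var/log/maillog"))` (path assumed; Slackware's default syslog layout may differ) and a sender that keeps appearing with a rising count is either a user who has not been told their mailbox was disabled or a client that still has their credentials.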
Great! Now Dovecot needs work too, since its users authenticate differently.
References:
- http://www.postfix.org/RESTRICTION_CLASS_README.html
- [Postfix]: check_sender_access: How to catch envelope FROM with brackets?
- This one would have been great but I haven’t figured out how to do it: https://serverfault.com/questions/181270/postfixsasslauthdpam-how-can-i-deny-allow-specific-users-from-authenticating
Dovecot
This one was much easier to figure out, but it's not a wildcard solution: I have to blacklist each user explicitly.
Edit /etc/dovecot/conf.d/10-auth.conf and comment out !include auth-deny.conf.ext
Note that auth-deny.conf.ext uses /etc/dovecot/deny-users
Create /etc/dovecot/deny-users with one blocked username per line. E.g.:
ops145_asmith15
After that the user will simply not be able to authenticate when connecting to the IMAP service. Strangely, Dovecot doesn't put anything in the maillog when this failed authentication happens.
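Because the Postfix side uses a regexp wildcard and the Dovecot side needs one username per line, the two lists drift apart: an account matched by /ops145/ but missing from deny-users can still log in over IMAP. The following check, an added example that is not part of the original post, models the lookup Postfix does against the regexp sender_access table from the Postfix section (first matching line wins, case-insensitive unless the i flag toggles it off, pattern applied unanchored to the full sender address; if/endif blocks are not modelled), reads a deny-users file in the format described above, and reports which local accounts are blocked on SMTP submission only, IMAP login only, or both. The sample sender_access, deny-users and passwd usernames are constructed here, and the local domain littlesvr.ca appended to each username is an assumption.

```python
import re

# Constructed sample inputs (stand-ins for the real files; not from the page).
SENDER_ACCESS = """\
# /etc/postfix/sender_access (regexp: table); first matching line wins
/ops145/ REJECT
/^ops245_.*@littlesvr\\.ca$/ REJECT
"""
DENY_USERS = """\
# /etc/dovecot/deny-users: one username per line
ops145_asmith15
ops245_bjones02
"""
PASSWD_USERS = ["root", "alice", "ops145_asmith15", "ops145_cwong07",
                "ops245_bjones02", "bob"]
MAIL_DOMAIN = "littlesvr.ca"   # assumed local domain appended to usernames

# One regexp-table rule: optional '!', /pattern/, optional flags, whitespace, action.
RULE_RE = re.compile(
    r"^(?P<neg>!?)/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>\S.*)$"
)


def parse_regexp_table(text):
    """Parse a Postfix regexp: table into (negated, compiled_regex, action) tuples.
    Models the common subset only: '!' negation and the 'i' flag, which toggles
    the default case-insensitive matching off; other flags are rejected."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable regexp table line: {raw!r}")
        if set(m["flags"]) - {"i"}:
            raise ValueError(f"flag not modelled here: {m['flags']!r}")
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((m["neg"] == "!", re.compile(m["pat"], flags), m["action"].strip()))
    return rules


def sender_action(rules, address):
    """Return the action of the first rule matching the sender address (Postfix
    applies regexp tables to the whole lookup key, unanchored), or None."""
    for negated, regex, action in rules:
        if bool(regex.search(address)) != negated:
            return action
    return None


def parse_deny_users(text):
    """deny-users format: one username per line; blank and '#' lines ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def audit(passwd_users, sender_rules, deny_users, domain):
    """Classify every local account by where it is blocked: SMTP submission
    (check_sender_access REJECT on user@domain), IMAP login (deny-users), or both."""
    result = {"both": [], "postfix_only": [], "dovecot_only": []}
    for user in passwd_users:
        smtp_blocked = sender_action(sender_rules, f"{user}@{domain}") == "REJECT"
        imap_blocked = user in deny_users
        if smtp_blocked and imap_blocked:
            result["both"].append(user)
        elif smtp_blocked:
            result["postfix_only"].append(user)
        elif imap_blocked:
            result["dovecot_only"].append(user)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    rules = parse_regexp_table(SENDER_ACCESS)
    report = audit(PASSWD_USERS, rules, parse_deny_users(DENY_USERS), MAIL_DOMAIN)
    for bucket, users in report.items():
        print(f"{bucket:13s}: {', '.join(users) or '-'}")
```

In the sample data ops145_cwong07 lands in postfix_only: the wildcard catches it for sending, but nobody added it to deny-users, so it can still read mail. On the real server, replace the constructed lists with the contents of the two files and the first field of each /etc/passwd line, and treat anything outside "both" as a ticket to fix; the authoritative check for the Postfix half is still `postmap -q "user@domain" regexp:/etc/postfix/sender_access`, which this script only approximates.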
References (unused):