Well, I can show you my config. It's pretty quick and pretty dirty. The high-level overview is that clients will connect to Postfix and offer credentials, Postfix will pass the credentials to Dovecot over a socket, and Dovecot will confirm the validity of the credentials using PAM.
This is what I've appended to /etc/postfix/main.cf:

```
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
smtpd_tls_cert_file = /etc/pki/tls/certs/mx.*****.combined.crt
smtpd_tls_key_file = /etc/pki/tls/private/mx.*****.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_note_starttls_offer = yes
```
I suppose you could ignore the TLS options if you really don't need encryption.
And these are my non-default options in Dovecot:

```
$ doveconf -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-327.3.1.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 (Core)
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/pki/tls/certs/mail.*****.combined.crt
ssl_key = </etc/pki/tls/private/mail.*****.key
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = passwd
}
```
The Dovecot options are spread throughout several different files, which are parsed in order of file name. From the modified date of the files, I see that I changed 10-auth.conf, 10-mail.conf, 10-master.conf, and 10-ssl.conf. It probably would have been better for maintainability to put these options in a new file like 11-custom.conf. Again, you can probably just ignore the SSL options if you really don't need encryption.
Then you will do something like the following to add the user:

```
# useradd admin
# passwd admin
# # and it may also be wise to disable shell login for this user
# usermod -s /sbin/nologin admin
```
Note that with this config your mail user does need a home directory to store received mail.
I can give additional information or clarification if need be.
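As an added check that is not part of the answer above: the point of `smtpd_tls_auth_only = yes` together with `ssl = required` is that Postfix advertises AUTH only inside TLS, so credentials never travel in the clear. This script (my own example, not the answer's code) compares the EHLO feature list before and after STARTTLS; the sample EHLO replies and the host name mx.example.invalid are constructed, and `check_live` is the only part that needs a real server.

```python
"""Verify that an SMTP submission server offers AUTH only after STARTTLS."""
import smtplib
import ssl

# Constructed EHLO replies: what a server with smtpd_tls_auth_only = yes
# should send before and after STARTTLS, plus a misconfigured "before".
GOOD_PRE = b"250-mx.example.invalid\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
GOOD_POST = b"250-mx.example.invalid\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
BAD_PRE = b"250-mx.example.invalid\r\n250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 8BITMIME\r\n"


def parse_ehlo(reply: bytes) -> dict[str, str]:
    """Map a raw multi-line EHLO reply to {feature: params} (lowercased keys),
    mirroring the shape of smtplib's esmtp_features. The greeting line is skipped."""
    features: dict[str, str] = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            name, _, params = body.partition(" ")
            features[name.lower()] = params.strip()
    return features


def auth_mechanisms(features: dict[str, str]) -> set[str]:
    """AUTH mechanisms advertised in a feature map (empty set if none)."""
    return set(features.get("auth", "").upper().split())


def tls_auth_only_ok(before_tls: dict[str, str], after_tls: dict[str, str]) -> tuple[bool, str]:
    """Verdict: no AUTH in plaintext, STARTTLS offered, AUTH present once TLS is up."""
    if auth_mechanisms(before_tls):
        return False, "AUTH offered before STARTTLS: credentials could be sent in the clear"
    if "starttls" not in before_tls:
        return False, "STARTTLS not offered"
    mechs = auth_mechanisms(after_tls)
    if not mechs:
        return False, "no AUTH mechanisms offered after STARTTLS"
    return True, "ok: " + " ".join(sorted(mechs))


def check_live(host: str, port: int = 587) -> tuple[bool, str]:
    """Run the same check against a real server (needs network access)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = dict(s.esmtp_features)  # smtplib resets this on starttls()
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        return tls_auth_only_ok(before, dict(s.esmtp_features))
```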