====== Postfix with Courier Authdaemon in Debian 12 Bookworm ======

We want to enable authentication for **virtual users** (i.e. using a login name which is not a Unix username), e.g. we want to use an email address as a login name. We want the same authentication scheme to work both for authenticated SMTP submission (sending mail via Postfix) and for POP3/IMAP (incoming mail via Courier daemons).

===== Configuring the Courier Authdaemon =====

In the configuration file **/etc/courier/authdaemonrc** we add the module **authuserdb** to the **authmodulelist**, beside the standard Unix PAM (i.e. the ''passwd'' and ''shadow'' files):

  authmodulelist="authuserdb authpam"

The virtual users password file **/etc/courier/userdb** must be created, with all the relevant information for each user (do not insert newlines!):

  name.surname@domain.org uid=1086|gid=1086|home=/home/name|shell=/bin/false|systempw=$1$GiNkrEZX$UTOWQkZZf0pp2TEOuyEu1/|mail=/home/name/Maildir

===== Moving the Courier Authdaemon socket into the Postfix chroot =====

The Courier Authdaemon is used through a socket which lives in a directory with the following permissions:

  drwxrwxr-x 3 root    courier 220 Oct 12 12:17 /var/run/courier/
  drwxr-x--- 2 courier courier 100 Oct 12 12:17 /var/run/courier/authdaemon/

To use that socket from the Postfix chroot, it is necessary to move it under the chroot **/var/spool/postfix/**:

  # Stop the Courier AuthDaemon.
  systemctl stop courier-authdaemon.service
  # Create the socket directory in the Postfix chroot.
  mkdir -p /var/spool/postfix/var/run/courier/authdaemon
  # Assign the same permissions as the original.
  chown root:courier /var/spool/postfix/var/run/courier/
  chmod 0775 /var/spool/postfix/var/run/courier/
  chown courier:courier /var/spool/postfix/var/run/courier/authdaemon/
  chmod 0750 /var/spool/postfix/var/run/courier/authdaemon/
  # Add the info about the custom directories to the Debian packaging system.
  dpkg-statoverride --add root courier 775 /var/spool/postfix/var/run/courier
  dpkg-statoverride --add courier courier 750 /var/spool/postfix/var/run/courier/authdaemon

To verify that the //dpkg-statoverride// settings are in place, execute:

  dpkg-statoverride --list

To keep the socket available under the original directory as well, we can do a **bind mount**. This is the required command (it does not survive a reboot):

  mount /var/run/courier/authdaemon \
        /var/spool/postfix/var/run/courier/authdaemon \
        -t bind -o defaults,nodev,bind

Now it is possible to restart the Authdaemon service and have it accessible at the original location and under the Postfix chroot:

  systemctl start courier-authdaemon.service

To enable the bind mount at boot we define a **systemd mount service** by creating the file **/etc/systemd/system/var-spool-postfix-var-run-courier-authdaemon.mount** with the following content:

  [Unit]
  Description=Mount Courier Authdaemon into Postfix chroot
  Wants=courier-authdaemon.service
  [Mount]
  What=/run/courier/authdaemon
  Where=/var/spool/postfix/var/run/courier/authdaemon
  Type=bind
  Options=defaults,nodev,bind
  [Install]
  WantedBy=postfix.service

**NOTICE**: The weak dependency ''Wants=courier-authdaemon.service'' is preferable to the stronger ones ''Requires='' and ''After=''. In Debian 12 the strong dependencies cause a Systemd ordering cycle problem, see **[[systemd_tmpfiles_problem]]**.

This is a **[[https://www.freedesktop.org/software/systemd/man/systemd.mount.html|systemd mount unit]]**; we need to reload the systemd daemon and enable that unit for the next reboot:

  systemctl daemon-reload
  systemctl enable var-spool-postfix-var-run-courier-authdaemon.mount

Finally, the postfix process must be in the courier group, so that it can read and write to the socket:

  adduser postfix courier
  systemctl restart postfix

  * **[[https://www.freedesktop.org/software/systemd/man/latest/systemd.syntax.html|Systemd Syntax]]**
  * **[[https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html|Systemd Unit]]**
  * **[[https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html|Systemd Mount]]**

====== Spamassassin ======

Install the **spamassassin** Debian package. The package provides two Systemd units: **spamd.service** and **spamassassin-maintenance.timer**; both should be enabled so that the daemon is running and the rules are updated once a day. To enable and start both, execute:

  systemctl enable --now spamassassin-maintenance.timer
  systemctl enable spamassassin-maintenance.service
  systemctl start spamassassin-maintenance.service

Then you can check the timer schedule with:

  systemctl list-timers --all

The timer calls **spamassassin-maint**, which in turn calls the **sa-update** program to download the updated SpamAssassin rules and reload the spamd daemon. The SpamAssassin rules are saved in **/var/lib/spamassassin/**.

====== ClamAV ======

Install the Debian packages **clamav**, **clamav-daemon**, **clamdscan** and **clamav-freshclam**. Ensure that the Systemd units **clamav-daemon.service** and **clamav-freshclam.service** are enabled and started. The Freshclam program updates the database of signatures stored in **/var/lib/clamav/** and logs to **/var/log/clamav/freshclam.log**.
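
An added check for the procedure in //Moving the Courier Authdaemon socket into the Postfix chroot// (example code, not part of the original page): it compares owner and mode of the original and chroot directories, then confirms that the bind mount is active, that ''postfix'' is in the ''courier'' group and that a socket is visible inside the chroot. The function names are hypothetical, and it assumes GNU ''stat'' and ''mountpoint'' as shipped in Debian.

```shell
#!/bin/sh
# Added example, not from the original page: read-only audit of the setup above.
# ORIG and CHROOT default to the page's paths and can be overridden for testing.
ORIG=${ORIG:-/var/run/courier}
CHROOT=${CHROOT:-/var/spool/postfix/var/run/courier}

# Print "owner:group mode" for a path (GNU stat, as shipped in Debian).
perm_of() { stat -c '%U:%G %a' "$1" 2>/dev/null; }

# True when both paths exist and have identical owner, group and mode.
same_perms() { a=$(perm_of "$1") && b=$(perm_of "$2") && [ "$a" = "$b" ]; }

# True when the path grants nothing to "other" (octal mode ends in 0).
no_world_access() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# True when the group list $1 (output of `id -nG user`) contains group $2.
has_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

audit() {
    rc=0
    for sub in "" /authdaemon; do
        same_perms "$ORIG$sub" "$CHROOT$sub" ||
            { echo "FAIL: owner/mode differ: $ORIG$sub vs $CHROOT$sub"; rc=1; }
    done
    no_world_access "$CHROOT/authdaemon" ||
        { echo "FAIL: $CHROOT/authdaemon is open to other users"; rc=1; }
    mountpoint -q "$CHROOT/authdaemon" ||
        { echo "FAIL: bind mount is not active"; rc=1; }
    has_group "$(id -nG postfix 2>/dev/null)" courier ||
        { echo "FAIL: postfix is not in group courier"; rc=1; }
    [ -n "$(find "$CHROOT/authdaemon" -type s 2>/dev/null)" ] ||
        { echo "FAIL: no socket visible inside the chroot (run as root)"; rc=1; }
    return $rc
}

# Run only on a host that has the Courier runtime directory.
if [ -d "$ORIG" ]; then audit || exit 1; fi
```

Run it as root after a reboot as well, since the manual ''mount'' command and the systemd mount unit are two separate paths to the same state.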
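
An added linter for the **/etc/courier/userdb** entry described under //Configuring the Courier Authdaemon// (example code, not part of the original page): it reports entries split by a newline, whitespace inside the field list, missing ''uid''/''gid''/''home'' fields and password fields holding an MD5-crypt (''$1$'') hash. The sample accounts and hashes are constructed, the function names are hypothetical, and the assumed layout is one account per line with the login name separated by whitespace from the ''|''-joined fields.

```shell
#!/bin/sh
# Added example, not from the original page: lint a Courier userdb file.
# Assumed layout: one account per line, login name, whitespace, then
# key=value fields joined with "|".
lint_userdb() {
    awk '
    BEGIN { split("uid gid home", req, " ") }
    /^[ \t]*$/ { next }
    $1 ~ /[=|]/ {   # first token is a field: tail of a wrapped entry
        printf "%d: no login name, entry split by a newline?\n", NR
        bad = 1; next
    }
    NF != 2 {       # spaces inside the field list, or no field list at all
        printf "%d: %s: expected a login name and one field list\n", NR, $1
        bad = 1; next
    }
    {
        split("", f)                    # reset the per-line field map
        n = split($2, kv, "[|]")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq > 1) f[substr(kv[i], 1, eq - 1)] = substr(kv[i], eq + 1)
        }
        for (i = 1; i <= 3; i++)
            if (!(req[i] in f)) {
                printf "%d: %s: missing %s\n", NR, $1, req[i]; bad = 1
            }
        for (k in f)
            if (k ~ /pw$/ && f[k] ~ /^\$1\$/) {
                printf "%d: %s: %s is an MD5-crypt hash\n", NR, $1, k; bad = 1
            }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: alice is clean, bob uses MD5-crypt, carol is wrapped.
sample_userdb() {
    cat <<'EOF'
alice@example.org uid=2001|gid=2001|home=/home/alice|systempw=$6$CONSTRUCTED$CONSTRUCTED|mail=/home/alice/Maildir
bob@example.org uid=2002|gid=2002|home=/home/bob|systempw=$1$CONSTRUCTED$CONSTRUCTED
carol@example.org uid=2003|gid=2003|home=/home/carol|shell=/bin/false
|systempw=$1$CONSTRUCTED$CONSTRUCTED|mail=/home/carol/Maildir
EOF
}

# Lint the files given as arguments, or show the findings for the sample.
if [ $# -gt 0 ]; then lint_userdb "$@"; else sample_userdb | lint_userdb || true; fi
```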