Solved

Postfix mail accts & SSH/FTP access

Posted on 2003-02-23
Last Modified: 2010-04-22
I just want to know if there is a better way to do this.  There must be.

Basically, I want to create several email accts, and since I'm using Postfix the accts are Unix accts.  Needless to say they are able to login to the server.  Here is what I'm trying to accomplish and what I have done, but it seems like there should be a better way.

Obviously, check for mail, deny SSH access and possibly deny/allow FTP access into the server.

I have created a couple of test accts and changed the /etc/passwd file to reflect /sbin/nologin instead of /bin/bash.  It seems to work.  Still can check email and can't log into the server.

But it seems like there must be a better way.  This is the first time to use Postfix as the mail server.  In the past I have used Qmail.

Thanks for your suggestions.
Question by:seattlejim
6 Comments
 
LVL 9

Expert Comment

by:majorwoo
ID: 8012942
It's a fairly painless method - when you add the user, specify the nologin

useradd -s /sbin/nologin <username>

Then you don't have to go back and edit the password file.
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8020623
majorwoo is right.

nologin is not present in all systems, although.
Then I use /bin/false as the shell, and I add it to /etc/shells.

Just edit your /etc/passwd file and change their shell to the one majorwoo told you (/sbin/nologin) or, if that shell does not exist, use /bin/false.

Regards
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8056384
I tend to make the default shell for nologin users passwd - that way, they can change their passwords themselves without shell access.
0
 
LVL 9

Expert Comment

by:majorwoo
ID: 8057938
Yeah

/bin/false
/dev/null
/sbin/nologin

They will all serve the same purpose in this case

(/dev/null is on almost every *nix system)
0
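An added example, not part of the original thread: a shell function that audits a passwd-format file for the two things discussed above, whether each account's shell allows an interactive login and whether that shell is listed in /etc/shells (the list that FTP daemons and pam_shells commonly check before admitting a user). The function names, the UID threshold and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit login shells of mail accounts.
# Shells treated as non-interactive: the ones named in the thread, plus
# /usr/sbin/nologin (assumption: alternate path on some distributions).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /dev/null"

# audit_shells PASSWD SHELLS [MIN_UID]
# One line per account with UID >= MIN_UID (default 1000):
#   user shell login=<yes|no> in_shells=<yes|no>
audit_shells() {
    awk -F: -v shells="$2" -v min="${3:-1000}" -v nologin="$NOLOGIN_SHELLS" '
        BEGIN {
            n = split(nologin, a, " ")
            for (i = 1; i <= n; i++) deny[a[i]] = 1
            # /etc/shells format: one path per line, "#" starts a comment
            while ((getline line < shells) > 0)
                if (line != "" && line !~ /^#/) listed[line] = 1
        }
        $3 + 0 >= min + 0 {
            sh = ($7 == "") ? "/bin/sh" : $7   # empty field defaults to /bin/sh
            login = (sh in deny) ? "no" : "yes"
            ftp = (sh in listed) ? "yes" : "no"
            printf "%s %s login=%s in_shells=%s\n", $1, sh, login, ftp
        }' "$1"
}

# Constructed sample files standing in for /etc/passwd and /etc/shells.
make_sample() {
    cat > "$1/shells" <<'EOF'
# constructed sample
/bin/sh
/bin/bash
/bin/false
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
mail1:x:1002:1002::/home/mail1:/sbin/nologin
mail2:x:1003:1003::/home/mail2:/bin/false
mail3:x:1004:1004::/home/mail3:
EOF
}

d=$(mktemp -d) && make_sample "$d" && audit_shells "$d/passwd" "$d/shells"
rm -rf "$d"
```

On a real host, run `audit_shells /etc/passwd /etc/shells`. A non-login shell only stops the interactive session, so if SSH should refuse these accounts outright, also restrict them with AllowUsers or AllowGroups in sshd_config.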
 
LVL 6

Accepted Solution

by:
mbarbos earned 200 total points
ID: 8075990
There are some other options, but you have to do some more work.

First, Postfix is an MTA (only). This means that it only moves mail through SMTP from server to server. It doesn't have much to do with passwords and users (unless you want people to authenticate also when they send mail), it has to do only with mails, mail addresses and mailboxes.
If I get your question right, what you want is a "sealed server" in which the mail users have nothing in common with the system users.

All you need to do is to install a "postoffice" server, like Cyrus or Courier, using a different authentication method than the unix passwd/shadow. Both with Cyrus and Courier you have the option of using a separate user list. Anyway, what you are doing now is to use the default system pop3/imap servers (probably run from inet) to get mails to users. Just replace it :)
0
 

Author Comment

by:seattlejim
ID: 8175480
Thanks.  That makes a lot of sense.
0
