Postfix mail accts & SSH/FTP access

I just want to know if there is a better way to do this.  There must be.

Basically, I want to create several email accts, and since I'm using Postfix the accts are Unix accts.  Needless to say, they are able to log in to the server.  Here is what I'm trying to accomplish and what I have done, but it seems like there should be a better way.

Obviously, check for mail, deny SSH access and possibly deny/allow FTP access into the server.

I have created a couple of test accts and changed the /etc/passwd file to reflect /sbin/nologin instead of /bin/bash.  It seems to work.  I can still check email and can't log into the server.

But it seems like there must be a better way.  This is my first time using Postfix as the mail server.  In the past I have used Qmail.

Thanks for your suggestions.
seattlejim Asked:
mbarbos Commented:
There are some other options, but you have to do some more work.

First, Postfix is an MTA (only). This means that it only moves mail through SMTP from server to server. It doesn't have much to do with passwords and users (unless you want people to authenticate also when they send mail); it has to do only with mails, mail addresses and mailboxes.
If I get your question right, what you want is a "sealed server" in which the mail users have nothing in common with the system users.

All you need to do is to install a "postoffice" server, like cyrus or courier, using a different authentication method than the unix passwd/shadow. Both with cyrus and courier you have the option of using a separate user list. Anyway, what you are doing now is to use the default system pop3/imap servers (probably run from inet) to get mails to users. Just replace it :)
 
majorwoo Commented:
It's a fairly painless method - when you add the user, specify the nologin

useradd -s /sbin/nologin <username>

Then you don't have to go back and edit the password file.
 
Gabriel Orozco, Solution Architect, Commented:
majorwoo is right.

nologin is not present on all systems, though.
Then I use /bin/false as the shell, and I add it to /etc/shells.

Just edit your /etc/passwd file and change their shell to the one majorwoo told you (/sbin/nologin) or, if that shell does not exist, use /bin/false.

Regards
 
Dave Howe, Software and Hardware Engineer, Commented:
I tend to make the default shell for nologin users passwd - that way, they can change their passwords themselves without shell access.
 
majorwoo Commented:
Yeah

/bin/false
/dev/null
/sbin/nologin

They will all serve the same purpose in this case

(/dev/null is on almost every *nix system)
 
seattlejim (Author) Commented:
Thanks.  That makes a lot of sense.
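The shell choices discussed in this thread (/sbin/nologin, /bin/false, and listing /bin/false in /etc/shells) can be checked after the accounts are created. The script below is an added example, not code from any of the posters: it reads a passwd-format file and a shells file and reports, per regular account, whether the shell permits an interactive login and whether it is listed in the shells file. It assumes regular accounts start at UID 1000 and that the FTP daemon only accepts users whose shell appears in /etc/shells; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: audit mail-only accounts in a passwd-format file.
# Assumptions: regular accounts have UID >= MIN_UID (1000 here), and the FTP
# daemon only accepts users whose shell is listed in the shells file.

MIN_UID=${MIN_UID:-1000}

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints one line per regular account: user shell login=<yes|no> ftp=<yes|no>
audit_shells() {
    awk -F: -v min="$MIN_UID" '
        # First file: the shells list. Skip comments and blank lines.
        FILENAME == ARGV[1] { if ($0 !~ /^[ \t]*(#|$)/) listed[$0] = 1; next }
        # Second file: passwd entries (name:pw:uid:gid:gecos:home:shell).
        $3 + 0 >= min {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            login = (shell ~ /\/(nologin|false)$/) ? "no" : "yes"
            ftp   = (shell in listed) ? "yes" : "no"
            print $1, shell, "login=" login, "ftp=" ftp
        }
    ' "$2" "$1"
}

# write_sample DIR: constructed sample data (not from a real system).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:mail only:/home/alice:/sbin/nologin
bob:x:1002:1002:mail and ftp:/home/bob:/bin/false
carol:x:1003:1003:forgotten:/home/carol:/bin/bash
EOF
    cat > "$1/shells" <<'EOF'
# /bin/false added by hand, as described in the thread
/bin/sh
/bin/bash
/bin/false
EOF
}

# Stand-alone run: audit the sample data and print the report.
tmp=$(mktemp -d) && write_sample "$tmp" &&
    audit_shells "$tmp/passwd" "$tmp/shells"
rm -rf "$tmp"
```

On a live system, call `audit_shells /etc/passwd /etc/shells`; any mail account reported with `login=yes` still has a real shell.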