Solved Interface between Postfix in Jail 1 and Dovecot in Jail 2

Hello,

I currently have a mail server with Postfix and Dovecot installed in the same jail. I was considering breaking the jail down to a dedicated mail server (jail) with the other jail running Postfix.

I know that on the same server or jail the configuration is fairly easy, but I haven't been able to find much documentation on breaking them out. Is it simply setting up the Postfix jail as a relay which requires authentication? If so, is it simple to allow for the authentication to use the same account credentials used in Dovecot?

If someone has a simple example or manual reference that they could forward me to, please let me know. Also, I'd like an opinion on if this makes sense from a security standpoint or if I'm just wasting my time on a project like this. I believe the isolated Postfix jail makes sense as I would assume that would likely be the preferred attack vector for sending spam or malware if compromised.
 
Any reason why you want to split that up? With both running in the same jail you can use much more efficient sockets for communication / mail transfer between the two. If postfix is configured as an open relay or infected user machines are sending spam it doesn't make any difference if it runs on its own jail; it is still sending spam...

If they are running in separate jails the configuration would be just the same as if they are running on separate hosts - use ip sockets instead of the unix sockets for communication between the services.
 
So if I did go down this road, I'd just have to use ip sockets for postfix to dovecot and dovecot to postfix, correct? It's currently set up to use user authentication to send mail out.

I was originally thinking that if postfix had a vulnerability, the dovecot jail would remain secure, but the points you brought up call into question if it's worth the hassle, especially if you have a compromised client sending spam out. I suppose it could protect the existing emails from being read, but all the emails going out after the vulnerability was exploited would be fair game...
 
How is Dovecot supposed to access your mailstorage if it's located on another server? And if your answer is a nullfs mount then wouldn't that somewhat defeat the purpose for separation? In my opinion this scenario will give you more administrative headaches than it's worth.

Heck, when properly set up there shouldn't be much risk of one service contaminating the other. Assuming both are running using different user IDs.
 
but my idea was DoveCot/Mailstore (Jail 1) Postfix (Jail 2).
Yet that doesn't answer my question ;) It's the same problem: how is Postfix going to store any incoming mail into the mail storage on Jail 2 so that users can access it using Dovecot?

Both Jails will act as separate virtual entities and by default will not be able to access each others userspace nor that of the host (other than their own system root of course). There's really nothing academic about this, just the simple problem of one jail which needs to physically access the other to make your scenario work.

(edit)

Unless of course you plan to use Sendmail within Jail 1 and Postfix as some kind of mail relay. That would theoretically work, but that will bring us back to my initial comment: you'd be creating an administrative headache and in the end don't gain any real advantage at all. The only difference would be Postfix which got changed out for Sendmail.
 
Just to confirm for my own understanding of Dovecot, can't it interface with Postfix via ip socket (as noted by sko)? If so, wouldn't that address the incoming portion of the question? (I feel like I'm missing something here.)

Outgoing would be a separate issue as I would want the same user authentication used on Dovecot to be used on Postfix.
 
how is Postfix going to store any incoming mail into the mail storage on Jail 2 so that users can access it using Dovecot?

In a Postfix + Dovecot configuration, Postfix should always be configured as a relay and only deliver mails to dovecot, which then handles the actual storing of mail. This way there is a clear separation of mail transfer (postfix) and mail delivery/storing/access (dovecot), which not only simplifies configuration, debugging and adding secondary MXes, but also prevents weird edge-cases like dovecot trying to access files that postfix is currently writing to (actually haven't seen this in production, but theoretically possible).
The main reason from user perspective for this configuration: Filtering mail with sieve only works if the mails were delivered to/via dovecot, not if postfix just splats them to disk.

With postfix acting as a pure relay, the only difference between a local and separate dovecot server/jail would be using smtp to the dovecot host instead of lmtp to the unix socket as the transport mechanism.
So essentially you'd configure that "local" postfix in the jail just like any secondary MX on a completely different machine (which is also just a relay to dovecot).

For authentication you could just let postfix and dovecot do their own queries to the DB server(s), which has the small advantage of postfix still accepting mails even if dovecot is temporarily down e.g. for updates/maintenance.
However, I'd highly recommend using SASL for authentication. If dovecot should be temporarily unavailable, incoming mails would be rejected by postfix with a tempfail and proper MTAs (i.e. not spammers) will re-send those mails anyways; so except for a slight delay there really is no problem with that and definitely no mails are lost in this scenario. The huge advantage of using SASL is, you can lock down your user/password-DB very tightly as only dovecot needs to access that database. This is IMHO the absolute preferred way of setting up authentication from a security perspective.
For additional information you might want to query with postfix (e.g. user aliases, forwards, black/whitelists etc pp) just set up another DB or - especially on high-traffic postfix servers - periodically generate local maps for postfix from DB entries, as those are cached in RAM and much faster than probably hundreds or thousands of DB-queries (to another machine!) per minute...

Using SASL with external postfix instances is pretty easy; just let the service listen on an external port instead of only the local unix socket. See the example configuration at the very bottom of this page: https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL -> "Dovecot authentication via TCP"
 
In a Postfix + Dovecot configuration, Postfix should always be configured as a relay and only deliver mails to dovecot, which then handles the actual storing of mail.
That is not a relay within the context of MTAs, it's merely setting up local delivery. A relay refers to sending the e-mail to another MTA.

And you also never actually answered my question. A rhetorical question I might add, it was meant for the OP to think about the situation. It's like you said: Postfix would need to act as relay (which is NOT local delivery!), and since Dovecot doesn't support SMTP you would need another MTA within the other Jail.

Ergo, and this is the last time I'm repeating myself, you wouldn't "fix" anything by separating both processes because the MDA (Dovecot) always needs an MTA (in this case Postfix).
 
Postfix would need to act as relay (which is NOT local delivery!), and since Dovecot doesn't support SMTP you would need another MTA within the other Jail.

Sorry, my mistake. Has been a while since I configured such a setup from ground up. Yes, dovecot doesn't support delivery via SMTP. LMTP can be used on TCP sockets to receive mail from an externally running MTA (postfix). However, there is no authentication involved and the comments in the config file even warn you about making it visible to the internet. So this should really and absolutely only be used on e.g. a bridge interface connecting the two jails but *never* on an external interface, but for OP's setup this might be a viable solution.

I also just had a quick look on my last installation of multiple postfix hosts + single dovecot server, and I've also put another postfix onto the dovecot hosts, which only accepts incoming mail from both DNS-listed MX postfix servers and relays it to dovecot via LMTP on a local socket. The postfix on the dovecot host is also used for outgoing mail. I can't remember the exact reasons for this configuration off the top of my head; but regarding the problem of delivery to dovecot, this might be the only reasonable solution for a multi-host setup without private networking, as dovecot basically blindly trusts everything it receives via LMTP...
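
The two TCP listeners discussed in the posts above (Dovecot SASL via TCP for outgoing authentication, and unauthenticated LMTP over TCP for incoming delivery), shown as an added configuration example that is not part of the original thread. The addresses 10.0.0.1 (Postfix jail) and 10.0.0.2 (Dovecot jail) on a jail-only interface, both port numbers, the file locations, and the use of virtual mailboxes are assumptions.

```conf
# ---- Dovecot jail (assumed 10.0.0.2): conf.d/10-master.conf ----

service lmtp {
  inet_listener lmtp {
    # LMTP accepts mail without authentication, so bind it to the
    # jail-only address. Leaving "address" unset falls back to the global
    # "listen" setting, which by default is every address of the jail.
    address = 10.0.0.2
    port = 24
  }
}

service auth {
  # SASL lookups from the Postfix jail. The credential database stays
  # readable by Dovecot only; Postfix sees just the auth result.
  inet_listener {
    address = 10.0.0.2
    port = 12345
  }
}

# ---- Postfix jail (assumed 10.0.0.1): main.cf ----

# Incoming: hand accepted mail to Dovecot over LMTP/TCP instead of the
# unix socket used in a single-jail setup (virtual mailboxes assumed).
virtual_transport = lmtp:inet:10.0.0.2:24

# Outgoing: authenticate submitting users against Dovecot's auth service.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:10.0.0.2:12345
```

Neither listener authenticates the connecting host, so the host's packet filter should allow ports 24 and 12345 on 10.0.0.2 only from the Postfix jail's address.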
 
Thank you both for the discussion.

For my needs, I don't see myself breaking out the Dovecot from Postfix due to the above noted issues, but I wanted to fully understand the drawbacks as there was little to no documentation for an approach like this which I would have believed to have been more of a common occurrence.

edit:

In summary, the solution would have to be: Dovecot + Postfix (Jail 1) Postfix (Jail 2).

Thanks again!
 