I created a Client, then a Site (testsite.com), then a couple of users under that Site. I tried logging in to https://myispconfig:81/mailuser. Failed with myuser@testsite.com (postfix virtusertable), but succeeded with web3_myuser (system account). Why's that?

A quick check shows that ISPConfig reads the isp_isp_user table, probably completely ignoring the postfix virtusertable it wrote during user creation.

Also, IMAP doesn't work (from SquirrelMail). How does Courier-IMAP tie to Postfix's authentication?

I created a Client, then a Site (testsite.com), then a couple of users under that Site. I tried logging in to https://myispconfig:81/mailuser. Failed with myuser@testsite.com (postfix virtusertable), but succeeded with web3_myuser (system account). Why's that?
Because you must use the username of the user to whom the email address belongs. In your case it's web3_myuser.

A quick check shows that ISPConfig reads the isp_isp_user table, probably completely ignoring the postfix virtusertable it wrote during user creation.
Yes, ISPConfig does not read from /etc/postfix/virtusertable.

Also, IMAP doesn't work (from SquirrelMail). How does Courier-IMAP tie to Postfix's authentication?
Please post the output of netstat -tap

Because you must use the username of the user to whom the email address belongs. In your case it's web3_myuser.

Erm, I asked "Why's that?" Quick explanation for that strategy?

Yes, ISPConfig does not read from /etc/postfix/virtusertable

Then why does ISPConfig create that virtusertable file? How does ISPConfig use that, or does it use that?

Please post the output of `netstat -tap'

See attached netstat.out.gz

Erm, I asked "Why's that?" Quick explanation for that strategy?
Because ISPConfig creates system users, not virtual users. System users have names like web3_myuser.

Then why does ISPConfig create that virtusertable file? How does ISPConfig use that, or does it use that?
Postfix uses /etc/postfix/virtusertable, that's why ISPConfig creates it.

See attached netstat.out.gzCan you post the output in plain text here? That makes it easier for us.

Because ISPConfig creates system users, not virtual users. System users have names like web3_myuser.

But we can't expect mail users to login as web3_myuser, can we? That's odd. Users want to log in as "myuser@mydomain.com" instead.

Postfix uses /etc/postfix/virtusertable, that's why ISPConfig creates it

How does Postfix use it? PAM authentication perhaps? So why doesn't ISPConfig use it as well? A simple extrapolation from "helping Postfix do its job" to "actually integrating with Postfix".

The netstat output you requested:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:32770 *:* LISTEN 6872/hpiod
tcp 0 0 localhost:32771 *:* LISTEN 6882/python
tcp 0 0 localhost:mysql *:* LISTEN 7065/mysqld
tcp 0 0 *:netbios-ssn *:* LISTEN 7297/smbd
tcp 0 0 *:81 *:* LISTEN 7447/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 7638/proftpd: (acce
tcp 0 0 webmail.testsite:domain *:* LISTEN 7623/named
tcp 0 0 localhost:domain *:* LISTEN 7623/named
tcp 0 0 localhost:ipp *:* LISTEN 6838/cupsd
tcp 0 0 localhost:953 *:* LISTEN 7623/named
tcp 0 0 *:smtp *:* LISTEN 7583/master
tcp 0 0 *:microsoft-ds *:* LISTEN 7297/smbd
tcp 0 0 localhost:32770 localhost:48040 ESTABLISHED6872/hpiod
tcp 0 0 localhost:ipp localhost:38970 ESTABLISHED6838/cupsd
tcp 0 0 localhost:48040 localhost:32770 ESTABLISHED6882/python
tcp 0 0 localhost:38970 localhost:ipp ESTABLISHED7795/gnome-cups-ico
tcp6 0 0 *:imaps *:* LISTEN 6966/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 7007/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 6984/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 6943/couriertcpd
tcp6 0 0 *:www *:* LISTEN 7484/apache2
tcp6 0 0 ip6-localhost:953 *:* LISTEN 7623/named
tcp6 0 0 *:https *:* LISTEN 7484/apache2

How does Postfix use it? PAM authentication perhaps? So why doesn't ISPConfig use it as well? A simple extrapolation from "helping Postfix do its job" to "actually integrating with Postfix".

Postfix simply reads /etc/postfix/virtusertable (i.e. /etc/postfix/virtusertable.db); it doesn't have to authenticate to read its own files.
ISPConfig stores everything in its MySQL database, and ISPConfig's backend then reads from the database and writes everything into the appropriate configuration file.

Postfix simply reads /etc/postfix/virtusertable (i.e. /etc/postfix/virtusertable.db); it doesn't have to authenticate to read its own files.

I see. So Postfix reads the virtusertable to know that an incoming email with "To:" header "myuser@mydomain.com" should go to inbox of system user say "web3_myuser". Right? Postfix doesn't do any authentication at all? So what does? Courier's POP?

ISPConfig stores everything in its MySQL database, and ISPConfig's backend then reads from the database and writes everything into the appropriate configuration file.

Actually, that's part of a problem. ISPConfig stores mailuser info in its backend, but is mostly (always?) oblivous to actual system files that actually denote the system users. In short, ISPConfig replicates much of the system files' info redundantly. This makes it difficult for a system with ISPConfig to work with 'root' user admin work. A typical advice I would issue for ISPConfig users is "try to do everything with ISPConfig (even if some things are not yet possible with it), and don't do any root admin work like adding users manually".

A simple analogy. Say I'm a middleman (like ISPConfig) that deals with delivering your letters to addresses. I keep my own database of recipients (with physical addresses). And then there is the government's DEFINITIVE address book that everyone can look up. Still, I use my own database. Therefore, whenever a recipient changes address, and the government address book is modified, my database gets stale. There is no contract between government and me to synchronize our disparate databases, though I do update the government's database whenever I meet a new recipient who just bought a new address through (my other business). Therefore, the only way we can assure agreement between the disparate database is if ALL citizens buy new addresses through me. Same case with ISPConfig, users are advised to create new users (mailusers and system users) through ISPConfig.

But that's another discussion altogether. How's my netstat output?

I see. So Postfix reads the virtusertable to know that an incoming email with "To:" header "myuser@mydomain.com" should go to inbox of system user say "web3_myuser". Right? Postfix doesn't do any authentication at all? So what does? Courier's POP?
If you're sending from outside (i.e. not from localhost), authentication is done through saslauthd.
If you fetch emails (that's different from sending!) than you have to authenticate against your POP3/IMAP daemon.



Actually, that's part of a problem. ISPConfig stores mailuser info in its backend, but is mostly (always?) oblivous to actual system files that actually denote the system users. In short, ISPConfig replicates much of the system files' info redundantly. This makes it difficult for a system with ISPConfig to work with 'root' user admin work. A typical advice I would issue for ISPConfig users is "try to do everything with ISPConfig (even if some things are not yet possible with it), and don't do any root admin work like adding users manually".

A simple analogy. Say I'm a middleman (like ISPConfig) that deals with delivering your letters to addresses. I keep my own database of recipients (with physical addresses). And then there is the government's DEFINITIVE address book that everyone can look up. Still, I use my own database. Therefore, whenever a recipient changes address, and the government address book is modified, my database gets stale. There is no contract between government and me to synchronize our disparate databases, though I do update the government's database whenever I meet a new recipient who just bought a new address through (my other business). Therefore, the only way we can assure agreement between the disparate database is if ALL citizens buy new addresses through me. Same case with ISPConfig, users are advised to create new users (mailusers and system users) through ISPConfig.

When you open /etc/postfix/virtusertable, you'll see this line at the bottom:
#### MAKE MANUAL ENTRIES BELOW THIS LINE! #### You can add your own entries below that line, they won't be overwritten! I guess this solves the problem you have?
ISPConfig cannot simply write directly to all configuration files due to permissions. The frontend runs as user admispconfig, not as root. If it ran as root, it would be a security problem...


But that's another discussion altogether. How's my netstat output?It's ok. Did you enable Maildir in ISPConfig (Management -> Server -> Settings -> Email)?

You can add your own entries below that line, they won't be overwritten! I guess this solves the problem you have?
Yes, it does allow 'root' user to do manual (and quick) creations of mail users. But wouldn't I also need to tell ISPConfig's backend about it as well? That's my problem, what I do as 'root', ISPConfig ignores and goes back to its own not-so-updated records.

ISPConfig cannot simply write directly to all configuration files due to permissions. The frontend runs as user admispconfig, not as root. If it ran as root, it would be a security problem...
True. But the virtusertable was written by 'root' (chmod 644). Perhaps ISPConfig runs a world-executable script to write into virtusertable? I appreciate your effort to make ISPConfig secure. A very important aspect to me.

Did you enable Maildir in ISPConfig (Management -> Server -> Settings -> Email)?

Yes I did enable the Maildir in "Management -> Server -> Settings -> Email".

Hmm. It seems that I can login with "web3_myuser", but not "myuser@mydomain.com". Is this a problem with ISPConfig or with Postfix? The virtusertable file contains the mapping from "myuser@mydomain.com" to "web3_myuser".

True. But the virtusertable was written by 'root' (chmod 644). Perhaps ISPConfig runs a world-executable script to write into virtusertable? I appreciate your effort to make ISPConfig secure. A very important aspect to me.

ISPConfig runs a daemon script for the tasks that has to be done as root user. This is independant from the web interface.

Yes, it does allow 'root' user to do manual (and quick) creations of mail users. But wouldn't I also need to tell ISPConfig's backend about it as well? That's my problem, what I do as 'root', ISPConfig ignores and goes back to its own not-so-updated records.
As I said ISPConfig reads from its MySQL database so it can't know about your changes.



Hmm. It seems that I can login with "web3_myuser", but not "myuser@mydomain.com". Is this a problem with ISPConfig or with Postfix? The virtusertable file contains the mapping from "myuser@mydomain.com" to "web3_myuser".Where do you log in? Which application?

Where do you log in? Which application?
SquirrelMail.

Can you confirm that SquirrelMail or Thunderbird or any other mail client WILL NOT be allowed to login as "myuser@mydomain.com" instead of (or in addtion to) "web3_myuser"? That is, the way ISPConfig manages Postfix and Courier-IMAP, mail users will be forced to login with a system account rather than an email address. I need to make a decision and proceed with some server installation tasks. Thanks!

It s not a question if a program will be alowed to use the email address as username or not. The username is not the email address and @ signs are not allowed in linux systemuser names. For authentication you will have to use the username and password.

ISPConfig creates system users like web1_user1, therefore you must use these usernames in any email application. The only exception is the webmail package from ispconfig.org where you can use the emaiul address, because the email address is then looked up in the ISPConfig database and mapped to the real username.

Till: It s not a question if a program will be alowed to use the email address as username or not.

Actually, it is. A control panel (like ISPConfig) may use a Courier-like virtual mailuser system (userdb.dat format). I am using such a control panel right now (Zervex DSM). In such a case, this control panel works with virtual mailusers, and will allow logins of "myuser@mydomain.com" rather than (or even IN ADDITION TO) "myuser" (still not a system account, just that default Courier domain is set to "@mydomain.com").

Any intention to support Courier's userdb.dat format for virtual mailusers? ISPConfig is already using Courier-IMAP. No reason it shouldn't support Courier's userdb.dat as well?

Falko: ISPConfig creates system users like web1_user1, therefore you must use these usernames in any email application.

Alright. Which means a single machine cannot support more than one email domain. Ie, we can't have "myuser@mydomain.com" and "myuser@otherdomain.com" on the same machine, since both accounts would want to use system user "myuser". (More on prefix "web1_" below).

About the prefix "web1_", can I remove that? Is there a setting in ISPConfig to do this?

Falko: The only exception is the webmail package from ispconfig.org

You mean UebiMiau Webmail?

Falko: because the email address is then looked up in the ISPConfig database and mapped to the real username

Seems a strange "workaround". Courier's userdb (authlib?) is already on the system that comes installed with ISPConfig. That should be where ISPConfig gets its virtual mailuser functionality. By "twisting the arm" of the webmail client to support ISPConfig's very own database structure for virtual mailusers, you're making UebiMiau Webmail work ONLY with ISPConfig. There are possibly hundreds of email clients out there. Seems a very inefficient strategy to get all of them to support ISPConfig's form of "virtual mailusers", when ISPConfig's core Courier already supports virtual mailusers inherently.

Any intention to support Courier's userdb.dat format for virtual mailusers? ISPConfig is already using Courier-IMAP. No reason it shouldn't support Courier's userdb.dat as well?

In ISPConfig 3.

Alright. Which means a single machine cannot support more than one email domain. Ie, we can't have "myuser@mydomain.com" and "myuser@otherdomain.com" on the same machine, since both accounts would want to use system user "myuser". (More on prefix "web1_" below).

Thats completely wrong. The email address is independant from the username. You can have as many tom@anydomain.com in ISPConfig as you have domains.

About the prefix "web1_", can I remove that? Is there a setting in ISPConfig to do this?

Yes. Management > server > settings on the options tab.

Seems a strange "workaround". Courier's userdb (authlib?) is already on the system that comes installed with ISPConfig. That should be where ISPConfig gets its virtual mailuser functionality. By "twisting the arm" of the webmail client to support ISPConfig's very own database structure for virtual mailusers, you're making UebiMiau Webmail work ONLY with ISPConfig. There are possibly hundreds of email clients out there. Seems a very inefficient strategy to get all of them to support ISPConfig's form of "virtual mailusers", when ISPConfig's core Courier already supports virtual mailusers inherently.

1) You have forgotten that we support a bit more programs then just courier and courier does not come installed with ISPConfig.

2) Every mailclient works fine with ISPConfig. I'am using for example squirrelmail. UebiMiau is the defualt mailclient, bcause it is one of the few clients that work with pop3 as well as with imap and some ISP's wont provide Imap for their customers.

About the prefix "web1_", can I remove that? Is there a setting in ISPConfig to do this?

You can remove it, but you should have a look here to learn why it's not a good idea: http://www.howtoforge.com/forums/showthread.php?t=2677

Falko:You can remove it, but you should have a look here to learn why it's not a good idea

I read 5 minutes into that thread, but didn't completely understand how it relates to my case. But I'm guessing you're saying I will potentially encounter problems if I have 2 mailusers "myuser@mydomain.com" and "myuser@otherdomain.com", and both are using the same system account "myuser". Am I right? But then, ISPConfig wouldn't allow me to create 2 accounts with the same system account in the 1st place, so this problem is "checked and prevented".

Till:In ISPConfig 3
Oh, so the rumors are true. :) I'm sticking with ISPConfig then.

Till:Thats completely wrong. The email address is independant from the username. You can have as many tom@anydomain.com in ISPConfig as you have domains.
First, consider that the average mailuser would want a login ID of either "myuser@domain.com" or simply "myuser". Courier's userdb format allows this, with the 2nd case possible when you set a default email domain of "@mydomain.com" so that Courier appends that to any login ID missing the "@" sign.

Next, consider telling a new mailuser that he has to log in with "web1_andy" instead of "andy@mydomain.com" or simply "andy". He asks "why"? Then you say "because someone else has taken "andy@some-other-domain.com".

Now, consider the fact that many of us would want to install multiple email domains (at least multiple domains, usually) on a single machine. Why? Cost-effective. With multiple domains "mydomain1.com" to "mydomain100.com", we'd get a high chance of "namespace collision". There could be many "andy"s around.

As Falko had pointed out, removing the prefix "web1_" from the system account login ID is not a good idea. The limitation is obvious.

Fortunately, I serve a group of people who are willing to bend over backwards for this limitation; they also don't have "namespace collision"... yet. Also, given that you support virtual users (Courier userdb format?) in ISPConfig 3, I'm more than willing to stay with ISPConfig til then.

Till:Yes. Management > server > settings on the options tab.
Actually, it's Management > System Config > Settings on the "ISP Manager" tab. Thanks.

Till:1) You have forgotten that we support a bit more programs then just courier and courier does not come installed with ISPConfig.
I know what you're going through as an opensource team. This thread is really more for the benefit of my boss. :) I'm working on a "somewhat opensource basis" too. We don't always get to hire the best help available. And I often end up overworking on all spectrums of the tasks at hand.

Till:2) Every mailclient works fine with ISPConfig. I'am using for example squirrelmail.
Which works with IMAP, me too. The only problem is, I have multiple email domains on one machine. See above for explanation.

Till:UebiMiau is the defualt mailclient, bcause it is one of the few clients that work with pop3 as well as with imap and some ISP's wont provide Imap for their customers.
True that some ISPs won't provide IMAP. I'll definitely keep UebiMiau in mind. Thanks.