I'm trying to understand the correct approach to support email via Postfix/Dovecot for both network-authenticated users and various network services such as Gitlab.
My network-authentication server is Ubuntu 22.04, using OpenLDAP and Kerberos. My network-authenticated users all inherit from the `posixAccount` and `PostfixBookMailAccount` object classes, while my service accounts only inherit from the latter. This is an attempt to only allow login on various machines from my users but not service accounts, but to support email for both.
I've tried configuring Dovecot to use the `pam` driver, which has worked for user email, but Gitlab didn't work. I modified the PAM configurations (which all utilized Kerberos but not LDAP) by adding LDAP ahead of Kerberos. This included configuring PAM LDAP to search based on `mailEnabled` instead of `posixAccount` for user lookup, but something may be off as it still worked for users but not services.
I also tried configuring Dovecot to use the `ldap` driver and similarly search for `mailEnabled`, but something is also off as it did not work for any account.
It seems I could potentially capitulate and just make user accounts for services like Gitlab but this tickles my security paranoia.
Before spinning my wheels too much further or going in the wrong direction, I would first like to understand if it makes sense to distinguish these two email sources or if I'm just overthinking it. If I should distinguish them, can someone point me to reference materials that outline this approach, or provide some pointers on what considerations to make when configuring Postfix/Dovecot? So far I have no combination that suits both account types. My web searching has not turned up anything on what approach to take, and therefore no relevant material.
My `10-auth.conf` contains:

```
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
```
where the keytab was populated with `imap`, `nslcd`, and `smtp` principals.
When configured for PAM, my `auth-network.conf.ext` looks like:

```
passdb {
  driver = pam
}
userdb {
  driver = passwd
  args = uid=vmail gid=vmail home=/srv/vmail/%u mail=maildir:/srv/vmail/%u/Maildir
}
```
and when configured for LDAP it's:

```
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
```
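The split the question describes (host login gated on `posixAccount`, mail gated on `PostfixBookMailAccount`) can be expressed directly in the Dovecot LDAP driver's filters, so that the mail stack never needs a POSIX identity and host login never needs a mail attribute. The following `dovecot-ldap.conf.ext` is an added example, not taken from the question or from the Dovecot project; the base DN, bind DN, host name and the `mailEnabled=TRUE` convention are assumptions, and the static `userdb_*` values mirror the `vmail` layout already used in the `passwd` userdb above.

```conf
# /etc/dovecot/dovecot-ldap.conf.ext  (added example; all DNs/hosts are assumed placeholders)

# Assumed LDAP server; use ldaps:// or tls = yes so bind passwords never cross the wire in clear.
uris = ldaps://ldap.example.internal
ldap_version = 3

# Read-only search account used only to locate the entry and read mail attributes.
# Grant it nothing beyond read on the PostfixBookMailAccount attributes it needs.
dn = cn=dovecot,ou=services,dc=example,dc=internal
dnpass = PLACEHOLDER_BIND_PASSWORD

# Verify the password by binding as the located entry instead of reading userPassword.
# auth_bind_userdn is deliberately NOT set: with it, pass_filter and pass_attrs are ignored.
auth_bind = yes

base = dc=example,dc=internal
scope = subtree

# Mail authentication: only requires the mail object class and an enabled mailbox.
# posixAccount is intentionally absent, so a service account (Gitlab) matches here
# while it still cannot log in on hosts whose nslcd/PAM filter requires posixAccount.
pass_filter = (&(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)(mail=%u))

# Fields returned from the passdb lookup; the userdb_ prefix feeds the prefetch userdb
# so the second userdb { driver = ldap } is only consulted by non-login paths (e.g. LDA/LMTP).
pass_attrs = mail=user, \
  =userdb_uid=vmail, \
  =userdb_gid=vmail, \
  =userdb_home=/srv/vmail/%u, \
  =userdb_mail=maildir:/srv/vmail/%u/Maildir

# Same gate for the userdb lookup (delivery, doveadm), with the same static vmail layout.
user_filter = (&(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)(mail=%u))
user_attrs = =uid=vmail, \
  =gid=vmail, \
  =home=/srv/vmail/%u, \
  =mail=maildir:/srv/vmail/%u/Maildir
```

With this in place the check for each account type is `doveadm auth test <address>` (a real Dovecot command) for a user and for the Gitlab account; both should pass the passdb step, and `doveadm user <address>` should show the static `vmail` fields for both. The host-login side stays separate: keep the nslcd `filter passwd (objectClass=posixAccount)` (and, if you use it, `pam_authz_search`) so that an entry carrying only `PostfixBookMailAccount` is invisible to the host's NSS/PAM even though it authenticates to Dovecot. Note that `%u` is the full login name; if users authenticate with a bare username rather than an address, match on `uid=%n` or a `mailAlias` attribute instead, and that GSSAPI logins bypass the password bind entirely but still pass through `pass_filter`, so the `mailEnabled` gate applies to Kerberos users too.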