gatorparrots
With the proliferation of mail server installation instructions here and elsewhere (postfix, sendmail, or otherwise) for Mac OS X/Darwin, tools for the server admin seem to be more and more necessary. This post aims to make administration of mail users just a little bit easier.
The attached file contains two shell scripts (substantially derived from testuser's FTP-only account scripts*):
addmailuser
delmailuser
These scripts create and delete mail-only accounts. While not strictly "mail-only", they are called 'mail-only' users because these accounts are highly restricted, effectively limiting what these users can do on your Mac OS X/Darwin system. User accounts added with these scripts:
* do not appear in the login window
* cannot access your Mac via ssh
* cannot access your Mac via ftp
* cannot login to the Terminal
* are only granted write access to other users' drop boxes via AppleTalk
* will not have a home directory in the /Users directory tree
As testuser pointed out in his thread, such scripts provide a rapid way to add new mail user accounts via the command line. For example:
To add two new mail accounts, stevewoz and sjobs:
addmailuser stevewoz sjobs
To add 100 user names contained in the text file "users.txt":
addmailuser `cat users.txt`
Note: backquotes (`), not apostrophes (')
As is, the scripts do the following:
* create a new user account
* set the user's shell to /dev/null to eliminate the ability to login via the Terminal
* add an entry to the /etc/ftpusers file to disallow ftp access
* set the user's home directory to /dev/null to constrain them to the UNIX black hole
Due to their lengthy nature, I will not include the entire text of the scripts in this post. Instead, they are attached as a downloadable file. The following are instructions on how to install these scripts:
1) Rename the downloaded file from "attachment.php" back to "mailaccounts.zip" (this is necessary due to a bug in the forum software).
2) Decompress it with StuffIt Expander.
3) If you don't already have a binary executable directory, create one:
mkdir ~/bin
chmod 700 ~/bin
4) Move the addmailuser and delmailuser files into your "bin" directory (/Users/username/bin).
5) Make these files executable:
chmod 760 ~/bin/*mailuser
6) Optional: edit the addmailuser and/or delmailuser scripts to customize them to meet your particular requirements, especially with regard to ssh:
pico ~/bin/addmailuser
Step 6 is optional, but may be necessary for this important reason: the scripts were authored with a particular SSH configuration in mind. If your setup is different, you should edit the scripts and uncomment the sections pertaining to sshd. Briefly, I prefer to strictly enumerate SSH access to my server in my sshd_config file under the 'AllowUsers' section. For my server, I only have two users listed: myself and a trusted UNIX guru friend of mine who is unfamiliar yet curious about Mac OS X/Darwin. I don't want to allow any other user on the system to login via SSH. The 'AllowUsers' entry in the config file will supersede a 'DenyUsers' section, making it unnecessary to strictly enumerate denial entries for the users added by this script. In other words: only those users named after 'AllowUsers' have ssh access, so it is unnecessary to add anything to 'DenyUsers'. Your choice will depend on your server paradigm: a permissive server that has more ssh users than not should make use of 'DenyUsers' (and therefore a change would be in order to the scripts); a restrictive server that has few ssh users should make use of 'AllowUsers' (and therefore can use the scripts as provided, without modification).
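Since the scripts themselves are only attached, here is an added audit helper (my addition, not gatorparrots' or testuser's code) that verifies the restrictions the post lists for an account and applies the AllowUsers/DenyUsers reasoning above. It reads passwd-style, ftpusers and sshd_config text passed as arguments so it runs against the constructed samples shown; the assumption that `nidump passwd .` produces equivalent passwd-style lines from NetInfo on Mac OS X of that era is mine.

```shell
#!/bin/sh
# Added audit helper, not part of the original post or its attached scripts.
# Checks that an account carries the restrictions the post lists, reading
# passwd-style, ftpusers and sshd_config text passed in as arguments so it can
# run against the constructed samples below (assumed: `nidump passwd .` gives
# the same passwd-style lines from NetInfo).

# has_word KEYWORD USER CONFIG_TEXT: true if a line "KEYWORD ... USER ..." exists
# (exact keyword case, plain names only; sshd's pattern syntax is not handled).
has_word() {
  printf '%s\n' "$3" | awk -v k="$1" -v u="$2" \
    '$1==k { for (i=2;i<=NF;i++) if ($i==u) found=1 } END { exit !found }'
}

# ssh_allowed USER SSHD_CONFIG_TEXT: prints yes or no, following the post's
# reasoning: a DenyUsers match denies; once AllowUsers is present, anyone
# not listed is denied, so DenyUsers entries for mail-only users are redundant.
ssh_allowed() {
  if has_word DenyUsers "$1" "$2"; then echo no; return; fi
  if printf '%s\n' "$2" | awk '$1=="AllowUsers" { f=1 } END { exit !f }'; then
    if has_word AllowUsers "$1" "$2"; then echo yes; else echo no; fi
    return
  fi
  echo yes
}

# mail_only_ok USER PASSWD_TEXT FTPUSERS_TEXT: returns 0 when the account has
# shell /dev/null, no home under /Users, and an /etc/ftpusers entry.
mail_only_ok() {
  entry=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1==u')
  [ -n "$entry" ] || { echo "$1: no such account"; return 1; }
  home=$(printf '%s\n' "$entry" | cut -d: -f6)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  rc=0
  [ "$shell" = /dev/null ] || { echo "$1: login shell is $shell"; rc=1; }
  case $home in /Users/*) echo "$1: home is under /Users ($home)"; rc=1 ;; esac
  printf '%s\n' "$3" | grep -qx "$1" || { echo "$1: not listed in ftpusers"; rc=1; }
  return $rc
}

# Constructed sample data (not from a real system).
PASSWD='gator:*:501:20:Gator:/Users/gator:/bin/tcsh
stevewoz:*:502:20:stevewoz:/dev/null:/dev/null
sjobs:*:503:20:sjobs:/Users/sjobs:/bin/tcsh'
FTPUSERS='root
stevewoz'
SSHD='AllowUsers gator unixguru'
mail_only_ok stevewoz "$PASSWD" "$FTPUSERS" && echo "stevewoz: restrictions hold"
mail_only_ok sjobs "$PASSWD" "$FTPUSERS" || echo "sjobs: NOT mail-only"
echo "ssh for stevewoz: $(ssh_allowed stevewoz "$SSHD")"   # no
```

On a live system, feed it `nidump passwd .`, `/etc/ftpusers` and `/etc/sshd_config` for each account the scripts created.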
*A great debt is owed to testuser in the creation of these scripts. They borrow heavily from his FTP-only accounts scripts; as such I make no claim about their originality. My only goal is that it would benefit the community. Enjoy.