I have a solution to my problem.
For reference, I am putting it here :
I recall that my issue is that postfix authorises login with root
(or other users), even though authentication is delegated to
dovecot, and the documentation about {first,last}_valid_{g,u}id
seems to say that is should not be possible (and that
authentication to dovecot with root is also forbidden in a
hardcoded way).
I thank Mr. Ardley to have pointed out that dovecot delegates the
authentication to PAM.
What actually happens (in my case at least) is that dovecot
questions PAM about a specific authentication attempt, and
receives PAM's answer. Then, *and only for itself*, it applies its
own restrictions regarding root login and
{first,last}_valid_{g,u}id. When it authenticates on behalf of
postfix, it notifies postfix of success directly.
So the semantic of {first,last}_valid_{g,u}id should be understood
for dovecot only, not for other processes that have delegated
authentication to dovecot, which answers my first question.
Then, on how to effectively restrict postfix submission login
based on uids, the simple solution not involving virtual users is
to set these conditions in PAM directly.
The conditions that dovecot must match in order to succeed
authentication with PAM are in the file /etc/pam.d/dovecot (at
least on Debian) :
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
A simple way to restrict login based on uids is to modify the file
as such :
#%PAM-1.0
auth required pam_succeed_if.so uid > 500 quiet
@include common-auth
@include common-account
@include common-session
Now, in order for dovecot (and *for every process it authenticates
on behalf of* as well, which is what matters) to succeed
authentication, the uid will have to be greater than 500. It is
possible to specify other conditions as well, see
https://linux.die.net/man/8/pam_succeed_if.
Best regards to everyone,
Aymeric
