Restrict some local Linux users to not be able to do anything on the machine

Question

Long story short, I'm setting up a Dovecot mail server. Originally, I intended to use virtual users for the IMAP/POP3 authentication - basically making Dovecot look its own users up in a separate passwd file, meaning that our mail users would not be able to access the machine itself. That is preferable but turned out to be quite a pain to manage. That is troublesome, because one of the requirements I was given is a simple administration and anything beyond adduser isn't considered simple.

So, I started looking into another way of authenticating users in Dovecot and that is using Linux's own PAM. A mail user is looked up in the machine's own /etc/passwd database and authenticated against the /etc/shadow password hash automatically. This would also mean that users would be addable, modifiable and removable using Linux's default suit of tools for this job.

That would be perfectly simple to manage, except I need to make it also secure. I would like to completely restrict the mail users' access to the mail server itself. Don't allow them to login through SSH, don't allow them to login locally. They wouldn't need a home directory either, as mails are stored in a separate location. The size of the company would mean about 30 extra mail users and safe to say, I do not trust them with their passwords - they're going to be reused, they're going to get leaked. If I go down this path, I need to secure the server against it.

This is my idea of what to do so far:

1. Create a single normal, non-root user for administration (and SSH login) with a home directory, etc., name them administrator, for example.
2. In /etc/ssh/sshd_config set AllowUsers administrator to disallow everyone else from attempting to log in over SSH.
3. Add a mail user group addgroup mailusers.
4. Create new mail users using adduser --shell /sbin/nologin --no-create-home --ingroup mailusers (and possibly alias this to a command like addmailuser for easy usage).

Now my questions are:

1. Is using PAM authentication an acceptable practice in general?
2. Are the precautions I outlined sufficient?
3. And if they aren't, is the list of things I forgot exhaustive or is there too much potential for future issues I'm better off just abandoning this approach and opting for some other solution?