[Slackbuilds-users] UID/GID for another Dovecot case

Slacker slacker at slaphappygeeks.com
Sun Feb 15 23:42:46 UTC 2015 


On 02/14/2015 09:08 PM, Thomas Szteliga wrote:
> On 02/15/2015 03:36 AM, Rob McGee wrote:
>> I never have understood why so many small-time users want to have
>> "virtual mail accounts."  What is the appeal?  "Gee whiz, all I do
>> when I add a domain is enter it in mysql."  Well, uh, how often do
>> you add domains?  I can see it if you're a large scale hosting
>> provider.  Why is that so good if you're not?
>> In the small-timer case, delivery to system accounts is far more
>> powerful and flexible.  You can keep all your mail in your $HOME;
>> you're able to run commands on certain incoming mail; you have many
>> more options for storing and sorting mail.
>
>
> I was running multiple Dovecot/Postfix instances for years, and
> I had the biggest problems with upgrading/migration etc. with
> system accounts. With virtual vmail accounts moving configs with
> e-mail storage among servers is much easier, so now I'm using
> vmail everywhere.

I have not run these myself before, but the migration and future 
management requirements were what led me to it.

>
>
>> Furthermore, it's considerably less secure to have all mail under a
>> single UID/GID, as most of these virtual/mysql howtos seem to
>> advocate.  A compromise of that user means all mail is at risk.
>> With system users, each recipient has her own UID, and compromises
>> are limited.
>
>
> Yes, but You already said "small-time users", so probably one-two
> domains, one owner, a single company etc. You can use multiple vmail
> users/groups (vmail1, vmail2) to separate customers.
> And when we're already in the subject of security, I would not
> give users access to their home dirs on an MTA.
> I would run an MTA in a separated vmachine instead of running
> multiple services on the same machine. And that's what I'm doing :-)

Yes, that is very close to my own case - access to the machine will be 
strictly limited.

>
>
>> (Actually that can be done with virtual also; both Postfix and
>> Dovecot support map lookups for the UID & GID.  But few howtos -- if
>> any?  I don't think I have seen one -- show how this is done.)
>> So my concern here is twofold: one, it promotes "virtual mail" to
>> users who should not be using it; and two, it promotes the less
>> secure means of doing it, under a single UID/GID.
>
>
> As I already stated in this thread, I don't think that
> defining a vmail user/group in http://slackbuilds.org/uid_gid.txt
> is a good idea. IMO it's a bad idea and an unnecessary step :-)
> And uid 303 is really bad, because almost all howtos suggest 5000.

OK, I realize the lower uid/gids are generally reserved for daemon 
processes, and there are a limited number of them... but really, it is 
still just a number - there isn't actually anything "special" about 
numbers in that range is there?

I am not arguing it, I want to understand it better - why is it such a 
really bad idea?

Thanks

>
>
>
>
> _______________________________________________
> SlackBuilds-users mailing list
> SlackBuilds-users at slackbuilds.org
> http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
> Archives - http://lists.slackbuilds.org/pipermail/slackbuilds-users/
> FAQ - http://slackbuilds.org/faq/
>

More information about the SlackBuilds-users mailing list