[Slackbuilds-users] UID/GID for another Dovecot case
Slacker
slacker at slaphappygeeks.com
Sun Feb 15 23:42:46 UTC 2015
On 02/14/2015 09:08 PM, Thomas Szteliga wrote:
> On 02/15/2015 03:36 AM, Rob McGee wrote:
>> I never have understood why so many small-time users want to have
>> "virtual mail accounts." What is the appeal? "Gee whiz, all I do
>> when I add a domain is enter it in mysql." Well, uh, how often do
>> you add domains? I can see it if you're a large scale hosting
>> provider. Why is that so good if you're not?
>> In the small-timer case, delivery to system accounts is far more
>> powerful and flexible. You can keep all your mail in your $HOME;
>> you're able to run commands on certain incoming mail; you have many
>> more options for storing and sorting mail.
>
>
> I was running multiple Dovecot/Postfix instances for years, and
> I had the biggest problems with upgrading/migration etc. with
> system accounts. With virtual vmail accounts moving configs with
> e-mail storage among servers is much easier, so now I'm using
> vmail everywhere.
I have not run these myself before, but the migration and future
management requirements were what led me to it.
>
>
>> Furthermore, it's considerably less secure to have all mail under a
>> single UID/GID, as most of these virtual/mysql howtos seem to
>> advocate. A compromise of that user means all mail is at risk.
>> With system users, each recipient has her own UID, and compromises
>> are limited.
>
>
> Yes, but you already said "small-time users", so probably one-two
> domains, one owner, a single company etc. You can use multiple vmail
> users/groups (vmail1, vmail2) to separate customers.
> And when we're already in the subject of security, I would not
> give users access to their home dirs on an MTA.
> I would run an MTA in a separated vmachine instead of running
> multiple services on the same machine. And that's what I'm doing :-)
Yes, that is very close to my own case - access to the machine will be
strictly limited.
>
>
>> (Actually that can be done with virtual also; both Postfix and
>> Dovecot support map lookups for the UID & GID. But few howtos -- if
>> any? I don't think I have seen one -- show how this is done.)
>> So my concern here is twofold: one, it promotes "virtual mail" to
>> users who should not be using it; and two, it promotes the less
>> secure means of doing it, under a single UID/GID.
>
>
> As I already stated in this thread, I don't think that
> defining a vmail user/group in http://slackbuilds.org/uid_gid.txt
> is a good idea. IMO it's a bad idea and an unnecessary step :-)
> And uid 303 is really bad, because almost all howtos suggest 5000.
OK, I realize the lower uid/gids are generally reserved for daemon
processes, and there are a limited number of them... but really, it is
still just a number - there isn't actually anything "special" about
numbers in that range is there?
I am not arguing it, I want to understand it better - why is it such a
really bad idea?
Thanks
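Rob's point that both Postfix and Dovecot can look up a per-recipient UID and GID (so a single compromised mailbox user does not expose every mailbox on the server) is something the thread says howtos rarely show. The following is an added illustration, not configuration from anyone in this thread or from the slackbuilds.org project. It assumes a single constructed domain (example.com), two constructed recipients, a mail root of /var/vmail, and UIDs starting at 5001; the password hashes are placeholders and the UID/GID numbers are arbitrary choices made for the example.

```conf
# --- /etc/postfix/main.cf (fragment) ---
# Virtual domains whose mailboxes live under /var/vmail.
virtual_mailbox_domains = example.com
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
# Per-recipient ownership instead of one shared vmail UID/GID.
# Each map is keyed by recipient address; run "postmap" after editing.
virtual_uid_maps = hash:/etc/postfix/vuid
virtual_gid_maps = hash:/etc/postfix/vgid
# Refuse to deliver as any UID below this, as a guard against map mistakes.
virtual_minimum_uid = 5000

# --- /etc/postfix/vmailbox --- (trailing slash selects Maildir format)
alice@example.com   example.com/alice/Maildir/
bob@example.com     example.com/bob/Maildir/

# --- /etc/postfix/vuid --- (constructed UIDs; one per recipient)
alice@example.com   5001
bob@example.com     5002

# --- /etc/postfix/vgid --- (constructed GIDs; one per recipient)
alice@example.com   5001
bob@example.com     5002

# --- /etc/dovecot/conf.d/auth-passwdfile.conf.ext (fragment) ---
# passwd-file serves as both the password database and the user database,
# so the uid/gid columns in the file decide which identity Dovecot drops to
# before touching that user's mailbox.
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}

# --- /etc/dovecot/conf.d/10-mail.conf (fragment) ---
mail_location = maildir:~/Maildir
# Defence in depth: Dovecot refuses to use a UID below this even if a
# userdb entry says otherwise.
first_valid_uid = 5000

# --- /etc/dovecot/users ---
# Format: user:password:uid:gid:(gecos):home:(shell):extra_fields
# Password hashes are placeholders; generate real ones with "doveadm pw -s SHA512-CRYPT".
alice@example.com:{SHA512-CRYPT}PLACEHOLDER_HASH:5001:5001::/var/vmail/example.com/alice::
bob@example.com:{SHA512-CRYPT}PLACEHOLDER_HASH:5002:5002::/var/vmail/example.com/bob::
```

With this layout each mailbox directory is owned by its own UID/GID (create them with matching ownership and mode 0700), so the Postfix virtual delivery agent and Dovecot's IMAP/LMTP processes each run as that one user while handling that one mailbox. The thread's alternative, a single shared UID such as 5000 or 303, is what you get if every line in vuid, vgid and the Dovecot users file carries the same number; the per-recipient numbers are the only thing that changes. Dovecot's `first_valid_uid` and Postfix's `virtual_minimum_uid` are the checks worth keeping in either case, since a typo in a map that yields a low UID would otherwise hand mail delivery to a system account.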