[Slackbuilds-users] UID/GID for another Dovecot case

Thomas Szteliga ts at websafe.pl
Sun Feb 15 04:08:06 UTC 2015 

On 02/15/2015 03:36 AM, Rob McGee wrote:
> I never have understood why so many small-time users want to have 
> "virtual mail accounts."  What is the appeal?  "Gee whiz, all I do 
> when I add a domain is enter it in mysql."  Well, uh, how often do 
> you add domains?  I can see it if you're a large scale hosting 
> provider.  Why is that so good if you're not?
> In the small-timer case, delivery to system accounts is far more 
> powerful and flexible.  You can keep all your mail in your $HOME; 
> you're able to run commands on certain incoming mail; you have many 
> more options for storing and sorting mail.


I was running multiple Dovecot/Postfix instances for years, and
I had the biggest problems with upgrading/migration etc. with
system accounts. With virtual vmail accounts moving configs with
e-mail storage among servers is much easier, so now I'm using
vmail everywhere.


> Furthermore, it's considerably less secure to have all mail under a 
> single UID/GID, as most of these virtual/mysql howtos seem to 
> advocate.  A compromise of that user means all mail is at risk.  
> With system users, each recipient has her own UID, and compromises 
> are limited.


Yes, but You already said "small-time users", so probably one-two
domains, one owner, a single company etc. You can use multiple vmail
users/groups (vmail1, vmail2) to separate customers.
And when we're already in the subject of security, I would not
give users access to their home dirs on an MTA.
I would run an MTA in a separated vmachine instead of running
multiple services on the same machine. And that's what I'm doing :-)


> (Actually that can be done with virtual also; both Postfix and 
> Dovecot support map lookups for the UID & GID.  But few howtos -- if 
> any?  I don't think I have seen one -- show how this is done.)
> So my concern here is twofold: one, it promotes "virtual mail" to 
> users who should not be using it; and two, it promotes the less 
> secure means of doing it, under a single UID/GID.


As I already stated in this thread, I don't think that
defining a vmail user/group in http://slackbuilds.org/uid_gid.txt
is a good idea. IMO it's a bad idea and an unnecessary step :-)
And uid 303 is really bad, because almost all howtos suggest 5000.


-- 
Thomas Szteliga


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3692 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20150215/841442d8/attachment.p7s>

More information about the SlackBuilds-users mailing list