0

I set the Postfix so that my mailboxes (maildir format) for my virtual users are set like this:

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/
total 4
drwxr-sr-x 5 postfix postfix 4096 Dec  2 12:27 pistam.eu

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/domain.eu/
total 12
drwx--S--- 5 postfix postfix 4096 Dec  2 12:10 user_1
drwx--S--- 5 postfix postfix 4096 Dec  1 22:35 user_2

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/domain.eu/user_1/
total 12
drwx--S--- 2 postfix postfix 4096 Dec  2 12:27 cur
drwx--S--- 2 postfix postfix 4096 Dec 13 15:17 new
drwx--S--- 2 postfix postfix 4096 Dec 13 15:17 tmp

Now I am setting up Dovecot server (IMAPS/SASL) and I want to use one system user that will manage all the mailboxes for all the Postfix virtual users. I saw many articles where administrators create user vmail like e.g.:

# useradd -r -m -d /home/vmail vmail

and they use it as the default Dovecot user by setting these two lines in /etc/dovecot/conf.d/10-master.conf:

mail_access_groups = vmail
default_login_user = vmail

But in my case group postfix has "setuid" bit which means that these folders will always be manipulated by user postfix.

So what is the point in creating user vmail? Why not just using user postfix for Dovecot to do that instead? Are there any risks doing this? There are also these two users that Dovecot installation procedure created:

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> cat /etc/passwd | grep dove
dovecot:x:112:118:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:113:119:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin

Why not use one of those? There are also these two hints in the configuration file /etc/dovecot/conf.d/10-master.conf:

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
71GA
  • 363
  • 1
  • 3
  • 10

1 Answers1

2

It's the principle of separation of concerns, which here has security benefits.

After you give the responsibility to deliver mail to dovecot, it is no longer the responsibility of postfix, so postfix does not need that access.

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • I understand. So should I create a new user `vmail` or should I use e.g. `dovenull` that is already on the system? – 71GA Dec 14 '20 at 21:23
  • @71GA Absolutely not! Don't do anything with the dovenull user. That is another separation of concerns security issue; it processes user logins. See the docs for an [explanation of Dovecot system users](https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/). – Michael Hampton Dec 15 '20 at 01:01
  • Oh thank you! I overlooked this documentation! So I will create a new user. – 71GA Dec 15 '20 at 07:16