I set the Postfix so that my mailboxes (maildir format) for my virtual users are set like this:
┌───┐
│ # │ root > myserver > ~
└─┬─┘
└─> ls -l /var/mail/
total 4
drwxr-sr-x 5 postfix postfix 4096 Dec 2 12:27 pistam.eu
┌───┐
│ # │ root > myserver > ~
└─┬─┘
└─> ls -l /var/mail/domain.eu/
total 12
drwx--S--- 5 postfix postfix 4096 Dec 2 12:10 user_1
drwx--S--- 5 postfix postfix 4096 Dec 1 22:35 user_2
┌───┐
│ # │ root > myserver > ~
└─┬─┘
└─> ls -l /var/mail/domain.eu/user_1/
total 12
drwx--S--- 2 postfix postfix 4096 Dec 2 12:27 cur
drwx--S--- 2 postfix postfix 4096 Dec 13 15:17 new
drwx--S--- 2 postfix postfix 4096 Dec 13 15:17 tmp
Now I am setting up Dovecot server (IMAPS/SASL) and I want to use one system user that will manage all the mailboxes for all the Postfix virtual users. I saw many articles where administrators create user vmail
like e.g.:
# useradd -r -m -d /home/vmail vmail
and they use it as the default Dovecot user by setting these two lines in /etc/dovecot/conf.d/10-master.conf
:
mail_access_groups = vmail
default_login_user = vmail
But in my case group postfix
has "setuid" bit which means that these folders will always be manipulated by user postfix
.
So what is the point in creating user vmail
? Why not just using user postfix
for Dovecot to do that instead? Are there any risks doing this? There are also these two users that Dovecot installation procedure created:
┌───┐
│ # │ root > myserver > ~
└─┬─┘
└─> cat /etc/passwd | grep dove
dovecot:x:112:118:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:113:119:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
Why not use one of those? There are also these two hints in the configuration file /etc/dovecot/conf.d/10-master.conf
:
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
It's the principle of separation of concerns, which here has security benefits.
After you give the responsibility to deliver mail to dovecot, it is no longer the responsibility of postfix, so postfix does not need that access.