I often see tutorials for setting up Postfix with the virtual mailbox delivery agent on Linux that instruct you to create a new disabled-login user and group to own virtual mailboxes in /home/example_username. This, of course, makes sense and is a viable option.
In the virtual mailbox example in the Postfix documentation he uses the following settings, but does not discuss what, if any, user(s) have been created:
http://www.postfix.org/VIRTUAL_README.html#virtual_mailbox
/etc/postfix/main.cf
virtual_mailbox_base = /var/mail/vhosts
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
Debian, by default, includes a mail user and group, uid 8 and gid 8, with home directory /var/mail. Is there any reason not to use this user and group to own the virtual mailboxes? Perhaps adjusting the above example as follows. I know the point of the virtual_minimum_uid is to be a safety mechanism to prevent mail being written to sensitive files, but if the uid and gid are defined as static entries, is there any danger in using this setup?
/etc/postfix/main.cf
virtual_mailbox_base = /var/mail/vhosts
virtual_minimum_uid = 8
virtual_uid_maps = static:8
virtual_gid_maps = static:8
Yes, there are good reasons why Debian does not use uid 8 and gid 8 for Postfix.
You could install other binaries which use those groups, and this could theoretically result in security problems, especially if they run suid mail.
Postfix should use its own gid and uid for security reasons, period.
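As an added example (not part of the original question or answer), a shell check for the concern the answer raises: it reads the static uid/gid from main.cf, shows which existing accounts they map to, and can list setuid/setgid files already owned by those ids. The function names and the floor of 100 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and FLOOR are assumptions.

# static_id MAIN_CF PARAM: print N from "PARAM = static:N" (last definition wins).
static_id() {
    awk -F= -v p="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == p { id = $2; gsub(/[ \t]/, "", id)
                   if (id !~ /^static:[0-9]+$/) id = ""
                   sub(/^static:/, "", id) }
        END { if (id != "") print id }' "$1"
}

# names_for_id FILE ID FIELD: comma-joined names from a passwd- or group-format
# FILE whose numeric FIELD equals ID (field 3 is the uid in passwd, gid in group).
names_for_id() {
    awk -F: -v id="$2" -v f="$3" '
        $f == id { out = out (out == "" ? "" : ",") $1 }
        END { print out }' "$1"
}

# setid_files DIR UID GID: setuid files owned by UID and setgid files owned by GID,
# i.e. other programs that already run with the mailbox owner's identity.
setid_files() {
    find "$1" -xdev -type f \( \( -user "$2" -perm -4000 \) -o \
        \( -group "$3" -perm -2000 \) \) 2>/dev/null
}

# audit_virtual_ids MAIN_CF PASSWD GROUP [FLOOR]: report what the static ids map to.
# Returns 1 if either id is below FLOOR. The default of 100 is an assumption: it
# matches virtual_minimum_uid in the README example and sits just above Debian's
# pre-allocated 0-99 range.
audit_virtual_ids() {
    floor=${4:-100}; ret=0
    uid=$(static_id "$1" virtual_uid_maps)
    gid=$(static_id "$1" virtual_gid_maps)
    [ -n "$uid" ] && [ -n "$gid" ] || { echo "no static uid/gid maps found"; return 2; }
    echo "uid $uid -> user(s): $(names_for_id "$2" "$uid" 3)"
    echo "gid $gid -> group(s): $(names_for_id "$3" "$gid" 3)"
    if [ "$uid" -lt "$floor" ] || [ "$gid" -lt "$floor" ]; then
        echo "SHARED: id below $floor is a distribution-allocated account"
        ret=1
    fi
    return "$ret"
}
```

On a live host, run `audit_virtual_ids /etc/postfix/main.cf /etc/passwd /etc/group`, then `setid_files / 8 8` to see what else already runs as the mail user or group.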