Postfix : root and system user authentication

Wed Mar 15 16:06:50 UTC 2023

>>> However, when we have a postfix server on the same machine, that delegates authentication to dovecot SASL ... we can indeed log in as root on the postfix server.

>> You are not logging into Dovecot with root, you are connecting to Postfix for submission.
>> 
>> When you connect to dovecot using linux users (PAM) the process running takes on the UID of the login user to give file permissions to read that users home directory where email could be stored. The risk being if someone had root UID:0 they could read anything on the server, not just the home directory of a user.
>> 
>> But you aren't logging into Dovecot, you are connecting to Postfix. You aren't
>> checking mail or reading directories. You are only submitting an email to
>> Postfix for submission services. Postfix runs as its own Postfix UID no matter
>> who you authenticate as. So even though you are authenticating yourself with
>> root credentials, you aren't doing so as the root UID, you aren't reading email,
>> and you aren't accessing any file systems like Dovecot would be.

> I agree that this is absolutely not the same in terms of security.
> 
> The thing I'm worrying about is a lot less dangerous than what you're describing, no arguing about that. It's just, if we imagine that we have disabled root ssh access, and password ssh connection (allowing only keypair connection), this situation provides the port 465 as another way to test passwords, for instance. I would just like to be able to implement on port 465 more or less the same requirements I have implemented on port 22, and on port 993 as well through the use of {first,last}_valid_{u,g}id : a static, and well-known set of users that are allowed to try and authenticate, even though, as you say (and I agree), that the risk is absolutely not the same as with SSH or IMAPS.
> 
> So, am I to understand from your answer that the fact that login with root or with users not respecting {first,last}_valid_{u,g}id is only applicable to dovecot direcly, not to other processes that have delegated authentication to dovecot ? In other words, that this is a feature and not a bug ?

Me personally, this is why i prefer to use virtual users stored in a database for email and never use linux users. I have ultimate control over what users can be authenticated or receive email. I can add flags to the DB query to fail an otherwise valid user. Why would i want a root@ email address? Why would i want my system to accept email for httpd from some stranger on the internet? Why would i want to have to create a linux user at the OS level just to add a mailbox?