[Dovecot] replication howto
rob0 at gmx.co.uk
Mon Mar 19 14:20:50 EET 2012
On Mon, Mar 19, 2012 at 09:35:34AM +0100, Michael Grimm wrote:
> On 15.03.2012 22:05, Timo Sirainen wrote:
> >On 15.3.2012, at 22.48, Michael Grimm wrote:
> >>Actually it's a bad idea to use root for ssh from a security
> >>point of view. A hacked root account isn't fun. Thus, normally
> >>one needs to explicitly change the config of the sshd daemon to
> >>to allow root logins (at least with FreeBSD what I'm using).
> >>Thus, I do recommend to use an unprivileged user like vmail.
> >Then again it's safer to use system user accounts than a single
> >vmail account that has access to everyone's emails.
> Root has access to everyone's mail as well.
I think you are missing the point, that being: if all your mail are
belong to vmail, somebody set up us the bomb if the vmail account is
(Obviously that's true with a root compromise as well, but that is
unavoidable. Effects of a root compromise can be limited with
technologies like Apparmor and SELinux, but that is difficult to
configure properly and only provides limited benefit: compromised
root can do everything real root was allowed to do.)
The point is: vmail has added a SECOND vulnerable point from which
disaster can ensue. If mailbox ownership is distributed among
multiple UID/GID, compromise of any one of those only endangers the
mails to which it had access.
> >And if you allow ssh login only with public key authentication I
> >don't think there are much security issues. And finally, it would
> >be possible to write a small wrapper that allows the root's public
> >key auth to only execute dsync-user.sh script that can't do
> >anything except sync a specified user's mails.
> All those safety measures can be applied for the vmail user as
> well. Actually, that's what I did in my case, plus allowing ssh
> only between both mail servers (firewall rule).
Sure, but there too, all your email eggs are in the vmail basket. No,
disaster is not imminent nor even likely to ensue, but the fact
stands that you and millions of other virtual-only sites do have this
additional potential vulnerability.
It is well supported in Dovecot to be able to use a unique UID and
GID for every virtual mailbox, but management of such a system
presents more challenges than the single-vmail-user approach.
Consequently the popular virtual frontends don't support it.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
More information about the dovecot