[Dovecot] Please help me resolve why mail isn't being delivered to virtual users

Timo Sirainen tss at iki.fi
Thu Jan 10 11:25:30 EET 2008


On Thu, 2008-01-10 at 09:32 +0100, mouss wrote:
> Pascal Volk wrote:
> > Am 09.01.2008 21:43 schrieb Asheesh Laroia:
> >> Not in the way I was describing:
> >>
> >> Let's say some person logs on to your Dovecot-based IMAP service and 
> >> figures out how to take over Dovecot to read and modify arbitrary files on 
> >> the system.  (Timo, I hope this doesn't happen - but bear with me.)  To be 
> >> clear, Dovecot's imap handler runs as the UNIX UID associated with the 
> >> user logging in, not root.
> 
> if there's a bug in dovecot that allows this, then there will also be
> bugs that give the whole server to the attacker...

Why? The mail handling code in Dovecot is the most complex one, so it's
most likely to have bugs.

> > If the setup is done right, each imap/pop user will have it's on UID.
> > And therefor each imap/pop process will run with the UID from the user.
> > 
> 
> using different uids means that the delivery agent needs some privilege
> to write to the mailboxes. In general, this is achieved by making the
> MDA suid.
> 
> and since we are talking about possible bugs, what do you think are the
> consequences of potential bugs in the MDA if it is suid?

I do agree that setuid binaries are bad and hopefully one day Dovecot
has LMTP server and there's no need for setuid-deliver. But even then
the recommended way to set up setuid-deliver is to place it in a
directory where only MTA can execute it, and again the (most complex)
mail handling code is execute only after all the permissions have been
dropped.

> Note that using different uids with virtual users don't bring much. one
> needs to make sure there is no uid collision with unix users (which
> means you must make sure adduser doesn't create an account with a uid
> used by a virtual mailbox). the only thing it brings is that the uid has
> no "name" and can't login.

It's more complex to set up, but it also does limit the damage that
security holes can do. Two of the four security holes found from Dovecot
already were completely prevented if each user used their own UID.

Or if you're just arguing about multiple UIDs for virtual users vs.
using system users (I just quickly scanned through this thread), then I
don't see much of a difference. From Dovecot's point of view there's
none.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20080110/db49f5c4/attachment.bin 


More information about the dovecot mailing list