[Dovecot] Dovecot v1.2 share user Maildir problems with %%h

Timo Sirainen tss at iki.fi
Wed Jun 17 19:32:43 EEST 2009


On Wed, 2009-06-17 at 16:38 +0200, Steffen Kaiser wrote:
> I've copied the default mail_location and changed its CONTROL and INDEX 
> settings:
> 
> namespace shared {
> ...

What does this "..." contain? :) Like prefix, separator?

> a) IMAP insists on connecting to $install_prefix/var/run/dovecot/auth-master
> instead of /var/run/dovecot/auth-master used by deliver.

It connects to base_dir/var/run/dovecot/ where base_dir is the setting
in dovecot.conf.

> b) This socket needs to be r/w for every user, which is a security risk as 
> mentioned in the conf and the default permission is 0600.

It allows looking up userdb data, which is pretty similar to being able
to do cat /etc/passwd. So not a huge security risk, but..

> For deliver I changed the socket attr to permission 0660 and group=mail; 
> for making %%h work I added mail_access_groups=mail

I would have used a different group than "mail", since it's often used
by the system for other things too.

> There had been a suggestion of a special user-shared namespace a while
> back. How about adding the base location in the shared-mailboxes.db? So
> instead of "1" the value is the base of the shared location, e.g.
> maildir:/local/testuser or maildir:/home/user/Maildir..., and some %%?
> token takes the string from there. Because the path is known from the db
> now, the other problems mentioned above no longer apply.

And when the path is changed in userdb, it points to a wrong location.
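
The socket permission trade-off discussed in this message (0600 default, 0660 with a group, or readable and writable by every user) can be checked with a small audit script. This is an added example, not part of the original post or of Dovecot; it assumes GNU coreutils `stat`, and the function name, return codes and the "shared group" parameter are choices made for this example.

```shell
#!/bin/sh
# Added example: audit who can reach a Dovecot auth-master socket.
# Assumes GNU coreutils stat(1); function name and return codes are
# choices made for this example, not Dovecot's.
# Usage: sh audit.sh /var/run/dovecot/auth-master [shared-group]

audit_auth_socket() {
    sock=$1
    shared_group=${2:-mail}      # general-purpose group to keep off the socket

    if [ ! -e "$sock" ]; then
        echo "MISSING $sock"
        return 3
    fi
    [ -S "$sock" ] || echo "NOTE $sock is not a UNIX socket"

    mode=$(stat -c '%a' "$sock")     # e.g. 600 or 660
    owner=$(stat -c '%U' "$sock")
    group=$(stat -c '%G' "$sock")
    group_bits=$(( (0$mode >> 3) & 7 ))
    other_bits=$(( 0$mode & 7 ))
    echo "INFO $sock mode=$mode owner=$owner group=$group"

    # World r/w: every local user can query userdb through the socket.
    if [ $(( other_bits & 6 )) -ne 0 ]; then
        echo "RISK socket is accessible to all local users"
        return 1
    fi
    # Group r/w through a group the system also uses for other things.
    if [ $(( group_bits & 6 )) -ne 0 ] && [ "$group" = "$shared_group" ]; then
        echo "WARN group access goes through shared group '$group';" \
             "a dedicated group limits it to the intended processes"
        return 2
    fi
    echo "OK access limited to owner or a dedicated group"
    return 0
}

if [ $# -gt 0 ]; then
    audit_auth_socket "$@"
fi
```
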