[Dovecot] replication howto

Michael Grimm trashcan at odo.in-berlin.de
Mon Mar 19 10:35:34 EET 2012


Hi --

On 15.03.2012 22:05, Timo Sirainen wrote:
> On 15.3.2012, at 22.48, Michael Grimm wrote:

>> Actually it's a bad idea to use root for ssh from a security point
>> of view. A hacked root account isn't fun. Thus, normally one needs
>> to explicitly change the config of the sshd daemon to allow root
>> logins (at least with FreeBSD, which I'm using). Thus, I do recommend
>> using an unprivileged user like vmail.
>
> Then again it's safer to use system user accounts than a single vmail
> account that has access to everyone's emails.

Root has access to everyone's mail as well.

> And if you allow ssh login only with public key authentication I
> don't think there are many security issues. And finally, it would
> be possible to write a small wrapper that allows the root's public
> key auth to only execute dsync-user.sh script that can't do anything
> except sync a specified user's mails.

All those safety measures can be applied for the vmail user as well.
Actually, that's what I did in my case, plus allowing ssh only between
both mail servers (firewall rule).

Regards,
Michael
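
The restrictions discussed in this thread (key-only login, a wrapper that can do nothing except sync one named user, ssh allowed only between the two mail servers) can be combined in an SSH forced command. The sketch below is an added example and not part of the original thread; the script paths, the request form "dsync-user.sh <user>", and the address and key in the comment are assumptions or placeholders.

```shell
#!/bin/sh
# Forced-command wrapper (added example). Installed through one single-line
# authorized_keys entry on the receiving server, wrapped here for display;
# the address and key are placeholders:
#   command="/usr/local/libexec/dsync-wrapper.sh",from="192.0.2.10",no-pty,
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...
LC_ALL=C; export LC_ALL                      # make [A-Z] ranges byte-exact
SYNC_SCRIPT=/usr/local/bin/dsync-user.sh     # assumed path, fixed on purpose

# Print the mail user named in a request of the assumed form
# "dsync-user.sh <user>"; return 1 for anything else.
parse_sync_request() {
    set -f                  # no glob expansion while splitting the request
    set -- $1               # split on whitespace; newlines add extra words
    set +f
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "dsync-user.sh" ] || return 1
    [ "${#2}" -le 64 ] || return 1
    case $2 in
        ''|-*|.*)            return 1 ;;   # empty, option-like, dot-leading
        *[!A-Za-z0-9._@-]*)  return 1 ;;   # anything outside the whitelist
    esac
    printf '%s\n' "$2"
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND and runs
# this wrapper instead of it. Do nothing when not invoked that way.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    peer=${SSH_CONNECTION%% *}
    if user=$(parse_sync_request "$SSH_ORIGINAL_COMMAND"); then
        logger -t dsync-wrapper -p auth.info "sync for $user from $peer"
        exec "$SYNC_SCRIPT" "$user"
    fi
    # The rejected request is client-controlled, so it is not written to the log.
    logger -t dsync-wrapper -p auth.warning "rejected request from $peer"
    echo "request rejected" >&2
    exit 1
fi
```

The same entry works in the authorized_keys file of root or of an unprivileged account such as vmail; only the account that owns the file changes.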


