[Dovecot] LDA vs. LMTP
Stan Hoeppner
stan at hardwarefreak.com
Wed Jul 31 11:25:43 EEST 2013
On 7/30/2013 8:37 PM, Ben Morrow wrote:
> At 3PM -0700 on 30/07/13 you (Joseph Tam) wrote:
>> Martin Burgraf writes:
>>
>>> And when it's running as root there is always the danger
>>> of privilege escalation. LDA only runs when it's needed and since it
>>> uses only user rights it should be more harmless.
>>
>> I didn't contest the privilege separation aspect, as it is a necessary
>> design trade-off that one daemon doing things for all users will need
>> overriding access. However, if this is a concern, you can virtualize
>> all your users. LMTP can theoretically be subverted, but at least won't
>> be as root. (I'm assuming LMTP stays as root, and not spawning off user
>> processes to do the real work.)
>
> It doesn't stay as root; Dovecot's LMTP switches down to the user's uid
> to perform delivery, including sieve scripts. The security concerns are
> in fact very similar to LDA: for LDA delivery with (say) Postfix, you
> have local(8) running as root and switching down to the user to invoke
> the LDA, while for LMTP the Postfix lmtp(8) process runs as an
> unprivileged Postfix user and the LMTP server runs as root and switches
> down.
>
> AFAICS the LMTP conversation itself happens as root, though, which is a
> shame; I might think twice about exposing it directly over the network.
Shouldn't a few iptables/pf rules be able to substantially mitigate this
potential problem? I.e. restrict which hosts a given host is allowed to
speak LMTP with.
--
Stan
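Added example, not from the thread: a POSIX shell helper that emits the iptables rules Stan suggests, accepting TCP/24 (Dovecot's default LMTP inet listener port) only from named MTA hosts and dropping all other LMTP connections. The host addresses, the port variable and the function names are assumptions; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Generate iptables rules restricting the Dovecot LMTP port to known MTAs.
# Nothing is applied by this script; pipe its output to sh (as root) after review.

LMTP_PORT=24   # Dovecot's default LMTP listener port (assumption for this example)

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# lmtp_rules <mta-host> [<mta-host> ...]
# Prints one ACCEPT rule per host followed by a final DROP for the LMTP port.
# Prints nothing and returns 1 if any argument is not a valid address.
lmtp_rules() {
    [ $# -gt 0 ] || { echo "usage: lmtp_rules HOST..." >&2; return 1; }
    for h in "$@"; do
        valid_ipv4_cidr "$h" || { echo "bad address: $h" >&2; return 1; }
    done
    # Only traffic to the LMTP port is matched, so other services are unaffected.
    for h in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $LMTP_PORT -s $h -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $LMTP_PORT -j DROP"
}

# Example (constructed addresses from the documentation range 192.0.2.0/24):
#   lmtp_rules 192.0.2.10 192.0.2.11/32        # inspect the rules
#   lmtp_rules 192.0.2.10 192.0.2.11/32 | sh   # apply them as root
```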