[Dovecot] Question re: filesystem permissions
Steffen Kaiser
skdovecot at smail.inf.fh-brs.de
Wed Jan 8 15:06:20 EET 2014
On Wed, 8 Jan 2014, Charles Marcus wrote:
> On 2014-01-07 1:46 PM, Charles Marcus <CMarcus at Media-Brokers.com> wrote:
>>> Anyway this is the default for Dovecot quite some time, so reckon someone
>>> gave it a thought...
>>
>> *What* is the default. Are you saying all of the permissions I showed are
>> correct except the ones you mentioned?
>>
>> But most importantly - *where is this documented*???
When I read your message, I thought about it. But: Dovecot supports
virtual and system users, there are POSIX ACLs a.s.o. There are several
message storage backends. Each combination might have other "least
permissions" or required ones. You can split the files across various
file systems, by domain, by users, ... .

I think one can document a "rule of thumb" for some default
installations, say virtual users with Maildir with indexes and control
files in the same place, ... . Maybe to document the permissions for each
mail storage is a great step already.

In the end, there is just one rule: The uid/gid Dovecot runs under when
accessing the files must be able to do so. Timo did a great job logging
_descriptive_ messages, what permission is missing for which file. If you
want to get the least permissions for your particular situation, you'll
need to remove all permissions, perform any action your users are able to
do, watch the log file, and add the missing ones.

Kind regards,
--
Steffen Kaiser
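
The "remove all permissions, act, watch the log, add the missing ones" loop from the message above can be partly scripted. This is an added example, not part of the original post and not Dovecot code: the log lines are constructed, and their wording (modeled on Dovecot's "Permission denied" errors), the paths and the uid/gid values are assumptions.

```python
import re

# Constructed log lines; the wording is modeled on Dovecot's "Permission denied"
# errors and is an assumption. Adapt PATTERN to what your own log contains.
SAMPLE_LOG = """\
imap(alice): Error: open(/srv/vmail/example.org/alice/dovecot-uidlist) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +x perm: /srv/vmail/example.org, dir owned by 0:0 mode=0700)
imap(alice): Error: mkdir(/srv/vmail/example.org/alice/cur) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /srv/vmail/example.org/alice, dir owned by 0:5000 mode=0750)
imap(bob): Error: open(/srv/vmail/example.org/bob/dovecot-uidlist) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +x perm: /srv/vmail/example.org, dir owned by 0:0 mode=0700)
imap-login: Info: Login: user=<bob>, method=PLAIN
"""

PATTERN = re.compile(
    r"failed: Permission denied \(euid=(?P<euid>\d+)\S* egid=(?P<egid>\d+)\S* "
    r"missing \+(?P<perm>[rwx]) perm: (?P<path>[^,)]+), "
    r"dir owned by (?P<uid>\d+):(?P<gid>\d+) mode=(?P<mode>0[0-7]+)\)"
)
BIT = {"r": 4, "w": 2, "x": 1}
SHIFT = {"user": 6, "group": 3, "other": 0}


def access_class(euid, egid, uid, gid):
    """Which mode-bit triplet applies to the process (supplementary groups ignored)."""
    if euid == uid:
        return "user"
    return "group" if egid == gid else "other"


def missing_permissions(log_text):
    """Return {path: (class, current_mode, mode_with_missing_bits)} for denied paths."""
    result = {}
    for m in PATTERN.finditer(log_text):
        euid, egid, uid, gid = (int(m[k]) for k in ("euid", "egid", "uid", "gid"))
        cls = access_class(euid, egid, uid, gid)
        path = m["path"]
        current = int(m["mode"], 8)
        # Accumulate bits when the same path is reported for several permissions.
        wanted = result.get(path, (cls, current, current))[2]
        wanted |= BIT[m["perm"]] << SHIFT[cls]
        result[path] = (cls, current, wanted)
    return result


if __name__ == "__main__":
    for path, (cls, cur, new) in sorted(missing_permissions(SAMPLE_LOG).items()):
        # "other" means the process is neither owner nor group: prefer fixing
        # ownership over opening the directory to every local account.
        print(f"{path}: class={cls} mode {cur:04o} -> {new:04o}")
```
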