Postfix : root and system user authentication

Aymeric Agon-Rambosson aymeric.agon at yandex.com
Wed Mar 15 09:39:50 UTC 2023 

Le mardi 14 mars 2023 à 22:32, dovecot at ptld.com a écrit :

>> However, when we have a postfix server on the same machine, 
>> that delegates authentication to dovecot SASL ... we can indeed 
>> log in as root on the postfix server.
>
>
> You are not logging into Dovecot with root, you are connecting 
> to Postfix for submission.
>
> When you connect to dovecot using linux users (PAM) the process 
> running takes on the UID of the login user to give file 
> permissions to read that users home directory where email could 
> be stored. The risk being if someone had root UID:0 they could 
> read anything on the server, not just the home directory of a 
> user.
>
> But you aren't logging into Dovecot, you are connecting to 
> Postfix. You aren't
> checking mail or reading directories. You are only submitting an 
> email to
> Postfix for submission services. Postfix runs as its own Postfix 
> UID no matter
> who you authenticate as. So even though you are authenticating 
> yourself with
> root credentials, you aren't doing so as the root UID, you 
> aren't reading email,
> and you aren't accessing any file systems like Dovecot would be.

I agree that this is absolutely not the same in terms of security.

The thing I'm worrying about is a lot less dangerous than what 
you're describing, no arguing about that. It's just, if we imagine 
that we have disabled root ssh access, and password ssh connection 
(allowing only keypair connection), this situation provides the 
port 465 as another way to test passwords, for instance. I would 
just like to be able to implement on port 465 more or less the 
same requirements I have implemented on port 22, and on port 993 
as well through the use of {first,last}_valid_{u,g}id : a static, 
and well-known set of users that are allowed to try and 
authenticate, even though, as you say (and I agree), that the risk 
is absolutely not the same as with SSH or IMAPS.

So, am I to understand from your answer that the fact that login 
with root or with users not respecting {first,last}_valid_{u,g}id 
is only applicable to dovecot direcly, not to other processes that 
have delegated authentication to dovecot ? In other words, that 
this is a feature and not a bug ?

Best,

Aymeric

More information about the dovecot mailing list