On Wed, 2010-10-06 at 16:19 +0200, Ralf Hildebrandt wrote:
Yeah, you can make the service user=root, but give only vmail user permission to it so only processes running as vmail can connect to it.
Good. The question is: which user will connect to the socket?
dovecot-lda will assume the UID of the user it's trying to deliver to. So any user must be able to connect to the socket?
Yes. Although you could also play with groups, like make deliver always run with dovemail group enabled for the process (mail_access_groups=dovemail from deliver's side, but might be problematic from Postfix's side).
An alternative to running as root would be to use LMTP to deliver the "over quota" mail to the user and use some trick to disable quota for this. Maybe something like:
protocol lmtp {
  local_ip 127.0.0.1 {
    plugin {
      quota = maildir:user:noenforcing
    }
  }
}
Ugh.
You're already using dovecot-lda to deliver the out-of-quota mails? How do you do this there then?