Hi --
On 15.03.2012 22:05, Timo Sirainen wrote:
On 15.3.2012, at 22.48, Michael Grimm wrote:
Actually it's a bad idea to use root for ssh from a security point of view. A hacked root account isn't fun. Thus, normally one needs to explicitly change the config of the sshd daemon to allow root logins (at least with FreeBSD, which I'm using). Thus, I do recommend using an unprivileged user like vmail.
Then again it's safer to use system user accounts than a single vmail account that has access to everyone's emails.
Root has access to everyone's mail as well.
And if you allow ssh login only with public key authentication I don't think there are many security issues. And finally, it would be possible to write a small wrapper that allows the root's public key auth to only execute the dsync-user.sh script that can't do anything except sync a specified user's mails.
All those safety measures can be applied for the vmail user as well. Actually, that's what I did in my case, plus allowing ssh only between both mail servers (firewall rule).
Regards, Michael
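
The wrapper idea discussed above, sketched as an added example (not code from the thread or from Dovecot): a forced-command script that accepts only `dsync-user.sh <user>` and refuses everything else. The install paths, the authorized_keys line and the user-name rules are assumptions, and the same wrapper applies whether the key belongs to root or to vmail.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the key used between the mail servers.
# Assumed authorized_keys entry on the receiving server (address and key are placeholders):
#   from="192.0.2.10",restrict,command="/usr/local/bin/dsync-wrapper.sh" ssh-ed25519 AAAA... dsync@mx1
# DSYNC_SCRIPT is a hypothetical install path for the dsync-user.sh script named in the thread.
DSYNC_SCRIPT="${DSYNC_SCRIPT:-/usr/local/bin/dsync-user.sh}"

# validate_request REQUEST
# Prints the mailbox user and returns 0 only when REQUEST is exactly
# "dsync-user.sh <user>" and <user> looks like a plain account name or address.
validate_request() {
    req=$1
    case $req in
        "dsync-user.sh "*) user=${req#"dsync-user.sh "} ;;
        *) return 1 ;;
    esac
    # Reject empty and over-long names.
    [ -n "$user" ] || return 1
    [ "${#user}" -le 128 ] || return 1
    case $user in
        -*|.*|*..*) return 1 ;;             # option-like or path-like names
        *[!A-Za-z0-9._@-]*) return 1 ;;     # spaces, slashes, shell metacharacters
    esac
    printf '%s\n' "$user"
}

# Entry point when sshd runs this as the forced command. The command the client
# asked for arrives in SSH_ORIGINAL_COMMAND and is only ever treated as data.
# A login without a command falls through and ends without starting a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if user=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        exec "$DSYNC_SCRIPT" "$user"
    fi
    logger -p auth.warning -t dsync-wrapper "rejected request from ${SSH_CLIENT:-unknown}"
    exit 1
fi
```

The `restrict` key option needs OpenSSH 7.2 or later; on older servers the individual `no-pty`, `no-port-forwarding`, `no-agent-forwarding` and `no-X11-forwarding` options serve the same purpose.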