On 2023-05-09 11:14, Marc wrote:
>>>> So far I had a setup where Dovecot was using a passwd file as
>>>> userdb and passdb. Postfix was then authenticating with Dovecot via SASL to validate user accounts.
>>>> Now I added an LDAP backend and would like to use that for
>>>> Dovecot and Postfix. My first approach was to change the passdb to use the LDAP driver with the following settings:
>>>>
>>>> hosts = openldap:1389
>>>> base = ou=users,dc=example,dc=com
>>>> auth_bind = yes
>>>> auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
>>>
>>> So why not handle this on the OS? Have the OS publish the LDAP users, and have Dovecot handle OS users. It needs to create uids anyway for the files etc.
>>
>> If I understood the question correctly, you ask why not add the LDAP users to the system (like using the PAM LDAP plugin).
>> This will certainly work, but I consider it more secure to have pure e-mail
>
> I am always surprised to read such a statement. The fact is that user authentication/authorisation is a core task of Linux. Dovecot's core tasks are related to handling mail. How on earth would you come to conclude that Dovecot should be able to handle such tasks better than Linux? Afaik even Dovecot is utilizing different uids in a virtual environment to store files.
>
>> users, not system users - which can have a shell, local folder and so on (sure, it can be restricted, but why bother if nobody will ssh to that server).
>
> ? Imho these are just arguments for people not being able to set up an environment correctly.

I do not intend to start a flame war on this topic; it is just my opinion. It's not about the correct environment (you can google for it and you will find a pretty good setup even when you are a newbie) but about the potential vulnerabilities related to each component of the system: if the system has fewer components, the probability of having issues is smaller. Also, you can have cases when you really want to have system users (like using the same server as a Samba server or so), and in this case the opposite approach is better.
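A fuller form of the virtual-user setup discussed in this thread, written as an added example rather than configuration from the thread or the Dovecot project: LDAP as passdb, a static userdb in place of system accounts, and Dovecot's SASL socket for Postfix. The LDAPS port, CA certificate path and the vmail account are assumptions.

```conf
# /etc/dovecot/conf.d/10-auth.conf (excerpt)
# Virtual users: LDAP verifies the password, a static userdb supplies
# uid/gid/home, so no Linux account exists for mail users.
auth_mechanisms = plain login

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

userdb {
  driver = static
  # Assumed local "vmail" account owning all mailboxes.
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

# /etc/dovecot/dovecot-ldap.conf.ext
# auth_bind sends the user's own password to the LDAP server, so the
# connection is made over LDAPS (port 1636 is an assumption; the thread
# used the plaintext port 1389).
uris = ldaps://openldap:1636
tls_ca_cert_file = /etc/ssl/certs/ldap-ca.pem
ldap_version = 3
base = ou=users,dc=example,dc=com
auth_bind = yes
# With auth_bind_userdn set, Dovecot binds directly as this DN and performs
# no search; %n is the local part of the login name.
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

# /etc/dovecot/conf.d/10-master.conf (excerpt): SASL socket for Postfix
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# /etc/postfix/main.cf (excerpt): Postfix asks Dovecot, not the OS,
# to check credentials, and only over TLS.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
```

`doveadm auth test alice@example.com` checks the passdb path end to end without involving Postfix, and `doveadm user alice@example.com` shows the uid/gid/home the static userdb hands out.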
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org