On Wed, 8 Jan 2014, Charles Marcus wrote:
On 2014-01-07 1:46 PM, Charles Marcus CMarcus@Media-Brokers.com wrote:
Anyway, this has been the default for Dovecot for quite some time, so I reckon someone gave it a thought...
*What* is the default? Are you saying all of the permissions I showed are correct except the ones you mentioned?
But most importantly - *where is this documented*???
When I read your message, I thought about it. But: Dovecot supports virtual and system users, there are POSIX ACLs and so on. There are several message storage backends. Each combination might have other "least permissions" or required ones. You can split the files across various file systems, by domain, by user, ... .
I think one can document a "rule of thumb" for some default installations, say virtual users with Maildir with indexes and control files in the same place, ... . Maybe documenting the permissions for each mail storage is a great step already.
In the end, there is just one rule: the uid/gid Dovecot runs under when accessing the files must be able to do so. Timo did a great job logging _descriptive_ messages about which permission is missing for which file. If you want to get the least permissions for your particular situation, you'll need to remove all permissions, perform any action your users are able to do, watch the log file, and add the missing ones.
Kind regards,
Steffen Kaiser
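The "strip everything, exercise the users, read the log, add back what is missing" loop described above works because Dovecot appends a tail of the form "(euid=N(name) egid=N(name) missing +w perm: /path, dir owned by U:G mode=0NNN)" to its Permission-denied errors. The script below is an added example, not code from this thread or from the Dovecot project: it reads such log lines, collapses repeats, and prints the smallest chmod that would satisfy each reported file, or flags the cases where the owner/group do not match the Dovecot euid/egid so an ACL or chgrp is needed instead. The log lines, paths, uid 5000/5001 and the exact tail format are constructed assumptions for the example; check them against your own dovecot.log before relying on the regex.

```python
import re

# Tail that Dovecot appends to EACCES errors (format assumed here from the
# "missing +X perm" messages the thread refers to; verify against your log).
PERM_RE = re.compile(
    r"euid=(?P<uid>\d+)\((?P<user>[^)]*)\) egid=(?P<gid>\d+)\((?P<group>[^)]*)\) "
    r"missing \+(?P<perm>[rwx]) perm: (?P<path>[^,]+), "
    r"(?:dir|file) owned by (?P<ouid>\d+):(?P<ogid>\d+) mode=(?P<mode>0[0-7]+)"
)

# Constructed sample log: three distinct problems, one of them logged twice,
# plus an unrelated login line that must be ignored.
SAMPLE_LOG = """\
Jan 08 10:01:12 mx dovecot: imap(alice@example.com): Error: open(/srv/mail/example.com/alice/Maildir/dovecot.index.log) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /srv/mail/example.com/alice/Maildir, dir owned by 5000:5000 mode=0500)
Jan 08 10:01:13 mx dovecot: imap(alice@example.com): Error: opendir(/srv/mail/example.com/alice/Maildir/cur) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /srv/mail/example.com/alice/Maildir/cur, dir owned by 5000:5000 mode=0300)
Jan 08 10:01:13 mx dovecot: lmtp(bob@example.com): Error: stat(/srv/mail/example.com/bob/Maildir/new) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +x perm: /srv/mail/example.com/bob/Maildir, dir owned by 5001:5000 mode=0700)
Jan 08 10:01:14 mx dovecot: imap(alice@example.com): Error: open(/srv/mail/example.com/alice/Maildir/dovecot.index.log) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /srv/mail/example.com/alice/Maildir, dir owned by 5000:5000 mode=0500)
Jan 08 10:02:00 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10
"""


def collect_missing_perms(log_text):
    """Aggregate every 'missing +X perm' error into
    {(euid, egid, path): {"perms": set_of_letters, "owner": (uid, gid), "mode": str}}.
    Repeated errors for the same path collapse into one entry."""
    needed = {}
    for line in log_text.splitlines():
        m = PERM_RE.search(line)
        if not m:
            continue  # not a permission error, e.g. a login line
        key = (int(m.group("uid")), int(m.group("gid")), m.group("path"))
        entry = needed.setdefault(key, {
            "perms": set(),
            "owner": (int(m.group("ouid")), int(m.group("ogid"))),
            "mode": m.group("mode"),
        })
        entry["perms"].add(m.group("perm"))
    return needed


def suggest_fixes(needed):
    """Return one shell command (or a comment) per affected path, granting only
    the bits Dovecot actually complained about, to the owner class that matches
    the euid/egid it runs under."""
    cmds = []
    for (uid, gid, path), info in sorted(needed.items()):
        bits = "".join(p for p in "rwx" if p in info["perms"])
        ouid, ogid = info["owner"]
        if ouid == uid:
            cmds.append(f"chmod u+{bits} {path}")
        elif ogid == gid:
            cmds.append(f"chmod g+{bits} {path}")
        else:
            cmds.append(f"# {path}: owned by {ouid}:{ogid}, Dovecot runs as "
                        f"{uid}:{gid}; fix ownership/group or add an ACL")
    return cmds


if __name__ == "__main__":
    for cmd in suggest_fixes(collect_missing_perms(SAMPLE_LOG)):
        print(cmd)
```

Run it against a real log with `python3 dovecot_perms.py < /var/log/dovecot.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; review the output by hand rather than piping it to a shell, since a single stray error line would otherwise turn into a chmod on a path you did not intend.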