[Dovecot] Securing mailboxes and passwords
Hi list
I am just experimenting with setting up my own email server. I want some tips and hints on how to secure my setup to prevent unauthorised access to my email. I have read through the wiki and have not found many tips. I hope to improve the wiki with tips gathered from the mailing list. :-) A basic measure I could take right now would be to set more secure file permissions on my setup. My setup is based on http://wiki.dovecot.org/HowTo/VirtualhostingWithExim with a few additions: fetchmail and exim4 deliver mail to my maildir and dovecot grants me access through imap. dovecot authenticates against /home/postmaster/passwd.digest and ./passwd.cram
Daniel Aleksandersen <aleksandersen@runbox.no>
> Sent: Tue, 24 Feb 2009 22:28:07 +0100 (CET) From: "Daniel Aleksandersen"
> I am just experimenting with setting up my own email server. I want some tips and hints on how to secure my setup to prevent unauthorised access to my email. I have read through the wiki and have not found many tips. I hope to improve the wiki with tips gathered from the mailing list. :-) A basic measure I could take right now would be to set more secure file permissions on my setup. My setup is based on http://wiki.dovecot.org/HowTo/VirtualhostingWithExim with a few additions: fetchmail and exim4 deliver mail to my maildir and dovecot grants me access through imap. dovecot authenticates against /home/postmaster/passwd.digest and ./passwd.cram
I have tried different options on my maildirs. Dovecot gives me permission errors unless I set it to 775. I have seen that many mention 660 as the best permission setting for maildirs when used in setups similar to my own. Can anyone explain why my maildir must be executable and accessible to everyone?
Daniel
On 24.02.2009 23:54 Daniel Aleksandersen wrote:
> I have tried different options on my maildirs. Dovecot gives me permission errors unless I set it to 775. I have seen that many mention 660 as the best permission setting for maildirs when used in setups similar to my own. Can anyone explain why my maildir must be executable and accessible to everyone?
No, they must not be accessible to everyone, only to the user that owns the maildir. For example:
    el-negro 70014 # ll -d Maildir
    drwx------ 21 70014 70002 4096 2009-02-24 19:36 Maildir
    el-negro 70014 # ll -d Maildir/.INBOX.Lists.Dovecot
    drwx------ 5 70014 70002 4096 2009-02-24 23:56 Maildir/.INBOX.Lists.Dovecot
    el-negro 70014 # ll Maildir/.INBOX.Lists.Dovecot/cur/1235516104.M562448P18642.el-negro\,W\=3966\:2\,Sa
    -rw------- 1 70014 70002 3886 2009-02-24 23:55 Maildir/.INBOX.Lists.Dovecot/cur/1235516104.M562448P18642.el-negro,W=3966:2,Sa
But this may require a root-setuid deliver binary when using multiple virtual UIDs. See http://wiki.dovecot.org/LDA#multipleuids
Regards, Pascal
-- Ubuntu is an ancient African word meaning “I can’t install Debian.” -- unknown
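An added example, not from Pascal's mail or the Dovecot wiki: a small POSIX shell audit that checks a Maildir tree against the layout in the listing above (directories 0700, files 0600, everything owned by the mailbox uid) and reports the 775/777 workaround from the thread. It assumes GNU coreutils stat; the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example: audit a Maildir tree against the layout in Pascal's listing.
# Every directory must be 0700, every file 0600, all owned by the mailbox uid;
# anything looser (the 775/777 "fix" from the thread) is reported.
# Assumes GNU coreutils stat (-c). The sample tree below is constructed.

# audit_maildir <maildir> <owner_uid>: print each deviating path,
# return 0 if the tree is clean, 1 otherwise.
audit_maildir() {
    _dir="$1"; _uid="$2"; _bad=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        mode=$(stat -c '%a' "$p"); owner=$(stat -c '%u' "$p")
        if [ -d "$p" ]; then want=700; else want=600; fi
        if [ "$mode" != "$want" ] || [ "$owner" != "$_uid" ]; then
            printf 'BAD %s mode=%s want=%s uid=%s want=%s\n' \
                "$p" "$mode" "$want" "$owner" "$_uid"
            _bad=1
        fi
    done <<EOF
$(find "$_dir")
EOF
    return $_bad
}

# make_sample_maildir <dir> <cur_mode>: build a constructed Maildir with one
# message; cur_mode lets the caller simulate the over-permissive workaround.
make_sample_maildir() {
    _root="$1"
    mkdir -p "$_root/cur" "$_root/new" "$_root/tmp"
    printf 'Subject: test\n\nhello\n' > "$_root/cur/1235516104.M1P1.host,W=20:2,S"
    chmod 700 "$_root" "$_root/new" "$_root/tmp"
    chmod "$2" "$_root/cur"
    chmod 600 "$_root/cur/"*
}

# Demo: a clean tree passes, a tree with cur/ at 777 is flagged.
demo() {
    base=$(mktemp -d)
    make_sample_maildir "$base/good" 700
    make_sample_maildir "$base/bad" 777
    if audit_maildir "$base/good" "$(id -u)"; then echo "good: clean"; fi
    if ! audit_maildir "$base/bad" "$(id -u)"; then echo "bad: flagged, as expected"; fi
    rm -rf "$base"
}
demo
```

Run it against a real mailbox as `audit_maildir /home/postmaster/Maildir "$(id -u postmaster)"`; a clean tree prints nothing and returns 0.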
> Sent: Wed, 25 Feb 2009 00:09:10 +0100 From: Pascal Volk
> On 24.02.2009 23:54 Daniel Aleksandersen wrote:
>> I have tried different options on my maildirs. Dovecot gives me permission errors unless I set it to 775. I have seen that many mention 660 as the best permission setting for maildirs when used in setups similar to my own. Can anyone explain why my maildir must be executable and accessible to everyone?
> No, they must not be accessible to everyone, only to the user that owns the maildir. For example:
>     el-negro 70014 # ll -d Maildir
>     drwx------ 21 70014 70002 4096 2009-02-24 19:36 Maildir
>     el-negro 70014 # ll -d Maildir/.INBOX.Lists.Dovecot
>     drwx------ 5 70014 70002 4096 2009-02-24 23:56 Maildir/.INBOX.Lists.Dovecot
>     el-negro 70014 # ll Maildir/.INBOX.Lists.Dovecot/cur/1235516104.M562448P18642.el-negro\,W\=3966\:2\,Sa
>     -rw------- 1 70014 70002 3886 2009-02-24 23:55 Maildir/.INBOX.Lists.Dovecot/cur/1235516104.M562448P18642.el-negro,W=3966:2,Sa
> But this may require a root-setuid deliver binary when using multiple virtual UIDs. See http://wiki.dovecot.org/LDA#multipleuids

The recipe assumes I have a group called secmail. I don’t. Am I supposed to create a special group for this purpose?
Daniel
On 25.02.2009 00:25 Daniel Aleksandersen wrote:
> The recipe assumes I have a group called secmail. I don’t. Am I supposed to create a special group for this purpose?
Yes, if the group does not exist, you have to create it. You could call it whatever you want.
Regards, Pascal
-- Ubuntu is an ancient African word meaning “I can’t install Debian.” -- unknown
> Sent: Wed, 25 Feb 2009 00:29:17 +0100 From: Pascal Volk
> On 25.02.2009 00:25 Daniel Aleksandersen wrote:
>> The recipe assumes I have a group called secmail. I don’t. Am I supposed to create a special group for this purpose?
> Yes, if the group does not exist, you have to create it. You could call it whatever you want.

I created the group and set the permissions of deliver as described in the recipe. I then added just about every user to that group. I still get permission errors when dovecot tries to access my maildir. Setting permissions of the maildir to 777 ‘fixes’ the problem.
Other suggestions? :-)
Daniel
On 25.02.2009 00:38 Daniel Aleksandersen wrote:
> I created the group and set the permissions of deliver as described in the recipe. I then added just about every user to that group. I still get permission errors when dovecot tries to access my maildir. Setting permissions of the maildir to 777 ‘fixes’ the problem.
> Other suggestions? :-)
According to your mail <http://dovecot.org/list/dovecot/2009-February/037726.html>: your users log in with uid=postmaster gid=postmaster? In this case the owner of the maildirs should also be postmaster. If you execute deliver with your postmaster user all should be fine.
Regards, Pascal
-- Ubuntu is an ancient African word meaning “I can’t install Debian.” -- unknown
On Wed, 2009-02-25 at 00:38 +0100, Daniel Aleksandersen wrote:
> Sent: Wed, 25 Feb 2009 00:29:17 +0100 From: Pascal Volk
> On 25.02.2009 00:25 Daniel Aleksandersen wrote:
>> The recipe assumes I have a group called secmail. I don’t. Am I supposed to create a special group for this purpose?
> Yes, if the group does not exist, you have to create it. You could call it whatever you want.
> I created the group and set the permissions of deliver as described in the recipe. I then added just about every user to that group.
No, don't do that. The point of it was to make deliver executable only by your MTA, no one else. If other people were able to execute it, they could gain root privileges.
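An added example, not Timo's code or anything from the Dovecot wiki: a shell check for the state Timo describes, a root-setuid deliver that only the MTA can execute. It assumes GNU stat and getent; the group name secmail and the MTA user name Debian-exim are assumed, and the member lists in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Dovecot wiki: verify that a
# root-setuid deliver binary is locked down the way the LDA#multipleuids
# recipe intends (mode 4750, owner root) and that the group owning it holds
# nobody but the MTA user, which is exactly what went wrong in the thread.
# Assumes GNU stat and getent (Linux). "secmail" and the MTA user name
# "Debian-exim" are assumed names, not taken from Daniel's setup.

# check_deliver_perms <octal_mode> <owner_uid> <group_members> <mta_user>
# group_members is the comma-separated member list as getent prints it.
# Prints each problem; returns 0 only when everything is as expected.
# Note: a user whose *primary* group is the deliver group is not listed by
# getent, so the MTA's absence from the list is not treated as an error.
check_deliver_perms() {
    mode="$1"; owner="$2"; members="$3"; mta="$4"; bad=0
    if [ "$owner" != "0" ]; then
        echo "owner uid is $owner; a setuid-root deliver must be owned by uid 0"; bad=1
    fi
    if [ "$mode" != "4750" ]; then
        echo "mode is $mode; want 4750 (setuid, group-exec, no 'other' bits)"; bad=1
    fi
    _old_ifs=$IFS; IFS=','
    for m in $members; do
        if [ "$m" != "$mta" ]; then
            echo "group member '$m' is not the MTA and could run deliver as root"; bad=1
        fi
    done
    IFS=$_old_ifs
    return $bad
}

# check_deliver_binary <path> <mta_user>: collect the live facts and check them.
check_deliver_binary() {
    bin="$1"
    mode=$(stat -c '%a' "$bin") || return 1
    owner=$(stat -c '%u' "$bin")
    grp=$(stat -c '%G' "$bin")
    members=$(getent group "$grp" | cut -d: -f4)
    echo "$bin: mode=$mode owner=$owner group=$grp members=[$members]"
    check_deliver_perms "$mode" "$owner" "$members" "$2"
}

# Demo on constructed facts (no root needed): the recipe's intended state,
# then a world-executable binary, then the thread's mistake of adding
# every user to the group.
check_deliver_perms 4750 0 "Debian-exim" Debian-exim && echo "ok: as intended"
check_deliver_perms 4755 0 "Debian-exim" Debian-exim || echo "flagged: 'other' can execute"
check_deliver_perms 4750 0 "Debian-exim,daniel,alice" Debian-exim || echo "flagged: extra members"
```

On a real host run `check_deliver_binary /usr/lib/dovecot/deliver Debian-exim` (path and user adjusted to your install); it prints the live mode, owner and group members before judging them.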
> Sent: Tue, 24 Feb 2009 19:11:43 -0500 From: Timo Sirainen
> On Wed, 2009-02-25 at 00:38 +0100, Daniel Aleksandersen wrote:
>> Sent: Wed, 25 Feb 2009 00:29:17 +0100 From: Pascal Volk
>> On 25.02.2009 00:25 Daniel Aleksandersen wrote:
>>> The recipe assumes I have a group called secmail. I don’t. Am I supposed to create a special group for this purpose?
>> Yes, if the group does not exist, you have to create it. You could call it whatever you want.
>> I created the group and set the permissions of deliver as described in the recipe. I then added just about every user to that group.
> No, don't do that. The point of it was to make deliver executable only by your MTA, no one else. If other people were able to execute it, they could gain root privileges.

I started adding other users just to troubleshoot the problems I have been having. It did not work anyway, so I have removed the other users from that group.
The permissions still must be 777 or dovecot starts throwing permission errors.
I have tried a variety of other permissions including 677, 767, 776. All fail but 777.
Daniel Aleksandersen <aleksandersen@runbox.no>
on 2-24-2009 4:36 PM Daniel Aleksandersen spake the following:
> Sent: Tue, 24 Feb 2009 19:11:43 -0500 From: Timo Sirainen
>> On Wed, 2009-02-25 at 00:38 +0100, Daniel Aleksandersen wrote:
>>> Sent: Wed, 25 Feb 2009 00:29:17 +0100 From: Pascal Volk
>>> On 25.02.2009 00:25 Daniel Aleksandersen wrote:
>>>> The recipe assumes I have a group called secmail. I don’t. Am I supposed to create a special group for this purpose?
>>> Yes, if the group does not exist, you have to create it. You could call it whatever you want.
>>> I created the group and set the permissions of deliver as described in the recipe. I then added just about every user to that group.
>> No, don't do that. The point of it was to make deliver executable only by your MTA, no one else. If other people were able to execute it, they could gain root privileges.
> I started adding other users just to troubleshoot the problems I have been having. It did not work anyway, so I have removed the other users from that group.
> The permissions still must be 777 or dovecot starts throwing permission errors.
> I have tried a variety of other permissions including 677, 767, 776. All fail but 777.

A working virtual mail system doesn't need to be accessed by all the users. It just needs to be accessible by dovecot, and whatever deliver system you are using. I think you have config issues, or implementation issues, and not permission issues.
participants (5)
- Daniel Aleksandersen
- Daniel Aleksandersen
- Pascal Volk
- Scott Silva
- Timo Sirainen