[Dovecot] Mail location security
I am not sure I understood this issue correctly... When using maildir with, i.e., LDAP. Suppose the LDAP attribute settings say gid 8 and uid 999; those are the permissions for every email address. If so, someone who has access to one email user on the server has access to all. If this is so, does using mailbox instead of maildir resolve this problem?
Thanks in advance
On Wed, 5 Feb 2014, Roman Gelfand wrote:
I am not sure I understood this issue correctly... When using maildir with, i.e., LDAP. Suppose the LDAP attribute settings say gid 8 and uid 999; those are the permissions for every email address. If so, someone who has access to one email user on the server has access to all. If this is so, does using mailbox instead of maildir resolve this problem?
If all users have the same uid and gid, there is no difference which mail storage format you use, as far as security is concerned. You need to make sure that no user may accidentally or purposefully gain access to another user's files. Actually, using the same ids will help you, if you want to _purposefully_ share files with another user ;-)
So: Do not let your users telnet, ftp, ssh, or whatever to your host, but restrict any access to IMAP, POP3, ManageSieve and other protocols, where you control which files they have access to.
Please understand: The uid/gid stuff applies to the plain Unix file permissions, no more no less. No IMAP ACLs, ... .
Steffen Kaiser
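A small audit of the point Steffen makes, added here and not taken from the thread: over constructed userdb records it reports uids shared by several accounts (the uid 999 / gid 8 case from the question, where Unix permissions cannot separate users at all) and, once uids do differ, mail homes whose mode bits still let group or other users in. The record layout, directory names and modes are assumptions made for the example.

```python
import os
import stat
import tempfile
from collections import defaultdict

# Constructed sample userdb results (user -> uid, gid, home), as Dovecot would get
# them from LDAP with user_attrs = uidNumber=uid,gidNumber=gid,homeDirectory=home.
# SHARED_IDS mirrors the thread: every account resolves to uid 999 / gid 8.
SHARED_IDS = {"alice": (999, 8, "alice"), "bob": (999, 8, "bob")}
PER_USER_IDS = {"alice": (1001, 1001, "alice"), "bob": (1002, 1002, "bob")}


def shared_uids(records):
    """Map each uid used by more than one account to the accounts sharing it.
    With a shared uid, Unix permissions cannot separate the users' mail at all,
    so isolation rests entirely on Dovecot being the only path to the files."""
    by_uid = defaultdict(list)
    for user, (uid, _gid, _home) in records.items():
        by_uid[uid].append(user)
    return {uid: sorted(users) for uid, users in by_uid.items() if len(users) > 1}


def open_homes(records, base):
    """Return {user: mode} for mail homes that grant group or other access.
    Only meaningful once uids differ; then a 0700 home keeps other users out."""
    findings = {}
    for user, (_uid, _gid, home) in records.items():
        mode = stat.S_IMODE(os.stat(os.path.join(base, home)).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings[user] = oct(mode)
    return findings


def demo():
    """Build two mail homes under a temp dir (alice 0700, bob 0750) and audit them."""
    with tempfile.TemporaryDirectory() as base:
        for home, mode in (("alice", 0o700), ("bob", 0o750)):
            path = os.path.join(base, home)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod after mkdir so the umask does not interfere
        return {
            "shared_uids": shared_uids(SHARED_IDS),
            "open_homes": open_homes(PER_USER_IDS, base),
        }


if __name__ == "__main__":
    print(demo())
```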