Implications of LMTP socket being world readable and writable (0666) by default
I was surprised to find that the LMTP socket has permission mode 0666 by default and since configs are merged with defaults, there is no way to disable this AFAICS.
# doveconf -d
...
service lmtp {
  unix_listener lmtp {
    group =
    mode = 0666
    user =
  }
  ...
}

Is this also how it is supposed to be used in production? I understand that LMTP is just for delivering new mails but is there really no need to restrict this further? To me it seems reasonable to force all services on this machine to go through Postfix and not be able to just put e-mails in the users mailboxes via LMTP. Am I missing something?
My use case is a "small" NixOS mail server with Postfix, Nextcloud a.o. installed on the same machine. No chroot jails because of NixOS.
On Sun, 31 Mar 2024 12:55:09 +0200 da-dovecotlist-15--- via dovecot dovecot@dovecot.org wrote:
> I was surprised to find that the LMTP socket has permission mode 0666 by default and since configs are merged with defaults, there is no way to disable this AFAICS.
>
> # doveconf -d
> ...
> service lmtp {
>   unix_listener lmtp {
>     group =
>     mode = 0666
>     user =
>   }
>   ...
> }
>
> Is this also how it is supposed to be used in production? I understand that LMTP is just for delivering new mails but is there really no need to restrict this further? To me it seems reasonable to force all services on this machine to go through Postfix and not be able to just put e-mails in the users mailboxes via LMTP. Am I missing something?

You are supposed to change that to a setting suitable for your setup.

# Change lmtp socket to safe mode for postfix
service lmtp {
  unix_listener lmtp {
    mode = 0220
    user = postfix
    group = postfix
  }
}

For example like this.
-- Tuomo Soini tis@foobar.fi Foobar Linux services +358 40 5240030 Foobar Oy https://foobar.fi/
On 31/03/2024 13:55 EEST da-dovecotlist-15--- via dovecot dovecot@dovecot.org wrote:
> I was surprised to find that the LMTP socket has permission mode 0666 by default and since configs are merged with defaults, there is no way to disable this AFAICS.
>
> # doveconf -d
> ...
> service lmtp {
>   unix_listener lmtp {
>     group =
>     mode = 0666
>     user =
>   }
>   ...
> }
>
> Is this also how it is supposed to be used in production? I understand that LMTP is just for delivering new mails but is there really no need to restrict this further? To me it seems reasonable to force all services on this machine to go through Postfix and not be able to just put e-mails in the users mailboxes via LMTP. Am I missing something?
>
> My use case is a "small" NixOS mail server with Postfix, Nextcloud a.o. installed on the same machine. No chroot jails because of NixOS.

Of course there is a way to change that.

service lmtp {
  unix_listener lmtp {
    mode=0600
  }
}

Aki
Ah yes. Thank you both. I did not think of just overwriting the lmtp
socket but was looking for a way to define a new socket with a different
name and disable the default one.
The main question remains open, though: Is the default setting insecure or am I missing something?
On 31/03/2024 14:47 EEST da-dovecotlist-15--- via dovecot dovecot@dovecot.org wrote:
> Ah yes. Thank you both. I did not think of just overwriting the lmtp
> socket but was looking for a way to define a new socket with a different
> name and disable the default one.
> The main question remains open, though: Is the default setting insecure
> or am I missing something?

You can disable it with mode=0.
It depends a bit on what the default protocols list is. If it does not include
lmtp, lmtp is not enabled. Some distros also require installing dovecot-lmtpd
before it is even usable.
So. It depends. :)
Aki
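
A check for the setting discussed in this thread, as an added example that is not part of any message above and is not Dovecot's own code: it walks doveconf-style block output and reports each unix_listener's mode, owner and whether the socket is world-writable, disabled or restricted. The sample input is constructed, and the listener names lmtp-postfix and lmtp-off are hypothetical.

```python
# Constructed sample; "lmtp-postfix" and "lmtp-off" are hypothetical listener names.
SAMPLE = """\
service lmtp {
  unix_listener lmtp {
    group =
    mode = 0666
    user =
  }
  unix_listener lmtp-postfix {
    group = postfix
    mode = 0220
    user = postfix
  }
  unix_listener lmtp-off {
    mode = 0
  }
}
"""

def verdict(mode):
    # On Linux, connect() on a UNIX socket needs write permission on the socket file.
    if not mode:
        return "disabled" if mode == 0 else "mode not shown"
    return "world-writable" if mode & 0o002 else "restricted"

def audit_unix_listeners(text):
    """Return one dict per unix_listener block: service, listener, mode, user, group, verdict."""
    stack, found, cur = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and prompt lines
        if line.endswith("{"):
            stack.append(line[:-1].split())          # e.g. ["unix_listener", "lmtp"]
            if stack[-1][:1] == ["unix_listener"]:
                cur = {"mode": None, "user": "", "group": ""}
        elif line == "}" and stack:
            block = stack.pop()
            if block[:1] == ["unix_listener"] and cur is not None:
                mode = int(cur["mode"], 8) if cur["mode"] else None
                found.append({**cur, "service": " ".join(stack[0][1:]) if stack else "",
                              "listener": block[-1], "verdict": verdict(mode)})
                cur = None
        elif cur is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() in cur:
                cur[key.strip()] = value.strip()
    return found

if __name__ == "__main__":
    print(*audit_unix_listeners(SAMPLE), sep="\n")
```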
participants (3)
- Aki Tuomi
- da-dovecotlist-15@abelonline.de
- Tuomo Soini