[Dovecot] Please help me resolve why mail isn't being delivered to virtual users

Asheesh Laroia asheesh at asheesh.org
Wed Jan 9 22:17:22 EET 2008


On Wed, 9 Jan 2008, Charles Marcus wrote:

> On 1/9/2008, Asheesh Laroia (asheesh at asheesh.org) wrote:
>> Basically - the above is a reason to use 'adduser', not a reason to use 
>> virtual users!  If I'm wrong, please clarify my understanding. 
>
> My understanding is using Virtual Users is inherently more secure, since the 
> users do not have system accounts, much less shell accounts.

There should be a straightforward way to set their shell to something that 
prevents shell login but allows Dovecot login.  Then they have their own 
separate security contexts (i.e., UID), so in the case that Dovecot goes 
horribly awry each user's data is isolated from the other's.

I believe /bin/false will work for this; since it is not listed in 
/etc/shells, shell login will fail even with e.g. ssh user@host /bin/sh, 
but PAM should authorize the user for Dovecot.  I would double-check this 
before using it in production.

-- Asheesh.

-- 
Life is difficult because it is non-linear.
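
An added example, not part of the original post: a static audit of passwd-format data for the setup discussed above, flagging mail accounts whose shell is listed in the shells file and accounts that share a UID. The function names, the `min_uid` cutoff and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format data for mail-only system users.

# Succeeds if shell $1 is an entry in shells file $2 (comment lines ignored).
shell_is_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# Prints each UID >= $2 that more than one account in passwd file $1 uses.
duplicate_uids() {
    awk -F: -v min="$2" '$3 >= min { print $3 }' "$1" | sort -n | uniq -d
}

# audit_mail_users PASSWD_FILE SHELLS_FILE MIN_UID
# Prints one line per finding; returns non-zero if there is any finding.
audit_mail_users() {
    passwd_file=$1 shells_file=$2 min_uid=$3
    findings=0
    while IFS=: read -r name _ uid _ _ _ shell; do
        # Skip system accounts and malformed lines with a non-numeric UID.
        [ "$uid" -ge "$min_uid" ] 2>/dev/null || continue
        # An empty shell field means /bin/sh, which is a login shell.
        [ -n "$shell" ] || shell=/bin/sh
        if shell_is_listed "$shell" "$shells_file"; then
            echo "LOGIN-SHELL $name uid=$uid shell=$shell"
            findings=$((findings + 1))
        fi
    done < "$passwd_file"
    for dup in $(duplicate_uids "$passwd_file" "$min_uid"); do
        echo "SHARED-UID uid=$dup"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample data (not taken from any real system).
sample=$(mktemp -d)
printf '%s\n' '# valid login shells' '/bin/sh' '/bin/bash' > "$sample/shells"
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1001:1001::/home/alice:/bin/false' \
    'bob:x:1002:1002::/home/bob:/bin/bash' \
    'carol:x:1003:1003::/home/carol:/bin/false' \
    'dave:x:1003:1004::/home/dave:/bin/false' > "$sample/passwd"
audit_mail_users "$sample/passwd" "$sample/shells" 1000 || true
```

This inspects only the account database; whether a given service actually consults the shells file depends on its PAM configuration, which is the part the post suggests double-checking.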

