[Dovecot] When should dictionary entries for the expire plugin be added/updated?
Ralph Seichter
dovecot-ml at seichter.de
Wed Aug 25 17:07:02 EEST 2010
On 25.08.10 15:03, Timo Sirainen wrote:
> The group way I mentioned would avoid problems with them, but of
> course not security problems related to Dovecot processes themselves.
There are users with shell access to the Dovecot server, and as long as
all these users require write permissions for the dict socket, I see
some potential for trouble.
> the whole point of expire database is that a single command can quickly
> see what users have mails to expunge. So this needs to be a shared
> dictionary across users.
Does it really? I use something like this for cleanup:
    # Expunge old mail for each user in turn ($MAILUSERS is a list of names)
    for user in $MAILUSERS; do
        doveadm expunge -u "$user" ...
    done
As I loop over users anyway, I don't think that a per-user dictionary
would be a bad idea. "doveadm expunge -A" might be different, but I
think that even with "-A" you'll need to iterate over users.
If I understand the current implementation correctly, there is one
expire dictionary (one SQLite DB in my case), and the lookups are
performed with a primary key consisting of username-mailbox-pairs. I
suggest using one dictionary/DB per username and using only the mailbox
as primary key within this dictionary.
The difference, performance-wise, would be that multiple databases need
to be opened and closed, which could hurt performance on systems with a
large number of users unless the DB connections are cached. Personally,
I'd be inclined to accept a performance penalty if this was the price to
pay for improved security by means of better user dictionary separation.
-Ralph
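As an added illustration of the two layouts discussed above (not code from this thread or from Dovecot), a small Python model builds a shared SQLite dictionary keyed by username plus mailbox beside per-user dictionaries keyed by mailbox only, and asks each for the users that have mail to expunge. Table and column names, file names and the sample rows are assumptions, not Dovecot's own schema.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows (username, mailbox, expire_stamp); not real accounts.
SAMPLE = [("alice", "Trash", 100), ("alice", "Spam", 900),
          ("bob", "Trash", 50), ("carol", "Trash", 800)]
USERS = sorted({u for u, _, _ in SAMPLE})

def shared_layout(base, now):
    # Current layout as described: one shared DB, primary key (username, mailbox).
    conn = sqlite3.connect(os.path.join(base, "expires.sqlite"))
    conn.execute("CREATE TABLE expires (username TEXT, mailbox TEXT, "
                 "expire_stamp INTEGER, PRIMARY KEY (username, mailbox))")
    conn.executemany("INSERT INTO expires VALUES (?, ?, ?)", SAMPLE)
    # One query answers "which users have mail to expunge" ...
    rows = conn.execute("SELECT DISTINCT username FROM expires "
                        "WHERE expire_stamp <= ?", (now,)).fetchall()
    conn.close()
    # ... but every user who can write to the dictionary shares this one table.
    return sorted(r[0] for r in rows)

def per_user_layout(base, now):
    # Proposed layout: one DB per user keyed by mailbox only, file mode 0600.
    hits = []
    for user in USERS:
        path = os.path.join(base, f"{user}.sqlite")
        conn = sqlite3.connect(path)
        conn.execute("CREATE TABLE expires (mailbox TEXT PRIMARY KEY, "
                     "expire_stamp INTEGER)")
        conn.executemany("INSERT INTO expires VALUES (?, ?)",
                         [(m, t) for u, m, t in SAMPLE if u == user])
        os.chmod(path, 0o600)  # separation: only the owner reads or writes it
        # The cleanup loop must open every per-user DB (the accepted cost).
        found = conn.execute("SELECT 1 FROM expires WHERE expire_stamp <= ? "
                             "LIMIT 1", (now,)).fetchone()
        conn.close()
        if found:
            hits.append(user)
    return hits

def compare(now):
    # Run both layouts in a scratch directory; both must name the same users.
    with tempfile.TemporaryDirectory() as base:
        return shared_layout(base, now), per_user_layout(base, now)
```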