[Dovecot] help needed with dovecot authentication

Professa Dementia professa at dementianati.com
Thu Feb 28 23:51:20 EET 2013


On 2/28/2013 12:50 PM, peter lawrie wrote:
> Hi
> I have been asked to configure a dedicated rhel6 server for a customer.
> I did not realise when I took this on how complicated it was going to be!
> The purpose of the server is to host a group of websites for small
> businesses.
> It came with postfix-2.6.6-2.2  dovecot-2.0.9 and mysql-2.1.67-1
> I have installed virtualmin 3.98, usermin1.540-1 and horde 5
> About a dozen currently inactive websites have been set up, mail is in
> /home/<domain>/Maildir
> My problem is that I can telnet to postfix to send and receive emails and
> can see these within postfix in webmin
> I have been having many problems getting dovecot to connect successfully to
> postfix.
> I have also installed horde 5 which requires to authenticate to an imap
> server - that is dovecot.
> This one server is intended to provide all services, so plain
> authentication is fine.

Do consider that since you have been tasked with setting up the server, 
you are responsible for doing it correctly.  I see this configuration 
all the time and it is why so many servers get hacked.

Only necessary services should be run in a single environment.  The 
problem is that the more services that are run together, the more likely 
one will be found with a flaw, which then can be exploited to take down 
the whole server.  It does no good to run Dovecot in a chroot jail when 
Apache has access to the whole filesystem.

Best: separate hardware - one web server, one DNS server (if you need to 
run DNS), one mail server, one SQL server, etc.

Good: some virtualizer, like Xen, and run virtual instances of each of 
the above.

OK: run all server daemons carefully chroot jailed, with no common 
filesystem sharing.  Interprocess communication can easily be 
accomplished via sockets.

Bad: Run everything in a big soup.

The trap is that for a small company, the belief is that no one wants to 
target them.  That may be true sort of, but opportunistic hackers will 
take any third party machine because it gives them anonymity when 
attacking other more valuable targets.  Put a sniffer on your Internet 
connection and you will see an average of three attacks / scans / probes 
per minute.

As Simon and Reindl have already covered some of your configuration 
questions, I will not repeat their answers.

Best of luck.

Dem

