[Dovecot] Configure dovecot to provide SASL authentication
Ben Morrow
ben at morrow.me.uk
Tue May 21 05:16:33 EEST 2013
At 6PM +0200 on 19/05/13 you (Reindl Harald) wrote:
>
>
> Am 19.05.2013 17:51, schrieb Peter Skensved:
> > service auth {
> >   unix_listener /var/spool/postfix/private/auth {
> >     mode = 0666
> >   }
> > }
>
> chmod 666 is always a very bad idea
While I would agree with you in principle, the documentation
(http://wiki2.dovecot.org/Services#auth) actually says
client: Only SASL authentication is allowed. This can be safely
exposed to entire world.
Given that the SASL auth service will eventually be exposed to untrusted
users via SMTP, the only additional risk from making this socket
world-readable is that (AFAIK, at least) there is no rate-limiting. This
makes the socket a password oracle, which can be used by any local user
with access to the socket to mount a dictionary attack.
However, given again that the permissions on /var/spool/postfix/private
should be 0700 postfix:wheel, and that (again AFAIK) all modern systems
check the permissions on the full path when connecting to a Unix-domain
socket, it doesn't actually matter what the permissions on the socket
are as long as postfix can connect, so 0666 is in this case entirely
safe.
Ben
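The argument above turns on a property of Unix-domain sockets: to connect, a process needs search (execute) permission on every directory leading to the socket and write permission on the socket inode itself, so a 0700 directory protects a 0666 socket. The following is an added example, not code from this thread or from Dovecot or Postfix, that performs that walk statically so an administrator can confirm the reasoning for a given path. It only inspects the "other" permission bits, so it deliberately ignores group membership, POSIX ACLs and the fact that root bypasses the check; the directory names mirror the thread's /var/spool/postfix/private/auth, and the `trusted_prefix` parameter, which marks the ancestors that are assumed world-traversable (like /, /var and /var/spool), is an assumption of this example.

```python
import os
import shutil
import stat
import tempfile


def world_reachable(path, trusted_prefix="/"):
    """Static approximation of the kernel's access check for connect() on a
    Unix-domain socket by a user who is neither the owner nor in the group
    of any component.

    Returns (True, None) if every directory below trusted_prefix is
    world-searchable and the socket itself is world-writable, otherwise
    (False, blocking_component). Directories at or above trusted_prefix are
    assumed reachable and are not inspected (an assumption of this example).
    """
    path = os.path.abspath(path)
    prefix = os.path.abspath(trusted_prefix)
    rel = os.path.relpath(path, prefix)
    if rel.startswith(".."):
        raise ValueError("path is not below trusted_prefix")

    current = prefix
    parts = rel.split(os.sep)
    # Each intermediate directory needs the 'other' execute (search) bit.
    for part in parts[:-1]:
        current = os.path.join(current, part)
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False, current
    # connect() on the socket itself needs write permission on the inode.
    if not os.stat(path).st_mode & stat.S_IWOTH:
        return False, path
    return True, None


def demo():
    """Build a constructed stand-in for /var/spool/postfix/private/auth in a
    temp directory and evaluate the three permission combinations from the
    discussion. A regular file stands in for the socket; only permission bits
    are inspected."""
    root = tempfile.mkdtemp()
    try:
        private = os.path.join(root, "private")
        os.mkdir(private)
        sock = os.path.join(private, "auth")
        open(sock, "w").close()
        results = {}

        # The thread's case: 0666 socket inside a 0700 directory.
        os.chmod(sock, 0o666)
        os.chmod(private, 0o700)
        results["0700 dir, 0666 socket"] = world_reachable(sock, trusted_prefix=root)

        # Opening the directory up exposes the world-writable socket.
        os.chmod(private, 0o755)
        results["0755 dir, 0666 socket"] = world_reachable(sock, trusted_prefix=root)

        # With an open directory, the socket mode is what protects it.
        os.chmod(sock, 0o660)
        results["0755 dir, 0660 socket"] = world_reachable(sock, trusted_prefix=root)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, (reachable, blocker) in demo().items():
        status = "reachable by any local user" if reachable else "blocked at " + blocker
        print(f"{label}: {status}")
```

Run against a live system as `world_reachable("/var/spool/postfix/private/auth", "/var/spool")` to see which component, if any, is what actually keeps other local users away from the auth socket; on a box where the private directory is 0700 postfix:wheel the answer is the directory, regardless of the socket's own mode.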