[Dovecot] Mail location security

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Thu Feb 6 07:29:37 UTC 2014


On Wed, 5 Feb 2014, Roman Gelfand wrote:

> I am not sure I understood this issue correctly...  When using maildir
> with ie ldap.  Suppose ldap attribute settings say gid 8 and uid 999,
> Those are the permissions for every email address.  If so, someone who
> has access to one email user on the server, has access to all.  If
> this is so, does using mailbox instead of maildir resolve this problem?

If all users have the same uid and gid, there is no difference which mail
storage format you use, as far as security is concerned. You need to
make sure that no user may accidentally or purposefully gain access to
another user's files. Actually, using the same ids will help you, if you
want to _purposefully_ share files to another user ;-)

So: Do not let your users telnet, ftp, ssh, or whatever to your host, but 
restrict any access to IMAP, POP3, ManageSieve and other protocols, where 
you control which files they have access to.

Please understand: The uid/gid stuff applies to the plain Unix file 
permissions, no more no less. No IMAP ACLs, ... .

-- 
Steffen Kaiser
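
An added example, not part of the original message: a small audit that lists which mail users share a Unix uid or gid, since those are the accounts that plain file permissions cannot keep apart. It assumes the userdb is available in Dovecot's passwd-file layout (the thread's setup takes uid/gid from LDAP attributes instead); the sample users and home paths are constructed, and uid 999 / gid 8 are the values from the question.

```python
"""Audit a passwd-file style userdb for mail users sharing a Unix uid/gid."""
from collections import defaultdict

# Constructed sample userdb (assumed layout):
# user:password:uid:gid:gecos:home:shell:extra_fields
SAMPLE_USERDB = """\
# virtual users mapped to one shared system account
alice@example.com:{PLAIN}x:999:8::/srv/mail/example.com/alice
bob@example.com:{PLAIN}x:999:8::/srv/mail/example.com/bob
# users with their own uid; carol still shares gid 8
carol@example.com:{PLAIN}x:5001:8::/srv/mail/example.com/carol
dave@example.com:{PLAIN}x:5002:5002::/srv/mail/example.com/dave
"""

def parse_userdb(text):
    """Yield (user, uid, gid, home) for each well-formed entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # uid/gid not set here, so nothing can be judged from this line
        yield fields[0], int(fields[2]), int(fields[3]), fields[5]

def shared_ids(text):
    """Return ({uid: [users]}, {gid: [users]}) for ids used by more than one user."""
    by_uid, by_gid = defaultdict(list), defaultdict(list)
    for user, uid, gid, _home in parse_userdb(text):
        by_uid[uid].append(user)
        by_gid[gid].append(user)
    same_uid = {u: sorted(v) for u, v in by_uid.items() if len(v) > 1}
    same_gid = {g: sorted(v) for g, v in by_gid.items() if len(v) > 1}
    return same_uid, same_gid

if __name__ == "__main__":
    same_uid, same_gid = shared_ids(SAMPLE_USERDB)
    for uid, users in same_uid.items():
        # Same uid: the kernel sees one owner, whatever the storage format.
        print(f"uid {uid}: no file-level separation between {', '.join(users)}")
    for gid, users in same_gid.items():
        # Same gid only: separation holds while group mode bits stay closed.
        print(f"gid {gid}: separation depends on group mode bits for {', '.join(users)}")
```
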

