[Dovecot] replication howto
/dev/rob0
rob0 at gmx.co.uk
Mon Mar 19 14:20:50 EET 2012
On Mon, Mar 19, 2012 at 09:35:34AM +0100, Michael Grimm wrote:
> On 15.03.2012 22:05, Timo Sirainen wrote:
> >On 15.3.2012, at 22.48, Michael Grimm wrote:
>
> >>Actually it's a bad idea to use root for ssh from a security
> >>point of view. A hacked root account isn't fun. Thus, normally
> >>one needs to explicitly change the config of the sshd daemon to
> >>allow root logins (at least with FreeBSD, which I'm using).
> >>Thus, I do recommend to use an unprivileged user like vmail.
> >
> >Then again it's safer to use system user accounts than a single
> >vmail account that has access to everyone's emails.
>
> Root has access to everyone's mail as well.

I think you are missing the point, that being: if all your mail are
belong to vmail, somebody set up us the bomb if the vmail account is
compromised.

(Obviously that's true with a root compromise as well, but that is
unavoidable. Effects of a root compromise can be limited with
technologies like AppArmor and SELinux, but that is difficult to
configure properly and only provides limited benefit: compromised
root can do everything real root was allowed to do.)

The point is: vmail has added a SECOND vulnerable point from which
disaster can ensue. If mailbox ownership is distributed among
multiple UID/GID, compromise of any one of those only endangers the
mails to which it had access.

> >And if you allow ssh login only with public key authentication I
> >don't think there are many security issues. And finally, it would
> >be possible to write a small wrapper that allows the root's public
> >key auth to only execute dsync-user.sh script that can't do
> >anything except sync a specified user's mails.
>
> All those safety measures can be applied for the vmail user as
> well. Actually, that's what I did in my case, plus allowing ssh
> only between both mail servers (firewall rule).

Sure, but there too, all your email eggs are in the vmail basket. No,
disaster is not imminent nor even likely to ensue, but the fact
stands that you and millions of other virtual-only sites do have this
additional potential vulnerability.

It is well supported in Dovecot to be able to use a unique UID and
GID for every virtual mailbox, but management of such a system
presents more challenges than the single-vmail-user approach.
Consequently the popular virtual frontends don't support it.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
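
The wrapper idea quoted in the thread (a key that can only run dsync-user.sh for one named user, reachable only from the peer mail server) could look like the sketch below. It is an added example, not code from the thread or from Dovecot. The request format "sync <user>", the wrapper path, the --forced argument and the assumption that dsync-user.sh takes the user as its only argument are all hypothetical.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the replication key.
# Assumed install, one line in the login account's ~/.ssh/authorized_keys
# (address and key are placeholders):
#   from="192.0.2.10",restrict,command="/usr/local/sbin/dsync-wrapper --forced" ssh-ed25519 AAAA...
LC_ALL=C; export LC_ALL          # make the A-Z/a-z ranges below byte-exact
DSYNC_SCRIPT=/usr/local/sbin/dsync-user.sh   # hypothetical path

# Print the mailbox user if the request is exactly "sync <user>", else fail.
validate_sync_request() {
    req=$1
    case $req in
        "sync "*) user=${req#sync } ;;
        *) return 1 ;;
    esac
    # Reject empty names, option-like or dot-leading names, "..", and any
    # byte outside the allow-list (spaces, slashes, shell metacharacters).
    case $user in
        ''|-*|.*|*..*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#user}" -le 128 ] || return 1
    printf '%s\n' "$user"
}

main() {
    # sshd places whatever the client asked to run in SSH_ORIGINAL_COMMAND;
    # it is never evaluated here, only matched against the pattern above.
    if user=$(validate_sync_request "${SSH_ORIGINAL_COMMAND:-}"); then
        exec "$DSYNC_SCRIPT" "$user"
    fi
    # Log the client address only, not the raw request, to avoid log injection.
    logger -t dsync-wrapper -p auth.warning \
        "rejected request from ${SSH_CONNECTION%% *}"
    echo "dsync-wrapper: request rejected" >&2
    exit 1
}

# Only act when sshd invokes the wrapper through the forced command.
if [ "${1:-}" = "--forced" ]; then main; fi
```

The same authorized_keys line works for either account discussed in the thread; what the key can reach then depends on what dsync-user.sh itself is allowed to do.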