ankush grover
2007-Mar-18 07:27 UTC
[CentOS] Need help in securing maildir so that root user should not be able to read any other user's mail
Hi friends,

My company is currently using Exchange Servers for its mail server solution, but now they want to move to Linux servers due to the heavy cost involved with the Exchange users. We will be using the latest version of CentOS.

The kind of solution we are looking for is below:

a) Postfix or Sendmail as MTA.
b) Dovecot or Cyrus IMAP with quota as POP and IMAP server.
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
d) Global address book on LDAP or any other.
e) Using Samba/LDAP for client authentication.

The most concerning part here is part c, as we don't want any user to be able to read any other user's mail, including root.

Regards
Ankush
Morten Torstensen
2007-Mar-18 10:36 UTC
ankush grover wrote:
> c) Security of Maildir means even root user should not be able to read
> any user's mail.

You can do that with SELinux... you would have to limit filesystem access AND user access so that root cannot just su to a user and access it from there. But someone who has physical access to the server will be able to get access. Administrative routines need access too, for stuff like backup and restore.

So for c) I would limit what I can and then have audit routines to map usage.

-- 
//Morten Torstensen
//Email: morten at mortent.org
//IM: Cartoon at jabber.no morten.torstensen at gmail.com

And if it turns out that there is a God, I don't believe that he is evil. The worst that can be said is that he's an underachiever.
Feizhou
2007-Mar-18 11:29 UTC
> c) Security of Maildir means even root user should not be able to read
> any user's mail.
>
> Most concerned part here is part c as we don't want any user to be
> able to read any other user's mail including root.

What is the point of having an administrator that you cannot trust? How are you going to recover mail, say, in case a user leaves or is otherwise incapable of digging out the mail for the company? Do you lock the Exchange administrator out of all users' mail too?
Matthew Miller
2007-Mar-18 11:36 UTC
On Sun, Mar 18, 2007 at 12:57:21PM +0530, ankush grover wrote:
> c) Security of Maildir means even root user should not be able to read
> any user's mail.

I think the real answer here is "be more careful who has root access".

-- 
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
John Summerfield
2007-Mar-18 20:40 UTC
ankush grover wrote:
> Hi friends,
>
> My company is currently using Exchange Servers for Mail Server
> solutions but now they want to move to Linux Servers due to heavy cost
> involved with the Exchange Users.We will be using the latest version
> of Centos.
>
> So the kind of solution we are looking is below:
>
> a) Postfix or Sendmail as MTA.
> b) Dovecot or Cyrus Imap with Quota as Pop & Imap server.
> c) Security of Maildir means even root user should not be able to read
> any user's mail.

How could you back it up?

> d) Global Address Book on Ldap or any other.
> e) Using samba/ldap for client authentication.

You can authenticate against AD. In principle you could use standard LDAP tools to extract the info and insert it into OpenLDAP, but I don't know about passwords, and probably you will want to keep AD anyway.

> Most concerned part here is part c as we don't want any user to be
> able to read any other user's mail including root.

Root must be able to "become" the IMAP server, otherwise you couldn't start it. Given that, even if root couldn't read the mail directly, it would be possible by "su cyrus".

Is this less secure than Windows? Give me the right to boot a CD of my choice and five minutes and we'll see.

-- 
Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu

Please do not reply off-list
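One way to act on Morten's "limit what I can and then have audit routines" for the filesystem side, as an added example that is not from the thread, from CentOS, or from Dovecot/Cyrus: a Python audit of a Maildir tree that flags every entry readable by group or other, owned by the wrong uid, or a symlink, plus the owner-only remediation. It runs against a constructed Maildir in a temporary directory (the message file names and contents are made up). It covers discretionary permissions only; as John points out, root bypasses them and can su to the mail user regardless, so this addresses the "no other user can read it" half of point (c), not the "not even root" half.

```python
"""Audit a Maildir for permission and ownership problems (added example).

Checks the DAC side only: a root user, or anyone who can su to the mail
user, is not stopped by anything this script reports or fixes.
"""
import os
import stat
import tempfile
from pathlib import Path

MAILDIR_SUBDIRS = ("cur", "new", "tmp")   # the three directories every Maildir has


def audit_maildir(maildir, expected_uid):
    """Return a list of (path, problem) pairs for everything under maildir that
    is not owned by expected_uid, is a symlink, or grants any permission to
    group or other. An empty list means the tree is owner-only."""
    root = Path(maildir)
    findings = []
    for sub in MAILDIR_SUBDIRS:
        if not (root / sub).is_dir():
            findings.append((str(root / sub), "missing Maildir subdirectory"))
    for path in [root, *sorted(root.rglob("*"))]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            # a symlink could point anywhere; it does not belong in a Maildir
            findings.append((str(path), "symlink inside Maildir"))
            continue
        if st.st_uid != expected_uid:
            findings.append((str(path), f"owned by uid {st.st_uid}, expected {expected_uid}"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((str(path), f"mode {mode:04o} grants group/other access"))
    return findings


def fix_permissions(maildir):
    """Tighten every entry to owner-only: 0700 for directories, 0600 for files.
    Symlinks are left alone so the audit keeps reporting them."""
    root = Path(maildir)
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        path.chmod(0o700 if path.is_dir() else 0o600)


def build_sample_maildir(base):
    """Create a constructed Maildir under base with two deliberate mistakes:
    a world-readable message and a group-listable 'new' directory."""
    root = Path(base) / "Maildir"
    for sub in MAILDIR_SUBDIRS:
        (root / sub).mkdir(parents=True)
        (root / sub).chmod(0o700)
    root.chmod(0o700)
    good = root / "cur" / "1174200000.M1P100.host:2,S"      # made-up Maildir file name
    good.write_text("From: a@example.com\n\nconstructed message\n")
    good.chmod(0o600)
    leaky = root / "cur" / "1174200001.M2P100.host:2,S"
    leaky.write_text("From: b@example.com\n\nconstructed message\n")
    leaky.chmod(0o644)            # mistake 1: readable by every local user
    (root / "new").chmod(0o750)   # mistake 2: group may list new mail
    return root


def demo():
    """Audit the sample Maildir before and after remediation.
    Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        maildir = build_sample_maildir(tmp)
        before = audit_maildir(maildir, os.getuid())
        fix_permissions(maildir)
        after = audit_maildir(maildir, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, problem in before:
        print(f"{problem}: {path}")
    print(f"after fix_permissions: {len(after)} findings")
```

Run it as the mail user (or as root pointing expected_uid at that user's uid) over each real Maildir, and schedule the audit rather than the fix: an unexpected finding usually means a misconfigured delivery agent or a manual restore, which is what Morten's audit routine is meant to surface. Backup, restore and the IMAP daemon itself still need to read these files, which is the trade-off the rest of the thread is about.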