Hi list,

I am just experimenting with setting up my own email server. I want some tips and hints on how to secure my setup to prevent unauthorised access to my email. I have read through the wiki and have not found many tips. I hope to improve the wiki with tips gathered from the mailing list. :-)

A basic measure I could take right now would be to set more secure file permissions on my setup.

My setup is based on http://wiki.dovecot.org/HowTo/VirtualhostingWithExim with a few additions: fetchmail and exim4 deliver mail to my maildir and dovecot grants me access through imap. dovecot authenticates against /home/postmaster/passwd.digest and ./passwd.cram

--
Daniel Aleksandersen <aleksandersen at runbox.no>
Sent: Tue, 24 Feb 2009 22:28:07 +0100 (CET)
From: "Daniel Aleksandersen"
> I am just experimenting with setting up my own email server. I want some tips
> and hints on how to secure my setup to prevent unauthorised access to my email.
> I have read through the wiki and have not found many tips. I hope to
> improve the wiki with tips gathered from the mailing list. :-)
> A basic measure I could take right now would be to set more secure
> file permissions on my setup.
> My setup is based on http://wiki.dovecot.org/HowTo/VirtualhostingWithExim
> with a few additions:
> fetchmail and exim4 deliver mail to my maildir and dovecot grants me access
> through imap. dovecot authenticates against /home/postmaster/passwd.digest
> and ./passwd.cram

I have tried different options on my maildirs. Dovecot gives me permission errors unless I set it to 775. I have seen that many mention 660 as the best permission setting for maildirs when used in setups similar to my own. Can anyone explain why my maildir must be executable and accessible to everyone?

--
Daniel
On 24.02.2009 23:54 Daniel Aleksandersen wrote:
> I have tried different options on my maildirs. Dovecot gives me permission errors
> unless I set it to 775. I have seen that many mention 660 as the best permission
> setting for maildirs when used in setups similar to my own. Can anyone explain
> why my maildir must be executable and accessible to everyone?

No, they must not be accessible to everyone, only to the user that owns the maildir. For example:

el-negro 70014 # ll -d Maildir
drwx------ 21 70014 70002 4096 2009-02-24 19:36 Maildir
el-negro 70014 # ll -d Maildir/.INBOX.Lists.Dovecot
drwx------ 5 70014 70002 4096 2009-02-24 23:56 Maildir/.INBOX.Lists.Dovecot
el-negro 70014 # ll Maildir/.INBOX.Lists.Dovecot/cur/1235516104.M562448P18642.el-negro\,W\=3966\:2\,Sa
-rw------- 1 70014 70002 3886 2009-02-24 23:55 Maildir/.INBOX.Lists.Dovecot/cur/1235516104.M562448P18642.el-negro,W=3966:2,Sa

But this may require a root-setuid deliver binary when using multiple virtual UIDs. See http://wiki.dovecot.org/LDA#multipleuids

Regards,
Pascal

--
Ubuntu is an ancient African word meaning "I can't install Debian." -- unknown
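The owner-only layout in Pascal's listing (drwx------ on the directories, -rw------- on the messages) can be checked and enforced with a small audit script. The script below is an added example, not code from the thread or from the Dovecot project; the Maildir it builds under a mktemp directory, the loose 777/664 modes and the message file name are all constructed for the demonstration. It lists every entry that grants group or world access and then tightens the tree to 0700/0600.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Maildir for entries that grant
# group or world access, and tighten them to the "drwx------ / -rw-------"
# layout shown in Pascal's listing. The demo Maildir below is constructed.

# Symbolic mode of a path, e.g. "drwx------" (ls -ld is portable; stat -c is not).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds when group and others have no bits at all (positions 5-10 are '-').
is_private() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# List every entry in the tree that is readable, writable or executable by
# group or others, one "mode path" line each.
list_exposed() {
    find "$1" | while IFS= read -r p; do
        is_private "$p" || printf '%s %s\n' "$(mode_of "$p")" "$p"
    done
}

# Number of exposed entries; 0 means the whole tree is owner-only.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Make the tree owner-only: 0700 for directories, 0600 for messages.
# The owner (the user Dovecot logs in as) keeps full access; nobody else
# needs any unless a separate delivery user is involved (see the LDA wiki).
fix_maildir() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Build a constructed Maildir with deliberately loose modes (the 777 from the
# thread) and print its path.
make_demo_maildir() {
    d=$(mktemp -d)/Maildir
    mkdir -p "$d/cur" "$d/new" "$d/tmp"
    # Constructed message file; the name only mimics the Maildir naming format.
    printf 'Subject: constructed test message\n\nhello\n' \
        > "$d/cur/1235516104.M1P1.demo,S=40:2,S"
    chmod 777 "$d" "$d/cur" "$d/new" "$d/tmp"
    chmod 664 "$d/cur"/*
    printf '%s\n' "$d"
}

# Stand-alone run: show the problem, fix it, show the result.
if [ "${1-}" = "--demo" ]; then
    d=$(make_demo_maildir)
    echo "before: $(count_exposed "$d") exposed entries"
    list_exposed "$d"
    fix_maildir "$d"
    echo "after:  $(count_exposed "$d") exposed entries"
    rm -rf "$(dirname "$d")"
fi
```

Run it with `--demo` to see the five exposed entries of the constructed tree and the empty result after `fix_maildir`. On a real server, point `list_exposed` at the virtual user's Maildir first; a non-empty list is the finding, and the fix is only correct if the same uid that Dovecot uses for that user is also the one the delivery agent writes as.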
Sent: Wed, 25 Feb 2009 00:09:10 +0100
From: Pascal Volk
> On 24.02.2009 23:54 Daniel Aleksandersen wrote:
> > I have tried different options on my maildirs. Dovecot gives me permission errors
> > unless I set it to 775. I have seen that many mention 660 as the best permission
> > setting for maildirs when used in setups similar to my own. Can anyone explain
> > why my maildir must be executable and accessible to everyone?
>
> No, they must not be accessible to everyone, only to the user that
> owns the maildir. For example:
>
> el-negro 70014 # ll -d Maildir
> drwx------ 21 70014 70002 4096 2009-02-24 19:36 Maildir
> el-negro 70014 # ll -d Maildir/.INBOX.Lists.Dovecot
> drwx------ 5 70014 70002 4096 2009-02-24 23:56 Maildir/.INBOX.Lists.Dovecot
> el-negro 70014 # ll Maildir/.INBOX.Lists.Dovecot/cur/1235516104.M562448P18642.el-negro\,W\=3966\:2\,Sa
> -rw------- 1 70014 70002 3886 2009-02-24 23:55 Maildir/.INBOX.Lists.Dovecot/cur/1235516104.M562448P18642.el-negro,W=3966:2,Sa
>
> But this may require a root-setuid deliver binary when using
> multiple virtual UIDs. See http://wiki.dovecot.org/LDA#multipleuids

The recipe assumes I have a group called secmail. I don't. Am I supposed to create a special group for this purpose?

--
Daniel
On 25.02.2009 00:25 Daniel Aleksandersen wrote:
> The recipe assumes I have a group called secmail. I don't. Am I supposed to create
> a special group for this purpose?

Yes, if the group does not exist, you have to create it. You could call it whatever you want.

Regards,
Pascal

--
Ubuntu is an ancient African word meaning "I can't install Debian." -- unknown
Sent: Wed, 25 Feb 2009 00:29:17 +0100
From: Pascal Volk
> On 25.02.2009 00:25 Daniel Aleksandersen wrote:
> > The recipe assumes I have a group called secmail. I don't. Am I supposed to create
> > a special group for this purpose?
>
> Yes, if the group does not exist, you have to create it. You could call
> it whatever you want.

I created the group and set the permissions of deliver as described in the recipe. I then added just about every user to that group. I still get permission errors when dovecot tries to access my maildir. Setting permissions of the maildir to 777 "fixes" the problem.

Other suggestions? :-)

--
Daniel
On 25.02.2009 00:38 Daniel Aleksandersen wrote:
>
> I created the group and set the permissions of deliver as described in the recipe. I
> then added just about every user to that group. I still get permission errors when
> dovecot tries to access my maildir. Setting permissions of the maildir to 777 "fixes"
> the problem.
>
> Other suggestions? :-)

According to your mail <http://dovecot.org/list/dovecot/2009-February/037726.html>: your users log in with uid=postmaster gid=postmaster? In this case the owner of the maildirs should also be postmaster. If you execute deliver as your postmaster user, all should be fine.

Regards,
Pascal

--
Ubuntu is an ancient African word meaning "I can't install Debian." -- unknown
Sent: Wed, 25 Feb 2009 01:36:00 +0100 (CET)
From: "Daniel Aleksandersen"
> Sent: Tue, 24 Feb 2009 19:11:43 -0500
> From: Timo Sirainen
> > On Wed, 2009-02-25 at 00:38 +0100, Daniel Aleksandersen wrote:
> > > Sent: Wed, 25 Feb 2009 00:29:17 +0100
> > > From: Pascal Volk
> > > > On 25.02.2009 00:25 Daniel Aleksandersen wrote:
> > > > > The recipe assumes I have a group called secmail. I don't. Am I supposed to create
> > > > > a special group for this purpose?
> > > >
> > > > Yes, if the group does not exist, you have to create it. You could call
> > > > it whatever you want.
> > >
> > > I created the group and set the permissions of deliver as described in the recipe. I
> > > then added just about every user to that group.
> >
> > No, don't do that. The point of it was to make deliver executable only
> > by your MTA, no one else. If other people were able to execute it, they
> > could gain root privileges.
>
> I started adding other users just to troubleshoot the problems I have been having.
> It did not work anyway, so I have removed other users from that group.
>
> The permissions still must be 777 or dovecot starts throwing permission errors.
>
> I have tried a variety of other permissions including 677, 767, 776. All fail but 777.

ps -ef|grep exim shows that exim is run by user 101. A look into /etc/group reveals the user as libuuid. Debian-exim is user 103. Could this be what is causing my problems? How do I change what user exim is run as?

--
Daniel
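Two checks fall out of this last exchange: Timo's point that a root-setuid deliver must be executable by the MTA's group and nobody else, and Daniel's uid question, where the number shown by ps is a user id and belongs in the passwd database rather than /etc/group. The script below is an added example, not code from the thread or from Dovecot; the stand-in "deliver" files, the owner and group names, and the passwd excerpt are all constructed, and the hypothetical mta account and uid 103 for Debian-exim only mirror the names mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a root-setuid delivery
# helper (the "deliver" binary of the wiki recipe) is executable only by the
# MTA's group, as Timo describes, and resolve a numeric uid to a login name
# from a passwd-format file, which is where ps takes its user column from.
# Every path, account name and passwd line here is constructed for the demo.

# Symbolic mode, owner and group of a path, read from ls -ld because
# "stat -c" differs between GNU and BSD systems.
perm_fields() {
    ls -ld "$1" | awk '{print substr($1, 1, 10), $3, $4}'
}

# Check a setuid helper against the intended layout: setuid bit set, the
# owner may read/write/execute, the MTA group may execute (read optional),
# and others get nothing at all. Prints one line per violation and returns 0
# only when mode, owner and group all match what was asked for.
check_setuid_helper() {
    path=$1; want_owner=$2; want_group=$3
    set -- $(perm_fields "$path")
    mode=$1; owner=$2; group=$3
    rc=0
    case "$mode" in
        -rws?-x---) ;;
        *) echo "$path: mode is $mode, expected -rwsr-x--- (setuid, group-exec only)"; rc=1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "$path: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group is $group, expected $want_group"; rc=1; }
    return $rc
}

# Map a numeric uid to a login name using a passwd-format file ($1).
# On a live system the equivalent is "getent passwd 101" or /etc/passwd;
# /etc/group maps group ids, so a uid looked up there names the wrong thing.
uid_to_name() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Constructed passwd excerpt for the demo (not any real system's file).
make_demo_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/sh
Debian-exim:x:103:105::/var/spool/exim4:/bin/false
postmaster:x:1001:1001::/home/postmaster:/bin/sh
EOF
    printf '%s\n' "$f"
}

# Constructed stand-in for the deliver binary, created with the mode in $1.
make_demo_helper() {
    f=$(mktemp)
    printf '#!/bin/sh\necho delivering\n' > "$f"
    chmod "$1" "$f"
    printf '%s\n' "$f"
}

# Stand-alone run: a correctly restricted helper, a world-executable one,
# and a uid lookup against the constructed passwd file.
if [ "${1-}" = "--demo" ]; then
    good=$(make_demo_helper 4750)
    me=$(perm_fields "$good" | awk '{print $2}')
    grp=$(perm_fields "$good" | awk '{print $3}')
    check_setuid_helper "$good" "$me" "$grp" && echo "$good: ok"
    bad=$(make_demo_helper 4755)
    check_setuid_helper "$bad" "$me" "$grp" || echo "$bad: rejected"
    pw=$(make_demo_passwd)
    echo "uid 103 is $(uid_to_name "$pw" 103)"
    rm -f "$good" "$bad" "$pw"
fi
```

In the demo the helper is owned by whoever runs the script, so the owner check is exercised with that name; on a real host the expected owner is root and the expected group is the one the MTA runs as, which is exactly what Timo's warning is about: a setuid-root binary that a third group or everyone can execute hands root to anyone who can find a bug in it.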