> Marc> Why? Just disallow login, and that is from the perspective that
> Marc> a mail user should be limited mail resources.
>
> If the user does NOT need to login to the dovecot/mail servers, then
> not having these users at all is more secure.
No, because there is a difference between a need to log in and the presence of a
uid. Lots of daemons run under accounts that cannot log in.
> Marc> I argue exactly the opposite. Keep as much as possible linux
> Marc> users. As linux has been engineered for allowing multiple user
> Marc> accounts, and most other virtual user providers that are used
> Marc> here, have not.
>
> I'm having a hard time parsing what you are saying here.
>
> I'm saying that if the mail/dovecot server is only providing mail
> services, then putting all the users (across multiple domains even)
> into a virtual user database is more secure
No it is not more secure, e.g.
1. if a user does not exist on the os, how can processes be spawned as these
uids. Everything is running under the same uid.
2. if you do not use separate users, everything is written under the same uid.
3. most amateurs use a crappy mysql as backend for virtual users. The likelihood
of that being compromised compared to the linux os is much and much higher.
4. Say you are more professional and set up an ldap server (with correct acls
(which is not trivial at all)). If you would have dovecot use it as a backend for
virtual users. Does dovecot relay that user auth information or does it need
some static bind. The static bind is already an increased attack surface. Better
is have the os use the ldap backend and have dovecot use the os.
5. I would even argue that having dovecot 'outsource' the user
management to the linux os is more secure. Because dovecot developers are more
experienced in programming the email application and have far less experience
with authorization, authentication than the linux developers. There is much more
scrutiny on the linux os than the dovecot user system.
> and more scalable.
Not relevant, that is a different discussion.
> General users don't need accounts on the mail server, and security in
> depth argues that keeping them off the server entirely is a good
> thing.
>
You constantly apply incorrect logic. You think that "keeping them off the
server entirely" equals virtual user. "keeping them off the server
entirely" also includes /sbin/nologin.
According to your incorrect logic's, you support my statement because in my case
users are kept off.
If your logic's is incorrect, how can your conclusion be correct? Repeating this
does not make it true, the alternative is far worse.
Linux always does a better job on permissions, users, authentication than
whatever 3rd party software. And if you outsource this to linux you have even
more possibilities by using selinux rules.
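The two properties argued over in this exchange, a mail-only account that exists on the OS but has a non-interactive shell such as /sbin/nologin, and one uid per account so mail processes and mailbox files are not all owned by a single uid, can be checked directly from a passwd file. The script below is an added example, not code from the thread or from the Dovecot project; it works on a constructed /etc/passwd-style sample (all names, uids and paths are made up) and needs only POSIX sh and awk. Point it at a real /etc/passwd to audit an actual mail server.

```shell
#!/bin/sh
# Added example (not from the thread): audit an /etc/passwd-style file for
# (1) accounts that can still open an interactive shell, (2) accounts that
# exist but are login-disabled (the /sbin/nologin case), and (3) uids shared
# by several account names, which defeats per-user separation.

# Constructed sample in /etc/passwd format; uids, names and paths are made up
# for this example. Note that "carol" shares uid 5000 with "vmail".
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
alice:x:1001:1001:alice mailbox:/home/alice:/sbin/nologin
bob:x:1002:1002:bob mailbox:/home/bob:/bin/bash
vmail:x:5000:5000:virtual mail:/var/vmail:/sbin/nologin
carol:x:5000:5000:carol mailbox:/var/vmail/carol:/sbin/nologin
EOF
}

# Accounts whose login shell is interactive (anything whose shell does not
# end in nologin or false). A mail user listed here can still get a shell.
interactive_shell_accounts() {
    awk -F: 'NF >= 7 && $7 !~ "/(nologin|false)$" { print $1 }' "$1"
}

# Accounts that exist on the OS (so processes and files can carry their
# uid) but cannot log in: "keeping them off the server" via /sbin/nologin.
nologin_accounts() {
    awk -F: 'NF >= 7 && $7 ~ "/(nologin|false)$" { print $1 }' "$1"
}

# uids used by more than one account name, printed as "uid: name1 name2".
shared_uid_accounts() {
    awk -F: '
        NF >= 7 { names[$3] = (names[$3] == "" ? $1 : names[$3] " " $1); count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u ": " names[u] }
    ' "$1"
}

# Human-readable report over one passwd file.
audit_passwd() {
    echo "== accounts with an interactive shell (expect admins only) =="
    interactive_shell_accounts "$1"
    echo "== accounts present but login-disabled (mail-only users, daemons) =="
    nologin_accounts "$1"
    echo "== uids shared by several accounts =="
    shared_uid_accounts "$1"
}

# Demo on the constructed sample; pass a real path instead, e.g.
#   audit_passwd /etc/passwd
sample=$(mktemp)
write_sample_passwd "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On the sample, the report lists root and bob under interactive shells (bob is a mailbox user who should have been given /sbin/nologin), four login-disabled accounts, and uid 5000 shared by vmail and carol, which is exactly the "everything written under the same uid" situation described in point 2 above.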