> However, when we have a postfix server on the same machine, that delegates authentication to dovecot SASL ... we can indeed log in as root on the postfix server.You are not logging into Dovecot with root, you are connecting to Postfix for submission. When you connect to dovecot using linux users (PAM) the process running takes on the UID of the login user to give file permissions to read that users home directory where email could be stored. The risk being if someone had root UID:0 they could read anything on the server, not just the home directory of a user. But you aren't logging into Dovecot, you are connecting to Postfix. You aren't checking mail or reading directories. You are only submitting an email to Postfix for submission services. Postfix runs as its own Postfix UID no matter who you authenticate as. So even though you are authenticating yourself with root credentials, you aren't doing so as the root UID, you aren't reading email, and you aren't accessing any file systems like Dovecot would be.
Aymeric Agon-Rambosson
2023-Mar-15 09:39 UTC
Postfix : root and system user authentication
Le mardi 14 mars 2023 ? 22:32, dovecot at ptld.com a ?crit :>> However, when we have a postfix server on the same machine, >> that delegates authentication to dovecot SASL ... we can indeed >> log in as root on the postfix server. > > > You are not logging into Dovecot with root, you are connecting > to Postfix for submission. > > When you connect to dovecot using linux users (PAM) the process > running takes on the UID of the login user to give file > permissions to read that users home directory where email could > be stored. The risk being if someone had root UID:0 they could > read anything on the server, not just the home directory of a > user. > > But you aren't logging into Dovecot, you are connecting to > Postfix. You aren't > checking mail or reading directories. You are only submitting an > email to > Postfix for submission services. Postfix runs as its own Postfix > UID no matter > who you authenticate as. So even though you are authenticating > yourself with > root credentials, you aren't doing so as the root UID, you > aren't reading email, > and you aren't accessing any file systems like Dovecot would be.I agree that this is absolutely not the same in terms of security. The thing I'm worrying about is a lot less dangerous than what you're describing, no arguing about that. It's just, if we imagine that we have disabled root ssh access, and password ssh connection (allowing only keypair connection), this situation provides the port 465 as another way to test passwords, for instance. I would just like to be able to implement on port 465 more or less the same requirements I have implemented on port 22, and on port 993 as well through the use of {first,last}_valid_{u,g}id : a static, and well-known set of users that are allowed to try and authenticate, even though, as you say (and I agree), that the risk is absolutely not the same as with SSH or IMAPS. So, am I to understand from your answer that the fact that login with root or with users not respecting {first,last}_valid_{u,g}id is only applicable to dovecot direcly, not to other processes that have delegated authentication to dovecot ? In other words, that this is a feature and not a bug ? Best, Aymeric