Hi all, Inspired by a recent thread on this list I decided to set up a mailserver with pop3 access over ssl. It's working now, but I'd appreciate some comments on its security. My setup is as follows:
- I'm using stunnel+popa3d for pop3-ssl (/usr/sbin/stunnel -d pop3s -p /etc/ssl/certs/pop3s.pem -l \ /usr/sbin/popa3d) with Exim as my MTA. - I've recompiled popa3d to support virtual users. It uses one authentication file per user to control 1) the system user that popa3d will use to fetch mail for the user 2) the password for the user (like in /etc/shadow) I've set it up to run as the user for real users and as 'mail' for virtual users. It fetches mail from the mailboxes configured in exim (see below). - I've changed the local_delivery transport in /etc/exim/exim.conf to deliver to /home/virtual/popa3d/127.0.0.1/mail/${local_part} for real users and I've added a new transport called local_virtual_delivery for virtual users: local_virtual_delivery: driver = appendfile user = mail check_owner = false group = mail mode = 0660 mode_fail_narrower = false envelope_to_add = true return_path_add = true file = /home/virtual/popa3d/127.0.0.1/mail/${local_part} This new transport is used by the director virtualuser that I've also added as the last director in the file: virtualuser: driver = aliasfile transport = local_virtual_delivery file = /etc/virtualusers search_type = lsearch /etc/virtualusers just contains the names of the virtual users I want to allow. - The current permissions for the mailboxes /home/virtual/popa3d/127.0.0.1/mail/${local_part} are like: -rw-rw---- 1 mail mail 0 Dec 7 17:33 test -rw-rw---- 1 tve mail 0 Dec 7 17:30 tve where tve is a normal system user and test is a virtual user. These are just examples of course. What I'd like to know is: 1) What do you think of the permissions for the mail files? 2) How are the passwordhashes in /etc/shadow generated from the salt+password? I can't use 'passwd' to update popa3d's auth files, so I need to generate them some other way. 3) Any other comments? Thanks, Tim -- Tim van Erven <[EMAIL PROTECTED]> OpenPGP Key ID: 712CB811 Fingerprint: F6C9 61EE 242C C012 36D5 BBF8 6310 D557 712C B811 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]