On Wed, 2010-08-25 at 13:00 +0200, Ralph Seichter wrote:
> On 25.08.10 01:52, Timo Sirainen wrote:
>
> > Mail processes connect to dict socket, so all mail users executing
> > mail processes need to have access to it.
>
> Just as I thought when I configured "mode = 0666". I am uneasy about
> userA being potentially able to modify dict entries of userB.

Do you have system users? The group way I mentioned would avoid problems with them, but of course not security problems related to Dovecot processes themselves.

> One can
> already define per-user sieve scripts in Dovecot 2.0, and I wonder if
> you have considered per-user dictionaries?

Well, the whole point of expire database is that a single command can quickly see what users have mails to expunge. So this needs to be a shared dictionary across users.

Of course, having some kind of user authentication would be nice across Dovecot processes.. But I'm not sure if there's a way to make that work.
