John Allen wrote:
As far as I recall, IMAP servers generally don't allow access to root.
According to the Dovecot wiki, this is hard-coded in the binary:
http://wiki.dovecot.org/MainConfig see under "first_valid_uid"
If the root user is receiving emails, these need to be redirected to
another user so they can be read via IMAP.
---
I guess the source needs a patch.
Why would dovecot choose to play nursemaid to people who want to read
root email remotely via IMAPS?
I can log in via SSH, so why not allow it with secure IMAP? I suppose
really, if someone wants to run as root with no password dovecot should be
**configurable** to allow this -- as we can't always understand the needs
of end users.
Example. You have a system on which root uid=0 means nothing (assigns no
privs -- all assigned via privilege/capability bits).
This means dovecot is hardcoded to lock out a user that may have no
privileges, but has no prob permitting access to those with full
Capability/priv sets.
That is NOT remotely a secure design -- not that it "allows login to those
w/caps", but that it bogusly tries to invalidate site-security policies
that it doesn't like.
Samba has done this and actually disparages people who don't use
conventional security policies as 'insecure', when those same people can
point out a multitude of ways samba can be easily -- in the ways that the
samba team _recommend_ -- that samba can be accidentally or surreptitiously
configured insecurely. When it is asked why alternate security policies are
insecure -- they change the subject and agree grudgingly to re-allow
'banned' commands under options like "allow insecure XXXX"...
Trying to 'play nursemaid' to users is a bad security policy -- since as
soon as you (like samba team leader said, "we had to make it impossible to
configure samba insecurely"), you are asking for trouble; cuz then users
think they don't have to worry about how they config things, it will
always be secure...and we know that is very untrue!