Hi all,

Still waiting on an answer on the dovecot list, but I think there are more than a few dovecot users here too, so...

I just migrated my 9+ year old gentoo mail server to a shiny new gentoo VM. Had to do some adjustments (see below if curious), but once I worked all of that out, it went rather smoothly and is now working very well.

Something I neglected to confirm, though, and want to deal with now, is making sure the filesystem permissions are correct and as secure as possible.

This is a virtual hosting setup only (no system users), and dovecot is currently running in high performance mode (I'm thinking I want to change that too, so I'm wondering whether that would affect the permissions)...

/var/vmail (and everything under it) is owned by vmail:vmail.

Current permissions are:

Top-level dir:
/var/vmail  755

Virtual domain dirs:
/var/vmail/example1.com  777
/var/vmail/example2.com  777

Users' home dirs (all others are the same):
/var/vmail/example1.com/user1  755

Users' Maildirs (all others are the same):
/var/vmail/example1.com/user1/Maildir  700

All files inside the users' Maildirs are 600, with the exception of the dovecot-uidvalidity.blahblah files, which are all 444.

So... is this right? Anything need to be changed?

************************************

If anyone is interested, the adjustments I wanted/needed to make were:

1. the users' Maildirs were also their home dirs

I had to mv everything in .../example.com/user to .../example.com/user/Maildir

2. the filesystem ownership/permissions were wrong for using the
   dovecot LDA

chown -R vmail:vmail /var/vmail

3. I wanted to get rid of the old legacy courier-imap INBOX prefix, but had to figure out how to provide compatibility settings so users wouldn't see any changes to their folders in their clients when I flipped the switch, and so I'd have time to make the client changes before removing the compatibility settings, etc.

If anyone is interested I can provide the exact settings...

4. I wanted to switch my instructions for setting up new mail clients
   from using SSL/TLS on port 993 to STARTTLS on port 143.

Simple: tell dovecot to start listening on 143, open up 143 on the firewall, and change the instructions.

Last, of course, I had to write up instructions for the users on how to change these settings so I can remove the compatibility settings. Of course, I'm very detail oriented, so the first instructions I sent out were overly complicated (I had a few complaints from the people who don't know how to read), so I removed all of the explanatory text and re-sent simplified instructions.

I'll keep the compatibility settings for a week or two, and won't remove them until I stop seeing connections on 993 (toward the end of the week I'll start grepping the logs and fixing the stragglers).

Anyway, once I figured out how to do the above, everything went very smoothly. Clients with the legacy INBOX prefix (Thunderbird, iPhones, Android/K9 clients, etc.) didn't notice a thing when I flipped the DNS switch.

When users change their settings to remove the INBOX prefix and change the security/port settings to STARTTLS/143, Thunderbird users have to re-accept the SSL Cert (we use self-signed certs), but iPhone clients interestingly didn't. I think my Android did, but can't remember now...

Anyway, took a lot of prep work to make the transition so seamless, but it was worth it.

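An added example, not part of the post above: a small POSIX sh audit of a virtual-mail tree laid out the way the post describes (domain dir / user dir / Maildir), followed by the tightening step. It assumes the only processes that ever touch the tree (dovecot's imap, pop3 and lda processes, running as the single mail user via mail_uid/mail_gid) need access, so nothing under the top-level directory needs group or world bits at all. The demo tree, its file names and its modes are constructed here to mirror the post's listing; the hex suffix on the dovecot-uidvalidity file is a placeholder.

```shell
#!/bin/sh
# Audit and tighten a virtual-mail tree. Added example; assumption: every
# process that reads or writes the tree runs as one mail user (vmail), so no
# group/world access is required anywhere below the top-level directory.

# audit_vmail_perms DIR OWNER
#   Prints every path that is not owned by OWNER or is group- or world-
#   writable. Returns 0 when the tree is clean, 1 when anything was flagged.
audit_vmail_perms() {
    dir=$1
    owner=$2
    # -perm -g+w / -perm -o+w are POSIX find symbolic modes ("all of these
    # bits set"); ! -user catches files written by some other account.
    findings=$(find "$dir" \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | sed 's/^/FLAGGED: /'
    return 1
}

# fix_vmail_perms DIR
#   Strips group and other bits everywhere: 755/777 dirs become 700, 600
#   files stay 600, and the read-only dovecot-uidvalidity.* files become 400
#   (still readable by the owner, which is all dovecot needs). Ownership is
#   not touched here; that is the root-only "chown -R vmail:vmail" step.
fix_vmail_perms() {
    chmod -R go-rwx "$1"
}

# make_demo_tree DIR
#   Constructed sample tree with the post's layout and the post's current
#   modes, including the 777 domain directory. Names are placeholders.
make_demo_tree() {
    root=$1
    md="$root/example1.com/user1/Maildir"
    mkdir -p "$md/cur" "$md/new" "$md/tmp"
    : > "$md/dovecot-uidvalidity.00000000"   # placeholder suffix
    : > "$md/cur/1000000000.M1P1.host"       # placeholder Maildir message
    chmod 755 "$root"
    chmod 777 "$root/example1.com"
    chmod 755 "$root/example1.com/user1"
    chmod 700 "$md" "$md/cur" "$md/new" "$md/tmp"
    chmod 444 "$md/dovecot-uidvalidity.00000000"
    chmod 600 "$md/cur/1000000000.M1P1.host"
}

# Stand-alone run (sh audit.sh --demo): build the demo tree in a temp dir,
# audit it, tighten it, audit again. Uses the current user as the owner so
# it does not need root or a real vmail account.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    me=$(id -un)
    make_demo_tree "$tmp/vmail"
    echo "Before fix:"
    audit_vmail_perms "$tmp/vmail" "$me" || true
    fix_vmail_perms "$tmp/vmail"
    echo "After fix:"
    audit_vmail_perms "$tmp/vmail" "$me" && echo "clean"
    rm -rf "$tmp"
fi
```

Run against the demo tree, the audit flags exactly one path, the 777 domain directory, because any local account could create or remove user directories there; the 755 home dirs and 444 uidvalidity files are not writable by anyone else and so are not flagged, but they are also not needed, and chmod -R go-rwx removes them without affecting dovecot, which only ever opens the tree as the mail user. For a real tree substitute /var/vmail and vmail for the temp dir and current user. Dovecot's high-performance mode is a setting on the login processes (service_count = 0 in the imap-login/pop3-login services); the mail store is opened by the imap/pop3/lda processes running as mail_uid, so switching that mode changes nothing about which user the files need to be accessible to.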