Re: ownership of mailboxes with dovecot
On Wednesday, 1 January 2020 23:16:40 -03 Sean Kamath wrote:
> On Dec 31, 2019, at 08:30, Roderick wrote:
> > As said, I had UW imap serving system user mailboxes, and now
> > cyrus imap serving virtual users. You have to decide. With
> > dovecot I have no other experience than compiling it.
> >
> > I think I would prefer now UW Imap, because I have only few and trusted
> > users, and because it is very simple, not much configuration and
> > maintenance needed: it just publishes the mailboxes with imap,
> > accessed with the system user/password.
>
> So I’ve been running Dovecot for I don’t know how long (but started on
> Solaris, so at least that long ago). I used to have LDAP running, but
> decided it was overkill since I’m the only one who logs into the boxes, the
> other three people only read email.
>
> Dovecot can seem complex, but it’s not at all. It pretty much works out of
> the box, with very few changes necessary (and works well with Let's Encrypt
> certs as well).
>
> My first OpenBSD configuration was based on
> https://frozen-geek.net/openbsd-email-server-1/
>
> My next will be based on
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/,
> because I want to use rspamd instead of all the stuff
> loaded in the first (for some reason, one of the daemons doesn’t start on
> boot — it does if I start it manually. Frankly, my machine never reboots,
> so I keep forgetting even which one it is that doesn’t start.). I got a
> little tripped up doing the 6.4 migration, so I have some catching up to
> do.

I agree that this is the more informative page, which is somewhat logical - Gilles Chehade. Of course he aims a lot higher than I would dare to.

> Looking at
> https://www.tumfatig.net/20150620/opensmtpd-and-dovecot-on-openbsd-5-7/,
> it’s a little too copy-pasta for my taste. But even so, it doesn’t
> configure dovecot for non-system users, so it’s unclear how virtual users
> were set up with Dovecot.

Yes, and that's where I tripped and ended up having system users which are also virtual users. That is silly. I certainly need somewhat of a book to better get the whole picture.

> Anyway, having run UW imap, cyrus, and dovecot — I run dovecot. I also use
> sdbox, BTW, which I believe no one but ancient MH people use. My
> non-default configs are pretty much limited to per-host configuration (like
> hostname), sieve and SSL.
>
> I think the biggest hurdle was getting used to LMTP.
>
> Sean

I'll close the lid on this issue for now until I have sorted out and remedied my mistakes.

Eike
-- 
Eike Lantzsch ZP6CGE
Casilla de Correo 13005
1749 Asuncion / Paraguay
Land-line: +595-21-553984
SIP-gate: +49 4131 9279632
Cell-phone: +595-971-696909
Skype: eikelan
WIRE @eikelan
Re: ownership of mailboxes with dovecot
On Dec 31, 2019, at 08:30, Roderick wrote:
> As said, I had UW imap serving system user mailboxes, and now
> cyrus imap serving virtual users. You have to decide. With
> dovecot I have no other experience than compiling it.
>
> I think I would prefer now UW Imap, because I have only few and trusted
> users, and because it is very simple, not much configuration and
> maintenance needed: it just publishes the mailboxes with imap,
> accessed with the system user/password.

So I’ve been running Dovecot for I don’t know how long (but started on Solaris, so at least that long ago). I used to have LDAP running, but decided it was overkill since I’m the only one who logs into the boxes, the other three people only read email.

Dovecot can seem complex, but it’s not at all. It pretty much works out of the box, with very few changes necessary (and works well with Let's Encrypt certs as well).

My first OpenBSD configuration was based on
https://frozen-geek.net/openbsd-email-server-1/

My next will be based on
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/,
because I want to use rspamd instead of all the stuff loaded in the first (for some reason, one of the daemons doesn’t start on boot — it does if I start it manually. Frankly, my machine never reboots, so I keep forgetting even which one it is that doesn’t start.). I got a little tripped up doing the 6.4 migration, so I have some catching up to do.

Looking at
https://www.tumfatig.net/20150620/opensmtpd-and-dovecot-on-openbsd-5-7/,
it’s a little too copy-pasta for my taste. But even so, it doesn’t configure dovecot for non-system users, so it’s unclear how virtual users were set up with Dovecot.

Anyway, having run UW imap, cyrus, and dovecot — I run dovecot. I also use sdbox, BTW, which I believe no one but ancient MH people use. My non-default configs are pretty much limited to per-host configuration (like hostname), sieve and SSL.

I think the biggest hurdle was getting used to LMTP.

Sean
Re: ownership of mailboxes with dovecot
On Tue, 31 Dec 2019, Eike Lantzsch wrote:
> system user XOR virtual user
> That's what I have to set up now. Correct?

As said, I had UW imap serving system user mailboxes, and now cyrus imap serving virtual users. You have to decide. With dovecot I have no other experience than compiling it.

I think I would prefer now UW Imap, because I have only few and trusted users, and because it is very simple, not much configuration and maintenance needed: it just publishes the mailboxes with imap, accessed with the system user/password.

I installed cyrus imap because I wanted some integration with cyrus sasl and ldap that I also use for authentication in sendmail. Now I think it is for my purposes an exaggeration. Indexing may be nice, but there are not a lot of emails.

I do not know the state of UW imap today and if it is considered secure by OpenBSD people. I would also be glad to hear opinions.

Rodrigo
Re: ownership of mailboxes with dovecot
On 2019-12-31 14:10, Kevin Chadwick wrote:
> I believe the mail boxes are chrooted into too.

Actually that may be incorrect with the chroot being more broad than that as they should be owned by root otherwise!
Re: ownership of mailboxes with dovecot
On Tuesday, 31 December 2019 10:25:30 -03 Jona Joachim wrote:
> On 2019-12-31, Roderick wrote:
> > On Tue, 31 Dec 2019, Eike Lantzsch wrote:
> >> I'm using an IMAP mailserver with dovecot which is entirely limited to my
> >> local network.
> >> It pulls my external mail with fetchmail. [...]
> >> user username1@foodomain.local.fantasea mailbox is owned by vmail [...]
> >> Obviously dovecot has other ideas about security than OpenBSD.
> >
> > Is it dovecot or fetchmail that creates the mailboxes?!
> >
> >> Can I remedy this (then: how?) or should I go on to ignore this warning?
> >
> > Perhaps configuring fetchmail?
>
> Maybe the best approach would be to configure fetchmail to forward mail
> to the Dovecot LDA, for example over LMTP. This way only Dovecot ever
> writes to the mailbox and you have the added benefit of using additional
> features such as sieve and indexed mailboxes.
>
> Best regards,
> Jona

This didn't occur to me. Another sign that I didn't get the whole picture. I will try to set this up after I have got my system users versus virtual users approach right.

In the end it *was* useful to mention fetchmail. Thank you Jona!
-- 
Eike Lantzsch ZP6CGE
Re: ownership of mailboxes with dovecot
On 2019-12-31 13:13, Eike Lantzsch wrote:
> I regret having mentioned fetchmail.
> It happens as part of setting up dovecot with virtual users.

Do you need virtual users? I saw all the guides recommending this and wrote scripts to manage system users instead. Every box is owned by the login user and I believe the mail boxes are chrooted into too. It also means it inherited the system bcrypt login protection and its maintenance for years.

I don't have that many users though. No one seems to discuss what the limits would actually be?
Re: ownership of mailboxes with dovecot
On Tuesday, 31 December 2019 10:36:38 -03 Roderick wrote:
> On Tue, 31 Dec 2019, Eike Lantzsch wrote:
> > > Is it dovecot or fetchmail that creates the mailboxes?!
> >
> > fetchmail doesn't configure anything, especially not mailboxes.
> > I regret having mentioned fetchmail.
> > It happens as part of setting up dovecot with virtual users.
>
> If they are virtual users, why are they also users in the system?!

Good point! Shows me that I didn't understand the whole point of virtual users versus users on the system correctly.

system user XOR virtual user
That's what I have to set up now. Correct?

> BTW, I installed many years ago UW Imap on FreeBSD, contained
> today in alpine mail's source. It served out of the box the mailboxes
> of the system users with imap. No configuration needed.
>
> Rod.

Thank you Rod!
-- 
Eike Lantzsch ZP6CGE
Re: ownership of mailboxes with dovecot
On Tue, 31 Dec 2019, Eike Lantzsch wrote:
> > Is it dovecot or fetchmail that creates the mailboxes?!
>
> fetchmail doesn't configure anything, especially not mailboxes.
> I regret having mentioned fetchmail.
> It happens as part of setting up dovecot with virtual users.

If they are virtual users, why are they also users in the system?!

BTW, I installed many years ago UW Imap on FreeBSD, contained today in alpine mail's source. It served out of the box the mailboxes of the system users with imap. No configuration needed.

Rod.
Re: ownership of mailboxes with dovecot
On 2019-12-31, Roderick wrote:
>
> On Tue, 31 Dec 2019, Eike Lantzsch wrote:
>
>> I'm using an IMAP mailserver with dovecot which is entirely limited to my
>> local network.
>> It pulls my external mail with fetchmail. [...]
>> user username1@foodomain.local.fantasea mailbox is owned by vmail [...]
>> Obviously dovecot has other ideas about security than OpenBSD.
>
> Is it dovecot or fetchmail that creates the mailboxes?!
>
>> Can I remedy this (then: how?) or should I go on to ignore this warning?
>
> Perhaps configuring fetchmail?

Maybe the best approach would be to configure fetchmail to forward mail to the Dovecot LDA, for example over LMTP. This way only Dovecot ever writes to the mailbox and you have the added benefit of using additional features such as sieve and indexed mailboxes.

Best regards,
Jona
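An added example of the setup Jona describes (not part of Jona's message, nor fetchmail's or Dovecot's own documentation): a fetchmailrc fragment that hands each fetched message to the Dovecot LDA instead of letting fetchmail write a mailbox file, so the mailbox is only ever created and written by Dovecot. The remote host, login and postmaster address are constructed placeholders, and the dovecot-lda path is assumed to be the OpenBSD package location.

```conf
# Constructed example ~/.fetchmailrc: fetchmail never touches the mailbox
# itself; every message goes through the Dovecot LDA, so ownership and mode
# of the mailbox are decided by Dovecot's own settings, not by fetchmail.
set postmaster "postmaster@foodomain.local.fantasea"   # constructed placeholder
set no bouncemail

# Constructed placeholder remote account; replace with the real provider.
poll pop.example.net proto pop3
  user "remote-login" there
  with password "REPLACE-ME"
  is "username1@foodomain.local.fantasea" here   # local recipient as Dovecot knows it
  ssl sslcertck
  # %T expands to the local recipient(s) from the "is ... here" mapping.
  # Path assumed to be where the OpenBSD dovecot package installs the LDA.
  mda "/usr/local/libexec/dovecot/dovecot-lda -d %T"
```

dovecot-lda can only deliver for a user other than the one invoking it when it runs with sufficient privilege, so the account that runs fetchmail needs to be chosen with that in mind; Dovecot's LMTP service, which Jona also mentions, sidesteps this by doing the user lookup itself.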
Re: ownership of mailboxes with dovecot
On Tuesday, 31 December 2019 09:47:03 -03 Roderick wrote:
> On Tue, 31 Dec 2019, Eike Lantzsch wrote:
> > I'm using an IMAP mailserver with dovecot which is entirely limited to my
> > local network.
> > It pulls my external mail with fetchmail. [...]
> > user username1@foodomain.local.fantasea mailbox is owned by vmail [...]
> > Obviously dovecot has other ideas about security than OpenBSD.
>
> Is it dovecot or fetchmail that creates the mailboxes?!

fetchmail doesn't configure anything, especially not mailboxes.
I regret having mentioned fetchmail.
It happens as part of setting up dovecot with virtual users.

> > Can I remedy this (then: how?) or should I go on to ignore this warning?
>
> Perhaps configuring fetchmail?
>
> Rod.

Here is an example of setting up dovecot:
https://www.tumfatig.net/20150620/opensmtpd-and-dovecot-on-openbsd-5-7/
Of course this has to be adapted with care (5.7, hint hint).

Thanks for considering my quest
-- 
Eike Lantzsch ZP6CGE
Re: ownership of mailboxes with dovecot
On Tue, 31 Dec 2019, Eike Lantzsch wrote:
> I'm using an IMAP mailserver with dovecot which is entirely limited to my
> local network.
> It pulls my external mail with fetchmail. [...]
> user username1@foodomain.local.fantasea mailbox is owned by vmail [...]
> Obviously dovecot has other ideas about security than OpenBSD.

Is it dovecot or fetchmail that creates the mailboxes?!

> Can I remedy this (then: how?) or should I go on to ignore this warning?

Perhaps configuring fetchmail?

Rod.
ownership of mailboxes with dovecot
Greetings,

I'm using an IMAP mailserver with dovecot which is entirely limited to my local network. It pulls my external mail with fetchmail. There is no functional problem with the setup, just this concern.

I can't manage to get around this:

/usr/libexec/security:
"# Mailboxes should be owned by the user and unreadable."

but after the installation of dovecot I get this:

Running security(8):
Checking mailbox ownership.
user vmail mailbox is -rw-r--r--, group vmail
user username1@foodomain.local.fantasea mailbox is owned by vmail
user username2@foodomain.local.fantasea mailbox is owned by vmail
user username3@foodomain.local.fantasea mailbox is owned by vmail

Obviously dovecot has other ideas about security than OpenBSD. Dovecot seems to require these mailboxes to be owned by vmail.

Can I remedy this (then: how?) or should I go on to ignore this warning?

Thank you for your time
Eike Lantzsch ZP6CGE