summaryrefslogtreecommitdiffstats
path: root/doc/wiki/SecurityTuning.txt
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
commitf7548d6d28c313cf80e6f3ef89aed16a19815df1 (patch)
treea3f6f2a3f247293bee59ecd28e8cd8ceb6ca064a /doc/wiki/SecurityTuning.txt
parentInitial commit. (diff)
downloaddovecot-upstream.tar.xz
dovecot-upstream.zip
Adding upstream version 1:2.3.19.1+dfsg1.upstream/1%2.3.19.1+dfsg1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/wiki/SecurityTuning.txt')
-rw-r--r--doc/wiki/SecurityTuning.txt22
1 files changed, 22 insertions, 0 deletions
diff --git a/doc/wiki/SecurityTuning.txt b/doc/wiki/SecurityTuning.txt
new file mode 100644
index 0000000..90a2dfa
--- /dev/null
+++ b/doc/wiki/SecurityTuning.txt
@@ -0,0 +1,22 @@
+Security tuning
+===============
+
+Dovecot is pretty secure out-of-the box. It uses multiple processes and
+privilege separation to isolate different parts from each others in case a
+security hole is found from one part.
+
+Some things you can do more:
+
+ * Allocate each user their own UID and GID (see <UserIds.txt>)
+ * Use a separate /dovecot-auth/ user for authentication process (see
+ <UserIds.txt>)
+ * You can chroot authentication and mail processes (see <Chrooting.txt>)
+ * Compiling Dovecot with garbage collection ('--with-gc' configure option)
+ fixes at least in theory any security holes caused by double free()s.
+ However this hasn't been tested much and there may be problems.
+ * There are some security related SSL settings (see
+ <SSL.DovecotConfiguration.txt>)
+ * Set 'first/last_valid_uid/gid' settings to contain only the range actually
+ used by mail processes
+
+(This file was created from the wiki on 2019-06-19 12:42)