summaryrefslogtreecommitdiffstats
path: root/doc/wiki/SystemUsers.txt
blob: 45b5fd903ffab0dfbe6f0473505bd8c81fea06cc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
System Users
============

System users are typically defined in '/etc/passwd' file, but this isn't
necessary. Using NSS [http://en.wikipedia.org/wiki/Name_Service_Switch] you can
configure the lookups to be done from elsewhere (e.g. LDAP). See <passwd>
[AuthDatabase.Passwd.txt] userdb configuration for how to set this up.
Especially if you're using nss_ldap you must set 'blocking=yes'.

System users usually have their own separate user IDs (UIDs). This is good from
security point of view, because it means that the kernel will also prevent
users from accessing each others' mails.

If the users have direct write access to the mail files (eg. the users have
shell access), they can easily cause all sorts of mailbox corruptions. That may
generate all kinds of error messages to Dovecot's error logs, so it may be
sometimes difficult to tell if there really is a problem or if user is just
doing something stupid.

If users are going to access the mailboxes with other software than Dovecot,
it's important to make sure that their mailbox accesses are compatible. This
mostly means that with mboxes you must make sure that everyone uses the <same
locking methods in the same order> [MailboxFormat.mbox.txt].

Authentication
--------------

Admins often wish to use different passwords for IMAP and POP3 than for other
services (eg. SSH), because IMAP and POP3 clients often send the password
unencrypted over the internet without even bothering to give users any
warnings. Dovecot can easily support non-system passwords for system users.

If you wish to use system passwords, you'll want to use one of these passdbs:

 * <PAM> [PasswordDatabase.PAM.txt]: Most commonly used in Linux and BSDs
   nowadays.
 * <BSDAuth> [PasswordDatabase.BSDAuth.txt]: BSD authentication is used by
   OpenBSD.
 * <Passwd> [AuthDatabase.Passwd.txt]: System users (NSS, '/etc/passwd', or
   similiar). This may work instead of PAM (mostly in some BSDs).
 * <Shadow> [PasswordDatabase.Shadow.txt]: Shadow passwords for system users
   (NSS,'/etc/shadow' or similiar). Deprecated by PAM nowadays, but it should
   work with Linux and Solaris.

If you wish to use non-system passwords, you can use pretty much any of the
Dovecot's <password databases> [PasswordDatabase.txt], but for simple
installations you'll probably want to use <passwd-file>
[AuthDatabase.PasswdFile.txt].

<User database> [UserDatabase.txt] for system users is always <passwd>
[AuthDatabase.Passwd.txt].

Mail Location
-------------

Usually UNIX systems are configured by default to deliver mails to
'/var/mail/username' or '/var/spool/mail/username' mboxes. You may decide to
use these, or use <maildir> [MailboxFormat.Maildir.txt] format instead.

Dovecot detects the mailbox format and location automatically if
'mail_location' setting isn't set, but it's still a good idea to explicitly
tell Dovecot where to find the mails. This makes it sure that Dovecot behaves
correctly also when the user's mailbox doesn't exist at the moment (eg. a new
user). If Dovecot can't figure out where the existing mails are, it simply
gives an error message and quits. It never tries to create a missing mailbox
when autodetection is used.

See <MailLocation.txt> for more information how to configure the mailbox
location. Below are the highlights for mbox and maildir.

mbox
----

The '/var/mail/username' mbox is called user's INBOX. IMAP protocol supports
multiple mailboxes however, so Dovecot needs some directory where to store the
other mailboxes. Typically they're stored in '~/mail/' or '~/Mail/' directory.
All of these locations are included in mailbox location autodetection. You can
specify them manually with:

---%<-------------------------------------------------------------------------
mail_location = mbox:~/mail:INBOX=/var/mail/%u
---%<-------------------------------------------------------------------------

Remember that the first path after 'mbox:' is the mailbox root directory, never
try to give 'mbox:/var/mail/%u' because that just isn't going to work (unless
you really want to store mails under '/var/mail/%u/' directory).

If you're also using other software than Dovecot to access mboxes, you should
try to figure out what locking methods exactly they're using and update
'mbox_read_locks' and 'mbox_write_locks' settings accordingly. See locking
section in <mbox> [MailboxFormat.mbox.txt] for more information.

Maildir
-------

Maildir is typically stored in '~/Maildir' directory. You can specify this
manually with:

---%<-------------------------------------------------------------------------
mail_location = maildir:~/Maildir
---%<-------------------------------------------------------------------------

Chrooting
---------

Dovecot, including several other software, allow using "/./" in home directory
path to specify the chroot path. For example '/home/./user' would chroot to
'/home'. If you want to enable this for Dovecot, add the chroot path to
'valid_chroot_dirs' setting ('/home' in the previous example). If this isn't
done, Dovecot just ignores the "/./".

(This file was created from the wiki on 2019-06-19 12:42)