diff options
Diffstat (limited to 'doc/wiki/SystemUsers.txt')
| -rw-r--r-- | doc/wiki/SystemUsers.txt | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/doc/wiki/SystemUsers.txt b/doc/wiki/SystemUsers.txt new file mode 100644 index 0000000..45b5fd9 --- /dev/null +++ b/doc/wiki/SystemUsers.txt @@ -0,0 +1,112 @@ +System Users +============ + +System users are typically defined in '/etc/passwd' file, but this isn't +necessary. Using NSS [http://en.wikipedia.org/wiki/Name_Service_Switch] you can +configure the lookups to be done from elsewhere (e.g. LDAP). See <passwd> +[AuthDatabase.Passwd.txt] userdb configuration for how to set this up. +Especially if you're using nss_ldap you must set 'blocking=yes'. + +System users usually have their own separate user IDs (UIDs). This is good from +security point of view, because it means that the kernel will also prevent +users from accessing each others' mails. + +If the users have direct write access to the mail files (eg. the users have +shell access), they can easily cause all sorts of mailbox corruptions. That may +generate all kinds of error messages to Dovecot's error logs, so it may be +sometimes difficult to tell if there really is a problem or if user is just +doing something stupid. + +If users are going to access the mailboxes with other software than Dovecot, +it's important to make sure that their mailbox accesses are compatible. This +mostly means that with mboxes you must make sure that everyone uses the <same +locking methods in the same order> [MailboxFormat.mbox.txt]. + +Authentication +-------------- + +Admins often wish to use different passwords for IMAP and POP3 than for other +services (eg. SSH), because IMAP and POP3 clients often send the password +unencrypted over the internet without even bothering to give users any +warnings. Dovecot can easily support non-system passwords for system users. + +If you wish to use system passwords, you'll want to use one of these passdbs: + + * <PAM> [PasswordDatabase.PAM.txt]: Most commonly used in Linux and BSDs + nowadays. + * <BSDAuth> [PasswordDatabase.BSDAuth.txt]: BSD authentication is used by + OpenBSD. + * <Passwd> [AuthDatabase.Passwd.txt]: System users (NSS, '/etc/passwd', or + similiar). This may work instead of PAM (mostly in some BSDs). + * <Shadow> [PasswordDatabase.Shadow.txt]: Shadow passwords for system users + (NSS,'/etc/shadow' or similiar). Deprecated by PAM nowadays, but it should + work with Linux and Solaris. + +If you wish to use non-system passwords, you can use pretty much any of the +Dovecot's <password databases> [PasswordDatabase.txt], but for simple +installations you'll probably want to use <passwd-file> +[AuthDatabase.PasswdFile.txt]. + +<User database> [UserDatabase.txt] for system users is always <passwd> +[AuthDatabase.Passwd.txt]. + +Mail Location +------------- + +Usually UNIX systems are configured by default to deliver mails to +'/var/mail/username' or '/var/spool/mail/username' mboxes. You may decide to +use these, or use <maildir> [MailboxFormat.Maildir.txt] format instead. + +Dovecot detects the mailbox format and location automatically if +'mail_location' setting isn't set, but it's still a good idea to explicitly +tell Dovecot where to find the mails. This makes it sure that Dovecot behaves +correctly also when the user's mailbox doesn't exist at the moment (eg. a new +user). If Dovecot can't figure out where the existing mails are, it simply +gives an error message and quits. It never tries to create a missing mailbox +when autodetection is used. + +See <MailLocation.txt> for more information how to configure the mailbox +location. Below are the highlights for mbox and maildir. + +mbox +---- + +The '/var/mail/username' mbox is called user's INBOX. IMAP protocol supports +multiple mailboxes however, so Dovecot needs some directory where to store the +other mailboxes. Typically they're stored in '~/mail/' or '~/Mail/' directory. +All of these locations are included in mailbox location autodetection. You can +specify them manually with: + +---%<------------------------------------------------------------------------- +mail_location = mbox:~/mail:INBOX=/var/mail/%u +---%<------------------------------------------------------------------------- + +Remember that the first path after 'mbox:' is the mailbox root directory, never +try to give 'mbox:/var/mail/%u' because that just isn't going to work (unless +you really want to store mails under '/var/mail/%u/' directory). + +If you're also using other software than Dovecot to access mboxes, you should +try to figure out what locking methods exactly they're using and update +'mbox_read_locks' and 'mbox_write_locks' settings accordingly. See locking +section in <mbox> [MailboxFormat.mbox.txt] for more information. + +Maildir +------- + +Maildir is typically stored in '~/Maildir' directory. You can specify this +manually with: + +---%<------------------------------------------------------------------------- +mail_location = maildir:~/Maildir +---%<------------------------------------------------------------------------- + +Chrooting +--------- + +Dovecot, including several other software, allow using "/./" in home directory +path to specify the chroot path. For example '/home/./user' would chroot to +'/home'. If you want to enable this for Dovecot, add the chroot path to +'valid_chroot_dirs' setting ('/home' in the previous example). If this isn't +done, Dovecot just ignores the "/./". + +(This file was created from the wiki on 2019-06-19 12:42) |