Hi --

On 15.03.2012 22:05, Timo Sirainen wrote:
> On 15.3.2012, at 22.48, Michael Grimm wrote:
>
>> Actually it's a bad idea to use root for ssh from a security point
>> of view. A hacked root account isn't fun. Thus, normally one needs
>> to explicitly change the config of the sshd daemon to allow root
>> logins (at least with FreeBSD which I'm using). Thus, I do recommend
>> to use an unprivileged user like vmail.
>
> Then again it's safer to use system user accounts than a single vmail
> account that has access to everyone's emails.

Root has access to everyone's mail as well.

> And if you allow ssh login only with public key authentication I
> don't think there are many security issues. And finally, it would
> be possible to write a small wrapper that allows the root's public
> key auth to only execute dsync-user.sh script that can't do anything
> except sync a specified user's mails.

All those safety measures can be applied for the vmail user as well.
Actually, that's what I did in my case, plus allowing ssh only between
both mail servers (firewall rule).

Regards,
Michael
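
The wrapper idea discussed in the thread above, sketched as an added example that is not part of the original messages or of Dovecot: an SSH forced command that lets the sync key run only dsync-user.sh for one validated user name. The wrapper path, the script path, the `dsync-user.sh <user>` calling convention and the peer address are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the mail-sync SSH key (added example).
# Constructed authorized_keys entry on the receiving server; key material
# elided, 192.0.2.10 is a documentation address for the peer mail server:
#   from="192.0.2.10",restrict,command="/usr/local/libexec/dsync-wrapper.sh" ssh-ed25519 AAAA... sync@peer
# sshd runs this wrapper instead of whatever the client asked for and puts
# the client's request in SSH_ORIGINAL_COMMAND.

# Assumed install path of the dsync-user.sh script mentioned in the thread.
DSYNC_SCRIPT=${DSYNC_SCRIPT:-/usr/local/libexec/dsync-user.sh}

# Accept only "dsync-user.sh <user>"; print the user name or return 1.
parse_sync_request() {
    case $1 in
        "dsync-user.sh "*) user=${1#dsync-user.sh } ;;
        *) return 1 ;;
    esac
    # Allow-list the user name: no whitespace, shell metacharacters,
    # slashes or leading dash (which the script could take as an option).
    case $user in
        ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#user}" -le 128 ] || return 1
    printf '%s\n' "$user"
}

handle_request() {
    if user=$(parse_sync_request "$SSH_ORIGINAL_COMMAND"); then
        # Pass the name as a single argument; no shell re-parses it.
        exec "$DSYNC_SCRIPT" "$user"
    fi
    logger -t dsync-wrapper -p auth.warning "rejected request from ${SSH_CONNECTION%% *}"
    echo "dsync-wrapper: request rejected" >&2
    return 1
}

# Only act when sshd supplied a command; a bare login attempt gets nothing.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    handle_request
    exit $?
fi
```

The `restrict` keyword needs OpenSSH 7.2 or later; on older servers list `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` instead. The same entry works unchanged in the vmail user's authorized_keys.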