> On June 23, 2016 at 8:56 AM Michael Fox <n...@mefox.org> wrote:
>
> > http://wiki.dovecot.org/LDA
> >
> > Section virtual users, with lookup has the answer.
>
> Thanks for the quick response Aki.
>
> I presume you're referring to this:
>
> service auth {
>   unix_listener auth-userdb {
>     mode = 0600
>     user = vmail # User running dovecot-lda
>     #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
>   }
> }
>
> So, given that, then I'm still not clear on the following:
>
> 1) User vmail is reading the userdb, not writing to the userdb. So why mode 0600?
>
> 2) What should the owner, group and mode/permissions of the actual userdb flat file be for best security?
>
> Michael
1) That is a socket, not a regular file. LDA speaks with the auth service.

2) As the auth *service* runs as root, it prolly is best to use root:root 0400 for the actual file.

---
Aki Tuomi
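As an added example, not part of either message: a small shell audit of the two permission points Aki makes, the auth-userdb listener (a socket, mode 0600, owned by the user running dovecot-lda) and the userdb flat file (root:root 0400). The socket path /var/run/dovecot/auth-userdb, the userdb path /etc/dovecot/users and the availability of GNU stat -c are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies the permissions discussed above.
# dovecot_perm_check PATH MODE USER GROUP -> 0 if PATH has exactly that octal
# mode, owner and group; 1 otherwise. Relies on GNU stat -c (assumption).
dovecot_perm_check() {
    path=$1; want_mode=$2; want_user=$3; want_group=$4
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    have=$(stat -c '%a:%U:%G' "$path") || return 1
    if [ "$have" = "$want_mode:$want_user:$want_group" ]; then
        return 0
    fi
    echo "$path: have $have, want $want_mode:$want_user:$want_group" >&2
    return 1
}

# auth-userdb is a unix socket that dovecot-lda connects to; vmail never
# reads the userdb file through it, so 0600 owned by vmail is sufficient.
# Default socket path is an assumption.
check_auth_socket() {
    sock=${1:-/var/run/dovecot/auth-userdb}
    [ -S "$sock" ] || { echo "$sock is not a socket" >&2; return 1; }
    dovecot_perm_check "$sock" 600 vmail vmail
}

# The flat userdb (which may carry password hashes) is read only by the
# auth service running as root, so root:root 0400 keeps vmail and everyone
# else from reading it. The file path is an assumption.
check_userdb_file() {
    dovecot_perm_check "${1:-/etc/dovecot/users}" 400 root root
}
```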