> Marc> Why? Just disallow login, and that is from the perspective that
> Marc> a mail user should be limited to mail resources.
> 
> If the user does NOT need to login to the dovecot/mail servers, then
> not having these users at all is more secure.

No, because there is a difference between a need to log in and the presence of a 
uid. Lots of daemons run under accounts that cannot log in.

> Marc> I argue exactly the opposite. Keep as many users as possible as Linux
> Marc> users. Linux has been engineered for allowing multiple user
> Marc> accounts, and most other virtual user providers that are used
> Marc> here have not.
> 
> I'm having a hard time parsing what you are saying here.
> 
> I'm saying that if the mail/dovecot server is only providing mail
> services, then putting all the users (across multiple domains even)
> into a virtual user database is more secure

No, it is not more secure, e.g.:

1. If a user does not exist on the OS, how can processes be spawned as these 
uids? Everything is running under the same uid.

2. If you do not use separate users, everything is written under the same uid. 

3. Most amateurs use a crappy MySQL as backend for virtual users. The 
likelihood of that being compromised compared to the Linux OS is much, much 
higher. 

4. Say you are more professional and set up an LDAP server (with correct ACLs, 
which is not trivial at all). If you would have Dovecot use it as a backend 
for virtual users, does Dovecot relay that user auth information or does it 
need some static bind? The static bind is already an increased attack surface. 
Better is to have the OS use the LDAP backend and have Dovecot use the OS.  

5. I would even argue that having Dovecot 'outsource' the user management to 
the Linux OS is more secure, because Dovecot developers are more experienced in 
programming the email application and have far less experience with 
authorization and authentication than the Linux developers. There is much more 
scrutiny on the Linux OS than on the Dovecot user system.

> and more scalable.

Not relevant, that is a different discussion.
 
> General users don't need accounts on the mail server, and security in
> depth argues that keeping them off the server entirely is a good
> thing.
> 

You constantly apply incorrect logic. You think that "keeping them off the 
server entirely" equals virtual users. "Keeping them off the server entirely" 
also includes /sbin/nologin. 
According to your incorrect logic, you support my statement, because in my 
case users are kept off.

If your logic is incorrect, how can your conclusion be correct? Repeating 
this does not make it true; the alternative is far worse. 

Linux always does a better job on permissions, users and authentication than 
whatever 3rd-party software. And if you outsource this to Linux you have even 
more possibilities by using SELinux rules.
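As an added example (not part of this thread, and not Dovecot's own code), a small Python audit of passwd-format entries for the two properties argued above: mail accounts that still carry a login shell, and accounts that share a uid. It assumes a mail account can be recognised by a home directory under /var/mail/ and runs on constructed sample entries.

```python
"""Audit passwd-format accounts for the properties argued above:
mail accounts must carry a non-interactive shell, and no two accounts
may share a uid (otherwise mail for both is written under one uid)."""

from collections import defaultdict

# Shells that refuse interactive login; extend for your distribution.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample entries in /etc/passwd format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/var/mail/alice:/sbin/nologin
bob:x:1002:1002:Bob:/var/mail/bob:/bin/bash
carol:x:1001:1001:Carol:/var/mail/carol:/sbin/nologin
dave:x:1003:1003:Dave:/var/mail/dave:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Return (name, uid, home, shell) tuples from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append((fields[0], int(fields[2]), fields[5], fields[6]))
    return entries


def audit(entries, mail_home_prefix="/var/mail/"):
    """Flag mail accounts that can log in, and uids shared by several accounts.

    Assumption: a mail account is one whose home sits under mail_home_prefix.
    """
    can_login = []
    by_uid = defaultdict(list)
    for name, uid, home, shell in entries:
        by_uid[uid].append(name)
        if home.startswith(mail_home_prefix) and shell not in NOLOGIN_SHELLS:
            can_login.append(name)
    shared = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return {"login_shell": can_login, "shared_uid": shared}


if __name__ == "__main__":
    report = audit(parse_passwd(SAMPLE_PASSWD))
    print("mail accounts with a login shell:", report["login_shell"])
    print("uids shared by several accounts:", report["shared_uid"])
```

On a real host, feed it the contents of /etc/passwd (or `getent passwd` output) instead of the sample.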
