Le mardi 14 mars 2023 à 22:32, dove...@ptld.com a écrit :
However, when we have a postfix server on the same machine,
that delegates authentication to dovecot SASL ... we can indeed
log in as root on the postfix server.
You are not logging into Dovecot with root, you are connecting
to Postfix for submission.
When you connect to dovecot using linux users (PAM) the process
running takes on the UID of the login user to give file
permissions to read that users home directory where email could
be stored. The risk being if someone had root UID:0 they could
read anything on the server, not just the home directory of a
user.
But you aren't logging into Dovecot, you are connecting to
Postfix. You aren't
checking mail or reading directories. You are only submitting an
email to
Postfix for submission services. Postfix runs as its own Postfix
UID no matter
who you authenticate as. So even though you are authenticating
yourself with
root credentials, you aren't doing so as the root UID, you
aren't reading email,
and you aren't accessing any file systems like Dovecot would be.
I agree that this is absolutely not the same in terms of security.
The thing I'm worrying about is a lot less dangerous than what
you're describing, no arguing about that. It's just, if we imagine
that we have disabled root ssh access, and password ssh connection
(allowing only keypair connection), this situation provides the
port 465 as another way to test passwords, for instance. I would
just like to be able to implement on port 465 more or less the
same requirements I have implemented on port 22, and on port 993
as well through the use of {first,last}_valid_{u,g}id : a static,
and well-known set of users that are allowed to try and
authenticate, even though, as you say (and I agree), that the risk
is absolutely not the same as with SSH or IMAPS.
So, am I to understand from your answer that the fact that login
with root or with users not respecting {first,last}_valid_{u,g}id
is only applicable to dovecot direcly, not to other processes that
have delegated authentication to dovecot ? In other words, that
this is a feature and not a bug ?
Best,
Aymeric
