On 2023-05-09 11:14, Marc wrote:


>>>> so far I had a setup where Dovecot was using a passwd file as userdb and
>>>> passdb. Postfix was then authenticating with Dovecot via SASL to
>>>> validate user accounts.
>>>>
>>>> Now I added an LDAP backend and would like to use that for Dovecot and
>>>> Postfix. My first approach was to change the passdb to use the LDAP
>>>> driver with the following settings:
>>>>
>>>> hosts = openldap:1389
>>>> base = ou=users,dc=example,dc=com
>>>> auth_bind = yes
>>>> auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
>>>
>>> So why not handle this on the os? Have the os publish the ldap
>>> users, and have dovecot handle os users. It needs to create uids anyway
>>> for the files etc.
>>
>> If I understood the question correctly, you ask why not add the ldap
>> users to the system (like using the pam ldap plugin).
>>
>> This will certainly work, but I consider it more secure to have pure e-mail
>
> I am always surprised to read such a statement. The fact is that user authentication/authorisation is a core task of linux. Dovecot's core tasks are related to handling mail. How on earth would you come to conclude that dovecot should be able to handle such tasks better than linux? Afaik even dovecot is utilizing the use of different uids in a virtual environment to store files.
>
>> users, not system users - which can have a shell, local folder and so on
>> (sure, it can be restricted, but why bother if nobody will ssh to that
>> server).
>
> ? Imho these are just arguments for people not being able to set up an environment correctly.

I do not intend to start a flame on this topic; it is just my opinion. It's not about the correct environment (you can google for it and you will find a pretty good setup even when you are a newbie) but about the potential vulnerabilities related to each component of the system: if the system has fewer components, the probability of having issues is smaller. Also you can have cases when you really want to have system users (like using the same server as a samba server or so), and in this case the opposite approach is better.
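The setup the original poster describes (Dovecot passdb on LDAP with auth_bind, Postfix validating SMTP AUTH through Dovecot's SASL socket), combined with the pure-virtual-user approach argued for in this thread, as one worked configuration. This is an added example; it is not configuration from the thread or from the Dovecot or Postfix projects. The thread's hosts, base and auth_bind values are kept; the vmail account, the LDAP bind DN and password, the file paths, the inetOrgPerson object class and the STARTTLS setting are assumptions for this example.

```ini
# /etc/dovecot/dovecot-ldap.conf.ext  (Dovecot 2.3 syntax; added example)
# Values from the thread are kept; the rest is assumed for this example.
hosts = openldap:1389
# Assumption: the directory offers STARTTLS. auth_bind sends each user's
# password to the LDAP server, so the connection must not stay in cleartext.
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_require_cert = hard
ldap_version = 3
base = ou=users,dc=example,dc=com
scope = onelevel

# Authenticate by binding as the user: Dovecot never reads password hashes,
# the directory decides whether the credentials are valid.
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

# Read-only service account (assumed DN) used only for lookups that carry no
# password, e.g. the user-existence check a static userdb runs before
# delivery. Without dn/dnpass/pass_filter those lookups cannot run, and the
# only alternative is allow_all_users=yes on the userdb, which skips the check.
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))

# /etc/dovecot/conf.d/10-auth.conf (relevant parts)
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
# Virtual users: every mailbox is owned by one unprivileged system account
# ("vmail", assumed here), so LDAP users never become login-capable OS users.
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%u
}

# /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
# The vmail uid must not be below first_valid_uid (Dovecot's default is 500);
# lower this only if the vmail account was created with a smaller uid.
first_valid_uid = 500

# /etc/dovecot/conf.d/10-master.conf: the auth socket Postfix will use,
# created inside Postfix's chroot so the smtpd process can reach it.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# /etc/postfix/main.cf: Postfix validates SMTP AUTH against Dovecot, and only
# over TLS, so the LDAP password is never offered on a plaintext session.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
```

To check the result without touching Postfix, `doveadm auth test alice` (it prompts for the password) exercises the LDAP bind, and `doveadm user alice` should report the vmail uid/gid and the home directory computed from the static userdb; a user that exists in LDAP but is not in any OS database (`getent passwd alice` returning nothing) confirms that mail users have not become system users.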

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org