Greetings! I've been working on moving our mail server from an old CommuniGate system to one based on Postfix.
It's taken me ages to get a Linux machine running and then digging through all the really-detailed Postfix docs & config examples, but they've been a lot of help!! I finally have a running system that can send & receive email, and filter on spam and viruses. So far, it's only local and some tests with another server a friend has. But I'm getting there! :-)

I decided to go with a Virtual-only setup and use Dovecot for the IMAP Mailstore. I've been reading and rereading this

    Non-Postfix mailbox store: separate domains, non-UNIX accounts
    http://www.postfix.org/VIRTUAL_README.html#in_virtual_other

and the references from there, and mostly get which users/groups Postfix needs. But once I start adding everything together, I'm getting confused.

I'm pretty sure that Postfix security model should probably be the basis for the rest of my system, so I was hoping to get some help getting the rest of the apps' user/group security right. I know this isn't just a Postfix question, but figured users here think more about whole-system security and stuff.

After a bunch of digging around on the lists and other sites, all together I'm using:

    Postfix
    Dovecot
    Spampd (instead of Spamassassin's 'spamd')
    ClamAV plugin (through Spamassassin config)
    Razor
    Pyzor

If I install these apps from my distro's packaging, they end up running with different users, different home directories, including some as 'root'.

I would like the IMAP store to end up under /var/MAILSTORE. The rest of where things get put doesn't really matter that much, but it would be nice to have something that made sense.

I figure as a start I should do something like,

    groupmod vmailstore
    usermod -g vmailstore -G ""
    chown -R vmailstore:vmailstore /var/MAILSTORE

But after that, I'm stumped. Should all these apps share users, maybe one of the Postfix users? Or should they be left as root user, with configs in /root/.<appname>, for example?

Sorry if this is beginner stuff for you guys :-/ I've really been ripping my hair out the last couple of days to understand what the right way to end up most secure is and to not break Postfix's model and recommendations.

Cheers!

Dave