author: Pascal Volk <user@localhost.localdomain.org>
date: Sun, 16 Sep 2012 17:09:45 +0000
changeset 615: 5882bfdf83e8
parent 579: be0906181a10 (doc: Added source of http://vmm.localdomain.org/.)
permissions: -rw-r--r--
==================
System Preparation
==================

.. _doveauth:

We have to create a system user, named `doveauth`.
The `doveauth` user will execute Dovecot's authentication processes.

We will also create an additional system group, named `dovemail`.
The GID of the group `dovemail` will be the supplementary GID for all
mail related Dovecot processes, e.g. the `dict` service for quota limits.

And finally we will create the ``base_directory``, with its subdirectories.
It is the location for all domain directories and the virtual users' home
directories.

The example below shows the steps executed on a Debian GNU/Linux system.

.. code-block:: console

    root@host:~# adduser --system --home /nonexistent --no-create-home --group \
    > --disabled-login --gecos "Dovecot IMAP/POP3 authentication user" doveauth
    root@host:~# addgroup --system dovemail
    root@host:~# mkdir /srv/mail
    root@host:~# cd /srv/mail
    root@host:/srv/mail# mkdir 0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z
    root@host:/srv/mail# chmod 771 /srv/mail
    root@host:/srv/mail# chmod 751 /srv/mail/*

.. _root-setuid-copy-of-deliver:

root SETUID copy of deliver
---------------------------
.. note:: This step is only necessary if you are still using Dovecot v\ **1**.x

For security reasons the permissions in the domain/user directories will
be very restricted.
Each user will get its own unique UID_ and the GID_ of its domain.
So only a user of the domain will be able to access the domain
directory (read only), and each user will be granted read/write access only
to its own home directory.

For this reason it is necessary to provide a setuid_-root copy of Dovecot's
LDA_ (:command:`deliver`) for Postfix.
Because Postfix will refuse to execute commands with root privileges, or
with the privileges of the mail system owner (normally `postfix`), you should
let `nobody` do the job.
Therefore the permissions will again be set very restrictively:
only `nobody` will be able to execute the setuid-root copy of
:command:`deliver`.

.. code-block:: console

    root@host:~# mkdir -p /usr/local/lib/dovecot
    root@host:~# chmod 700 /usr/local/lib/dovecot
    root@host:~# chown nobody /usr/local/lib/dovecot
    root@host:~# cp /usr/lib/dovecot/deliver /usr/local/lib/dovecot/
    root@host:~# chown root:`id -g nobody` /usr/local/lib/dovecot/deliver
    root@host:~# chmod u+s,o-rwx /usr/local/lib/dovecot/deliver

.. include:: ../ext_references.rst
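As an added check that is not part of the vmm documentation: a POSIX shell script that verifies the ownership and modes the two console examples above should leave behind, so a misapplied ``chown``/``chmod`` on the setuid-root ``deliver`` copy is caught before Postfix starts using it. The live check assumes GNU coreutils ``stat -c`` and the paths used on this page; the pure check functions take the mode, owner and group as strings so they can be exercised without root.

```shell
#!/bin/sh
# Verification of the layout described above (added example, not vmm code).
# Modes are the octal strings printed by GNU `stat -c %a`, e.g. "4750" for a
# setuid binary with rwxr-x--- permissions.

# Setuid-root deliver copy: owned by root, group = primary group of `nobody`,
# setuid bit set, group may execute but never write, "other" has no access.
check_deliver() {
    mode=$1 owner=$2 group=$3 nobody_group=$4
    [ "$owner" = root ] || return 1
    [ "$group" = "$nobody_group" ] || return 1
    case "$mode" in
        4[0-7][15]0) return 0 ;;   # 4=setuid, group x or r-x, other none
        *) return 1 ;;
    esac
}

# Directory holding the copy: mode 700 and owned by `nobody`, so nobody but
# `nobody` (and root) can even traverse into it.
check_deliver_dir() {
    [ "$1" = 700 ] && [ "$2" = nobody ]
}

# base_directory (771): reachable but not listable by the domain/user IDs.
check_base_dir() { [ "$1" = 771 ]; }

# Hash directories 0-9, a-z below it (751): same idea, plus group read.
check_hash_dir() { [ "$1" = 751 ]; }

# Run the checks against the live filesystem (GNU stat, run as root).
check_live() {
    ng=$(id -gn nobody) || return 1
    set -- $(stat -c '%a %U %G' /usr/local/lib/dovecot/deliver)
    check_deliver "$1" "$2" "$3" "$ng" || { echo "deliver: bad $1 $2:$3"; return 1; }
    set -- $(stat -c '%a %U' /usr/local/lib/dovecot)
    check_deliver_dir "$1" "$2" || { echo "lib dir: bad $1 $2"; return 1; }
    check_base_dir "$(stat -c %a /srv/mail)" || { echo "/srv/mail: bad mode"; return 1; }
    for d in /srv/mail/*; do
        check_hash_dir "$(stat -c %a "$d")" || { echo "$d: bad mode"; return 1; }
    done
    echo "all checks passed"
}
```

Source the file and call ``check_live`` as root after running the steps above; a non-zero exit names the first path whose mode or ownership differs from the documented layout.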