Mercurial Mercurial > vmm / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
doc/web/source/installation/system_preparation.rst
changeset 579 be0906181a10
equal deleted inserted replaced
578:20141b967c0b 579:be0906181a10 
       
     1 ==================
 
       
     2 System Preparation
 
       
     3 ==================
 
       
     4 .. _doveauth:
 
       
     5 
       
     6 We have to create a system user, named `doveauth`.
 
       
     7 The `doveauth` user will execute Dovecot's authentication processes.
 
       
     8 
       
     9 We will also create an additional system group, named `dovemail`.
 
       
    10 The GID of the group `dovemail` will be the supplementary GID for all
 
       
    11 mail related Dovecot processes, e.g. the `dict` service for quota limits.
 
       
    12 
       
    13 And finally we will create the ``base_directory``, with it's subdirectories.
 
       
    14 It is the location for all domain directories and the virtual user's home
 
       
    15 directories.
 
       
    16 
       
    17 The example below shows the steps executed on a Debian GNU/Linux system.
 
       
    18 
       
    19 .. code-block:: console
 
       
    20 
       
    21  root@host:~# adduser --system --home /nonexistent --no-create-home --group \
 
       
    22  > --disabled-login --gecos "Dovecot IMAP/POP3 authentication user" doveauth
 
       
    23  root@host:~# addgroup --system dovemail
 
       
    24  root@host:~# mkdir /srv/mail
 
       
    25  root@host:~# cd /srv/mail
 
       
    26  root@host:/srv/mail# mkdir 0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z
 
       
    27  root@host:/srv/mail# chmod 771 /srv/mail
 
       
    28  root@host:/srv/mail# chmod 751 /srv/mail/*
 
       
    29 
       
    30 .. _root-setuid-copy-of-deliver:
 
       
    31 
       
    32 root SETUID copy of deliver
 
       
    33 ---------------------------
 
       
    34 .. note:: This step is only necessary if you are still using Dovecot v\ **1**.x
 
       
    35 
       
    36 For security reasons the permissions in the domain/user directories will
 
       
    37 be very restricted.
 
       
    38 Each user will get its own unique UID_ and the GID_ from the domain.
 
       
    39 So it will be only possible for a user of the domain to access the domain
 
       
    40 directory (read only) and the user will get granted read write access only
 
       
    41 for its home directory.
 
       
    42 
       
    43 For this reason it is necessary to provide a setuid_-root copy of Dovecot's
 
       
    44 LDA_ (:command:`deliver`) for Postfix.
 
       
    45 Because Postfix will refuse to execute commands with root privileges, or
 
       
    46 with the privileges of the mail system owner (normally `postfix`) you should
 
       
    47 `nobody` let do the job.
 
       
    48 Therefore the permissions will be set very restrictive again.
 
       
    49 Only `nobody` will be able to execute the setuid-root copy of
 
       
    50 :command:`deliver`.
 
       
    51 
       
    52 .. code-block:: console
 
       
    53 
       
    54  root@host:~# mkdir -p /usr/local/lib/dovecot
 
       
    55  root@host:~# chmod 700 /usr/local/lib/dovecot
 
       
    56  root@host:~# chown nobody /usr/local/lib/dovecot
 
       
    57  root@host:~# cp /usr/lib/dovecot/deliver /usr/local/lib/dovecot/
 
       
    58  root@host:~# chown root:`id -g nobody` /usr/local/lib/dovecot/deliver
 
       
    59  root@host:~# chmod u+s,o-rwx /usr/local/lib/dovecot/deliver
 
       
    60 
       
    61 .. include:: ../ext_references.rst
vmm

Repositories index