doc/web/source/installation/system_preparation.rst
author "martin f. krafft" <madduck@debian.org>
Tue, 07 Aug 2012 21:53:41 +0000
changeset 582 605f8c115711
parent 579 be0906181a10
permissions -rw-r--r--
Due to the UNION query in address_list, the assumption that the list of gids received from the database would be continuous does not hold. To prevent addresses for domains with multiple entry types from being listed, it is necessary to check the list of domain gids for every entry. Signed-off-by: martin f. krafft <madduck@debian.org> --- VirtualMailManager/common.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
579
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     1
==================
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     2
System Preparation
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     3
==================
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     4
.. _doveauth:
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     5
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     6
We have to create a system user, named `doveauth`.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     7
The `doveauth` user will execute Dovecot's authentication processes.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     8
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
     9
We will also create an additional system group, named `dovemail`.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    10
The GID of the group `dovemail` will be the supplementary GID for all
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    11
mail related Dovecot processes, e.g. the `dict` service for quota limits.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    12
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    13
And finally we will create the ``base_directory``, with it's subdirectories.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    14
It is the location for all domain directories and the virtual user's home
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    15
directories.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    16
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    17
The example below shows the steps executed on a Debian GNU/Linux system.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    18
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    19
.. code-block:: console
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    20
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    21
 root@host:~# adduser --system --home /nonexistent --no-create-home --group \
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    22
 > --disabled-login --gecos "Dovecot IMAP/POP3 authentication user" doveauth
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    23
 root@host:~# addgroup --system dovemail
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    24
 root@host:~# mkdir /srv/mail
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    25
 root@host:~# cd /srv/mail
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    26
 root@host:/srv/mail# mkdir 0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    27
 root@host:/srv/mail# chmod 771 /srv/mail
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    28
 root@host:/srv/mail# chmod 751 /srv/mail/*
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    29
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    30
.. _root-setuid-copy-of-deliver:
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    31
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    32
root SETUID copy of deliver
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    33
---------------------------
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    34
.. note:: This step is only necessary if you are still using Dovecot v\ **1**.x
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    35
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    36
For security reasons the permissions in the domain/user directories will
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    37
be very restricted.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    38
Each user will get its own unique UID_ and the GID_ from the domain.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    39
So it will be only possible for a user of the domain to access the domain
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    40
directory (read only) and the user will get granted read write access only
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    41
for its home directory.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    42
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    43
For this reason it is necessary to provide a setuid_-root copy of Dovecot's
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    44
LDA_ (:command:`deliver`) for Postfix.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    45
Because Postfix will refuse to execute commands with root privileges, or
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    46
with the privileges of the mail system owner (normally `postfix`) you should
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    47
`nobody` let do the job.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    48
Therefore the permissions will be set very restrictive again.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    49
Only `nobody` will be able to execute the setuid-root copy of
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    50
:command:`deliver`.
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    51
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    52
.. code-block:: console
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    53
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    54
 root@host:~# mkdir -p /usr/local/lib/dovecot
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    55
 root@host:~# chmod 700 /usr/local/lib/dovecot
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    56
 root@host:~# chown nobody /usr/local/lib/dovecot
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    57
 root@host:~# cp /usr/lib/dovecot/deliver /usr/local/lib/dovecot/
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    58
 root@host:~# chown root:`id -g nobody` /usr/local/lib/dovecot/deliver
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    59
 root@host:~# chmod u+s,o-rwx /usr/local/lib/dovecot/deliver
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    60
be0906181a10 doc: Added source of http://vmm.localdomain.org/.
Pascal Volk <user@localhost.localdomain.org>
parents:
diff changeset
    61
.. include:: ../ext_references.rst