Using "postfix" user for "dovecot"

71GA asked:

I set the Postfix so that my mailboxes (maildir format) for my virtual users are set like this:

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/
total 4
drwxr-sr-x 5 postfix postfix 4096 Dec  2 12:27 pistam.eu

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/domain.eu/
total 12
drwx--S--- 5 postfix postfix 4096 Dec  2 12:10 user_1
drwx--S--- 5 postfix postfix 4096 Dec  1 22:35 user_2

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/domain.eu/user_1/
total 12
drwx--S--- 2 postfix postfix 4096 Dec  2 12:27 cur
drwx--S--- 2 postfix postfix 4096 Dec 13 15:17 new
drwx--S--- 2 postfix postfix 4096 Dec 13 15:17 tmp

Now I am setting up Dovecot server (IMAPS/SASL) and I want to use one system user that will manage all the mailboxes for all the Postfix virtual users. I saw many articles where administrators create user vmail like e.g.:

# useradd -r -m -d /home/vmail vmail

and they use it as the default Dovecot user by setting these two lines in /etc/dovecot/conf.d/10-master.conf:

mail_access_groups = vmail
default_login_user = vmail

But in my case group postfix has "setuid" bit which means that these folders will always be manipulated by user postfix.

So what is the point in creating user vmail? Why not just using user postfix for Dovecot to do that instead? Are there any risks doing this? There are also these two users that Dovecot installation procedure created:

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> cat /etc/passwd | grep dove
dovecot:x:112:118:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:113:119:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin

Why not use one of those? There are also these two hints in the configuration file /etc/dovecot/conf.d/10-master.conf:

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

My answer:


It’s the principle of separation of concerns, which here has security benefits.

After you give the responsibility to deliver mail to dovecot, it is no longer the responsibility of postfix, so postfix does not need that access.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.