Re: [exim] Problems with Dovecot Authenticate

Page principale
Supprimer ce message
Répondre à ce message
Auteur: W B Hacker
Date:  
À: exim users
Sujet: Re: [exim] Problems with Dovecot Authenticate
Markus Bergholz wrote:
>> What's the ownership of the socket? Can the user exim is running as
>> read/write it?
>>
>
> hm, ls -l said only root is allowed:
> srw-rw---- 1 root root
>
> but i'm little confused...i've got no user exim? how to do that exim is allow to read/write?
>
> greetings
> markus


'Depends on the Situation'...

Your exim 'parent' process would ordinarily be invoked by/as root else
cannot take control of port 25 (587, et al).

But it should then drop privileges and most specifically run each of the
'child' processes as a lesser-privileged user, eg 'mail', 'exim',
'eximd' .. whatever you built it to utilize or configued it to utilize.

Thereafter, what works for us is 'group' rights, with all of the players
that have to do with mail-related services (Exim, Dovecot, SA, ClamAV,
perhaps a DBMS...etc.) each with their own UID, but in the same group
set aside for those players that must pass mail-related stuff between
and among themselves.

The Unixen in general have legacy default UID:GID for those, such as
'mail' and 'mailnull'. We use our own bespoke ones to insure nothing
else will touch them [1].

CAVEAT: Group rights may get tricky if you have either/both Exim/Dovecot
take-on the logged-in user's (E)UID:(E)GID to r/w message files to/from
IMAP/POP. You'll need a consistent approach here.

HTH,

Bill

[1] cron jobs that expect legacy sendmail and legacy log ownership