Gentoo Archives: gentoo-user

From: Tanstaafl <tanstaafl@×××××××××××.org>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Question re: dovecot + filesystem permissions for vmail dirs
Date: Tue, 07 Jan 2014 11:27:54
1 Hi all,
3 Still waiting on an answer on the dovecot list, but I think there are
4 more than a few dovecot users here too, so...
6 I just migrated my 9+ year old gentoo mail server to a shiny new gentoo
7 VM. Had to do some adjustments (see below if curious), but once I worked
8 all of that out, it went rather smoothly and is now working very well.
10 Something I neglected to confirm, though, and I want to deal, with this
11 now, is I want to make sure the filesystem permissions are correct, and
12 secure as possible.
14 This is a virtual hosting setup only (no system users), and dovecot is
15 currently running in high performance mode (I'm thinking I want to
16 change that too, so wondering if that would affect the permissions)...
18 /var/vmail (and everything under it) is owned by vmail:vmail.
20 Current permissions are:
22 Top-level dir:
23 /var/vmail 755
25 Virtual domain dirs:
26 /var/vmail/ 777
27 /var/vmail/ 777
29 Users home dirs (all others are the same):
30 /var/vmail/ 755
32 Users Maildirs (all others are the same):
33 /var/vmail/ 700
35 All files inside the users Maildirs are 600, with the exception of the
36 dovecot-uidvalidity.blahblah files, which are all 444
38 So... is this right? Anything need to be changed?
40 ************************************
42 If anyone is interested, the adjustments I wanted/needed to make were:
44 1. the users Maildirs were also their home
46 I had to mv everything in .../ to
47 .../
49 2. the filesystem ownership/permissions were wrong for using the
50 dovecot LDA
52 chown -R vmail:vmail /var/vmail
54 3. I wanted to get rid of the old legacy courier-imap INBOX prefix, but
55 had to figure out how to provide compatibility settings so users
56 wouldn't see any changes in their folders in their clients when I
57 flipped the switch and had time to make the client changes before I
58 remove the compatibility settings, etc.
60 If anyone is interested I can provide the exact settings...
62 4. I wanted to switch my instructions for setting up new mail clients
63 from using SSL/TLS on port 993 to STARTTLS on port 143.
65 Simple, tell dovecot to start listening on 143 and open up 143 on the
66 firewall, and change the instructions.
68 Last of course I had to write up instructions for the users on how to
69 change these settings so I can remove the compatibility settings - and
70 of course, I'm very detail oriented, so the first instructions I sent
71 out were overly complicated (had a few complaints from the people who
72 don't know how to read) - so I removed all of the explanatory text and
73 re-sent simplified instructions.
75 I'll keep the compatibility settings for a week or two, and won't remove
76 them until I stop seeing connections on 993 (toward the end of the week
77 I'll start grepping the logs and fixing the stragglers).
79 Anyway, once I figured out how to do the above, everything went very
80 smoothly. Clients with the legacy INBOX prefix (Thunderbird, iPhones,
81 Android/K9 clients, etc) all didn't notice a thing when I flipped the
82 DNS switch.
84 When users change their settings to remove the INBOX prefix and change
85 the security/port settings to STARTTLS/143, Thunderbird users have to
86 re-accept the SSL Cert (we use self-signed certs), but iPhone clients
87 interestingly didn't. I think my Android did, but can't remember now...
89 Anyway, took a lot of prep work to make the transition so seamless, but
90 it was worth it.


Subject Author
Re: [gentoo-user] Question re: dovecot + filesystem permissions for vmail dirs "J. Roeleveld" <joost@××××××××.org>