1 |
Hi all, |
2 |
|
3 |
Still waiting on an answer on the dovecot list, but I think there are |
4 |
more than a few dovecot users here too, so... |
5 |
|
6 |
I just migrated my 9+ year old gentoo mail server to a shiny new gentoo |
7 |
VM. Had to do some adjustments (see below if curious), but once I worked |
8 |
all of that out, it went rather smoothly and is now working very well. |
9 |
|
10 |
Something I neglected to confirm, though, and I want to deal, with this |
11 |
now, is I want to make sure the filesystem permissions are correct, and |
12 |
secure as possible. |
13 |
|
14 |
This is a virtual hosting setup only (no system users), and dovecot is |
15 |
currently running in high performance mode (I'm thinking I want to |
16 |
change that too, so wondering if that would affect the permissions)... |
17 |
|
18 |
/var/vmail (and everything under it) is owned by vmail:vmail. |
19 |
|
20 |
Current permissions are: |
21 |
|
22 |
Top-level dir: |
23 |
/var/vmail 755 |
24 |
|
25 |
Virtual domain dirs: |
26 |
/var/vmail/example1.com 777 |
27 |
/var/vmail/example2.com 777 |
28 |
|
29 |
Users home dirs (all others are the same): |
30 |
/var/vmail/example1.com/user1 755 |
31 |
|
32 |
Users Maildirs (all others are the same): |
33 |
/var/vmail/example1.com/user1/Maildir 700 |
34 |
|
35 |
All files inside the users Maildirs are 600, with the exception of the |
36 |
dovecot-uidvalidity.blahblah files, which are all 444 |
37 |
|
38 |
So... is this right? Anything need to be changed? |
39 |
|
40 |
************************************ |
41 |
|
42 |
If anyone is interested, the adjustments I wanted/needed to make were: |
43 |
|
44 |
1. the users Maildirs were also their home |
45 |
|
46 |
I had to mv everything in .../example.com/user to |
47 |
.../example.com/user/Maildir |
48 |
|
49 |
2. the filesystem ownership/permissions were wrong for using the |
50 |
dovecot LDA |
51 |
|
52 |
chown -R vmail:vmail /var/vmail |
53 |
|
54 |
3. I wanted to get rid of the old legacy courier-imap INBOX prefix, but |
55 |
had to figure out how to provide compatibility settings so users |
56 |
wouldn't see any changes in their folders in their clients when I |
57 |
flipped the switch and had time to make the client changes before I |
58 |
remove the compatibility settings, etc. |
59 |
|
60 |
If anyone is interested I can provide the exact settings... |
61 |
|
62 |
4. I wanted to switch my instructions for setting up new mail clients |
63 |
from using SSL/TLS on port 993 to STARTTLS on port 143. |
64 |
|
65 |
Simple, tell dovecot to start listening on 143 and open up 143 on the |
66 |
firewall, and change the instructions. |
67 |
|
68 |
Last of course I had to write up instructions for the users on how to |
69 |
change these settings so I can remove the compatibility settings - and |
70 |
of course, I'm very detail oriented, so the first instructions I sent |
71 |
out were overly complicated (had a few complaints from the people who |
72 |
don't know how to read) - so I removed all of the explanatory text and |
73 |
re-sent simplified instructions. |
74 |
|
75 |
I'll keep the compatibility settings for a week or two, and won't remove |
76 |
them until I stop seeing connections on 993 (toward the end of the week |
77 |
I'll start grepping the logs and fixing the stragglers). |
78 |
|
79 |
Anyway, once I figured out how to do the above, everything went very |
80 |
smoothly. Clients with the legacy INBOX prefix (Thunderbird, iPhones, |
81 |
Android/K9 clients, etc) all didn't notice a thing when I flipped the |
82 |
DNS switch. |
83 |
|
84 |
When users change their settings to remove the INBOX prefix and change |
85 |
the security/port settings to STARTTLS/143, Thunderbird users have to |
86 |
re-accept the SSL Cert (we use self-signed certs), but iPhone clients |
87 |
interestingly didn't. I think my Android did, but can't remember now... |
88 |
|
89 |
Anyway, took a lot of prep work to make the transition so seamless, but |
90 |
it was worth it. |