| 1 |
Hi all, |
| 2 |
|
| 3 |
Still waiting on an answer on the dovecot list, but I think there are |
| 4 |
more than a few dovecot users here too, so... |
| 5 |
|
| 6 |
I just migrated my 9+ year old gentoo mail server to a shiny new gentoo |
| 7 |
VM. Had to do some adjustments (see below if curious), but once I worked |
| 8 |
all of that out, it went rather smoothly and is now working very well. |
| 9 |
|
| 10 |
Something I neglected to confirm, though, and I want to deal, with this |
| 11 |
now, is I want to make sure the filesystem permissions are correct, and |
| 12 |
secure as possible. |
| 13 |
|
| 14 |
This is a virtual hosting setup only (no system users), and dovecot is |
| 15 |
currently running in high performance mode (I'm thinking I want to |
| 16 |
change that too, so wondering if that would affect the permissions)... |
| 17 |
|
| 18 |
/var/vmail (and everything under it) is owned by vmail:vmail. |
| 19 |
|
| 20 |
Current permissions are: |
| 21 |
|
| 22 |
Top-level dir: |
| 23 |
/var/vmail 755 |
| 24 |
|
| 25 |
Virtual domain dirs: |
| 26 |
/var/vmail/example1.com 777 |
| 27 |
/var/vmail/example2.com 777 |
| 28 |
|
| 29 |
Users home dirs (all others are the same): |
| 30 |
/var/vmail/example1.com/user1 755 |
| 31 |
|
| 32 |
Users Maildirs (all others are the same): |
| 33 |
/var/vmail/example1.com/user1/Maildir 700 |
| 34 |
|
| 35 |
All files inside the users Maildirs are 600, with the exception of the |
| 36 |
dovecot-uidvalidity.blahblah files, which are all 444 |
| 37 |
|
| 38 |
So... is this right? Anything need to be changed? |
| 39 |
|
| 40 |
************************************ |
| 41 |
|
| 42 |
If anyone is interested, the adjustments I wanted/needed to make were: |
| 43 |
|
| 44 |
1. the users Maildirs were also their home |
| 45 |
|
| 46 |
I had to mv everything in .../example.com/user to |
| 47 |
.../example.com/user/Maildir |
| 48 |
|
| 49 |
2. the filesystem ownership/permissions were wrong for using the |
| 50 |
dovecot LDA |
| 51 |
|
| 52 |
chown -R vmail:vmail /var/vmail |
| 53 |
|
| 54 |
3. I wanted to get rid of the old legacy courier-imap INBOX prefix, but |
| 55 |
had to figure out how to provide compatibility settings so users |
| 56 |
wouldn't see any changes in their folders in their clients when I |
| 57 |
flipped the switch and had time to make the client changes before I |
| 58 |
remove the compatibility settings, etc. |
| 59 |
|
| 60 |
If anyone is interested I can provide the exact settings... |
| 61 |
|
| 62 |
4. I wanted to switch my instructions for setting up new mail clients |
| 63 |
from using SSL/TLS on port 993 to STARTTLS on port 143. |
| 64 |
|
| 65 |
Simple, tell dovecot to start listening on 143 and open up 143 on the |
| 66 |
firewall, and change the instructions. |
| 67 |
|
| 68 |
Last of course I had to write up instructions for the users on how to |
| 69 |
change these settings so I can remove the compatibility settings - and |
| 70 |
of course, I'm very detail oriented, so the first instructions I sent |
| 71 |
out were overly complicated (had a few complaints from the people who |
| 72 |
don't know how to read) - so I removed all of the explanatory text and |
| 73 |
re-sent simplified instructions. |
| 74 |
|
| 75 |
I'll keep the compatibility settings for a week or two, and won't remove |
| 76 |
them until I stop seeing connections on 993 (toward the end of the week |
| 77 |
I'll start grepping the logs and fixing the stragglers). |
| 78 |
|
| 79 |
Anyway, once I figured out how to do the above, everything went very |
| 80 |
smoothly. Clients with the legacy INBOX prefix (Thunderbird, iPhones, |
| 81 |
Android/K9 clients, etc) all didn't notice a thing when I flipped the |
| 82 |
DNS switch. |
| 83 |
|
| 84 |
When users change their settings to remove the INBOX prefix and change |
| 85 |
the security/port settings to STARTTLS/143, Thunderbird users have to |
| 86 |
re-accept the SSL Cert (we use self-signed certs), but iPhone clients |
| 87 |
interestingly didn't. I think my Android did, but can't remember now... |
| 88 |
|
| 89 |
Anyway, took a lot of prep work to make the transition so seamless, but |
| 90 |
it was worth it. |
Archives