Hi, Thank you for your answers :). When should I expect the final (production ready) release of Dovecot 2 (an approximate time period)?
Thank you,
Buzai Andras

On Mon, Jul 12, 2010 at 5:35 PM, Timo Sirainen <t...@iki.fi> wrote:

> On Mon, 2010-07-12 at 00:09 +0300, Buzai Andras wrote:
> >
> > dovecot unix - n n - - pipe
> >   flags=DRhu user=*mysudoeruser* argv=/usr/bin/sudo /usr/lib/dovecot/deliver
> >   -f ${sender} -d ${recipient}
> >
> > When you say that:
> >
> > *"Basically the user that calls deliver via sudo has the ability to gain
> > root privileges (e.g. by telling deliver to
> > load a plugin that execs a shell)."*,
> >
> > do you refer to the postfix user or to the user specified in the
> > master.cf file (*mysudoeruser* in my case)?
>
> mysudoeruser (that's who you gave sudo access, right?)
>
> > In my configuration the user "mysudoeruser" is a dedicated user only for
> > this action and it is not allowed to login, etc ...
> >
> > So basically for somebody to gain root access it should compromise the
> > "mysudoeruser" dedicated user, right?
>
> Yeah.
>
> > Would you use this setup in a production environment? :)
>
> I guess it's not too bad. But I'd switch to LMTP once you've upgraded to
> Dovecot v2.0.
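
The LMTP setup recommended in the quoted reply, sketched as an added example that is not part of the original thread or written by either participant. It assumes the mailboxes are Postfix virtual mailboxes (hence `virtual_transport`), the default Postfix queue directory `/var/spool/postfix`, IMAP as the access protocol, and the socket name `dovecot-lmtp`. With this in place Postfix talks to Dovecot's own LMTP service over a UNIX socket, so neither the pipe transport nor the sudo rule is needed.

```conf
# --- Postfix main.cf ---
# Hand mail to Dovecot over LMTP instead of the pipe(8) transport that
# ran deliver through sudo. The socket path is relative to the Postfix
# queue directory (assumed to be /var/spool/postfix).
virtual_transport = lmtp:unix:private/dovecot-lmtp

# --- Postfix master.cf ---
# The old transport is no longer referenced. Remove it, together with
# the sudoers entry that let mysudoeruser run deliver as root:
#dovecot unix - n n - - pipe
#  flags=DRhu user=mysudoeruser argv=/usr/bin/sudo /usr/lib/dovecot/deliver
#  -f ${sender} -d ${recipient}

# --- Dovecot v2.0 dovecot.conf ---
# Enable the LMTP service next to IMAP (assumed to be in use already).
protocols = imap lmtp

service lmtp {
  # Listener created inside the Postfix queue directory so the Postfix
  # lmtp(8) client can reach it. Only the postfix user may connect.
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```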