However, when we have a postfix server on the same machine, that delegates
authentication to dovecot SASL ... we can indeed log in as root on the postfix
server.
You are not logging into Dovecot with root, you are connecting to Postfix for
submission.
When you connect to dovecot using linux users (PAM) the process running takes
on the UID of the login user to give file permissions to read that users home
directory where email could be stored. The risk being if someone had root UID:0
they could read anything on the server, not just the home directory of a user.
But you aren't logging into Dovecot, you are connecting to Postfix. You aren't
checking mail or reading directories. You are only submitting an email to
Postfix for submission services. Postfix runs as its own Postfix UID no matter
who you authenticate as. So even though you are authenticating yourself with
root credentials, you aren't doing so as the root UID, you aren't reading email,
and you aren't accessing any file systems like Dovecot would be.
I agree that this is absolutely not the same in terms of security.
The thing I'm worrying about is a lot less dangerous than what you're
describing, no arguing about that. It's just, if we imagine that we have
disabled root ssh access, and password ssh connection (allowing only keypair
connection), this situation provides the port 465 as another way to test
passwords, for instance. I would just like to be able to implement on port 465
more or less the same requirements I have implemented on port 22, and on port
993 as well through the use of {first,last}_valid_{u,g}id : a static, and
well-known set of users that are allowed to try and authenticate, even though,
as you say (and I agree), that the risk is absolutely not the same as with SSH
or IMAPS.
So, am I to understand from your answer that the fact that login with root or
with users not respecting {first,last}_valid_{u,g}id is only applicable to
dovecot direcly, not to other processes that have delegated authentication to
dovecot ? In other words, that this is a feature and not a bug ?
Me personally, this is why i prefer to use virtual users stored in a database
for email and never use linux users. I have ultimate control over what users
can be authenticated or receive email. I can add flags to the DB query to fail
an otherwise valid user. Why would i want a root@ email address? Why would i
want my system to accept email for httpd from some stranger on the internet?
Why would i want to have to create a linux user at the OS level just to add a
mailbox?
