Charles Marcus wrote:
On 10/7/2008 3:09 PM, mouss wrote:
but, example.com (the domain, not the hostname) is also listed in
virtual_mailbox_domains via the mysql lookup...
Is this OK/normal? I'm thinking yes, because:
yes, it's ok.
Ok, good... :)
Note that both smtp.example.com and example.com are FQDN.
Right, but the latter can never be a _host_ name...
Sure it can.
"virtual domains" is ambiguous. You are talking about virtual mailbox
domains (contrast with virtual alias domains).
True, and thanks for pointing that out... I do know how important it is
to be precise when discussing things like this...
- you can have a per mailbox uid:gid or use a single uid:gid for all
mailboxes (the maps are then: static:1234, where 1234 is the uid or gid).
Is there any place that discusses the pros/cons of per mailbox vs static
uid/gid? I'm using static now, but not sure if there is any advantage one
way or another.
Using per-mailbox uid's enlists the OS's built-in access control to help
prevent users from being able to access other users' mail, and in principle
that should be more secure. Unfortunately, it also means that all of your
tools that work with delivery and mail store access have to understand that
model for virtual mailbox domains mapping to real uid's. That usually means
that those tools (e.g. an IMAP server) have to have a master component
running as root, which some people see as a risk. In addition, making that
work is inherently a bit more complicated, and there is a risk when that
causes breakage of "fixing" it in some manner that is significantly worse
than just using the same (otherwise unprivileged) uid for all mailboxes (and
for all of the manipulators of them.) You also can run into scaling issues
with some OS's that have 16-bit uid's and reserve ranges as special.
> I'm mostly concerned with security and simplicity (I'm
> lazy and don't like cleaning up messes or managing complicated
> configurations)...
If you don't have untrusted users with shell (or similarly arbitrary) access
that lets them run random code, the simplicity of using a single uid for
virtual mailboxes is probably also a security win.
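
Added example, not part of the original thread: a small audit of a mail store for the two ownership models discussed above (one static uid for all mailboxes, or one uid per mailbox). It assumes one directory per mailbox directly under the directory being checked; the function names and the sample mailboxes are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def audit_mail_store(base, model, static_uid=None):
    """Return (mailbox, problem) pairs for the mailbox directories under base.

    model is "static" (one uid owns every mailbox) or "per-mailbox".
    """
    findings = []
    owners = defaultdict(list)
    for name in sorted(os.listdir(base)):
        st = os.lstat(os.path.join(base, name))
        if not stat.S_ISDIR(st.st_mode):
            continue  # skip files and symlinks, only mailbox directories count
        owners[st.st_uid].append(name)
        # In either model, group/other bits let a different uid into the mailbox.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                (name, "group/other access: mode %o" % stat.S_IMODE(st.st_mode)))
        if model == "static" and st.st_uid != static_uid:
            findings.append(
                (name, "owned by uid %d, expected %d" % (st.st_uid, static_uid)))
    if model == "per-mailbox":
        # The OS can only separate mailboxes whose owners actually differ.
        for uid, names in owners.items():
            if len(names) > 1:
                findings.append(
                    (",".join(names), "share uid %d, no OS isolation" % uid))
    return findings


def demo():
    """Build a constructed two-mailbox store and audit it under both models."""
    base = tempfile.mkdtemp()
    for name, mode in (("alice", 0o700), ("bob", 0o750)):
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)  # set the mode explicitly, independent of umask
    uid = os.geteuid()
    return (audit_mail_store(base, "static", uid),
            audit_mail_store(base, "per-mailbox"))


if __name__ == "__main__":
    for result in demo():
        print(result)
```
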