postfix file permissions

[Red Squirrel]

which permissions do I need to set on postfix related files such as virtual hosts? I tried 700 owned by postfix😛ostfix, I tried root:mail and every other possible combination. I'm sure root:root chmod 777 would work but I don't want to set it to that since other people will have access to this server eventually, so is there a secure way of setting this up?

 

[Nothinman]

Mine are all root:root 0644 but then I never really paid attention since it's not a shared box. Most of the postfix binaries seem to run as the postfix user so having him own them should be good enough. I'm sure there's securing postfix docs out there that could give a more definititive answer though.

 

[Red Squirrel]

Yeah since 644 would mean its world readable right? Not good if people can read other people's emails.

 

[Nothinman]

Yes 0644 means world readable, but I was only talking about the config files and not the mail spool itself.

 

[Red Squirrel]

What should I set the mail spool to? ex: /var/mail/vhosts

 

[Nothinman]

I never paid attention the postfix spools, the package set those up for me and just now looking they look secure enough. I'm not using any vhosts in postfix though.

 

[child of wonder]

On my server at home I have multiple domains set up. They're owned by Postfix.Postfix and the permissions are 0660.

 

[Red Squirrel]

I think theres something with uids and guids that I have to setup, what exactly are those?

I think it has to do with these options:

virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

Perhaps I have to set that to something else. (this is default from postfix docs)

 

[child of wonder]

That's the UID and GID it'll give to virtual users.

 

[Red Squirrel]

What is a uid and gid though?

 

[Nothinman]

User id and Group id...

 

[Red Squirrel]

OH so I just translate the user/group name into their IDs? Is there a command for that? the user/group is postfix.

 

[Red Squirrel]

Think I got it going, the uid is the number thats in /etc/passwd and the guid is the number in /etc/groups (matching with user/group).

Also noticed I can't use postfix, have to create my own user. So just made one called mailbox so I chmodded the mail spool to 770 and made it owned by mailbox:mail. then when I get to configuring dovecot I'll just make it run as user mail and hopefully that will work.