From 88e372b8f8e10330254be88d1fb5cec17b08c912 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Fri, 22 Oct 2021 19:36:53 -0700 Subject: [PATCH] email_server: dovecot: Don't deliver mail to home directory Delivering mail to home directory is only needed when users are expected to login via terminal and use command line tools for accessing their email. In FreedomBox, we expect users to use GUI tools such as Thunderbird and K-9 Mail to access their mail. So, POP3 and IMAP access sufficient. Not trying to compatible with command line mail tools means that high performance mailbox storage formats can be chosen. This is important to ensure that accessing mail via IMAP is fast. In future, we can consider enabling full text search using Apache Solr. Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- .../dovecot/conf.d/05-freedombox-mail.conf | 25 +++++++++++++++++++ .../dovecot/conf.d/15-freedombox-mail.conf | 16 ++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 plinth/modules/email_server/data/etc/dovecot/conf.d/05-freedombox-mail.conf create mode 100644 plinth/modules/email_server/data/etc/dovecot/conf.d/15-freedombox-mail.conf diff --git a/plinth/modules/email_server/data/etc/dovecot/conf.d/05-freedombox-mail.conf b/plinth/modules/email_server/data/etc/dovecot/conf.d/05-freedombox-mail.conf new file mode 100644 index 000000000..e3c908d64 --- /dev/null +++ b/plinth/modules/email_server/data/etc/dovecot/conf.d/05-freedombox-mail.conf @@ -0,0 +1,25 @@ +# Direct edits to this file will be lost! +# Manage your settings on Plinth + +# Users in FreedomBox are not expected to access mail by logging into the +# system. Storing the mail in single location instead of home directories and +# with single UID/GID simplifies security reasoning and backup/restore +# operations. +# +# When FreedomBox has multiple domains a user is expected to get a mailbox that +# is same across the domains. Changing an domain name is not uncommon in +# FreedomBox. So, authenticate and store mails based on username only instead of +# including domain names in storage path. +# +# For authdb and userdb, the passwd driver looks up using NSS. In FreedomBox, +# NSS is configured to lookup LDAP with the help of libnss-ldapd. There is no +# need to configure LDAP lookup separately. +# +# Directories are created under /var/mail as necessary by dovecot. Permissions +# for newly created directories are inherited from parent directory. FreedomBox +# will remove all permissions for 'others' from /var/mail to ensure that mail is +# not read by non-root users. +userdb { + driver = passwd + override_fields = home=/var/mail/%Ln uid=mail gid=mail +} diff --git a/plinth/modules/email_server/data/etc/dovecot/conf.d/15-freedombox-mail.conf b/plinth/modules/email_server/data/etc/dovecot/conf.d/15-freedombox-mail.conf new file mode 100644 index 000000000..40bccbce2 --- /dev/null +++ b/plinth/modules/email_server/data/etc/dovecot/conf.d/15-freedombox-mail.conf @@ -0,0 +1,16 @@ +# Direct edits to this file will be lost! +# Manage your settings on Plinth + +# Use sdbox, a format specific to dovecot, for storing mails. The format allows +# better performance with some IMAP queries. When this is combined with Full +# Text Search (FTS), users will get optimal web and desktop mail experience. +# Don't pick mdbox format because is requires regular expunge maintenance. We +# have enabled btrfs filesystem compression by default. +mail_location = sdbox:~/mail + +# We try to deliver all mail using a single UID 'mail' and a single GID 'mail'. +# In Debian, UID of mail user is 8 and GID of mail user is 8 as set in +# /usr/share/base-passwd/{passwd|group}.master. By default first valid UID in +# dovecot is 500. +first_valid_uid = 8 +last_valid_uid = 8