summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-05-21 01:35:28 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-21 02:26:16 +0200
commit5118f8d3394579a245b355c863c69410fe92e26e (patch)
tree54fbaf5aca0a1d798fbecca9ba7929f3b25a604e /roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
parent1df4c30a95abd9e7c6352e2b3d2766281c3e591d (diff)
dovecot-auth-proxy: replace directory traversal with LDAP lookups.
This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
Diffstat (limited to 'roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service')
-rw-r--r--roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service10
1 files changed, 4 insertions, 6 deletions
diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
index d20f9c2..3ac0b31 100644
--- a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
+++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
@@ -4,8 +4,7 @@ After=dovecot.target
Requires=dovecot-auth-proxy.socket
[Service]
-User=vmail
-Group=vmail
+User=_dovecot-auth-proxy
StandardInput=null
SyslogFacility=mail
ExecStart=/usr/local/bin/dovecot-auth-proxy.pl
@@ -13,14 +12,13 @@ ExecStart=/usr/local/bin/dovecot-auth-proxy.pl
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=read-only
-PrivateDevices=yes
PrivateNetwork=yes
+ProtectHome=yes
+ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-RestrictAddressFamilies=
+RestrictAddressFamilies=AF_UNIX
[Install]
WantedBy=multi-user.target