[Dovecot] Add bindirs to cache compiled scripts, drop some privileges, run one login proc per user

2017-11-05 12:18:52 +01:00 · 2017-11-05 12:18:52 +01:00 · 586a0b0e05
parent 548fe979ec
commit 586a0b0e05
1 changed files with 15 additions and 4 deletions
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@ -173,6 +173,9 @@ service dict {
    group = vmail
  }
 }
+service log {
+  user = dovenull
+}
 service auth {
  inet_listener auth-inet {
    port = 10001
@ -185,7 +188,6 @@ service auth {
    mode = 0600
    user = vmail
  }
-  user = root
 }
 service managesieve-login {
  inet_listener sieve {
@ -193,10 +195,19 @@ service managesieve-login {
  }
  service_count = 1
  process_min_avail = 2
-  vsz_limit = 128M
+  vsz_limit = 64M
+}
+service imap-login {
+  service_count = 1
+  vsz_limit = 64M
+  user = dovenull
+}
+service pop3-login {
+  service_count = 1
 }
 service imap {
  executable = imap imap-postlogin
+  user = dovenull
 }
 service managesieve {
  process_limit = 256
@ -249,8 +260,8 @@ plugin {
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
  listescape_char = "\\"
-  sieve_before = dict:proxy::sieve_before;name=active
-  sieve_after = dict:proxy::sieve_after;name=active
+  sieve_before = dict:proxy::sieve_before;name=active;bindir=/var/vmail/sieve_before_bindir
+  sieve_after = dict:proxy::sieve_after;name=active;bindir=/var/vmail/sieve_after_bindir
  sieve_after2 = /var/vmail/sieve/global.sieve
  #mail_crypt_global_private_key = </mail_crypt/ecprivkey.pem
  #mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem