System Users and Filesystem Access

The data handled by imip-agent needs to be accessible to other software, notably mail handling software and Web server software. Two approaches to e-mail integration affect the choice of system users and groups:

Integration Method            System Users and Groups                          Suitable for...
Using a dedicated lmtp group  imip-agent belongs to lmtp and www-data groups;  LMTP delivery and Local SMTP delivery
                              www-data also belongs to the lmtp group
Using an existing group       imip-agent belongs to the www-data group         Local SMTP delivery

The corresponding strategies are described in more detail below.

Using a Dedicated lmtp Group

Here, imip-agent's programs can run in a way that permits them to initiate LMTP delivery (requiring suitable local privileges to communicate with the mail storage solution) whilst allowing the Web server to read data written by the agent programs.

A system group needs to be created for LMTP delivery and for certain users to share resources:

addgroup lmtp

This group should be employed for LMTP delivery by systems like Cyrus and Dovecot. See the mail storage guide for more information.

A system user needs to be created and to belong to certain groups in order to deliver messages to mail stores and to publish resources on the Web:

useradd -d /var/lib/imip-agent -m -U -G lmtp,www-data -r imip-agent

Store details and published resources need to be accessible by the imip-agent and www-data users. Thus, www-data also needs to belong to the lmtp group:

adduser www-data lmtp

This configuration should also work with the local SMTP delivery method, where the lmtp group membership is simply superfluous for the imip-agent user. So, if the use of such a group is not problematic, this approach is a reasonable default choice. Moreover, there may be a need to create the lmtp group anyway so that MTAs can deliver to mail storage solutions.

Using an Existing Group

Here, imip-agent's programs run in a way that permits local SMTP delivery (which merely needs the ability to connect to a local network service) whilst allowing the Web server to read data written by the agent programs. This approach provides a means of keeping imip-agent separate from mail-related users and groups.

A system user needs to be created and to belong to certain groups in order to deliver messages to mail stores and to publish resources on the Web:

useradd -d /var/lib/imip-agent -m -U -G www-data -r imip-agent

Again, the tools/init.sh script will initialise directories for stored and published data. The tools/config.sh script should be edited and the group redefined as follows:

IMIP_AGENT_GROUP=www-data

If already installed, the /etc/imip-agent/config.sh script should be edited instead. See the configuration guide for more information.

With local SMTP delivery, the mail system will need to be configured to route messages for local recipients. See the local SMTP description of mail configuration for more information.
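
The group memberships required by the two strategies above can be audited with a short script. This is an added example, not part of imip-agent or its tools: the function names, the "dedicated"/"existing" labels and the --live switch are hypothetical, and live mode assumes the users already exist and that id -Gn is available.

```shell
#!/bin/sh
# Added example: audit memberships against the two strategies on this page.
# Names below (has_group, check_strategy, --live) are illustrative only.

# has_group GROUP "space separated group list": succeeds if GROUP is listed
has_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# check_strategy STRATEGY AGENT_GROUPS WEB_GROUPS
# Prints one line per finding; returns 0 only if nothing is missing or excessive.
check_strategy() {
    strategy=$1 agent_groups=$2 web_groups=$3 rc=0
    # Both strategies need the agent in www-data so the Web server can read its data.
    has_group www-data "$agent_groups" || { echo "MISSING: imip-agent not in www-data"; rc=1; }
    case $strategy in
    dedicated)
        has_group lmtp "$agent_groups" || { echo "MISSING: imip-agent not in lmtp"; rc=1; }
        has_group lmtp "$web_groups" || { echo "MISSING: www-data not in lmtp"; rc=1; }
        ;;
    existing)
        # This strategy keeps imip-agent separate from mail-related groups.
        has_group lmtp "$agent_groups" && { echo "EXCESS: imip-agent in lmtp"; rc=1; }
        ;;
    *)
        echo "unknown strategy: $strategy"; rc=2
        ;;
    esac
    return $rc
}

# Live use: sh audit.sh --live dedicated   (or: --live existing)
if [ "${1:-}" = "--live" ]; then
    check_strategy "$2" "$(id -Gn imip-agent)" "$(id -Gn www-data)"
fi
```

A non-zero exit status means the accounts do not match the chosen strategy; the EXCESS finding marks a membership that the existing-group approach is meant to avoid.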

Updating the Configuration

Once the necessary decisions have been taken here, the system's configuration will need updating so that the software and tools will work correctly.