CRAM MD5 passwd db permission issue

Aki Tuomi aki.tuomi at open-xchange.com
Wed Jan 4 16:09:37 UTC 2023


> On 04/01/2023 17:59 EET Gerben Wierda <gerben.wierda at rna.nl> wrote:
> 
> 
> I am busy migrating. I am moving from macOS+MacPorts to Ubuntu+Docker
> 
> On the old system, I have this in the dovecot config:
> mail_uid = _dovecot
> mail_gid = mail
> mail_privileged_group = mail
> mail_access_groups = mail
> 

These settings do not govern auth process access to this file.

> This seems weird to me, I think the dovecot user should be in group dovecot only if I understand the docs. On the old system dovecot, postfix, dovenull and rspamd are all members of the mail group.
> 
> On that system, the cram md5 passwd database (file) has these permissions:
> 
> drwxr-xr-x 3 root wheel 96 Feb 2 2021 .
> drwxr-xr-x 22 root admin 704 Jan 4 15:17 ..
> -rw-r----- 1 root mail 1234 Feb 2 2021 cram-md5.pwd

This should be root:dovecot

> 
> and that has worked like that for many years, basically starting with Mac OS X Server, surviving all kinds of macOS migrations.
> 
> On my new Ubuntu system I've copied this setup over:
> drwxr-xr-x 2 root root 4096 Jan 4 09:49 .
> drwxr-xr-x 7 root root 4096 Jan 4 15:21 ..
> -rw-r----- 1 root mail 1234 Feb 2 2021 cram-md5.pwd
> 
> mail_uid = dovecot
> mail_gid = mail
> mail_privileged_group = mail
> mail_access_groups = mail
> 
> But:
> Jan 04 15:40:08 auth: Error: passwd-file /etc/dovecot/etc/cram-md5.pwd:open(/etc/dovecot/etc/cram-md5.pwd) failed: Permission denied (euid=91(dovecot) egid=91(dovecot) missing +r perm: /etc/dovecot/etc/cram-md5.pwd, we're not in group 8(mail), dir owned by 0:0 mode=0755)
> 
> And really, dovecot is in group mail. From /etc/group:
> mail:x:8:postfix,dovecot
> dovenull:x:90:
> dovecot:x:91:
> And from /etc/passwd:
> dovenull:x:90:90::/home/dovenull:/usr/sbin/nologin
> dovecot:x:91:91::/home/dovecot:/usr/sbin/nologin
> 
> So, that I get this error baffles me.
> 
> Gerben Wierda (LinkedIn (https://www.linkedin.com/in/gerbenwierda))
> R&A IT Strategy (https://ea.rna.nl/) (main site)
> Book: Chess and the Art of Enterprise Architecture (https://ea.rna.nl/the-book/)
> Book: Mastering ArchiMate (https://ea.rna.nl/the-book-edition-iii/)
>

Dovecot processes drop extra groups unless explicitly asked to retain those.

Aki
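
Added example, not part of the original message and not Dovecot's code: a small Python model of the POSIX permission check behind the quoted error, using the ids from the log line and `/etc/group` (91 = dovecot, 8 = mail). The `Node` and `Creds` types and the function names are hypothetical, and root handling is simplified.

```python
from dataclasses import dataclass

R, X = 4, 1  # read bit, execute/search bit within one permission class

@dataclass(frozen=True)
class Node:
    """Constructed stand-in for the stat() fields that matter here."""
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o640

@dataclass(frozen=True)
class Creds:
    euid: int
    egid: int
    groups: frozenset = frozenset()  # supplementary groups the process kept

def allowed(node, creds, want):
    """Pick exactly one class (owner, else group, else other) and test it."""
    if creds.euid == 0:
        return True  # simplification: root passes read/search checks
    if creds.euid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid == creds.egid or node.gid in creds.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return (bits & want) == want

def can_read(dirs, file, creds):
    """Search (x) on every directory in the path, then read (r) on the file."""
    return all(allowed(d, creds, X) for d in dirs) and allowed(file, creds, R)

# Constructed from the values quoted in the thread.
DIRS = [Node(0, 0, 0o755)]            # "dir owned by 0:0 mode=0755"
ROOT_MAIL = Node(0, 8, 0o640)         # -rw-r----- root mail
ROOT_DOVECOT = Node(0, 91, 0o640)     # -rw-r----- root dovecot
AUTH = Creds(91, 91)                  # euid=91 egid=91, extra groups dropped
KEPT = Creds(91, 91, frozenset({8}))  # same user if group 8 had been retained

def report():
    return {
        "auth, root:mail 0640": can_read(DIRS, ROOT_MAIL, AUTH),
        "auth, root:dovecot 0640": can_read(DIRS, ROOT_DOVECOT, AUTH),
        "group 8 retained, root:mail 0640": can_read(DIRS, ROOT_MAIL, KEPT),
    }

if __name__ == "__main__":
    for case, ok in report().items():
        print(f"{case}: {'readable' if ok else 'Permission denied'}")
```

The first case reproduces the logged denial: membership in `/etc/group` has no effect once the process holds only uid 91 and gid 91, so the file's group must match the process's primary group.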

