[Dovecot] deliver net_connect auth-master failed: Permission denied

Rich Winkel rich at math.missouri.edu
Wed Sep 26 08:28:01 EEST 2007


On Tue, Sep 25, 2007 at 09:07:24PM -0400, Bill Cole wrote:
> At 7:19 PM -0500 9/25/07, Rich Winkel imposed structure on a stream 
> of electrons, yielding:

a flux of gibberish!!!

> >Does deliver run as root, as the recipient's ID, sendmail's ID or
> >sendmail's GID?  (I'm running freebsd)
> 
> Ideally, it should run SUID+SGID to a user and group that exist to 
> make mail delivery permissions work. See 
> http://wiki.dovecot.org/LDA/Sendmail and http://wiki.dovecot.org/LDA
> 
> The key bit is on the main LDA page where it describes the master 
> socket config and on the Sendmail page where it discusses 'non-root' 
> sendmail setups, which is really applicable to all common setups of 
> modern Sendmail.

Ok, I've done:
chown dovecot:dovecot /usr/local/libexec/dovecot/deliver
chmod ug+s /usr/local/libexec/dovecot/deliver
and set
  socket listen {
    master {
      # Master socket provides access to userdb information. It's typically
      # used to give Dovecot's local delivery agent access to userdb so it
      # can find mailbox locations.
      path = /var/run/dovecot/auth-master
      mode = 0660
      # Default user/group is the one who started dovecot-auth (root)
      user = dovecot
      group = dovecot
    }
in dovecot.conf.  Then I got:

deliver(userid): setgid(10) failed: Operation not permitted
So I tried
chown root:dovecot /usr/local/libexec/dovecot/deliver
and now it seems to be working ... I think!

> >Or am I totally clueless ??
> 
> Well, the Mizzou address argues one way, but I'll give you the 
> benefit of the doubt and say maybe not...
> :)

Doh!  Walked right into that one :)

> The bottom line: make up a user and group to own the master socket, 
> structure your inbox permissions so that deliver can run that way and 
> write to them, and make deliver SUID/SGID.
> 
> Structuring inbox permissions so that can work is a potentially 
> complex problem.

So I see ...

Danke kindly,
Rich
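
The ownership and mode combinations tried in this message, as an added example that is not part of the original post and not Dovecot code: a shell function that takes the `ls -ldn` line of deliver and of the auth-master socket and predicts which outcome to expect. The verdict names, the sample lines and the numeric uid/gid 143 for dovecot are constructed for illustration.

```sh
#!/bin/sh
# Added example: predict how `deliver` behaves from two `ls -ldn` lines.
# Verdict names are this example's own, not Dovecot's:
#   no-setuid               runs with the invoking user's ids
#   connect-denied          effective ids lack write access to auth-master
#   cannot-switch-ids       setuid to a non-root owner: setgid()/setuid() to
#                           another user's ids fails, "Operation not permitted"
#   setuid-root-world-exec  works, but every local user can run a root binary
#   setuid-root-restricted  works, and "other" has no execute bit
bit() { printf '%s' "$1" | cut -c"$2"; }   # one column of an ls mode string

audit_deliver() {                           # $1 = deliver line, $2 = socket line
    d=$1 s=$2
    set -f                                  # no globbing while word-splitting
    set -- $d; dmode=$1 duid=$3 dgid=$4
    set -- $s; smode=$1 suid=$3 sgid=$4
    set +f
    case $(bit "$dmode" 4) in s|S) ;; *) echo no-setuid; return ;; esac
    euid=$duid
    # Without the setgid bit the effective gid is the caller's: treat as unknown.
    case $(bit "$dmode" 7) in s|S) egid=$dgid ;; *) egid=unknown ;; esac
    if [ "$euid" != 0 ]; then
        # The kernel checks exactly one class: owner, else group, else other.
        if [ "$euid" = "$suid" ]; then col=3
        elif [ "$egid" = "$sgid" ]; then col=6
        else col=9; fi
        # connect() on a UNIX socket needs write permission on the socket file.
        [ "$(bit "$smode" "$col")" = w ] || { echo connect-denied; return; }
        echo cannot-switch-ids; return
    fi
    case $(bit "$dmode" 10) in
        x|t) echo setuid-root-world-exec ;;
        *)   echo setuid-root-restricted ;;
    esac
}

# Constructed sample lines; uid/gid 143 standing for dovecot is an assumption.
SOCK='srw-rw---- 1 143 143 0 Sep 26 08:00 /var/run/dovecot/auth-master'
for line in \
    '-r-sr-sr-x 1 143 143 90000 Sep 26 08:00 deliver' \
    '-r-sr-sr-x 1 0 143 90000 Sep 26 08:00 deliver' \
    '-r-sr-x--- 1 0 143 90000 Sep 26 08:00 deliver'
do
    echo "$line => $(audit_deliver "$line" "$SOCK")"
done
```

Search permission on the directory holding the socket is not modelled here. To audit a live system, pass the real output of `ls -ldn` for both paths instead of the sample lines.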

