[Dovecot] Random LDA failure to access auth socket

Chris Richards gizmo at giz-works.com
Sat Mar 2 19:52:01 EET 2013


Thanks for the links: those were what I followed when I set things up.

The dovecot user is the $default_internal_user.

hermes conf.d # dovecot -n
# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.4.2-hardened-r1-bordernet x86_64 Gentoo Base System release 2.1 ext4
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@&
auth_verbose_passwords = plain
disable_plaintext_auth = no
login_greeting = Awaiting command...
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_plugins = " quota"
mail_privileged_group = 100
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  expire = Trash 7
  expire2 = Trash/* 7
  expire3 = Spam 7
  quota = maildir:User quota
  quota_rule = *:storage=200M
  quota_warning = storage=95%% quota-warning 95 %n %d
  quota_warning2 = storage=80%% quota-warning 80 %n %d
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /home/vmail/dovecot/sieve
  sieve_global_path = /home/vmail/dovecot/sieve/default.sieve
}
protocols = imap pop3 sieve
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = $default_internal_user
}
service quota-warning {
  executable = script /etc/dovecot/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_key = </etc/ssl/dovecot/server.key
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = sieve quota
}
protocol lda {
  mail_plugins = " quota sieve quota"
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = " quota quota imap_quota"
}
protocol pop3 {
  mail_plugins = " quota quota"
}




hermes conf.d # stat /usr/libexec/dovecot/deliver
  File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
  Size: 11              Blocks: 0          IO Block: 4096   symbolic link
Device: 805h/2053d      Inode: 267375      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2012-11-24 17:44:04.440976879 +0000
Modify: 2012-11-24 17:44:04.440976879 +0000
Change: 2012-11-24 17:44:04.440976879 +0000
 Birth: -

hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
  File: '/usr/libexec/dovecot/dovecot-lda'
  Size: 22432           Blocks: 48         IO Block: 4096   regular file
Device: 805h/2053d      Inode: 849010      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2012-11-24 17:43:57.124794021 +0000
Modify: 2012-11-24 17:44:02.204920992 +0000
Change: 2012-11-24 17:44:04.444976978 +0000
 Birth: -


Thanks in advance for your help.

Chris

On Sat, March 2, 2013 11:15 am, Daniel Parthey wrote:
> Chris Richards wrote:
>> I've got a dovecot server running version 2.0.19 on Gentoo Hardened.  I
>> have Postfix as my MTA, and it is calling the Dovecot LDA to deliver the
>> mail.  Everything is working great, mail is being delivered, and the
>> users are happy.
>>
>> However, I am noticing that I have random entries like this:
>>
>> Mar  1 20:19:23 hermes dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=97(dovecot) egid=97(dovecot) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
>> Mar  1 20:19:23 hermes dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
>>
>> In Postfix master.cf, I have the following:
>> dovecot   unix -        n       n       -       -       pipe
>>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
>>
>> Permissions on the socket are:
>> srw------- 1 vmail   vmail      0 Feb 24 23:43 auth-userdb
>>
>> Judging from the log, my problem is that the LDA appears to be trying to
>> access the socket as the dovecot user (rather than the vmail user), but
>> my question is why?  What logging can I use to tell me if postfix is
>> calling with the wrong permissions or if the lda is somehow getting
>> confused?
>
> Have a look at
> http://wiki2.dovecot.org/LDA
> http://wiki2.dovecot.org/LDA/Postfix
> Maybe there you will find some helpful hints.
>
> Is /usr/libexec/dovecot/deliver or /usr/libexec/dovecot/dovecot-lda
> somehow setuid or setgid and owner/group dovecot? Where does the
> effective user euid=97(dovecot) and effective group egid=97(dovecot)
> come from, is it somewhere in your dovecot config?
>
> Please show full output of
> # doveconf -n
> # stat /usr/libexec/dovecot/deliver
> # stat /usr/libexec/dovecot/dovecot-lda
>
> Regards
> Daniel
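
An added example, not part of the original thread and not Dovecot's own code: a small Python check that takes the LDA "Permission denied" log line and the `ls -l` line for the socket, both as quoted above, and reports which permission class the failing process falls into. It assumes only the primary group reported in the log (supplementary groups and the root bypass are ignored) and compares identities by name.

```python
import re

# Sample inputs constructed from the log line and `ls -l` output quoted in the thread.
LOG = ("Mar  1 20:19:23 hermes dovecot: lda: Error: userdb lookup: "
       "connect(/var/run/dovecot/auth-userdb) failed: Permission denied "
       "(euid=97(dovecot) egid=97(dovecot) missing +r perm: "
       "/var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)")
LS = "srw------- 1 vmail   vmail      0 Feb 24 23:43 auth-userdb"

LOG_RE = re.compile(r"connect\((?P<path>[^)]+)\) failed: Permission denied "
                    r"\(euid=(?P<euid>\d+)\((?P<user>[^)]*)\) "
                    r"egid=(?P<egid>\d+)\((?P<group>[^)]*)\)")

def parse_denial(line):
    """Return socket path and effective identity from an LDA EACCES line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def parse_ls(line):
    """Return (mode string, owner, group) from one `ls -l` line."""
    fields = line.split()
    return fields[0], fields[2], fields[3]

def access_class(ident, owner, group):
    """Permission triplet that applies to the process (primary group only)."""
    if ident["user"] == owner:
        return "owner"
    if ident["group"] == group:
        return "group"
    return "other"

def explain(log_line, ls_line):
    """Combine the log identity with the socket mode; None if the line does not match."""
    ident = parse_denial(log_line)
    if ident is None:
        return None
    mode, owner, group = parse_ls(ls_line)
    cls = access_class(ident, owner, group)
    bits = {"owner": mode[1:4], "group": mode[4:7], "other": mode[7:10]}[cls]
    # Conservative check: require both read and write on the socket.
    return {"process": f'{ident["user"]}:{ident["group"]}',
            "socket": f"{owner}:{group} {mode}",
            "class": cls, "bits": bits,
            "can_connect": "r" in bits and "w" in bits}

if __name__ == "__main__":
    print(explain(LOG, LS))
```

Run over a whole log, the same parser separates deliveries that arrive with the expected `vmail` identity from those that arrive as `dovecot`, which narrows down where the unexpected euid is introduced.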



