[Dovecot] Random LDA failure to access auth socket
Daniel Parthey
daniel.parthey at informatik.tu-chemnitz.de
Mon Mar 4 00:13:33 EET 2013
Hi Chris,
Chris Richards wrote:
> service auth {
> unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0666
> user = postfix
> }
> unix_listener auth-userdb {
> group = vmail
> mode = 0600
> user = vmail
> }
> user = $default_internal_user
> }
In order for dovecot-lda to work, default internal user "dovecot"
seems to need permission for the user listing. This should work,
but you should try to narrow the permissions down:
service auth {
unix_listener auth-userdb {
group = dovecot
mode = 0666
user = dovecot
}
}
Documentation http://wiki2.dovecot.org/LDA says:
The auth-userdb socket can be used to do userdb lookups for given usernames or
get a list of all users. Typically the result will contain the user's UID, GID
and home directory, but depending on your configuration it may return other
information as well. So the information is similar to what can be found from
eg. /etc/passwd for system users. This means that it's probably not a problem
to use mode=0666 for the socket, but you should try to restrict it more just to
be safe.
> hermes conf.d # stat /usr/libexec/dovecot/deliver
> File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
> Size: 11 Blocks: 0 IO Block: 4096 symbolic link
> Device: 805h/2053d Inode: 267375 Links: 1
> Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2012-11-24 17:44:04.440976879 +0000
> Modify: 2012-11-24 17:44:04.440976879 +0000
> Change: 2012-11-24 17:44:04.440976879 +0000
> Birth: -
deliver is a symbolic link to dovecot-lda, so it's basically the same.
> hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
> File: '/usr/libexec/dovecot/dovecot-lda'
> Size: 22432 Blocks: 48 IO Block: 4096 regular file
> Device: 805h/2053d Inode: 849010 Links: 1
> Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2012-11-24 17:43:57.124794021 +0000
> Modify: 2012-11-24 17:44:02.204920992 +0000
> Change: 2012-11-24 17:44:04.444976978 +0000
> Birth: -
No setuid/setgid flags set.
> >> In Postfix master.cf, I have the following:
> >> dovecot unix - n n - - pipe
> >> flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f
> >> ${sender} -d ${user}@${nexthop}
I'm wondering why user=vmail:users does not have the desired effect
and dovecot-lda uses the effective uid "dovecot" and effective gid "dovecot"
to do the user lookups.
Regards
Daniel
--
https://plus.google.com/103021802792276734820
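As an added example (not part of this thread or of Dovecot itself), a small shell audit that reads a Dovecot "service auth" config and reports which unix_listener sockets grant write access to "other" (connecting to a Unix socket needs write permission), using a constructed config modelled on the snippets above:

```shell
#!/bin/sh
# Added example, not from the original thread: audit the unix_listener
# blocks of a Dovecot "service auth" config and flag sockets whose mode
# lets any local user connect (world write bit set).

# Constructed sample config, modelled on the thread's snippets.
CONSTRUCTED_CONF=$(mktemp)
cat >"$CONSTRUCTED_CONF" <<'EOF'
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = dovecot
    mode = 0600
    user = dovecot
  }
}
EOF

# Print one line per listener: "<path> <user>:<group> <mode> <verdict>".
# Verdict is WORLD-ACCESS when the "other" octal digit includes write (2, 3, 6, 7).
audit_listeners() {
    awk '
    /unix_listener[[:space:]]/ { name = $2; user = "?"; group = "?"; mode = "?"; next }
    name != "" && $1 == "user"  { user = $3 }
    name != "" && $1 == "group" { group = $3 }
    name != "" && $1 == "mode"  { mode = $3 }
    name != "" && $1 == "}" {
        other = substr(mode, length(mode), 1)   # last octal digit = "other" bits
        verdict = (other ~ /[2367]/) ? "WORLD-ACCESS" : "restricted"
        printf "%s %s:%s %s %s\n", name, user, group, mode, verdict
        name = ""
    }' "$1"
}

# Exit status 0 when no listener is world-accessible, 1 otherwise.
listeners_restricted() {
    ! audit_listeners "$1" | grep -q WORLD-ACCESS
}

audit_listeners "$CONSTRUCTED_CONF"
```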