Fatal: setgid from userdb lookup fails with wrong gid
J. de Meijer
dovecot at filter.demeijer.com
Wed Oct 14 10:11:16 EEST 2020
Hi,
Not sure if this is it, but I used to have the same error when I started
with dovecot.
Aki's response was the following (and solved my problem).
-------------
Hi!
You can't set
service imap {
service_count = 256
}
if you are using multiple system UIDs. See
https://wiki.dovecot.org/Services#imap.2C_pop3.2C_submission.2C_managesieve
*service_count* can be changed from 1 if only a single UID is used for
mail users. This is improves performance, but it's less secure, because
bugs in code may leak email data from another user's earlier connection.
Aki
-----------
Regards,
Jeroen
> Hello all,
>
> I'm quite new as well to Dovecot, just installed it on a FreeBSD system
with Postfix and Rspamd as side apps. Things are running semi-smoothly
for all users but I do have quite a few errors in the logs :
>
> Oct 13 19:43:56 apollo dovecot[24478]:
> imap(user1)<34412><zIeI9ZCxXDmsFhZG>: Fatal: setgid(1030(user1) from
userdb lookup) failed with euid=1022(user4), gid=1022(user4),
> egid=1022(user4): Operation not permitted (This binary should probably
be called with process group set to 1030(user1) instead of 1022(user4))
Oct 13 19:43:59 apollo dovecot[24478]:
> imap(user1)<37376><pPS79ZCx+kasFhZG>: Fatal: setgid(1030(user1) from
userdb lookup) failed with euid=1124(user3), gid=1124(user3),
> egid=1124(user3): Operation not permitted (This binary should probably
be called with process group set to 1030(user1) instead of 1124(user3))
Oct 13 19:46:45 apollo dovecot[24478]:
> imap(user2)<38858><3hOk/5CxVO1dBDTq>: Fatal: setgid(1136(user2) from
userdb lookup) failed with euid=1038(user5), gid=1038(user5),
> egid=1038(user5): Operation not permitted (This binary should probably
be called with process group set to 1136(user2) instead of 1038(user5))
Oct 13 19:48:55 apollo dovecot[24478]:
> imap(user3)<40607><jQtWB5GxHuwKAkQ2>: Fatal: setgid(1124(user3) from
userdb lookup) failed with euid=1022(user4), gid=1022(user4),
> egid=1022(user4): Operation not permitted (This binary should probably
be called with process group set to 1124(user3) instead of 1022(user4))
>
> There seems to be confusion. The logs are trying to be helpful but I
can't quite process it. Could someone point me in the right direction ?
>
> system is used by about 60 users.
>
> Thanks,
>
> j.
>
> --
>
> doveconf -n
> # 2.3.11.3 (502c39af9): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.11 (d71e0372)
> # OS: FreeBSD 12.1-RELEASE-p10 amd64
> # Hostname: apollo.domain1.tld
> auth_mechanisms = plain login cram-md5
> auth_username_format = %Ln
> mail_location = maildir:~/Maildir
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
extracttext imapsieve vnd.dovecot.imapsieve
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> type = private
> }
> passdb {
> args = scheme=cram-md5 /usr/local/etc/dovecot/cram-md5.pwd
> driver = passwd-file
> }
> plugin {
> imapsieve_mailbox1_before =
> file:/var/vmail/sieve/global/learn-spam.sieve
> imapsieve_mailbox1_causes = COPY
> imapsieve_mailbox1_name = Spam
> imapsieve_mailbox2_before =
> file:/var/vmail/sieve/global/learn-ham.sieve
> imapsieve_mailbox2_causes = COPY
> imapsieve_mailbox2_from = Spam
> imapsieve_mailbox2_name = *
> quota = maildir:User quota
> quota_exceeded_message = Benutzer %u hat das Speichervolumen
> überschritten. / User %u has exhausted allowed storage space.
> sieve = file:~/sieve;active=~/.dovecot.sieve
> sieve_before = /var/vmail/sieve/global/spam-global.sieve
> sieve_global_extensions = +vnd.dovecot.pipe
> sieve_pipe_bin_dir = /usr/local/bin
> sieve_plugins = sieve_imapsieve sieve_extprograms
> }
> postmaster_address = postmaster at apollo.domain1.tld
> protocols = imap lmtp sieve
> service auth {
> client_limit = 3000
> unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0666
> user = postfix
> }
> }
> service imap-login {
> service_count = 0
> }
> service imap {
> process_min_avail = 4
> service_count = 512
> vsz_limit = 1 G
> }
> service lmtp {
> unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
> }
> vsz_limit = 1 G
> }
> ssl_cert =
> </usr/local/etc/letsencrypt/live/apollo.domain1.tld/fullchain.pem
ssl_cipher_list =
> EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_prefer_server_ciphers = yes
> syslog_facility = local5
> userdb {
> driver = passwd
> }
> protocol lda {
> mail_plugins = sieve
> }
> protocol lmtp {
> mail_plugins = quota sieve
> postmaster_address = postmaster at domain1.tld
> }
> protocol imap {
> mail_max_userip_connections = 100
> mail_plugins = " quota imap_quota imap_sieve"
> }
> local_name imap.domain2.tld {
> ssl_cert =
> </usr/local/etc/letsencrypt/live/mail.domain2.tld/fullchain.pem
> ssl_key = # hidden, use -P to show it
> }
> local_name mail.domain2.tld {
> ssl_cert =
> </usr/local/etc/letsencrypt/live/mail.domain2.tld/fullchain.pem
> ssl_key = # hidden, use -P to show it
> }
>
More information about the dovecot
mailing list