Well, I don't know about yuuuge security risk (not saying there
isn't any...), but if this concerns you, you can also use LTMP
instead, which is probably a better solution here.
Aki
yeah, the only problem about that is it's a yuuuge security risk :), and also, postfix simply won't let me:
Jul 31 02:20:37 rhyno postfix/pipe[29532]: fatal: user= command-line attribute specifies root privileges
so it's entirely possible i'm knocking on the wrong door, and instead i should be asking this in the postfix mailing list.
however, i'm also worried about this: "to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } }", as i have done what it says, and the check wasn't bypassed so i'm wary about something bad coming up once i somehow fix this initial UID problem.
thanks,
a
2018. 07. 31. 7:12 keltezéssel, Aki Tuomi írta:
You could run dovecot-lda as root. It will setuid to correct account.
---Aki TuomiDovecot oy
hi,-------- Original message --------From: Andras Kemeny <pdx@pdx.hu>Date: 31/07/2018 04:46 (GMT+02:00)Subject: uid problem
contacting this mailing list is my last-ditch effort to somehow come to
a working configuration where postfix "ends in" dovecot, IE for special
LDAP-based users, featured in the virtual mailbox delivery, dovecot
would act as LDA.
here's the deal.
i've set up dovecot's access to the LDAP server, and for the purposes of
being an IMAP server and a SASL auth backend, dovecot works brilliantly
and without a glitch. i can access my test mailbox (in maildir format),
i can use the LDA as root and it delivers the message correctly (after a
switch to the target user's UID), and even postfix's submission works
with dovecot as its SASL backend.
what does not work is dovecot as LDA from postfix.
i'm getting these errors in the log:
Jul 31 03:40:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER
lookup failed
Jul 31 03:40:40 rhyno dovecot: auth: Error: userdb(aik): client doesn't
have lookup permissions for this user: userdb uid (10001) doesn't match
peer uid (5000) (to bypass this check, set: service auth { unix_listener
/var/run/dovecot/auth-userdb { mode=0777 } })
Jul 31 03:40:40 rhyno dovecot: lda: Fatal: Internal error occurred.
Refer to server log for more information.
for the sake of clarity, i've tried the "to bypass this check"
instructions, didn't help.
also, for the sake of operational clarity, "aik" is the LDAP account
with the following parameters:
dn: uid=aik,ou=People,dc=rhyno,dc=tech
objectClass: account
objectClass: posixAccount
objectClass: postfixUser
cn: aik
uid: aik
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/aik
loginShell: /bin/sh
gecos: aik
description: User account
structuralObjectClass: account
entryUUID: db947584-0369-1038-98b3-675e2f0cea17
creatorsName: cn=admin,dc=rhyno,dc=tech
createTimestamp: 20180613152616Z
email: ***********
userPassword:: *************************
mailacceptinggeneralid: andras.kemeny
mailacceptinggeneralid: kemeny.andras
mailacceptinggeneralid: aik
mailacceptinggeneralid: pdx
mailacceptinggeneralid: @rhyno.tech
mailacceptinggeneralid: @rhynotechnologies.com
maildrop: aik
and postfix's master.cf says:
dovecot unix - n n - - pipe
flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f
${sender} -d ${user}
so i'm stuck at this point. obviously, if the LDA is spawned with
vmail:vmail perms, it cannot become uid 10001 (btw, the LDAP and passwd
accounts were once connected, but for security reasons, the connection
has been severed -- still the /home/aik/mail dir is owned by uid 10001 etc).
what am i doint wrong?
thanks,
a