Thanks for the links: those were what I followed when I set things up.
The dovecot user is the $default_internal_user.
hermes conf.d # dovecot -n
# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.4.2-hardened-r1-bordernet x86_64 Gentoo Base System release 2.1 ext4
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@&
auth_verbose_passwords = plain
disable_plaintext_auth = no
login_greeting = Awaiting command...
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_plugins = " quota"
mail_privileged_group = 100
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  expire = Trash 7
  expire2 = Trash/* 7
  expire3 = Spam 7
  quota = maildir:User quota
  quota_rule = *:storage=200M
  quota_warning = storage=95%% quota-warning 95 %n %d
  quota_warning2 = storage=80%% quota-warning 80 %n %d
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /home/vmail/dovecot/sieve
  sieve_global_path = /home/vmail/dovecot/sieve/default.sieve
}
protocols = imap pop3 sieve
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = $default_internal_user
}
service quota-warning {
  executable = script /etc/dovecot/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_cert =
hermes conf.d # stat /usr/libexec/dovecot/deliver
  File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
  Size: 11          Blocks: 0          IO Block: 4096   symbolic link
Device: 805h/2053d  Inode: 267375      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2012-11-24 17:44:04.440976879 +0000
Modify: 2012-11-24 17:44:04.440976879 +0000
Change: 2012-11-24 17:44:04.440976879 +0000
 Birth: -

hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
  File: '/usr/libexec/dovecot/dovecot-lda'
  Size: 22432       Blocks: 48         IO Block: 4096   regular file
Device: 805h/2053d  Inode: 849010      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2012-11-24 17:43:57.124794021 +0000
Modify: 2012-11-24 17:44:02.204920992 +0000
Change: 2012-11-24 17:44:04.444976978 +0000
 Birth: -
Thanks in advance for your help.
Chris
On Sat, March 2, 2013 11:15 am, Daniel Parthey wrote:
Chris Richards wrote:
I've got a dovecot server running version 2.0.19 on Gentoo Hardened. I have Postfix as my MTA, and it is calling the Dovecot LDA to deliver the mail. Everything is working great, mail is being delivered, and the users are happy.
However, I am noticing that I have random entries like this:
Mar 1 20:19:23 hermes dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=97(dovecot) egid=97(dovecot) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
Mar 1 20:19:23 hermes dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
In Postfix master.cf, I have the following:

dovecot unix - n n - - pipe flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
Permissions on the socket are:

srw------- 1 vmail vmail 0 Feb 24 23:43 auth-userdb
Judging from the log, my problem is that the LDA appears to be trying to access the socket as the dovecot user (rather than the vmail user), but my question is why? What logging can I use to tell me if postfix is calling with the wrong permissions or if the lda is somehow getting confused?
Have a look at
http://wiki2.dovecot.org/LDA
http://wiki2.dovecot.org/LDA/Postfix
Maybe there you will find some helpful hints.
Is /usr/libexec/dovecot/deliver or /usr/libexec/dovecot/dovecot-lda somehow setuid or setgid and owner/group dovecot? Where do the effective user euid=97(dovecot) and effective group egid=97(dovecot) come from; is it somewhere in your dovecot config?
Please show full output of
# doveconf -n
# stat /usr/libexec/dovecot/deliver
# stat /usr/libexec/dovecot/dovecot-lda
Regards,
Daniel
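The checks Daniel asks for (does the euid in the LDA error match the user= field Postfix runs the transport as, and could that identity open the auth-userdb socket at all given its owner, group and mode) can be scripted so the comparison is mechanical rather than read off by eye. The POSIX sh below is an added example written for this thread; it is not code from the thread, from Dovecot or from Postfix. The function names and the decision rules are the example's own assumptions: it considers only the owner, primary-group and other permission bits of the socket (supplementary groups and ACLs are ignored, root always passes), and it requires both read and write on the socket because Dovecot's error line reports the missing +r while connect() on a Unix socket needs write. The log line and master.cf line it parses are constructed copies shaped like the ones quoted above.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the mailing-list thread. It extracts the
# euid/egid the Dovecot LDA reports in its "userdb lookup ... Permission denied"
# error, compares the euid with the user Postfix was told to run the transport
# as (user= field of the master.cf pipe line), and checks whether that identity
# can open the auth-userdb socket from the socket's owner/group/mode.
# Function names and decision rules are this example's own assumptions.

# Constructed samples, shaped like the lines quoted in the thread.
SAMPLE_LOG='Mar 1 20:19:23 hermes dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=97(dovecot) egid=97(dovecot) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)'
SAMPLE_MASTER='dovecot unix - n n - - pipe flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}'

# Name inside "euid=NN(name)" of an LDA error line; prints nothing if absent.
lda_euid_name() {
    printf '%s\n' "$1" | sed -n 's/.*euid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Name inside "egid=NN(name)" of an LDA error line; prints nothing if absent.
lda_egid_name() {
    printf '%s\n' "$1" | sed -n 's/.*egid=[0-9]*(\([^)]*\)).*/\1/p'
}

# User part of the "user=USER[:GROUP]" field on a master.cf pipe line.
master_cf_user() {
    printf '%s\n' "$1" | sed -n 's/.*user=\([^: ]*\).*/\1/p'
}

# socket_access OWNER GROUP MODE USER USERGROUP
# Prints "ok" when USER (primary group USERGROUP) has read and write permission
# on a socket owned OWNER:GROUP with octal MODE, otherwise "denied".
# Assumption: only owner/group/other bits are considered; root always passes.
socket_access() {
    owner=$1; group=$2; mode=$3; user=$4; ugroup=$5
    [ "$user" = root ] && { echo ok; return 0; }
    [ ${#mode} -eq 4 ] && mode=${mode#?}      # drop the leading setuid/sticky digit
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    if [ "$user" = "$owner" ]; then d=$u
    elif [ "$ugroup" = "$group" ]; then d=$g
    else d=$o
    fi
    case $d in 6|7) echo ok ;; *) echo denied ;; esac   # 6 = rw-, 7 = rwx
}

# diagnose LOGLINE MASTERCF_LINE SOCKET_OWNER SOCKET_GROUP SOCKET_MODE
# Prints one token describing where the problem lies.
diagnose() {
    euid=$(lda_euid_name "$1"); egid=$(lda_egid_name "$1")
    want=$(master_cf_user "$2")
    if [ -z "$euid" ]; then
        echo "no-euid-in-log"
    elif [ "$euid" != "$want" ]; then
        # The LDA did not run as the master.cf user: the thing to inspect is
        # whoever execs it (setuid/setgid bits, a different caller), not the socket.
        echo "euid-mismatch:$euid!=$want"
    else
        echo "socket:$(socket_access "$3" "$4" "$5" "$euid" "$egid")"
    fi
}

# Stand-alone run over the constructed samples and the socket listing from the thread.
diagnose "$SAMPLE_LOG" "$SAMPLE_MASTER" vmail vmail 0600
```

Run as-is it prints euid-mismatch:dovecot!=vmail for the thread's data, which is the distinction that matters here: the socket's 0600 vmail:vmail permissions are consistent with the master.cf user, so the socket is not the thing to loosen; the question is why the process arrived at the socket as dovecot rather than vmail. Only once euid and the configured user agree does the script go on to judge the socket mode.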