Rolf wrote:
On 2012-06-25 23:59, Daniel Parthey wrote:
Hi Rolf,
Rolf wrote:
Jun 25 20:22:54 rolf14 dovecot: lda(rolf): Error: setegid(privileged) failed: Operation not permitted
Doesn't lda(rolf) mean it is being executed under user "rolf", not root or dovecot?
How exactly do you invoke lda from your /etc/postfix/master.cf?
You might also try to use LMTP via TCP to deliver mails from postfix to dovecot to work around any permission problems.
I have installed dovecot and dovecot-sieve via Debian's aptitude.
You don't seem to be the only one with these problems, see Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626130
As far as I understand the "ps -f ax" output (see below) dovecot runs with root privileges and postfix runs with its own user privileges.
root 20998 1 0 Jun25 ? Ss 0:03 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
Well, the master process often runs as root, but child processes like lda may be configured to run as an unprivileged user, or even as the user who owns the mailbox.
The mbox files below /var/mail are owned by their respective users and have "mail" as their group, both can write, world can do nothing. I added every related system user to the mail group, also restarted postfix and dovecot.
root@rolf14:/var/mail# more /etc/group | grep mail:
mail:x:8:amavis,dovecot,clamav,postfix
User "rolf" is not a member of group "mail", but I don't think he needs to be, otherwise he would be able to read the mails of all users on the system and this would be a security risk.
As I understand it, postfix activates the lda "deliver" as user "postfix". Therefore it should be able to write to the mboxes at /var/mail. If needed dovecot can write there as well.
The lda should rather switch to the owner of the respective INBOX, e.g. /var/mail/rolf. The log message "lda(rolf)" looks like this is what happens.
To summarize, I think LMTP will be the easiest way to fix the permission problems. Otherwise you would need to work out how to prevent dovecot lda from switching to the additional group "mail", since unprivileged user "rolf" is not allowed to do that.
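As an added example (not part of this thread, and not the Debian package's default configuration), here is the LMTP setup the reply recommends, in Dovecot 2.x and Postfix syntax. Socket path, listener address and port are assumptions chosen for a Debian layout where Postfix runs chrooted under /var/spool/postfix; adjust them to the local installation.

```conf
# --- Dovecot side, e.g. /etc/dovecot/conf.d/10-master.conf (Dovecot 2.x) ---
# Enable the LMTP protocol in addition to whatever is already configured.
protocols = $protocols lmtp

service lmtp {
  # Preferred: a UNIX socket inside Postfix's chroot. mode 0600 plus
  # user/group postfix means only the Postfix delivery agent can connect.
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }

  # Alternative from the thread: LMTP over TCP, bound to loopback only so the
  # listener is not reachable from other hosts (port 24 is an assumption).
  # inet_listener lmtp {
  #   address = 127.0.0.1
  #   port = 24
  # }
}

# --- Postfix side, /etc/postfix/main.cf ---
# Hand local mailbox delivery to Dovecot's LMTP service instead of invoking
# dovecot-lda from master.cf. Use exactly one of the two transports.
mailbox_transport = lmtp:unix:private/dovecot-lmtp
# mailbox_transport = lmtp:inet:127.0.0.1:24
```

With this layout the delivery process is spawned by the Dovecot master (which runs as root, as the ps output shows), so Dovecot itself performs the switch to the mailbox owner and the privileged mail group; nothing is started by Postfix as an unprivileged user that would then have to call setegid(). After reloading both daemons, a test message to a local user should show an "lmtp(...)" rather than an "lda(...)" line in the log, and the absence of the setegid error confirms the permission problem is gone.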