-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 1 Jan 2013, Torpey List wrote:
Dovecot-lda – I have had issues getting it configured.
What issues? If you were trying to get the LDA to deliver to /var/mail, it's possible you were running into permissions problems. The best solution is to deliver into the mdbox instead, or just leave Sendmail to deliver to /var/mail.
Sendmail changes FEATURE(
local_procmail',/usr/libexec/dovecot/dovecot-lda',/usr/libexec/dovecot/dovecot-lda -d $u') MODIFY_MAILER_FLAGS(LOCAL', `-f') MAILER(procmail)dnl
I do use:
FEATURE(local_procmail', /etc/mail/smrsh/dovecot-deliver',
`/etc/mail/smrsh/dovecot-deliver -f $g -d $u -m $h')dnl
Note, you need a symlink in your "smrsh"-directory anyway.
The option that has gone the furthest is *Making dovecot-lda setuid-root*.
I don't use a setuid-root LDA.
However, I have errors. Here are the permissions.
-rwxr-xr-x. 1 root secmail 26512 Aug 18 2011 /usr/libexec/dovecot/dovecot-lda
Your LDA is not setuid-root ;-)
srw-------. 1 mail root 0 Jan 1 08:39 /var/run/dovecot/auth-userdb
Do you need to protect /var/run/dovecot/auth-userdb that tight? I mean, is this server used by users via ssh or something? Otherwise make the Unix permission of that socket so, that any system user can read from it (aka 0666). Maybe, put all mail users into the same group and use 0660. Change group of auth-userdb to mail ... .
Errors..... ==> /var/log/maillog <== Jan 1 08:24:02 nala sendmail[20154]: r01EO2qc020154: from=user@yahoo.com, size=5723, class=0, nrcpts=1, msgid=1357050226.83142.YahooMailNeo@web120205.mail.ne1.yahoo.com, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.168.1.152] Jan 01 08:24:02 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=0(root) egid=0(root) missing +r perm: /var/run/dovecot/auth-userdb, euid is dir owner) Jan 01 08:24:02 lda: Fatal: Internal error occurred. Refer to server log for more information.
That error seems to indicate a Dovecot permission check failure, but IMHO root is allowed to connect always. You could try to chmod +x /var/run/dovecot/auth-userdb, the x-perm disables the check of Dovecot.
Jan 1 08:24:02 nala sendmail[20155]: r01EO2qc020154: to=user@example.com, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=35889, dsn=4.0.0, stat=Deferred: local mailer (/usr/libexec/dovecot/dovecot-lda) exited with EX_TEMPFAIL
==> /var/log/messages <== Jan 1 08:24:02 nala kernel: type=1400 audit(1357050242.947:42): avc: denied { dac_override } for pid=20156 comm="dovecot-lda" capability=1 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability Jan 1 08:24:02 nala kernel: type=1400 audit(1357050242.947:43): avc: denied { dac_override } for pid=20156 comm="dovecot-lda" capability=1 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability Jan 1 08:24:02 nala kernel: type=1400 audit(1357050242.947:44): avc: denied { dac_read_search } for pid=20156 comm="dovecot-lda" capability=2 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
This is a AppArmor / SELinux entry?? Did you configured your policy? Security policies would overrule Unix and Dovecot permission checks.
So, the error appears to be related to /var/run/dovecot/auth-userdb. I have made various permission and owner changes; however, restarting dovecot always returns it to the permissions above. So, even if I find a combination that works, dovecot is going to put it back.
You can change the default permission and ownership in the config file.
Regards,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUOUtBmoxLS8a3A9mAQKpMwgAsZ1UmJAMcmjWul1fx8MsMZk4TEHeOT8E Ns7HaVnizwooYiDy1bY2jGrhG8xegCXzC7fpWqCXloji7qmVoe5prqLhZsTIpusc wpXf9VAnQ38Fbm4hRj+75zPBIxUYBO7/ulIZsLPkZhRII9WK+QGNNrJnP6ycNcqn +4supaV0AR3KC8uLntfBsrgBWz+2/ZNJu+yZUFpyZpGJHKBkqsaEk7cDnhgHQCzE lhk05MNP+w13QKFb9ZPi9/tv3bhEkBr4R9yA4/xp+Nk7JnrY8ry8Oy2guMXda0a8 Iym6Qgt9XfUFAQ+Urujbu1OlI5KiRIcJV+EyRdM4uVcmAmVZAtI3ow== =K9zr -----END PGP SIGNATURE-----