Daniel,

Just wanted to respond back and let you know that changing permissions to dovecot:dovecot as you suggested seems to have resolved the issue; I've not seen any more occurrences of this error.

Thanks again for your assistance!

On Sun, March 3, 2013 5:13 pm, Daniel Parthey wrote:
Hi Chris,
Chris Richards wrote:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = $default_internal_user
}
In order for dovecot-lda to work, default internal user "dovecot" seems to need permission for the user listing. This should work, but you should try to narrow the permissions down:
service auth {
  unix_listener auth-userdb {
    group = dovecot
    mode = 0666
    user = dovecot
  }
}
Documentation http://wiki2.dovecot.org/LDA says:
The auth-userdb socket can be used to do userdb lookups for given usernames or get a list of all users. Typically the result will contain the user's UID, GID and home directory, but depending on your configuration it may return other information as well. So the information is similar to what can be found from eg. /etc/passwd for system users. This means that it's probably not a problem to use mode=0666 for the socket, but you should try to restrict it more just to be safe.
hermes conf.d # stat /usr/libexec/dovecot/deliver
  File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
  Size: 11 Blocks: 0 IO Block: 4096 symbolic link
  Device: 805h/2053d Inode: 267375 Links: 1
  Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
  Access: 2012-11-24 17:44:04.440976879 +0000
  Modify: 2012-11-24 17:44:04.440976879 +0000
  Change: 2012-11-24 17:44:04.440976879 +0000
  Birth: -
deliver is a symbolic link to dovecot-lda, so it's basically the same.
hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
  File: '/usr/libexec/dovecot/dovecot-lda'
  Size: 22432 Blocks: 48 IO Block: 4096 regular file
  Device: 805h/2053d Inode: 849010 Links: 1
  Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
  Access: 2012-11-24 17:43:57.124794021 +0000
  Modify: 2012-11-24 17:44:02.204920992 +0000
  Change: 2012-11-24 17:44:04.444976978 +0000
  Birth: -
No setuid/setgid flags set.
In Postfix master.cf, I have the following:
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
I'm wondering why user=vmail:users does not have the desired effect and dovecot-lda uses the effective uid "dovecot" and effective gid "dovecot" to do the user lookups.
Regards Daniel
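
Added example, not part of the original thread and not Dovecot's own tooling: a small Python check that parses service blocks like the ones quoted above and lists every unix_listener whose mode grants access to "other", which is the 0666 case the wiki text suggests restricting. The sample configuration is constructed from the two blocks in the thread, and the 0600 fallback for a listener without a mode line is an assumption.

```python
import re

# Constructed sample: the postfix auth listener from the original config plus
# the auth-userdb listener as suggested in the reply (dovecot:dovecot, 0666).
SAMPLE_CONF = """
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = dovecot
    mode = 0666
    user = dovecot
  }
  user = $default_internal_user
}
"""

def parse_listeners(conf):
    """Return {listener_name: {key: value}} for every unix_listener block."""
    listeners, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        m = re.match(r"unix_listener\s+(\S+)\s*\{$", line)
        if m:
            current = listeners.setdefault(m.group(1), {})
        elif line == "}":
            current = None   # closes the listener or the enclosing service
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return listeners

def world_accessible(conf):
    """List (name, mode) for listeners whose mode lets 'other' read or write."""
    flagged = []
    for name, settings in parse_listeners(conf).items():
        # Assumption: a listener with no explicit mode is treated as 0600.
        mode = int(settings.get("mode", "0600"), 8)
        if mode & 0o006:
            flagged.append((name, oct(mode)))
    return flagged

if __name__ == "__main__":
    for name, mode in world_accessible(SAMPLE_CONF):
        print(f"{name}: mode {mode} is open to every local user")
```

The check reads only the mode setting; whether a local user can actually reach a socket also depends on the permissions of the directory that holds it.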