I was going to experiment with ACLs when I ran into a small problem.
Simply enabling the acl plugin is sufficient to get the
behavior described hereafter.
When launching dovecot from the command line, one gets:
sh-3.2# /usr/local/dovecot/sbin/dovecot -F
ILoading modules from directory: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
IModule loaded: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap/lib01_acl_plugin.so
IEffective uid=65534, gid=65534, home=/tmp
Iacl: No acl setting - ACLs are disabled
^C
In fact, a "dummy" imap process is run so as to fetch the capability
(see master-settings.c); that process is run with a hardcoded uid/gid
65534.
But this appears to be problematic when dovecot is started from
launchd; clearly, launchd doesn't like arbitrary users, as can be
seen from system.log:
org.dovecot[28382]: ^AILoading modules from directory: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
org.dovecot[28382]: ^AIModule loaded: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap/lib01_acl_plugin.so
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): getpwuid("65534") failed
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): PID 28383 "imap" has no account to back it! Real/effective/saved UIDs: 65534/65534/65534
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): Exited with exit code: 1
com.apple.launchd[1] (com.apple.launchd.peruser.65534): Throttling respawn: Will start in 10 seconds
com.apple.launchd[1] (org.dovecot[28382]): Stray process with PGID equal to this dead job: PID 28383 PPID 1 imap
com.apple.launchd[1] (org.dovecot[28382]): Exited abnormally: Alarm clock
com.apple.launchd[1] (org.dovecot): Throttling respawn: Will start in 5 seconds
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28386]): getpwuid("65534") failed
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28386]): Exited with exit code: 1
com.apple.launchd[1] (com.apple.launchd.peruser.65534): Throttling respawn: Will start in 10 seconds
... and so on ...
A workaround is to create the corresponding system user and group;
launchd then doesn't complain anymore and everything seems to be
working fine.
But I feel somewhat uncomfortable with that...
Wouldn't it be possible, for example, to consider using a system user
such as "nobody" (unless I'm wrong, it should be defined on any unix
flavor)?
TIA, Axel
sh-3.2# /usr/local/dovecot/sbin/dovecot -n
# 1.2.rc6: /usr/local/etc/dovecot.conf
# OS: Darwin 9.7.0 i386
protocols: pop3 imap
ssl: no
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/dovecot-1.2.rc6/libexec/dovecot/imap-login
login_executable(imap): /usr/local/dovecot-1.2.rc6/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/dovecot-1.2.rc6/libexec/dovecot/pop3-login
first_valid_uid: 2001
last_valid_uid: 65533
mail_location: mbox:~/_mailboxes:INBOX=~/_mailboxes/inbox
mail_debug: yes
mbox_read_locks: flock
mbox_write_locks: flock dotlock
mail_executable(default): /usr/local/dovecot-1.2.rc6/libexec/dovecot/imap
mail_executable(imap): /usr/local/dovecot-1.2.rc6/libexec/dovecot/imap
mail_executable(pop3): /usr/local/dovecot-1.2.rc6/libexec/dovecot/pop3
mail_plugins(default): acl
mail_plugins(imap): acl
mail_plugins(pop3):
mail_plugin_dir(default): /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/dovecot-1.2.rc6/lib/dovecot/pop3
pop3_lock_session(default): no
pop3_lock_session(imap): no
pop3_lock_session(pop3): yes
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): %08Xv%08Xu
auth default:
  debug: yes
  passdb:
    driver: pam
    args: *
  userdb:
    driver: passwd
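The failure mode described in the post (a helper process dropping to a numeric uid that has no passwd entry, which launchd then refuses to run) is easy to spot in system.log once you know the two messages to look for. The script below is an added example, not part of the original post or of Dovecot; it parses constructed log lines modelled on the ones quoted above, extracts the uid triple from each "has no account to back it" event, and checks each uid against the local passwd database with `pwd.getpwuid`. The `lookup` parameter is an assumption of this example so the check can be run against a fake account table; everything else uses only the Python standard library.

```python
import pwd
import re
from typing import Callable, Dict, List

# Constructed sample log, modelled on the launchd/dovecot lines quoted in the post.
SAMPLE_LOG = """\
org.dovecot[28382]: ^AILoading modules from directory: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): getpwuid("65534") failed
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): PID 28383 "imap" has no account to back it! Real/effective/saved UIDs: 65534/65534/65534
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): Exited with exit code: 1
com.apple.launchd[1] (org.dovecot[28382]): Exited abnormally: Alarm clock
"""

# launchd's complaint about a process whose uid has no account behind it.
NO_ACCOUNT_RE = re.compile(
    r'PID (?P<pid>\d+) "(?P<proc>[^"]+)" has no account to back it! '
    r'Real/effective/saved UIDs: (?P<ruid>\d+)/(?P<euid>\d+)/(?P<suid>\d+)'
)
# The preceding lookup failure, which names the uid that could not be resolved.
GETPWUID_RE = re.compile(r'getpwuid\("(?P<uid>\d+)"\) failed')


def parse_unbacked_uids(log_text: str) -> List[Dict[str, object]]:
    """One record per 'no account to back it' event: pid, process name, (ruid, euid, suid)."""
    events = []
    for line in log_text.splitlines():
        m = NO_ACCOUNT_RE.search(line)
        if m:
            events.append({
                "pid": int(m.group("pid")),
                "process": m.group("proc"),
                "uids": tuple(int(m.group(k)) for k in ("ruid", "euid", "suid")),
            })
    return events


def parse_failed_lookups(log_text: str) -> List[int]:
    """Every uid that launchd reported a failed getpwuid() for, in log order."""
    uids = []
    for line in log_text.splitlines():
        m = GETPWUID_RE.search(line)
        if m:
            uids.append(int(m.group("uid")))
    return uids


def has_account(uid: int) -> bool:
    """True if the local passwd database (pwd module) knows this uid."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def audit(log_text: str, lookup: Callable[[int], bool] = has_account) -> List[str]:
    """List the uids from the log that still lack a passwd entry according to `lookup`.

    `lookup` defaults to the real passwd database; pass a fake to test or to
    evaluate a log captured on another host.
    """
    findings = []
    for ev in parse_unbacked_uids(log_text):
        for uid in sorted(set(ev["uids"])):
            if not lookup(uid):
                findings.append(
                    f'uid {uid} (process "{ev["process"]}", pid {ev["pid"]}): no passwd entry'
                )
    return findings


if __name__ == "__main__":
    # Constructed account table: the host has every uid except 65534.
    fake_passwd = lambda uid: uid != 65534
    print("failed lookups:", parse_failed_lookups(SAMPLE_LOG))
    for finding in audit(SAMPLE_LOG, lookup=fake_passwd):
        print(finding)
```

Run against the real system.log with the default `lookup`, an empty result after the workaround (creating the system user and group) confirms that the uid the helper drops to is now backed by an account, while a non-empty result points at the exact uid and process to look at.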