Back in late March I asked what ownership and permissions Dovecot's own directories and files should have; I have an obsessive nature, and wanted to get things right :(.. On April Fool's Day :), Timo responded:
Dovecot opens pretty much all the configuration etc. files as root before dropping the privileges. So in general they could all be 0600 owned by root.
In my typical turtle-crawl fashion, I got around to it today, but the ownership/perms came out somewhat differently, which I put down here for anyone that wants to know.........
I set everything under /var/run/dovecot to 600, owned by root:dovecot
4242 root@mercury:/var/run/dovecot ## ls -alR
total 24
drw------- 3 root dovecot 512 Mar 06 15:27 ./
drwxr-xr-x 3 root system 512 Apr 18 2006 ../
drw------- 2 root dovecot 512 May 09 10:37 login/

./login:
total 24
drw------- 2 root dovecot 512 May 09 10:37 ./
drw------- 3 root dovecot 512 Mar 06 15:27 ../
srw------- 1 root dovecot 0 May 09 10:37 default=
-rw------- 1 root dovecot 230 May 09 10:36 ssl-parameters.dat
And restarted dovecot
4243 root@mercury:/var/run/dovecot ## dovecot
but apparently /var/run/dovecot/login should be 750, but DC dealt with that automagically
Warning: Corrected permissions for login directory /var/run/dovecot/login
4244 root@mercury:/var/run/dovecot ## ls -alR
total 24
drw------- 3 root dovecot 512 Mar 06 15:27 ./
drwxr-xr-x 3 root system 512 Apr 18 2006 ../
drwxr-x--- 2 root dovecot 512 May 10 12:47 login/

./login:
total 24
drwxr-x--- 2 root dovecot 512 May 10 12:47 ./
drw------- 3 root dovecot 512 Mar 06 15:27 ../
srwxrwxrwx 1 root dovecot 0 May 10 12:47 default=
-rw------- 1 root dovecot 230 May 09 10:36 ssl-parameters.dat
...but then got in the syslog
May 10 12:49:51 mercury mail:err|error dovecot: imap-login: Can't open SSL parameter file ssl-parameters.dat: Permission denied
May 10 12:49:51 mercury mail:err|error dovecot: child 1380384 (login) returned error 89
So I made it 640 which seems to do.
4246 root@mercury:/var/run/dovecot ## chmod 640 login/ssl-parameters.dat
4247 root@mercury:/var/run/dovecot ## ls -alR login
total 24
drwxr-x--- 2 root dovecot 512 May 10 12:47 ./
drw------- 3 root dovecot 512 Mar 06 15:27 ../
srwxrwxrwx 1 root dovecot 0 May 10 12:47 default=
-rw-r----- 1 root dovecot 230 May 09 10:36 ssl-parameters.dat
So it seems this will do (for others who obsess over things small):
a) /var/run/dovecot can be 600, root:dovecot
b) /var/run/dovecot/login should be 750, root:dovecot
c) /var/run/dovecot/login/ssl-parameters.dat might be 640, root:dovecot
--
Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York 12504
sdean@bard.edu voice: 845-758-7475, fax: 845-758-7035
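
An added example, not part of the original post or of Dovecot: a Python check of the three paths against the modes in the summary above, reporting whether each is looser or stricter than listed. The function and parameter names (audit, id_name, EXPECTED) are assumptions made for this example.

```python
import grp
import os
import pwd
import stat

# Modes from the post's closing summary (a, b, c), relative to the base directory.
EXPECTED = {
    ".": 0o600,
    "login": 0o750,
    "login/ssl-parameters.dat": 0o640,
}

def id_name(lookup, ident):
    """Resolve a uid/gid to a name; fall back to the number if it has no entry."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit(base="/var/run/dovecot", owner="root", group="dovecot", expected=EXPECTED):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    for rel, want in expected.items():
        path = os.path.normpath(os.path.join(base, rel))
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
        except OSError as exc:
            findings.append(f"{path}: cannot stat ({exc.strerror})")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink")
            continue
        mode = stat.S_IMODE(st.st_mode)
        extra, missing = mode & ~want, want & ~mode
        if extra:
            findings.append(f"{path}: mode {mode:03o} is looser than {want:03o}")
        if missing:
            # The case behind the "Permission denied" syslog line in the post.
            findings.append(f"{path}: mode {mode:03o} is stricter than {want:03o}")
        have = f"{id_name(pwd.getpwuid, st.st_uid)}:{id_name(grp.getgrgid, st.st_gid)}"
        if have != f"{owner}:{group}":
            findings.append(f"{path}: owned by {have}, expected {owner}:{group}")
    return findings

if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run it as root, since the 600 mode on /var/run/dovecot leaves no search bit for other users to reach the entries below it.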