[Dovecot] LDA/Postfix with quotas and without LMTP
Reading the wiki page for dovecot2 and LDA/Postfix, the system users section (all mail delivery goes to system users) shows you can simply use the Postfix mailbox_command. There is this additional comment:
"This command doesn't do a userdb lookup. If you want that (e.g. for per-user quota lookups) you need to add -d "$USER" parameter."
So, I added that. After adding it, I find I get an error:
dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied
Using mailbox_command in Postfix means that dovecot-lda is running as the system user getting the mail. Which means it can't access the socket file. Of course, one can simply use mode 666 on it, but, then people can use it to find out information according to the doc, which I do not want.
So, I am not sure why the doc says to add -d for per user quotas, without also mentioning the problem with doing that. I don't see how it can work?
Assuming I need per user quotas, and I don't want to use LMTP, is there a good way around this without the security issue?

Steve
On Sun, 2011-10-09 at 11:31 -0700, Steve Fatula wrote:
> dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> Using mailbox_command in Postfix means that dovecot-lda is running as the system user getting the mail. Which means it can't access the socket file. Of course, one can simply use mode 666 on it, but, then people can use it to find out information according to the doc, which I do not want.
> So, I am not sure why the doc says to add -d for per user quotas, without also mentioning the problem with doing that. I don't see how it can work?
> Assuming I need per user quotas, and I don't want to use LMTP, is there a good way around this without the security issue?
The possibilities are:
a) Start dovecot-lda so that the process belongs to an extra group (e.g. dovecot) and make the socket rw for that group. I don't know if Postfix can do this for system users.
b) Use filesystem setgid bit for dovecot-lda
c) Run via sudo
b) and c) are explained in the wiki in the "multiple UIDs" section (although for setuid-root rather than setgid-dovecot).
On Tue, 2011-10-18 at 17:52 +0300, Timo Sirainen wrote:
> On Sun, 2011-10-09 at 11:31 -0700, Steve Fatula wrote:
> > dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> The possibilities are:
> a) Start dovecot-lda so that the process belongs to an extra group (e.g. dovecot) and make the socket rw for that group. I don't know if Postfix can do this for system users.
> b) Use filesystem setgid bit for dovecot-lda
> c) Run via sudo
> b) and c) are explained in the wiki in the "multiple UIDs" section (although for setuid-root rather than setgid-dovecot).
Oh, and
d) With v2.1 this works automatically
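A small POSIX shell audit for the options discussed in this thread, added here as an example (it is not code from the thread or from the Dovecot project): it reports whether the auth-userdb socket has been opened to everyone (the mode 666 shortcut Steve wants to avoid), whether it is instead restricted to one group (option a), whether the dovecot-lda binary is setgid (option b), and whether a Postfix mailbox_command value actually passes -d "$USER". The socket and binary paths are assumed defaults, and GNU stat is assumed.

```shell
#!/bin/sh
# Added audit helpers for the dovecot-lda / auth-userdb permission problem.
# Assumed default paths (distribution-specific, adjust as needed):
SOCKET="${SOCKET:-/var/run/dovecot/auth-userdb}"
LDA="${LDA:-/usr/lib/dovecot/dovecot-lda}"

# Octal permission bits of a path, including setuid/setgid (GNU stat assumed).
mode_of() { stat -c '%a' "$1"; }

# 0 if "other" has read or write on the path: the mode 666 shortcut that lets
# any local user talk to the userdb socket, which is what the thread avoids.
socket_world_accessible() {
    m=$(mode_of "$1")
    [ $(( 0$m & 06 )) -ne 0 ]
}

# 0 if the path belongs to group $2 (name or numeric gid), is rw for that
# group and has no "other" bits: option a), the delivering process then only
# needs membership in that extra group.
socket_group_only() {
    path=$1; grp=$2
    { [ "$(stat -c '%G' "$path")" = "$grp" ] ||
      [ "$(stat -c '%g' "$path")" = "$grp" ]; } || return 1
    m=$(mode_of "$path")
    [ $(( (0$m & 067) == 060 )) -eq 1 ]
}

# 0 if the setgid bit (02000) is set, so dovecot-lda runs with the binary's
# group regardless of the system user Postfix delivers as: option b).
is_setgid() {
    m=$(mode_of "$1")
    [ $(( 0$m & 02000 )) -ne 0 ]
}

# 0 if a Postfix mailbox_command value passes -d "$USER" to dovecot-lda, i.e.
# requests the per-user userdb lookup (quotas) that needs the socket at all.
lda_does_userdb_lookup() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-d[[:space:]]+"?\$USER"?'
}

# Stand-alone run: report on the assumed paths when they exist on this host.
if [ -e "$SOCKET" ]; then
    if socket_world_accessible "$SOCKET"; then
        echo "WARN: $SOCKET is accessible to everyone (mode $(mode_of "$SOCKET"))"
    elif socket_group_only "$SOCKET" dovecot; then
        echo "OK: $SOCKET is restricted to group dovecot"
    fi
fi
if [ -e "$LDA" ] && is_setgid "$LDA"; then
    echo "INFO: $LDA is setgid $(stat -c '%G' "$LDA") (option b)"
fi
```

Run it as-is to check a host, or source it and call the functions against the paths your distribution uses.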