[Dovecot] Postfix & Dovecot LDA
Hi,
before I start to write a lengthy email about something that isn't really possible anyway: can I make Postfix use Dovecot's LDA and start it with different user IDs?
My scenario: Dovecot authenticates users for Postfix and itself using Postgresql. Mails for two domains should be stored under /srv/<domain>/<user> (which is the location returned by my user_sql query and mail_location).
When my clients login (with usernames of the form 'user@domain'), Dovecot creates/opens the correct mailboxes for them, but I can't get LDA to deliver to these mailboxes. Whatever I try, I am always running into some kind of permission problems (either for the mailboxes, or for auth_socket).
I want to use a unique UID for every virtual domain, so I guess LDA needs to have permissions for every corresponding mailbox *and* Dovecot's auth_socket_path. Is there a good solution for this which doesn't involve severe security implications?
J.
If all my friends had Playstations I would buy a Nintendo to prove my individuality. [Agree] [Disagree] http://www.slowlydownward.com/NODATA/data_enter2.html
Hi, I have a setup, which is the same (currently in testing).
The main problem is that LDA has to switch its privileges to the owner of the mail, so it has to be run as root. Marking it suid solves the problem; then you can change it to be executable only by Postfix. Timo says that this is the safe way and I personally believe him :-)
Láďa
-----Original Message-----
From: dovecot-bounces@dovecot.org [mailto:dovecot-bounces@dovecot.org] On Behalf Of Jochen Schulz
Sent: Monday, January 22, 2007 6:01 PM
To: Dovecot Mailing List
Subject: [Dovecot] Postfix & Dovecot LDA
Láďa:
I have a setup, which is the same (currently in testing).
Great!
The main problem is that LDA has to switch its privileges to the owner of the mail, so it has to be run as root. Marking it suid solves the problem; then you can change it to be executable only by Postfix.
I don't quite understand what you mean. Something like this?
-rwsr-x--- 1 root postfix 501K 2006-12-18 19:10 /usr/lib/dovecot/deliver
Timo says that this is the safe way and I personally believe him :-)
If it's not, we'll sue him. :)
BTW, if anybody questions the benefits of different UIDs per domain, I'd be interested to hear it, too.
J.
I am worried that my dreams pale in comparison beside TV docu-soaps. [Agree] [Disagree] http://www.slowlydownward.com/NODATA/data_enter2.html
On Mon, 2007-01-22 at 18:12 +0100, Láďa wrote:
Hi, I have a setup, which is the same (currently in testing).
The main problem is that LDA has to switch its privileges to the owner of the mail, so it has to be run as root. Marking it suid solves the problem; then you can change it to be executable only by Postfix. Timo says that this is the safe way and I personally believe him :-)
I don't remember saying it's completely safe, but it's about the only possibility there is currently. There may be bugs that allow local attackers to get root privileges using the suid-root deliver. To make it safer, you could put the suid-root deliver into a directory that only postfix has access to. Dovecot's whole libexec dir could actually be made that way, as long as you're not using mail_drop_priv_before_exec=yes.
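Timo's hardening suggestion as an added shell check, not code from the thread or from Dovecot: it verifies that a deliver binary and the directory holding it deny the "other" class entirely, so only the uid/gid named in master.cf can reach a suid-root deliver. It assumes GNU coreutils (stat -c) and takes the deliver path as an argument.

```shell
#!/bin/sh
# Added example, not from the thread or Dovecot: audit the on-disk permissions
# of a Dovecot "deliver" binary. A setuid-root deliver is only as safe as the
# set of users who can execute it, so both the binary and its directory must
# have no permission bits for "other"; then only the MTA user can run it.
# Assumes GNU coreutils (stat -c). Only the immediate directory is checked.

# check_deliver_perms PATH -> 0 when hardened, 1 otherwise; findings on stdout
check_deliver_perms() {
    bin=$1
    dir=$(dirname -- "$bin")
    rc=0
    if [ ! -f "$bin" ]; then
        echo "missing: $bin"
        return 1
    fi
    fmode=$(stat -c '%a' -- "$bin")     # e.g. 4750 for a setuid binary
    dmode=$(stat -c '%a' -- "$dir")     # e.g. 750
    owner=$(stat -c '%U:%G' -- "$bin")
    if [ -u "$bin" ]; then              # POSIX test for the setuid bit
        kind="setuid binary"
    else
        kind="binary"
    fi
    # The last octal digit is the "other" class; only a trailing 0 means
    # that users outside the owner and group have no access at all.
    case $fmode in
        *0) ;;
        *)  echo "FAIL: $kind is world-accessible (mode $fmode, $owner): $bin"
            rc=1 ;;
    esac
    case $dmode in
        *0) ;;
        *)  echo "FAIL: directory is world-accessible (mode $dmode): $dir"
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: $kind $bin (mode $fmode, $owner) in $dir (mode $dmode)"
    fi
    return "$rc"
}

# stand-alone use: check_deliver_perms /usr/lib/dovecot/deliver
```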
My apologies, I went back and the correct version is that I asked whether it is not unsafe and you did not reply anything. So I remembered it as "Yes, it's safe".
Btw. the question about benefits interests me too, because I cannot see any now and I am planning to move everything under a single UID.
Láďa
-----Original Message-----
From: Timo Sirainen [mailto:tss@iki.fi]
Sent: Monday, January 22, 2007 8:53 PM
To: Láďa
Cc: 'Jochen Schulz'; 'Dovecot Mailing List'
Subject: Re: [Dovecot] Postfix & Dovecot LDA
On Mon, 2007-01-22 at 21:08 +0100, Láďa wrote:
Btw. the question about benefits interests me too, because I cannot see any now and I am planning to move everything under a single UID.
With a single UID it's only Dovecot that limits what the users can do. With multiple UIDs it's both Dovecot and the kernel that limit what the user can do. I suppose if you trust Dovecot to be perfectly secure and the kernel not-so-secure, then a single UID is just fine ;)
On Mon, 2007-01-22 at 18:00 +0100, Jochen Schulz wrote:
Hi,
before I start to write a lengthy email about something that isn't really possible anyway: can I make Postfix use Dovecot's LDA and start it with different user IDs?
In your master.cf you should have something like this, assuming your postfix setup is correct (main.cf, virtual domains/recipients maps, etc.):
dovecot unix - n n - - pipe flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
The user= part controls under which uid/gid deliver runs. This way you could run deliver as user vmail for all your virtual domains.
I want to use a unique UID for every virtual domain, so I guess LDA needs to have permissions for every corresponding mailbox *and* Dovecot's auth_socket_path. Is there a good solution for this which doesn't involve severe security implications?
You can give vmail access to the auth socket. I haven't tried the one-user-per-virtual-domain setup myself. You could use group rights to give deliver access to all the virtual domains' maildirs while having a different uid for each virtual domain.
ciao
Luca
Hi.
I know this is a pretty old thread, but since I just ran into similar problems while setting up my one-user-per-virtual-domain postfix + multi-instance dovecot/LDA, I thought I might share my "fix" in this related (and most useful) thread.
My setup might not be used often - I am running two dovecot instances (on different IP addresses on the same server, in case you're wondering), with the first instance exporting the auth-master socket. I am using different UID/GIDs for my virtual domains/mailboxes. I couldn't get postfix to setgid accordingly when calling deliver, and I didn't want to use SUID on deliver. The versions I am using are:
dovecot 1.0.13
postfix 2.3.8
My first dovecot instance is using:
auth default {
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
    }
  }
}
The other is using:
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
}
And my postfix's master.cf is:
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
dovecot-other unix - n n - - pipe flags=DRhu user=vmail-other:vmail-other argv=/usr/lib/dovecot/deliver -c /etc/dovecot/other/dovecot.conf -f ${sender} -d ${recipient}
My fix is: I use filesystem ACLs and just set the ACLs of the auth-master socket after starting the first dovecot instance (which creates the socket). I.e. after starting dovecot (and waiting a second...) I run:
setfacl -m u:vmail-other:rw /var/run/dovecot/auth-master
This works only for filesystems with ACL support, of course. I use setfacl with ext2/3; other filesystem ACL tools might differ.
Oh, and thanks for dovecot and this supportive mailing list btw. (even though this is my first post: hi everyone :) )
Greetings,
Jens