...

It seems that sendamil is running the lda, but the lda has problems that are reported by by exiting with tempfail. You should check the logging that is emitted by dovecot-lda to find what the problem is.

Ownership of the binary should not be one of them, I think, but show us logging from dovecot-lda and we can tell you more. 'dovecot -n' output would also help a lot.

Regards, Tom

I've enabled dovecot-lda logging with:

protocol lda { log_path = info_log_path = syslog_facility = mail }

However it's not producing any entries in the mail syslog. I'm wondering if it's not even executing dovecot-lda then. As a test I tried running "/usr/libexec/dovecot/dovecot-lda -d username" directly as root to see what happens, and I got a blank email delivered to "username" OK. So based on this I think lda is OK? I am not seeing any errors logged when sendmail tries to use dovecot-lda though.

Here's what "dovecot -n" shows:

2.2.10: /etc/dovecot/dovecot.conf

OS: Linux 3.10.0-123.9.2.el7.x86_64 x86_64 CentOS Linux release 7.0.1406

(Core) ext4 mail_location = mbox:/mail/home/%u/mail:INBOX=/mail/spool/%u mail_plugins = " quota" mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave mbox_write_locks = fcntl namespace inbox { inbox = yes location = prefix = } passdb { driver = pam } plugin { quota = fs:User quota:user quota_rule = *:storage=1G quota_rule2 = Trash:storage=+100M sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } postmaster_address = postmaster@localhost protocols = imap pop3 sieve service managesieve-login { inet_listener sieve { port = 4190 } } ssl_cert = </etc/pki/tls/certs/mailcert.crt ssl_key = </etc/pki/tls/private/mailcert.key userdb { driver = passwd } protocol lda { info_log_path = log_path = syslog_facility = mail } protocol imap { mail_plugins = " quota imap_quota" }

Thank you very much for any further thoughts on this.

Chris

These errors just started showing up in the mail syslog, FINALLY. Not sure why it took this long.

dovecot: lda(username): Fatal: setresgid(1000(username),1000(username),12(mail)) failed with euid=0(root): Operation not permitted

After turning off SELinux, mail was finally being delivered! So, I adjusted SELinux to allow a few denied errors for dovecot-lda (including filesystem quotas):

audit2allow -m local -l -i /var/log/audit/audit.log > dovecotlda.te

Then, verified the contents of "dovecotlda.te":

module local 1.0; require { type fs_t; type mqueue_spool_t; type dovecot_deliver_t; class capability { setuid setgid }; class file write; class filesystem quotaget; } #============= dovecot_deliver_t ============== allow dovecot_deliver_t fs_t:filesystem quotaget; allow dovecot_deliver_t mqueue_spool_t:file write; allow dovecot_deliver_t self:capability { setuid setgid };

Then create the policy file and activate it:

checkmodule -M -m -o dovecotlda.mod dovecotlda.te semodule_package -o dovecotlda.pp -m dovecotlda.mod semodule -i dovecotlda.pp

Now with SELinux enforcing, I'm getting mail delivered OK.

Also just to confirm, this is the line I'm using in /etc/mail/sendmail.mc:

FEATURE(local_procmail', /usr/libexec/dovecot/dovecot-lda',`/usr/libexec/dovecot/dovecot-lda -d $u')dnl

Thanks again for the help, hopefully this helps others in the future with sendmail.

-- Chris