Re: [Dovecot] deliver can't connect to auth server at */usr/local*/var/run/dovecot/auth-master
Message: 7 Date: Tue, 15 Jan 2008 00:21:02 +0100 From: Andreas Ntaflos <daff@pseudoterminal.org> Subject: [Dovecot] deliver can't connect to auth server at */usr/local*/var/run/dovecot/auth-master To: dovecot@dovecot.org Message-ID: <200801150021.02689.daff@pseudoterminal.org> Content-Type: text/plain; charset="us-ascii"
Hello list,
while fiddling around with the configuration so Dovecot's LDA
"deliver" can be used by multiple users by means of Getmail (you can read about that
in [1]) I always end up running into the error message posted in the subject
line:Jan 15 00:00:02 HOSTNAME deliver(USERID): Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: Permission denied
Notice how it says "/usr/local/var/run/dovecot"! How and why does
dovecot ^^^^^^^^^^ think that anything of any importance can be found under /usr/local/ var/... ? Please see dovecot -n at the end of this message, but as far as I
can tell Imaster: path: /var/run/dovecot/auth-master mode: 432 user: root group: dovecot
Andreas "daff" Ntaflos Vienna, Austria
For the quick answer to your immediate problem / question, try:
cd /path/to/dovecot's/deliver (probably /usr/local/libexec/dovecot/ )
chmod u+s deliver
(enable the setuid bit for the deliver app). Your Getmail app may not
be truly running as root and thus does not really have permission to
do what you want.
you may need to do the same for the group as well
Unix permissions are weird sometimes, like a $100 television tube that
protects a 50 cent fuse by blowing first.
It does look like (from your use of /usr/local/*****) you built
dovecot to run out of /usr/local.
One last thing, as a security idea, try something like
master {
path = /usr/local/var/run/dovecot/auth-master
mode = 0600
user = dovecot_user
group = dovecot_group
}
and set your postfix line that calls deliver to match:
dovecot unix - n n - - pipe flags=DRhu
user=dovecot_user:dovecot_group argv=/usr/local/libexec/dovecot/ deliver -f ${sender} -d ${recipient}
(try to have dovecot run as an unprivileged user as much as you can)
On Tuesday 15 January 2008 03:56:28 Jerry Yeager wrote:
while fiddling around with the configuration so Dovecot's LDA "deliver" can be used by multiple users by means of Getmail (you can read about that in [1]) I always end up running into the error message posted in the subject line:
Jan 15 00:00:02 HOSTNAME deliver(USERID): Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: Permission denied
Notice how it says "/usr/local/var/run/dovecot"! How and why does dovecot ^^^^^^^^^^ think that anything of any importance can be found under /usr/local/ var/... ? Please see dovecot -n at the end of this message, but as far as I can tell I
master: path: /var/run/dovecot/auth-master mode: 432 user: root group: dovecot
For the quick answer to your immediate problem / question, try:
cd /path/to/dovecot's/deliver (probably /usr/local/libexec/dovecot/ )
chmod u+s deliver
(enable the setuid bit for the deliver app). Your Getmail app may not be truly running as root and thus does not really have permission to do what you want.
you may need to do the same for the group as well
Thank you as well for the reply! :)
Chmod'ing deliver really was a step forward in the right direction, although, as I mentioned elsewhere in this thread, I did not quite get the configuration right so a few messages from this and other mailing lists bounced because deliver wasn't called correctly. Still trying to figure that out.
Unix permissions are weird sometimes, like a $100 television tube that protects a 50 cent fuse by blowing first.
Really great analogy :) I never had a problem with understanding Unix permissions, but things seem to get complicated when you try to make different parts of a mail system running smoothly together.
It does look like (from your use of /usr/local/*****) you built dovecot to run out of /usr/local.
No, I really didn't (as far as I can tell). The installation prefix is /usr/local, yes, but Dovecot runs out of /var/run/dovecot. But apparently the auth_socket_path for protocol lda defaults to /usr/local/var/run/dovecot, a parameter I'm still not sure what I need it for.
One last thing, as a security idea, try something like
master { path = /usr/local/var/run/dovecot/auth-master mode = 0600 user = dovecot_user group = dovecot_group }
and set your postfix line that calls deliver to match:
dovecot unix - n n - - pipe flags=DRhu user=dovecot_user:dovecot_group argv=/usr/local/libexec/dovecot/ deliver -f ${sender} -d ${recipient}
Thanks for this suggestion! But that would imply that I have a virtual user setup, wouldn't it? Because I don't, all my users are regular Unix users with shell accounts. That's why my Postfix main.cf contains just
home_mailbox = Maildir/ mailbox_command = /usr/local/libexec/dovecot/deliver
which is also what the LDA/Postfix wiki page says on wiki.dovecot.org. No Dovecot entry in master.cf at all.
And, as also mentioned elsewhere in this thread, until yesterday I didn't even have the master { ... } section uncommented, and no auth-master socket seems to have been configured. But then again I only delivered through Postfix and didn't need to have deliver called by a regular user.
Andreas
Andreas "daff" Ntaflos Vienna, Austria
GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
participants (2)
-
Andreas Ntaflos
-
Jerry Yeager