Permission problem when using sieve script
Hi,
I've been banging my head on this problem for a while now and need some help on this issue. I've set up Dovecot with Sieve scripts, which use bash scripts to either learn ham or learn spam. This is sent to the Rspamd controller (using a Unix socket at /var/run/rspamd/rspamd-controller.sock).
The socket has permissions 660 and is owned by _rspamd:_rspamd. It's directory and parent directory have 755. The sieve script looks like: exec /usr/bin/rspamc -h /var/run/rspamd/rspamd-controller.sock -P 'password' learn_ham
I've added the dovecot user to the _rspamd group, but I consistently get "Permission denied" when marking emails as ham/spam. Only when I make the socket permission 666 it works correctly. Also when the permission is 660 but ownership is _rspamd:dovecot it works as well. I don't want the former as anyone could connect, and the latter can't be set automatically in Rspamd.
I'm pulling my hairs out. I've tried to figure out the user and group that dovecot uses to run the sieve script (creatively by 'exit'ing the bash script with the uid or gid as error code), and they are both 97 (i.e. dovecot uid and gid).
I've tried personally logging in as dovecot using 'sudo -u dovecot bash' and then using 'socat' to connect to the socket. This works fine. But through the dovecot sieve script for some reason it's not working. I've tried disabling SELinux and fapolicyd, but no luck. Is Dovecot using some restricted permissions when running sieve scripts?
# dovecot --version 2.3.16 (7e2e900c1a)
Thank you, Taco
I've fixed this issue and wanted to get back for any else that might stumble upon this.
Using logger -p mail.err "$(id)"
in the sieve bash script I found out that the groups for dovecot:dovecot didn't include all groups as set in /etc/group. Apparently Dovecot doesn't respect the system's group memberships (probably due to security?) and instead requires you to set it explicitly using the mail_access_groups
variable. E.g. this works in accessing /var/run/rspamd/rspamd-controller.sock owned by _rspamd:_rspamd and permissions 660 (the execute bit doesn't do anything for sockets, so it is effectively the same as 770):
conf.d/10-mail.conf
mail_uid = dovecot
mail_gid = dovecot
mail_access_groups = _rspamd
first_valid_uid = 97
participants (1)
-
tacodewolff@gmail.com