dovecot-lda from www-data - doesn't work
I'm trying to deliver email from a webform, but it's not working.
I then tried manually in the console:
WORKS:
sudo -u info /usr/lib/dovecot/dovecot-lda -d info
DOES NOT WORK:
sudo -u www-data /usr/lib/dovecot/dovecot-lda -d info
sudo -u postfix /usr/lib/dovecot/dovecot-lda -d info
sudo -u dovecot /usr/lib/dovecot/dovecot-lda -d info
I need to be able to deliver email from "www-data" to any user on the system (that is a valid dovecot-lda mail user).
It seems a security setting blocks it. I have already set authdb to 0777 in dovecot settings (because otherwise it gives an error about lookup rights), and also enabled stats-writer and stats-reader with 0666.
So there are no more error messages in the log, but the above commands that do NOT work terminate immediately, while the working command waits for email on STDIN. No error messages in either the log or on STDOUT/STDERR.
What can be the problem?
"Sebastian" == Sebastian Nielsen via dovecot <dovecot@dovecot.org> writes:
I'm trying to deliver email from a webform, but it's not working.
Why are you not feeding the email to Postfix on the host, and then having Postfix do all the lookups for valid users, etc.? Then Postfix will deliver to Dovecot.
I need to be able to deliver email from "www-data" to any user on the system (that is a valid dovecot-lda mail user).
Yeah, don't do it like this, go through a proper MTA instead which handles all this for you.
It seems a security setting blocks it. I have already set authdb to 0777 in dovecot settings (because otherwise it gives an error about lookup rights), and also enabled stats-writer and stats-reader with 0666.
No no no, don't do this, you're now opening yourself up to getting hacked.
So there are no more error messages in the log, but the above commands that do NOT work terminate immediately, while the working command waits for email on STDIN. No error messages in either the log or on STDOUT/STDERR.
How is your webform being called? If it's just a PHP handler for a submitted form, just hand it off to port 25 on localhost to deliver the email locally.
This puts all the lookups into the same place that other email is handled by, including user lookups, anti-spam, etc.
John
Don't want to pull in the SMTP handler module, it's pretty huge.
I have managed to get it to work better now. I did setuid the dovecot-lda, and then added www-data to the dovecot group, so now dovecot-lda executes successfully. This also meant I could set the authdb back to 0666 and also remove the stats-writer and stats-reader, and it still works sending from www-data now. Since guest doesn't have execute rights, it means that it's secure now (according to the "Multiple UID" article on the wiki).
However, I have run into another weird problem. If I run the script like this:
sudo -u www-data ./index.cgi
The mail appears in the inbox. But if I visit index.cgi from the browser via the web server, it doesn't work.
Here is index.cgi:
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                       # the Subject literal below contains non-ASCII characters
use MIME::Entity;
use Email::Date::Format qw(email_date);
use Encode qw(encode);

my $mime = MIME::Entity->build(
    Type    => "text/plain; charset=utf-8",
    From    => "Sebastian Nielsen <sebastian\@sebbe.eu>",   # '@' must be escaped in double quotes
    To      => "Dovecot-LDA Form <info\@localhost>",
    Subject => encode("MIME-Header", "Räksmörgås"),         # RFC 2047-encode the non-ASCII subject
    Date    => email_date(),
    Data    => encode("UTF-8", "Testar med lite text"),
);
# Pipe the message to dovecot-lda; it runs under the CGI's own UID/GID (list-form open, no shell).
open(my $mailpipe, "|-", "/usr/lib/dovecot/dovecot-lda", "-d", "info")
    or die "cannot run dovecot-lda: $!";
$mime->print($mailpipe);
close($mailpipe) or die "dovecot-lda failed: " . ($! ? $! : "exit status " . ($? >> 8));
print "Content-Type: text/plain\n\nSuccess";
So it's the exact same script; it works when run as www-data via sudo, but not when run from the web server. So what's the difference? It's the same user, so it should work, right?
No errors in logs either.
-----Original message----- From: John Stoffel via dovecot <dovecot@dovecot.org> Sent: 31 October 2024 19:03 To: Sebastian Nielsen <sebastian@sebbe.eu> Cc: dovecot@dovecot.org Subject: Re: dovecot-lda from www-data - doesnt work
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
No, I resolved it now.
It turns out that even though I added the www-data user to the dovecot group, it would only have an effect when running as www-data via sudo. The web server wouldn't honor the group membership of the www-data user.
So I had to tell Apache2 to specifically run as group dovecot, so it gets access to dovecot resources.
Now it FINALLY works!
-----Original message----- From: Benny Pedersen via dovecot <dovecot@dovecot.org> Sent: 31 October 2024 19:45 To: dovecot@dovecot.org Subject: Re: Sv: dovecot-lda from www-data - doesnt work
Sebastian Nielsen via dovecot wrote on 2024-10-31 19:15:
No errors in logs either.
Maybe your Perl needs to do SASL auth to Postfix?
Or simply just set up PHPMailer with proper SASL auth.
Yes, I have read them. I understood there was a problem with authdb=0777, even though the written instructions in the config file actually recommend setting 0777 if you want free userdb lookups:
    # To give the caller full permissions to lookup all users, set the mode to
    # something else than 0666 and Dovecot lets the kernel enforce the
    # permissions (e.g. 0777 allows everyone full permissions).
But I did remove authdb=0777 and put it back to 0666, since the setuid works.
I did setuid dovecot-lda to root, and then removed execute permissions from everyone, according to the instructions on this page:
https://doc.dovecot.org/main/howto/lda.html#multiple-uids
Then I set apache2 to run as group dovecot. It isn't really a big security problem anymore.
Apache2 can access all dovecot resources, nothing more.
-----Original message----- From: Benny Pedersen via dovecot <dovecot@dovecot.org> Sent: 31 October 2024 20:43 To: dovecot@dovecot.org Subject: Re: Sv: Sv: dovecot-lda from www-data - doesnt work
Sebastian Nielsen via dovecot wrote on 2024-10-31 19:55:
Now it FINALLY works!
Read the other mails on the mailing list; if you believe it's good, then you don't know security at all.
"Sebastian" == Sebastian Nielsen via dovecot <dovecot@dovecot.org> writes:
Don't want to pull in the SMTP handler module, it's pretty huge.
I think you're overlooking the security implications of NOT doing this. But you also haven't really explained why you're trying to do it this way, instead of the proper more secure way.
Why don't you just feed the data into a connection to port 25 on your system instead?
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Std;
use Net::SMTP;
use Sys::Hostname;

# -s SMTP server (e.g. localhost), -f envelope sender; recipients are the remaining arguments
my %opts;
getopts('s:f:', \%opts) or die "usage: $0 -s server -f sender recipient...\n";
my $hostname  = hostname();
my $ipaddress = $ENV{REMOTE_ADDR} // 'unknown';   # set by the web server for a CGI request

my $message = Net::SMTP->new($opts{'s'}) || die "can't talk to server $opts{'s'}\n";
$message->mail($opts{'f'});
$message->to(@ARGV) || die "failed to send to the recipients ", join(",", @ARGV), ": ", $message->message;
$message->data();
$message->datasend("To: some\@email.com\n");        # each header line needs its own newline
$message->datasend("From: formsender\@email.com\n");
$message->datasend("Subject: form input\n");
$message->datasend("\n");                            # blank line separates headers from body
$message->datasend("Host: $hostname ($ipaddress)\n");
$message->dataend();
$message->quit;
Doesn't seem like a bunch of overhead to me, and it keeps a nice clean separation between your web infrastructure and your dovecot setup. I didn't try to copy your script and adapt it to Net::SMTP.
See more and better docs on: https://perldoc.perl.org/Net::SMTP
The real reason we're all harping on this is because you're opening yourself to any other badly written CGI script on your web server and giving it access to your dovecot instance. And if you decide to move your web server off this dovecot server, then you need to re-do it all anyway. With a proper script connecting to port 25, you just need to update the hostname of the mailserver and you're done.
But hey, you do you.
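Sebastian's CGI adapted to hand the message to the local MTA on port 25 instead of running dovecot-lda from the web server's UID, the approach John argues for above. This is an added example and not code from the thread; the sender address, the 127.0.0.1:25 endpoint and the timeout are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                        # literals below contain non-ASCII characters
use MIME::Entity;
use Email::Date::Format qw(email_date);
use Encode qw(encode);
use Net::SMTP;

# Build the same kind of message as the original index.cgi.
# Header addresses and text are constructed sample values.
sub build_message {
    my ($subject, $body) = @_;
    return MIME::Entity->build(
        Type     => "text/plain; charset=utf-8",
        Encoding => "quoted-printable",
        From     => "Webform <webform\@localhost>",        # assumed sender
        To       => "Dovecot-LDA Form <info\@localhost>",
        Subject  => encode("MIME-Header", $subject),       # RFC 2047 for non-ASCII
        Date     => email_date(),
        Data     => encode("UTF-8", $body),
    );
}

# Submit the message over SMTP to the MTA on localhost. The MTA does the
# user lookup and passes the mail to Dovecot, so the CGI needs no setuid
# binary, no extra group membership and no loosened socket permissions.
sub send_via_mta {
    my ($entity, $envelope_from, $envelope_to) = @_;
    my $smtp = Net::SMTP->new("127.0.0.1", Port => 25, Timeout => 10)   # assumed endpoint
        or die "cannot connect to local MTA: $@";
    # Envelope addresses are separate from the From:/To: header fields.
    $smtp->mail($envelope_from) or die "MAIL FROM rejected: " . $smtp->message;
    $smtp->to($envelope_to)     or die "RCPT TO rejected: "   . $smtp->message;
    $smtp->data()               or die "DATA rejected: "      . $smtp->message;
    # as_string() renders headers and body; datasend() handles dot-stuffing.
    $smtp->datasend($entity->as_string) or die "datasend failed";
    $smtp->dataend()            or die "message rejected: "   . $smtp->message;
    $smtp->quit;
    return 1;
}

my $mime = build_message("Räksmörgås", "Testar med lite text");
send_via_mta($mime, 'webform@localhost', 'info@localhost');
print "Content-Type: text/plain\n\nSuccess\n";
```

Moving the mail server to another host later only requires changing the address passed to Net::SMTP->new.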