Well, I don't know about yuuuge security risk (not saying there isn't any...), but if this concerns you, you can also use LMTP instead, which is probably a better solution here.
Aki
On 31.07.2018 13:42, Andras Kemeny wrote:
yeah, the only problem about that is it's a yuuuge security risk :), and also, postfix simply won't let me:
Jul 31 02:20:37 rhyno postfix/pipe[29532]: fatal: user= command-line attribute specifies root privileges
so it's entirely possible i'm knocking on the wrong door, and instead i should be asking this in the postfix mailing list.
however, i'm also worried about this: "to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } }", as i have done what it says, and the check wasn't bypassed so i'm wary about something bad coming up once i somehow fix this initial UID problem.
thanks, a
- 7:12, Aki Tuomi wrote:
You could run dovecot-lda as root. It will setuid to correct account.
Aki Tuomi Dovecot oy
-------- Original message --------
From: Andras Kemeny pdx@pdx.hu
Date: 31/07/2018 04:46 (GMT+02:00)
To: dovecot@dovecot.org
Subject: uid problem
hi,
contacting this mailing list is my last-ditch effort to somehow come to a working configuration where postfix "ends in" dovecot, i.e. for special LDAP-based users, featured in the virtual mailbox delivery, dovecot would act as LDA.
here's the deal.
i've set up dovecot's access to the LDAP server, and for the purposes of being an IMAP server and a SASL auth backend, dovecot works brilliantly and without a glitch. i can access my test mailbox (in maildir format), i can use the LDA as root and it delivers the message correctly (after a switch to the target user's UID), and even postfix's submission works with dovecot as its SASL backend.
what does not work is dovecot as LDA from postfix.
i'm getting these errors in the log:
Jul 31 03:40:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER lookup failed
Jul 31 03:40:40 rhyno dovecot: auth: Error: userdb(aik): client doesn't have lookup permissions for this user: userdb uid (10001) doesn't match peer uid (5000) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })
Jul 31 03:40:40 rhyno dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
for the sake of clarity, i've tried the "to bypass this check" instructions, didn't help.
also, for the sake of operational clarity, "aik" is the LDAP account with the following parameters:
dn: uid=aik,ou=People,dc=rhyno,dc=tech
objectClass: account
objectClass: posixAccount
objectClass: postfixUser
cn: aik
uid: aik
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/aik
loginShell: /bin/sh
gecos: aik
description: User account
structuralObjectClass: account
entryUUID: db947584-0369-1038-98b3-675e2f0cea17
creatorsName: cn=admin,dc=rhyno,dc=tech
createTimestamp: 20180613152616Z
email: ***********
userPassword:: *************************
mailacceptinggeneralid: andras.kemeny
mailacceptinggeneralid: kemeny.andras
mailacceptinggeneralid: aik
mailacceptinggeneralid: pdx
mailacceptinggeneralid: @rhyno.tech
mailacceptinggeneralid: @rhynotechnologies.com
maildrop: aik
and postfix's master.cf says:
dovecot unix - n n - - pipe flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
so i'm stuck at this point. obviously, if the LDA is spawned with vmail:vmail perms, it cannot become uid 10001 (btw, the LDAP and passwd accounts were once connected, but for security reasons, the connection has been severed -- still the /home/aik/mail dir is owned by uid 10001 etc).
what am i doing wrong?
thanks, a
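The LMTP route Aki suggests at the top of the thread, written out as an added example (this is not configuration posted by either participant); the socket path, the conf.d file names and the use of virtual_transport are assumptions based on a stock Postfix/Dovecot layout:

```conf
# --- Postfix: /etc/postfix/master.cf ---
# The pipe transport from the thread. Postfix refuses user=root here, and
# with user=vmail:vmail the LDA process cannot switch to uid 10001, which
# is what the "userdb uid doesn't match peer uid" error is about.
# dovecot unix - n n - - pipe flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
#
# Remove (or stop referencing) that service and let main.cf hand the
# virtual mailbox recipients to Dovecot over LMTP instead.

# --- Postfix: /etc/postfix/main.cf ---
# UNIX socket relative to queue_directory (/var/spool/postfix), so it is
# reachable even when the Postfix delivery agent runs chrooted. (assumed path)
virtual_transport = lmtp:unix:private/dovecot-lmtp

# --- Dovecot: /etc/dovecot/conf.d/10-master.conf ---
# Dovecot's own master spawns the lmtp process, so no Postfix-side user=
# attribute is involved and the userdb lookup is done by Dovecot itself.
# The listener is owned by postfix and closed to everyone else (0600),
# instead of the world-writable 0777 that was tried on auth-userdb.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

# --- Dovecot: /etc/dovecot/conf.d/20-lmtp.conf ---
protocol lmtp {
  # Keep the same mail plugins the LDA was using, if any (e.g. sieve).
  # mail_plugins = $mail_plugins
}

# Checks after "postfix reload" and "doveadm reload":
#   doveconf -n | grep -A5 'service lmtp'   -> shows the listener above
#   ls -l /var/spool/postfix/private/dovecot-lmtp
#       -> srw------- postfix postfix
#   postconf virtual_transport
#       -> virtual_transport = lmtp:unix:private/dovecot-lmtp
```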