[Dovecot] exim and /var/run/dovecot/auth-client permissions
I am attempting to configure a dovecot 2.0 + exim + fetchmail (demon)
combination on openSUSE 11.4, initially with the standard dovecot package
(2.0.9-3.4-x86_64) and now with the later server:mail build service
package (2.0.11-1.1-x86_64).
I followed the instructions in
http://wiki2.dovecot.org/HowTo/EximAndDovecotSASL but despite the changes
in conf.d/10-master.conf the permissions on /var/run/dovecot/auth-client
remain unchanged:

$ ls -l /var/run/dovecot/auth-client
Srw------- 1 root root 0 Mar 14 13:11 /var/run/dovecot/auth-client
$

This is probably the cause of authentication failures from exim. I
suspect it is something trivial but haven't yet been able to find the
answer.
On Mon, 14 Mar 2011 13:45:42 -0000, John Connett
<john.connett@ntlworld.com> wrote:
> I am attempting to configure a dovecot 2.0 + exim + fetchmail (demon)
> combination on openSUSE 11.4, initially with the standard dovecot
> package (2.0.9-3.4-x86_64) and now with the later server:mail build
> service package (2.0.11-1.1-x86_64).
> I followed the instructions in
> http://wiki2.dovecot.org/HowTo/EximAndDovecotSASL but despite the
> changes in conf.d/10-master.conf the permissions on
> /var/run/dovecot/auth-client remain unchanged:
>
> $ ls -l /var/run/dovecot/auth-client
> Srw------- 1 root root 0 Mar 14 13:11 /var/run/dovecot/auth-client
> $
>
> This is probably the cause of authentication failures from exim. I
> suspect it is something trivial but haven't yet been able to find the
> answer.
Confirmed that the permissions are the source of the authentication
failures by manually changing to mode=0660, user=mail. These permissions
revert to mode=0600, user=root when dovecot is restarted.
The problem is either with the instructions on the wiki or within
dovecot. I will look at the source code to see if I can identify why the
permissions in conf.d/10-master.conf are not being applied. The "service
auth" part of conf.d/10-master.conf, stripped of comments, is:

service auth {
  unix_listener auth-client {
    mode = 0660
    user = mail
  }
  unix_listener auth-userdb {
  }
}

On Wed, 2011-03-16 at 08:18 +0000, John Connett wrote:
> $ ls -l /var/run/dovecot/auth-client
> Srw------- 1 root root 0 Mar 14 13:11 /var/run/dovecot/auth-client
> ..
> The problem is either with the instructions on the wiki or within
> dovecot. I will look at the source code to see if I can identify why the
> permissions in conf.d/10-master.conf are not being applied. The "service
> auth" part of conf.d/10-master.conf, stripped of comments, is:
>
> service auth {
>   unix_listener auth-client {
>     mode = 0660
>     user = mail
>   }
>   unix_listener auth-userdb {
>   }
> }
Check with doveconf that Dovecot really sees those settings:
doveconf service/auth
Also you didn't specify group for the auth-client, so you probably should keep it 0600..
On Wed, 16 Mar 2011 16:31:43 -0000, Timo Sirainen <tss@iki.fi> wrote:
> On Wed, 2011-03-16 at 08:18 +0000, John Connett wrote:
>> $ ls -l /var/run/dovecot/auth-client
>> Srw------- 1 root root 0 Mar 14 13:11 /var/run/dovecot/auth-client
>> ..
>> The problem is either with the instructions on the wiki or within
>> dovecot. I will look at the source code to see if I can identify why
>> the permissions in conf.d/10-master.conf are not being applied. The
>> "service auth" part of conf.d/10-master.conf, stripped of comments, is:
>>
>> service auth {
>>   unix_listener auth-client {
>>     mode = 0660
>>     user = mail
>>   }
>>   unix_listener auth-userdb {
>>   }
>> }
> Check with doveconf that Dovecot really sees those settings:
> doveconf service/auth
Many thanks. Looks like it isn't seeing those settings (see output
below). The openSUSE source rpm has two patches which only modify the
following files:
dovecot-2.0-pigeonhole/configure.in
configure.in
to "Enable PIE support (default)". The source code is unmodified so any
problem is likely to be in the upstream:
dovecot-2.0.11.tar.bz2
dovecot-2.0-pigeonhole-0.2.2.tar.bz2
> Also you didn't specify group for the auth-client, so you probably should keep it 0600..
I wondered about that myself. Granting rw group access to root doesn't
appear to provide any additional access to any users. I copied it exactly
from the example just in case there might have been some sneaky use of the
group permissions. Once I had it working I would have tried turning them
off to see if that broke anything. Granting rw user access to mail should
be sufficient for exim.

master:~ # doveconf service/auth
service auth {
  chroot =
  client_limit = 4096
  drop_priv_before_exec = no
  executable = auth
  extra_groups =
  group =
  idle_kill = 0
  privileged_group =
  process_limit = 1
  process_min_avail = 0
  protocol =
  service_count = 0
  type =
  unix_listener auth-client {
    group =
    mode = 0600
    user =
  }
  unix_listener auth-login {
    group =
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-master {
    group =
    mode = 0600
    user =
  }
  unix_listener auth-userdb {
    group =
    mode = 0600
    user =
  }
  unix_listener login/login {
    group =
    mode = 0666
    user =
  }
  user = $default_internal_user
  vsz_limit = 18446744073709551615 B
}
master:~ #

On Wed, 16 Mar 2011 23:25:08 -0000, John Connett <jrc@skylon.demon.co.uk>
wrote:
> On Wed, 16 Mar 2011 16:31:43 -0000, Timo Sirainen <tss@iki.fi> wrote:
>> On Wed, 2011-03-16 at 08:18 +0000, John Connett wrote:
>>> $ ls -l /var/run/dovecot/auth-client
>>> Srw------- 1 root root 0 Mar 14 13:11 /var/run/dovecot/auth-client
>>> ..
>>> The problem is either with the instructions on the wiki or within
>>> dovecot. I will look at the source code to see if I can identify why
>>> the permissions in conf.d/10-master.conf are not being applied. The
>>> "service auth" part of conf.d/10-master.conf, stripped of comments, is:
>>>
>>> service auth {
>>>   unix_listener auth-client {
>>>     mode = 0660
>>>     user = mail
>>>   }
>>>   unix_listener auth-userdb {
>>>   }
>>> }
>> Check with doveconf that Dovecot really sees those settings:
>> doveconf service/auth
Problem was all mine! I didn't fully appreciate the configuration process
and managed to end up with a dovecot.conf which didn't include the files
from conf.d ...
My apologies for the time wasting.
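
The check suggested in the thread (compare what was written in conf.d/10-master.conf with what `doveconf service/auth` reports), as an added example that is not part of the original thread. The function names are hypothetical and the sample text is two listeners reflowed from the output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): did a unix_listener override reach Dovecot?

# Print one setting of one unix_listener from `doveconf service/auth` text on stdin.
listener_setting() {
    awk -v name="$1" -v key="$2" '
        $1 == "unix_listener"            { inside = ($2 == name) }
        $1 == "}"                        { inside = 0 }
        inside && $1 == key && $2 == "=" { print $3 }
    '
}

# Succeed only if the effective mode and user equal the intended ones.
# usage: listener_matches NAME MODE USER < doveconf-output
listener_matches() {
    out=$(cat)
    mode=$(printf '%s\n' "$out" | listener_setting "$1" mode)
    user=$(printf '%s\n' "$out" | listener_setting "$1" user)
    [ "$mode" = "$2" ] && [ "$user" = "$3" ]
}

# Succeed if the main config file pulls in conf.d with !include or !include_try.
includes_conf_d() {
    grep -Eq '^[[:space:]]*!include(_try)?[[:space:]]+([^[:space:]]*/)?conf\.d/' "$1"
}

# Sample: two listeners from the output posted in the thread, one setting per line.
SEEN_BY_DOVECOT='service auth {
  unix_listener auth-client {
    group =
    mode = 0600
    user =
  }
  unix_listener auth-login {
    group =
    mode = 0600
    user = $default_internal_user
  }
}'

if printf '%s\n' "$SEEN_BY_DOVECOT" | listener_matches auth-client 0660 mail; then
    echo "auth-client override is active"
else
    echo "auth-client override not applied: does dovecot.conf include conf.d?"
fi
```

On a live system the same functions take `doveconf service/auth` on stdin and the path of the main dovecot.conf as the argument to `includes_conf_d`.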