Re: [Dovecot] started with dovecot sieve
Rolf wrote:
On 2012-06-25 23:59, Daniel Parthey wrote:
Hi Rolf,
Rolf wrote:
Jun 25 20:22:54 rolf14 dovecot: lda(rolf): Error: setegid(privileged) failed: Operation not permitted
Doesn't lda(rolf) mean it is being executed under user "rolf", not root or dovecot?
How exactly do you invoke lda from your /etc/postfix/master.cf?
You might also try to use LMTP via TCP to deliver mails from postfix to dovecot to work around any permission problems.
I have installed dovecot and dovecot-sieve via Debian's aptitude
You don't seem to be the only one with these problems, see Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626130
As far as I understand the "ps -f ax" output (see below) dovecot runs with root privileges and postfix runs with its own user privileges.
root 20998 1 0 Jun25 ? Ss 0:03 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
Well, the master process often runs as root, but child processes like lda may be configured to run as an unprivileged user, or even as the user who owns the mailbox.
The mbox files below /var/mail are owned by their respective users and have "mail" as their group, both can write, world can do nothing. I added every related system user to the mail group, also restarted postfix and dovecot.
root@rolf14:/var/mail# more /etc/group | grep mail:
mail:x:8:amavis,dovecot,clamav,postfix
User "rolf" is not a member of group "mail", but I don't think he needs to be, otherwise he would be able to read the mails of all users on the system and this would be a security risk.
As I understand it, postfix activates the lda "deliver" as user "postfix". Therefore it should be able to write to the mboxes at /var/mail. If needed dovecot can write there as well.
The lda should rather switch to the owner of the respective INBOX, e.g. /var/mail/rolf. Log message "lda(rolf)" looks like this happens.
To summarize, I think LMTP will be the easiest way to fix the permission problems. Otherwise you would need to figure out how to prevent dovecot lda from switching to the additional group "mail", since the unprivileged user "rolf" is not allowed to do that.
Regards, Daniel
Rolf wrote:
On 2012-06-25 23:59, Daniel Parthey wrote:
Hi Rolf,
Rolf wrote:
Jun 25 20:22:54 rolf14 dovecot: lda(rolf): Error: setegid(privileged) failed: Operation not permitted
Doesn't lda(rolf) mean it is being executed under user "rolf", not root or dovecot?
Could be. However, following your mail I tried several alternatives for grouping: made the user itself part of the mail group, made postfix and dovecot part of the user's real group, made all part of root's real group, made the users part of the postfix and dovecot real group ... I could have made mistakes in trying all these combinations, but the failure remained in any case. (I switched all back for security reasons; the failure is still there.)
How exactly do you invoke lda from your /etc/postfix/master.cf?
On 2012-06-26 22:10, Daniel Parthey wrote:
These are my lines from /etc/postfix/main.cf:
#mailbox_command = procmail -a "$EXTENSION"
mailbox_command = /usr/lib/dovecot/deliver
If I switch procmail back on, the input gets delivered and I can see the mails using roundcube as a client for dovecot.
You might also try to use LMTP via TCP to deliver mails from postfix to dovecot to work around any permission problems.
LMTP would be new to me and I fear it is just another hard-to-understand configuration topic. What I did as a workaround is to have a last rule in each .dovecot.sieve: fileinto "rest". It works, and this way the INBOX is no longer needed.
I have installed dovecot and dovecot-sieve via Debian's aptitude
You don't seem to be the only one with these problems, see Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626130
I do not understand how they solved the problem. Changing 0660 to 0600 for the /var/mail/user mboxes (with user:mail as user:group) does not seem to be a logical solution; I have not tried that.
Rolf wrote:
LMTP would be new to me and I fear it is just another hard-to-understand configuration topic.
LMTP (Lightweight Message Transfer Protocol) is really simple, similar to SMTP, but immediately returns a status code which tells whether the delivery has been successful or not.
I encourage you to read this HOWTO: http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
Dovecot listens and accepts mails on the LMTP service port; postfix delivers mails directly into this LMTP service port.
Since it is an additional service, you should be able to try it first, without interfering with your deliver functionality.
Here you can read what the LMTP communication looks like: http://de.wikipedia.org/wiki/LMTP
Regards Daniel
On 2012-06-27 20:47, Daniel Parthey wrote:
Rolf wrote:
LMTP would be new to me and I fear it is just another hard-to-understand configuration topic.
LMTP (Lightweight Message Transfer Protocol) is really simple, similar to SMTP, but immediately returns a status code which tells whether the delivery has been successful or not.
I encourage you to read this HOWTO: http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
Dovecot listens and accepts mails on the LMTP service port; postfix delivers mails directly into this LMTP service port.
Since it is an additional service, you should be able to try it first, without interfering with your deliver functionality.
Here you can read what the LMTP communication looks like: http://de.wikipedia.org/wiki/LMTP
Regards Daniel
Yes, Daniel, thank you. I had found these pieces in your previous mail. I understand that LMTP is an alternative to SMTP when it comes to mail communication inside a server or a local network. I understand that LMTP is newer. But if you look at incoming mail via SMTP on socket 25 and then look at the mail via roundcube (communicating with dovecot), what is the difference and why should I care?
That is, if I introduce LMTP, postfix will talk to dovecot by a different protocol. Correct? Will dovecot change its behavior? As I am not an SMTP insider (never did SMTP using telnet), I hardly understand what this change could do to my problem. Wouldn't dovecot LDA "deliver" still try to change the INBOX and have access problems that I do not understand?
Do you have a link for me, explaining what "deliver" does with a mail that is not subject to any of the "fileinto" rules of a sieve filter? What user accounts are involved in that function? Why does it not work with the Debian default that a user is not a member of the group "mail" that is assigned to their INBOX? (If this is part of the problem, which I do not know for sure yet.)
Rolf wrote:
On 2012-06-27 20:47, Daniel Parthey wrote:
I encourage you to read this HOWTO: http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
I understand that LMTP is an alternative to SMTP when it comes to mail communication inside a server or a local network. I understand that LMTP is newer. But if you look at incoming mail via SMTP on socket 25 and then look at the mail via roundcube (communicating with dovecot), what is the difference and why should I care?
Delivery via lda: SMTP -> postfix:25 -> EXEC -> lda executed by postfix -> filesystem -> dovecot imap
Delivery via lmtp: SMTP -> postfix:25 -> TCP -> dovecot:24 -> filesystem -> dovecot imap
The difference is that postfix communicates to dovecot lmtp port 24 and the actual delivery to the filesystem will be done by dovecot itself. Therefore you only need to ensure read/write access for dovecot to the mail filesystem.
That is, if I introduce LMTP, postfix will talk to dovecot by a different protocol. Correct?
Yes, postfix will talk LMTP to dovecot, either via a UNIX socket in the filesystem, or via local TCP network communication to a TCP socket in dovecot.
Will dovecot change its behavior?
No. The imap/pop3 service of dovecot will work as usual.
The delivery is a bit different: before being delivered to the filesystem, the message will pass through the LMTP service with quota enforcement and sieve filtering, depending on which mail modules you have enabled in dovecot.
As I am not an SMTP insider (never did SMTP using telnet), I hardly understand what this change could do to my problem.
By using LMTP via TCP, you will avoid permission problems where postfix cannot access sockets/files/mails from dovecot, since postfix will communicate via network with dovecot and dovecot will handle the delivery itself.
Wouldn't dovecot LDA "deliver" still try to change the INBOX and have access problems that I do not understand?
Delivery will be done by the dovecot lmtp service (http://wiki2.dovecot.org/Services#lmtp); it will not be executed by postfix.
Do you have a link for me, explaining what "deliver" does with a mail that is not subject to any of the "fileinto" rules of a sieve filter?
I assume it writes the message to INBOX (e.g. /var/mail/rolf), which is often at a different location and possibly has other permissions than your mailboxes in your home directory where SIEVE sorts your mail into.
What user accounts are involved in that function?
Currently, dovecot lda/deliver is executed by postfix, which I see as a possible reason for the permission problems.
After switching to LMTP via TCP, only dovecot should be involved with delivery, and it drops privileges to the mailbox owner after the userdb lookup, according to http://wiki2.dovecot.org/Services#lmtp
Regards, Daniel
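The two delivery paths Daniel describes, written out as Postfix and Dovecot 2.x configuration fragments. This is an added example, not configuration from the thread or from the Dovecot project's HOWTO; Rolf's own mailbox_command line is reused for the LDA variant, and the LMTP variant assumes a loopback-only TCP listener on port 24 and the Debian conf.d file layout.

```conf
# /etc/postfix/main.cf -- current LDA path (Rolf's setting).
# local(8) execs deliver as the recipient user, which then tries to
# switch to the mailbox's group "mail"; that is the setegid() that fails
# when the user is not a member of group "mail".
#mailbox_command = procmail -a "$EXTENSION"
mailbox_command = /usr/lib/dovecot/deliver

# /etc/postfix/main.cf -- LMTP path instead: hand the message to dovecot
# over loopback TCP. postfix never opens /var/mail itself, so no group
# membership for postfix or the recipient is needed on the postfix side.
# Remove the mailbox_command line above when enabling this.
mailbox_transport = lmtp:inet:127.0.0.1:24

# /etc/dovecot/conf.d/10-master.conf -- enable the LMTP service and bind
# it to loopback only, so nothing outside the host can push mail into the
# delivery path; dovecot drops to the mailbox owner after the userdb lookup.
protocols = imap lmtp

service lmtp {
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
}

# /etc/dovecot/conf.d/20-lmtp.conf -- keep sieve filtering (the fileinto
# rules) active for LMTP deliveries, not only for the lda binary.
protocol lmtp {
  mail_plugins = $mail_plugins sieve
}
```

After reloading both daemons, `postconf -n` and `doveconf -n` show the effective values, and a delivery log line tagged lmtp(user) instead of lda(user) confirms the new path is in use.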