[Dovecot] deliver is ignoring mail_access_groups
Ubuntu 8.04LTS
Dovecot 1.2.6
Postfix 2.5.1
I'm using dovecot imap/deliver in an environment where I don't want users with shell access to reach their mail folders (partly to do with IMAP ACLs requiring open group permissions and partly to do with not wanting users to mess their mail folders / sieve configs up).
I specifically don't want to switch to a "single dovecot user" style installation.
Current config:
mail_location = maildir:/home/mail/%d/%n/Maildir
mail_privileged_group = mail
mail_access_groups = maildir
drwxrws--- 3 nobody maildir 21 2009-11-15 10:52 /home/mail
drwxrws--- 4 nobody adomain.com 30 2009-11-15 12:12 /home/mail/adomain.com/
drwxrws--- 3 auser adomain.com 20 2009-11-15 10:52 /home/mail/adomain.com/auser
drwxrws--- 3 auser adomain.com 20 2009-11-15 10:52 /home/mail/adomain.com/auser/Maildir
And so on...
As expected IMAP and Managesieve work perfectly, but deliver fails:
Nov 15 12:48:26 s15364807 dovecot: deliver(auser@adomain.com): sieve: stat(/home/mail/adomain.com/auser/.dovecot.sieve) failed: Permission denied (using global script path in stead)
Nov 15 12:28:06 s15364807 dovecot: deliver(auser@adomain.com): stat(/home/mail/adomain.com/auser/Maildir) failed: Permission denied
Nov 15 12:28:06 s15364807 dovecot: deliver(auser@adomain.com): stat(/home/mail/adomain.com/auser/Maildir/tmp) failed: Permission denied (euid=1002(auser) egid=1001(adomain.com) missing +x perm: /home/mail)
Nov 15 12:28:06 s15364807 dovecot: deliver(auser@adomain.com): msgid=20091115122806.79A0F80034F@servername.com: save failed to INBOX: Internal error occurred. Refer to server log for more information. [2009-11-15 12:28:06]
Opening the permissions on /home/mail (6771) allows deliver to succeed suggesting that mail_access_groups is being ignored by deliver.
As a work-around I can set /home/mail to 6771 but this is not ideal as anyone somehow guessing the directory structure could access mail of another user in the same group regardless of IMAP acl settings. Yes, I can severely obfuscate it but it's not secure.
I've spent about half a day trying to figure this out, I'm assuming at this point that either I'm missing something obvious or something else is wrong. Any ideas?
Peter.
On Sun, 2009-11-15 at 12:59 +0000, Peter wrote:
Opening the permissions on /home/mail (6771) allows deliver to succeed suggesting that mail_access_groups is being ignored by deliver.
How are you calling deliver? Either it needs to be started up as root, or you need to make it setuid-root (and call it with -d parameter). Otherwise it can't use mail_access_groups.
Doh. Of course.... knew it would be something obvious. What threw me is that it had correct permissions aside from this.
It's being called by postfix with -d through mailbox_command - I'm digging through postfix config now, if there's a way I can do this without making deliver setuid I'd be much happier....
Thanks, Timo,
Peter.
-----Original Message----- From: dovecot-bounces+dovecot=peter-b.org@dovecot.org [mailto:dovecot-bounces+dovecot=peter-b.org@dovecot.org] On Behalf Of Timo Sirainen Sent: 16 November 2009 18:07 To: Peter Cc: 'Dovecot Mailing List' Subject: Re: [Dovecot] deliver is ignoring mail_access_groups
On Sun, 2009-11-15 at 12:59 +0000, Peter wrote:
Opening the permissions on /home/mail (6771) allows deliver to succeed suggesting that mail_access_groups is being ignored by deliver.
How are you calling deliver? Either it needs to be started up as root, or you need to make it setuid-root (and call it with -d parameter). Otherwise it can't use mail_access_groups.
On Mon, 2009-11-16 at 19:14 +0000, Peter Borg wrote:
Doh. Of course.... knew it would be something obvious. What threw me is that it had correct permissions aside from this.
It's being called by postfix with -d through mailbox_command - I'm digging through postfix config now, if there's a way I can do this without making deliver setuid I'd be much happier....
I don't think Postfix allows running it as root. But since you're using mailbox_command, Postfix already looks up the user's groups from somewhere. Perhaps there's something you can do to make Postfix add access to the wanted extra group?
I suppose the long term solution for this will be to use Dovecot's LMTP server.
bounces+dovecot=peter-b.org@dovecot.org] On Behalf Of Timo Sirainen
It's being called by postfix with -d through mailbox_command - I'm digging through postfix config now, if there's a way I can do this without making deliver setuid I'd be much happier....
I don't think Postfix allows running it as root. But since you're using mailbox_command, Postfix already looks up the user's groups from somewhere. Perhaps there's something you can do to make Postfix add access to the wanted extra group?
I suppose the long term solution for this will be to use Dovecot's LMTP server.
Postfix does do group lookup, but not group set. Regardless I wouldn't want the user's group set to include maildir under normal circumstances.
This is where Dovecot works well for me because I can get the dovecot process to add the specified group to the user's authentication which means that they can only get at their mail through dovecot and not through the file system.
Postfix doesn't have the ability to add groups to the user's context so no joy there.
LMTP will be great once it's done, I'm sure, but for now I'm stuck with whatever MTA I can get going... looks like setuid root deliver is going to be the only solution.
Peter.
On Mon, 2009-11-16 at 23:01 +0000, Peter Borg (General) wrote:
This is where Dovecot works well for me because I can get the dovecot process to add the specified group to the user's authentication which means that they can only get at their mail through dovecot and not through the file system.
Perhaps you should have just used virtual users in that case? PAM as passdb, but otherwise use the same uid/gid for all users' mails.
participants (4)
-
Peter
-
Peter Borg
-
Peter Borg (General)
-
Timo Sirainen