I'm new to Dovecot and I'm having trouble getting basic, flat file userdb lookups to work. This must have been asked before, but if so, I can't find it.
I'm following the basic setup here: http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall with a few minor differences. Output of doveconf -n is below, as well as relevant entries from postfix main.cf and master.cf.
When I send a message to a virtual user that will be handled by Dovecot, Postfix hands it off to Dovecot LDA. But I get the following error in the log:
Jun 22 20:53:33 xxxxx dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
/var/run/dovecot/ is indeed owned by root:root with 0755 permissions.
The actual passwd file used for userdb/passdb is currently owned by root:vmail with 0640 permissions.
I read http://wiki2.dovecot.org/UserIds but I just don't understand the section on "Authentication process user". It's very vague. It doesn't explain which service is used for which circumstances or how to correlate the userdb/passdb file permissions with the service user/group settings for best security.
The http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall link mentions nothing about having to modify the auth or auth-worker services.
And the http://wiki2.dovecot.org/HowTo/VirtualUserFlatFilesPostfix page mentions a new "doveauth" user which isn't described elsewhere and sets service auth to user postfix and group postfix, something not mentioned anywhere else.
/etc/doveconf/10-master.conf says that the service auth socket is typically readable only by root. Uhm. OK. Well, my passwd file is owned by root. I don't know how that relates to the socket. So I don't understand the problem.
Bottom line, each information source seems to say something completely different. I can't correlate the information in the above sources into any actionable result.
Questions:
Basically, can someone please explain how the permissions for userdb and passdb lookup work (i.e. file permissions vs. service permissions)?
What's the best solution to the above permission problem in the most secure way? Adjust the config of service auth? If so, how and why? Or adjust my passwd file ownership? If so, how and why? I'm really trying to understand the why, not just the what.
Thanks much.
Michael
Output of doveconf -n follows:
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-86-generic i686 Ubuntu 12.04.5 LTS
auth_verbose = yes
disable_plaintext_auth = no
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_uid = vmail
passdb {
driver = pam
}
passdb {
args = username_format=%n /var/vmail/auth.d/%d/passwd
driver = passwd-file
}
pop3_uidl_format = %08Xv%08Xu
protocols = pop3
ssl = no
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
driver = passwd
}
userdb {
args = username_format=%n /var/vmail/auth.d/%d/passwd
driver = passwd-file
}
protocol lda {
postmaster_address = postmaster@xxxxx
}
Postfix main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = xxxx
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_transport = dovecot
Postfix master.cf:
# Dovecot LDA
# Ref: http://wiki2.dovecot.org/LDA/Postfix
# Allows user+extension@domain.com (recipient_delimiter = + in main.cf)
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}
On June 23, 2016 at 8:01 AM Michael Fox <news@mefox.org> wrote:
I'm new to Dovecot and I'm having trouble getting basic, flat file userdb lookups to work. This must have been asked before, but if so, I can't find it.
I'm following the basic setup here: http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall with a few minor differences. Output of doveconf -n is below, as well as relevant entries from postfix main.cf and master.cf.
When I send a message to a virtual user that will be handled by Dovecot, Postfix hands it off to Dovecot LDA. But I get the following error in the log:
Jun 22 20:53:33 xxxxx dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
/var/run/dovecot/ is indeed owned by root:root with 0755 permissions.
The actual passwd file used for userdb/passdb is currently owned by root:vmail with 0640 permissions.
Section virtual users, with lookup has the answer.
Aki Tuomi
Section virtual users, with lookup has the answer.
Thanks for the quick response Aki.
I presume you're referring to this:
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}
So, given that, then I'm still not clear on the following:
- User vmail is reading the userdb, not writing to the userdb. So why mode 0600?
- What should the owner, group and mode/permissions of the actual userdb flat file be for best security?
Michael
On June 23, 2016 at 8:56 AM Michael Fox <news@mefox.org> wrote:
Section virtual users, with lookup has the answer.
Thanks for the quick response Aki.
I presume you're referring to this:
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}
So, given that, then I'm still not clear on the following:
- User vmail is reading the userdb, not writing to the userdb. So why mode 0600?
- What should the owner, group and mode/permissions of the actual userdb flat file be for best security?
Michael
That is a socket, not a regular file. LDA speaks with the auth service.
As the auth *service* runs as root, it is probably best to use root:root 0400 for the actual file.
Aki Tuomi
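As an added example that is not part of this thread, a small shell audit that checks the two permission layers Aki distinguishes: the auth-userdb socket that dovecot-lda (running as vmail) connects to, and the passwd file that only the auth service (running as root) reads. The paths, the vmail user and the example.com domain are assumptions taken from, or standing in for, the config quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU stat (Linux).

# check_perm PATH USER GROUP MODE
# Returns 0 when PATH is owned by USER:GROUP with octal permission bits MODE
# (e.g. 600), 1 otherwise. Works for sockets as well as regular files.
check_perm() {
    path=$1; want_user=$2; want_group=$3; want_mode=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # GNU stat: owner name, group name, permission bits in octal
    set -- $(stat -c '%U %G %a' "$path")
    if [ "$1" = "$want_user" ] && [ "$2" = "$want_group" ] && [ "$3" = "$want_mode" ]; then
        echo "OK       $path is $1:$2 $3"
        return 0
    fi
    echo "MISMATCH $path is $1:$2 $3, expected $want_user:$want_group $want_mode"
    return 1
}

# audit_dovecot_perms [SOCKET] [PASSWD_FILE]
# Layer 1: the auth-userdb socket must be connectable by the LDA user (vmail);
#          that is what "unix_listener auth-userdb { mode = 0600 user = vmail }"
#          in service auth arranges. The directory /var/run/dovecot stays
#          root:root 0755, which is enough for vmail to reach the socket.
# Layer 2: the passwd-file is opened only by the auth service, which runs as
#          root, so root:root 0400 is sufficient; vmail never reads it directly.
audit_dovecot_perms() {
    sock=${1:-/var/run/dovecot/auth-userdb}
    pwfile=${2:-/var/vmail/auth.d/example.com/passwd}   # example.com: placeholder domain
    rc=0
    check_perm "$sock" vmail vmail 600 || rc=1
    check_perm "$pwfile" root root 400 || rc=1
    return $rc
}
```

Run `audit_dovecot_perms` on the mail host after reloading Dovecot; a MISMATCH on the socket line reproduces the "Permission denied (euid=5000(vmail)...)" situation from the log, while a mismatch on the passwd file line only matters if the auth service is not running as root.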