[Dovecot] deliver LDA permission problem
Hello,
I'm trying to get deliver LDA working with postfix in a virtual domain
configuration.
I'm using dovecot v1.0.rc10. My setup is pretty much exactly as in the wiki (only the path to deliver and auth-master socket are different).
I'm having a little problem with permissions and this occurred which I think is undesirable:
syslog:
Feb 8 13:09:35 deliver(<email-addr>): setgid(5002) failed: Operation not permitted
Feb 8 13:09:36 deliver(<email-addr>): setgid(5001) failed: Operation not permitted
mail.log:
Feb 8 13:09:36 Devil postfix/pipe[9622]: 5AD5C103C: to=<<email-addr>>, orig_to=<<email-addr>>, relay=dovecot, delay=0.05, delays=0.01/0/0/0.04, dsn=5.3.0, status=bounced (Command died with status 89: "/usr/libexec/dovecot/deliver")
When deliver fails because it can't connect to auth-master socket it returns an undeliverable status which causes postfix to defer delivery. I think it should do the same here.
The real question is how I give deliver the permission to do the setgid? Is it enough to just add user vmail to each of the virtual user groups in /etc/group?
Does deliver setuid to virtual user as well?
Dick
On Thu, 2007-02-08 at 13:53 +0000, Dick Middleton wrote:
> Feb 8 13:09:35 deliver(<email-addr>): setgid(5002) failed: Operation not permitted
> Feb 8 13:09:36 deliver(<email-addr>): setgid(5001) failed: Operation not permitted
Your different users have different GIDs? But do they still have all the same UID? Or do you care about GIDs at all? There are two possibilities:
- Make deliver setuid-root so it has permissions to do the setgid() calls (and make sure only Postfix has permissions to start the deliver).
- Don't use those GIDs. Make userdb return the same GID as what deliver already runs as.
> Feb 8 13:09:36 Devil postfix/pipe[9622]: 5AD5C103C: to=<<email-addr>>, orig_to=<<email-addr>>, relay=dovecot, delay=0.05, delays=0.01/0/0/0.04, dsn=5.3.0, status=bounced (Command died with status 89: "/usr/libexec/dovecot/deliver")
> When deliver fails because it can't connect to auth-master socket it returns an undeliverable status which causes postfix to defer delivery. I think it should do the same here.
Yea, it should. This has been in my TODO list for a while. Finally implemented:
http://dovecot.org/list/dovecot-cvs/2007-February/007688.html
http://dovecot.org/list/dovecot-cvs/2007-February/007689.html
> The real question is how I give deliver the permission to do the setgid? Is it enough to just add user vmail to each of the virtual user groups in /etc/group?
No, Dovecot doesn't care about /etc/group.
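A check for the setuid-root option in the reply above, as an added example that is not part of the original message or of Dovecot: it evaluates the mode and ownership of the deliver binary and reports settings that break delivery or let users other than the Postfix pipe user start it. The function names and GID 5000 are assumptions made for illustration.

```python
import os
import stat

def evaluate(mode, uid, gid, mta_gid):
    """Return findings for a deliver binary with these stat values."""
    findings = []
    if not (mode & stat.S_ISUID) or uid != 0:
        findings.append("not setuid-root: setgid() to another GID fails")
    if mode & stat.S_IXOTH:
        findings.append("world-executable: any local user can start deliver")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable: binary can be replaced")
    if not (mode & stat.S_IXGRP):
        findings.append("not group-executable: the MTA group cannot start it")
    elif gid != mta_gid:
        findings.append("group-executable by a group other than the MTA's")
    return findings

def audit(path, mta_gid):
    """Stat the binary at path and evaluate its mode and ownership."""
    st = os.stat(path)
    return evaluate(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, mta_gid)

if __name__ == "__main__":
    VMAIL_GID = 5000  # constructed: GID of the group Postfix's pipe runs deliver as
    samples = {  # constructed (mode, owner uid, group gid) triples
        "root:vmail 4750": (0o4750, 0, VMAIL_GID),
        "root:root 4755": (0o4755, 0, 0),
        "vmail:vmail 0755": (0o0755, 5000, VMAIL_GID),
    }
    for label, (mode, uid, gid) in samples.items():
        print(label, "->", evaluate(mode, uid, gid, VMAIL_GID) or "ok")
```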
Timo Sirainen wrote:
> On Thu, 2007-02-08 at 13:53 +0000, Dick Middleton wrote:
> > Feb 8 13:09:35 deliver(<email-addr>): setgid(5002) failed: Operation not permitted
> > Feb 8 13:09:36 deliver(<email-addr>): setgid(5001) failed: Operation not permitted
> - Make deliver setuid-root so it has permissions to do the setgid()
This is how I resolved the problem. I'm not sure it's ideal; I have an aversion to setguid programs but I don't see what else you can do.
> Yea, it should. This has been in my TODO list for a while. Finally implemented:
Good oh!
Thanks
Dick
Just use the same username for deliver in /etc/postfix/master.cf
My config is as follows:
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
And make sure that you have this same config in /etc/dovecot.conf:
auth default_with_listener {
  mechanisms = plain login
  userdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = vmail
      group = mail
    }
  }
}
I'm using virtual domains, POSTFIX+DOVECOT+FEDORA-DS+SASLAUTHD
Here you can find a lot of information about Dovecot LDA, hope this can help you:
Regards
Venilton C. Junior
HPS Sercompe Computadores Ltda.
Office: +55 47 3431-9700 Fax: +55 47 3431-9747 Mobile: +55 47 9653-5872
www.sercompe.com.br
-----Original Message-----
From: dovecot-bounces@dovecot.org [mailto:dovecot-bounces@dovecot.org] On Behalf Of Dick Middleton
Sent: Thursday, February 15, 2007 12:17
To: Dovecot Mailing List
Subject: Re: [Dovecot] deliver LDA permission problem
Timo Sirainen wrote:
> On Thu, 2007-02-08 at 13:53 +0000, Dick Middleton wrote:
> > Feb 8 13:09:35 deliver(<email-addr>): setgid(5002) failed: Operation not permitted
> > Feb 8 13:09:36 deliver(<email-addr>): setgid(5001) failed: Operation not permitted
> - Make deliver setuid-root so it has permissions to do the setgid()
This is how I resolved the problem. I'm not sure it's ideal; I have an aversion to setguid programs but I don't see what else you can do.
> Yea, it should. This has been in my TODO list for a while. Finally implemented:
Good oh!
Thanks
Dick
participants (3)
- Dick Middleton
- Timo Sirainen
- Venilton Junior