[Dovecot] Random LDA failure to access auth socket
Greetings all.
Please forgive me if I'm posting something that has already been addressed, but my google-foo is not strong enough to find the solution.
I've got a dovecot server running version 2.0.19 on Gentoo Hardened. I have Postfix as my MTA, and it is calling the Dovecot LDA to deliver the mail. Everything is working great, mail is being delivered, and the users are happy.
However, I am noticing that I have random entries like this:
Mar 1 20:19:23 hermes dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=97(dovecot) egid=97(dovecot) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
Mar 1 20:19:23 hermes dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
Since these messages came from the server log, looking in the server log for more information is rather pointless.
I have 10-master.conf configured as follows:
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
}
In 15-lda.conf I have:
protocol lda {
  mail_plugins = $mail_plugins sieve quota
}
In Postfix master.cf, I have the following:
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
Permissions on the socket are: srw------- 1 vmail vmail 0 Feb 24 23:43 auth-userdb
Judging from the log, my problem is that the LDA appears to be trying to access the socket as the dovecot user (rather than the vmail user), but my question is why? What logging can I use to tell me if postfix is calling with the wrong permissions or if the lda is somehow getting confused?
Any help or suggestions greatly appreciated.
Thanks, Gizmo
Chris Richards wrote:
> I've got a dovecot server running version 2.0.19 on Gentoo Hardened. I have Postfix as my MTA, and it is calling the Dovecot LDA to deliver the mail. Everything is working great, mail is being delivered, and the users are happy.
> However, I am noticing that I have random entries like this:
> Mar 1 20:19:23 hermes dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=97(dovecot) egid=97(dovecot) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
> Mar 1 20:19:23 hermes dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
> In Postfix master.cf, I have the following:
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
> Permissions on the socket are: srw------- 1 vmail vmail 0 Feb 24 23:43 auth-userdb
> Judging from the log, my problem is that the LDA appears to be trying to access the socket as the dovecot user (rather than the vmail user), but my question is why? What logging can I use to tell me if postfix is calling with the wrong permissions or if the lda is somehow getting confused?
Have a look at http://wiki2.dovecot.org/LDA and http://wiki2.dovecot.org/LDA/Postfix. Maybe there you will find some helpful hints.
Is /usr/libexec/dovecot/deliver or /usr/libexec/dovecot/dovecot-lda somehow setuid or setgid and owner/group dovecot? Where do the effective user euid=97(dovecot) and effective group egid=97(dovecot) come from? Is it somewhere in your dovecot config?
Please show full output of
# doveconf -n
# stat /usr/libexec/dovecot/deliver
# stat /usr/libexec/dovecot/dovecot-lda
Regards
Daniel
Thanks for the links: those were what I followed when I set things up.
The dovecot user is the $default_internal_user.
hermes conf.d # dovecot -n
# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.4.2-hardened-r1-bordernet x86_64 Gentoo Base System release 2.1 ext4
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@&
auth_verbose_passwords = plain
disable_plaintext_auth = no
login_greeting = Awaiting command...
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_plugins = " quota"
mail_privileged_group = 100
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  expire = Trash 7
  expire2 = Trash/* 7
  expire3 = Spam 7
  quota = maildir:User quota
  quota_rule = *:storage=200M
  quota_warning = storage=95%% quota-warning 95 %n %d
  quota_warning2 = storage=80%% quota-warning 80 %n %d
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /home/vmail/dovecot/sieve
  sieve_global_path = /home/vmail/dovecot/sieve/default.sieve
}
protocols = imap pop3 sieve
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = $default_internal_user
}
service quota-warning {
  executable = script /etc/dovecot/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_cert =
hermes conf.d # stat /usr/libexec/dovecot/deliver
  File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
  Size: 11          Blocks: 0          IO Block: 4096   symbolic link
Device: 805h/2053d  Inode: 267375      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2012-11-24 17:44:04.440976879 +0000
Modify: 2012-11-24 17:44:04.440976879 +0000
Change: 2012-11-24 17:44:04.440976879 +0000
 Birth: -
hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
  File: '/usr/libexec/dovecot/dovecot-lda'
  Size: 22432       Blocks: 48         IO Block: 4096   regular file
Device: 805h/2053d  Inode: 849010      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2012-11-24 17:43:57.124794021 +0000
Modify: 2012-11-24 17:44:02.204920992 +0000
Change: 2012-11-24 17:44:04.444976978 +0000
 Birth: -
Thanks in advance for your help.
Chris
On Sat, March 2, 2013 11:15 am, Daniel Parthey wrote:
> Chris Richards wrote:
> > I've got a dovecot server running version 2.0.19 on Gentoo Hardened. I have Postfix as my MTA, and it is calling the Dovecot LDA to deliver the mail. Everything is working great, mail is being delivered, and the users are happy.
> > However, I am noticing that I have random entries like this:
> > Mar 1 20:19:23 hermes dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=97(dovecot) egid=97(dovecot) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
> > Mar 1 20:19:23 hermes dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
> > In Postfix master.cf, I have the following:
> > dovecot   unix  -       n       n       -       -       pipe
> >   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
> > Permissions on the socket are: srw------- 1 vmail vmail 0 Feb 24 23:43 auth-userdb
> > Judging from the log, my problem is that the LDA appears to be trying to access the socket as the dovecot user (rather than the vmail user), but my question is why? What logging can I use to tell me if postfix is calling with the wrong permissions or if the lda is somehow getting confused?
> Have a look at http://wiki2.dovecot.org/LDA and http://wiki2.dovecot.org/LDA/Postfix. Maybe there you will find some helpful hints.
> Is /usr/libexec/dovecot/deliver or /usr/libexec/dovecot/dovecot-lda somehow setuid or setgid and owner/group dovecot? Where do the effective user euid=97(dovecot) and effective group egid=97(dovecot) come from? Is it somewhere in your dovecot config?
> Please show full output of
> # doveconf -n
> # stat /usr/libexec/dovecot/deliver
> # stat /usr/libexec/dovecot/dovecot-lda
> Regards
> Daniel
Hi Chris,
Chris Richards wrote:
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0600
>     user = vmail
>   }
>   user = $default_internal_user
> }
In order for dovecot-lda to work, default internal user "dovecot" seems to need permission for the user listing. This should work, but you should try to narrow the permissions down:
service auth {
  unix_listener auth-userdb {
    group = dovecot
    mode = 0666
    user = dovecot
  }
}
Documentation http://wiki2.dovecot.org/LDA says:
The auth-userdb socket can be used to do userdb lookups for given usernames or get a list of all users. Typically the result will contain the user's UID, GID and home directory, but depending on your configuration it may return other information as well. So the information is similar to what can be found from eg. /etc/passwd for system users. This means that it's probably not a problem to use mode=0666 for the socket, but you should try to restrict it more just to be safe.
> hermes conf.d # stat /usr/libexec/dovecot/deliver
>   File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
>   Size: 11          Blocks: 0          IO Block: 4096   symbolic link
> Device: 805h/2053d  Inode: 267375      Links: 1
> Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
> Access: 2012-11-24 17:44:04.440976879 +0000
> Modify: 2012-11-24 17:44:04.440976879 +0000
> Change: 2012-11-24 17:44:04.440976879 +0000
>  Birth: -
deliver is a symbolic link to dovecot-lda, so it's basically the same.
> hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
>   File: '/usr/libexec/dovecot/dovecot-lda'
>   Size: 22432       Blocks: 48         IO Block: 4096   regular file
> Device: 805h/2053d  Inode: 849010      Links: 1
> Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> Access: 2012-11-24 17:43:57.124794021 +0000
> Modify: 2012-11-24 17:44:02.204920992 +0000
> Change: 2012-11-24 17:44:04.444976978 +0000
>  Birth: -
No setuid/setgid flags set.
> In Postfix master.cf, I have the following:
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
I'm wondering why user=vmail:users does not have the desired effect and dovecot-lda uses the effective uid "dovecot" and effective gid "dovecot" to do the user lookups.
Regards
Daniel
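To make the permission question concrete, here is an added Python example (my own, not code from this thread or from Dovecot) that parses the lda error line quoted above and then simulates the ordinary owner/group/other access rule for the three auth-userdb listener settings under discussion: the original vmail:vmail 0600, Daniel's dovecot:dovecot 0666, and a narrower dovecot:dovecot 0660 that is my own candidate, not something the thread proposed. The uid 97 for dovecot comes from the log line; the numeric ids for vmail, users and postfix are constructed placeholders, and the access check is a plain model of the Unix permission classes, not Dovecot's own code (Dovecot's message named only the first missing bit, +r; this model lists every missing bit).

```python
import re
import stat

# Constructed sample: the error line quoted in the thread, joined into one string.
SAMPLE_LOG = (
    "Mar 1 20:19:23 hermes dovecot: lda: Error: userdb lookup: "
    "connect(/var/run/dovecot/auth-userdb) failed: Permission denied "
    "(euid=97(dovecot) egid=97(dovecot) missing +r perm: "
    "/var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)"
)

LOG_RE = re.compile(
    r"connect\((?P<path>[^)]+)\) failed: Permission denied "
    r"\(euid=(?P<euid>\d+)\((?P<euser>[^)]+)\) "
    r"egid=(?P<egid>\d+)\((?P<egroup>[^)]+)\)"
)

# uid/gid table for the simulation: 97 for dovecot is from the log line;
# the vmail, users and postfix ids are constructed placeholders (assumption).
UIDS = {"dovecot": 97, "vmail": 1000, "postfix": 207}
GIDS = {"dovecot": 97, "vmail": 1000, "users": 100, "postfix": 207}


def parse_lda_perm_error(line):
    """Extract socket path and effective uid/gid from a Dovecot lda 'Permission denied' line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "path": m.group("path"),
        "euid": int(m.group("euid")), "euser": m.group("euser"),
        "egid": int(m.group("egid")), "egroup": m.group("egroup"),
    }


def unix_access(mode, owner_uid, owner_gid, euid, egid, groups=()):
    """(readable, writable) for a non-root caller: owner class if euid matches the
    owner, else group class if egid or a supplementary group matches, else 'other'."""
    if euid == owner_uid:
        r_bit, w_bit = stat.S_IRUSR, stat.S_IWUSR
    elif egid == owner_gid or owner_gid in groups:
        r_bit, w_bit = stat.S_IRGRP, stat.S_IWGRP
    else:
        r_bit, w_bit = stat.S_IROTH, stat.S_IWOTH
    return bool(mode & r_bit), bool(mode & w_bit)


def missing_perms(listener, euid, egid, groups=()):
    """Which of r/w the caller lacks on the unix_listener: '+r', '+w', '+rw' or ''."""
    readable, writable = unix_access(
        listener["mode"], UIDS[listener["user"]], GIDS[listener["group"]],
        euid, egid, groups,
    )
    lacking = ("" if readable else "r") + ("" if writable else "w")
    return "+" + lacking if lacking else ""


# The listener settings compared: the thread's original, Daniel's suggestion,
# and a narrower 0660 variant that is my own candidate (assumption).
LISTENERS = {
    "original (vmail:vmail 0600)": {"user": "vmail", "group": "vmail", "mode": 0o600},
    "suggested (dovecot:dovecot 0666)": {"user": "dovecot", "group": "dovecot", "mode": 0o666},
    "narrower (dovecot:dovecot 0660)": {"user": "dovecot", "group": "dovecot", "mode": 0o660},
}


def evaluate(line=SAMPLE_LOG):
    """For the euid/egid seen in the log line, report what each listener leaves
    missing, and whether a vmail:users caller (the master.cf identity) could connect."""
    err = parse_lda_perm_error(line)
    result = {}
    for name, listener in LISTENERS.items():
        result[name] = {
            "logged caller": missing_perms(listener, err["euid"], err["egid"]),
            "vmail:users": missing_perms(listener, UIDS["vmail"], GIDS["users"]),
        }
    return result


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name:34s} logged caller: {outcome['logged caller'] or 'ok':4s} "
              f"vmail:users: {outcome['vmail:users'] or 'ok'}")
```

Running it shows why the original setting fails for euid 97 (the caller falls into the "other" class of a 0600 socket) and why the 0666 suggestion works for any caller. The narrower 0660 variant lets the dovecot user in but locks out a vmail:users caller, which is the trade-off to weigh before tightening the mode: whichever identity dovecot-lda actually runs as must land in the owner or group class of the socket.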
> In order for dovecot-lda to work, default internal user "dovecot" seems to need permission for the user listing. This should work, but you should try to narrow the permissions down:
> service auth {
>   unix_listener auth-userdb {
>     group = dovecot
>     mode = 0666
>     user = dovecot
>   }
> }
I'll give this a whirl tomorrow during off-mail time. I'm thinking there was a reason I did vmail:users, but it's not coming to me at the moment.
I'm also puzzled by why lda is using dovecot:dovecot rather than vmail:users. Does it drop back to dovecot:dovecot and retry if the requested uid:gid fails to work? I can't imagine where postfix would get uid:gid of dovecot:dovecot to call with, so I don't think it's a postfix problem.
Thanks for your help!
Chris
I was finally able to make this change. It doesn't appear to have broken anything, which is a plus. ;)
I'll ping back in a couple of days or so and let you know if the issue appears resolved.
Thanks again for your help!
Chris
On Sun, March 3, 2013 6:31 pm, Chris Richards wrote:
> > In order for dovecot-lda to work, default internal user "dovecot" seems to need permission for the user listing. This should work, but you should try to narrow the permissions down:
> > service auth {
> >   unix_listener auth-userdb {
> >     group = dovecot
> >     mode = 0666
> >     user = dovecot
> >   }
> > }
> I'll give this a whirl tomorrow during off-mail time. I'm thinking there was a reason I did vmail:users, but it's not coming to me at the moment.
> I'm also puzzled by why lda is using dovecot:dovecot rather than vmail:users. Does it drop back to dovecot:dovecot and retry if the requested uid:gid fails to work? I can't imagine where postfix would get uid:gid of dovecot:dovecot to call with, so I don't think it's a postfix problem.
> Thanks for your help!
> Chris
Daniel, Just wanted to respond back and let you know that changing permissions to dovecot:dovecot as you suggested seems to have resolved the issue; I've not seen any more occurrences of this error.
Thanks again for your assistance!
Chris
On Sun, March 3, 2013 5:13 pm, Daniel Parthey wrote:
> Hi Chris,
> Chris Richards wrote:
> > service auth {
> >   unix_listener /var/spool/postfix/private/auth {
> >     group = postfix
> >     mode = 0666
> >     user = postfix
> >   }
> >   unix_listener auth-userdb {
> >     group = vmail
> >     mode = 0600
> >     user = vmail
> >   }
> >   user = $default_internal_user
> > }
> In order for dovecot-lda to work, default internal user "dovecot" seems to need permission for the user listing. This should work, but you should try to narrow the permissions down:
> service auth {
>   unix_listener auth-userdb {
>     group = dovecot
>     mode = 0666
>     user = dovecot
>   }
> }
> Documentation http://wiki2.dovecot.org/LDA says:
> The auth-userdb socket can be used to do userdb lookups for given usernames or get a list of all users. Typically the result will contain the user's UID, GID and home directory, but depending on your configuration it may return other information as well. So the information is similar to what can be found from eg. /etc/passwd for system users. This means that it's probably not a problem to use mode=0666 for the socket, but you should try to restrict it more just to be safe.
> > hermes conf.d # stat /usr/libexec/dovecot/deliver
> >   File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
> >   Size: 11          Blocks: 0          IO Block: 4096   symbolic link
> > Device: 805h/2053d  Inode: 267375      Links: 1
> > Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
> > Access: 2012-11-24 17:44:04.440976879 +0000
> > Modify: 2012-11-24 17:44:04.440976879 +0000
> > Change: 2012-11-24 17:44:04.440976879 +0000
> >  Birth: -
> deliver is a symbolic link to dovecot-lda, so it's basically the same.
> > hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
> >   File: '/usr/libexec/dovecot/dovecot-lda'
> >   Size: 22432       Blocks: 48         IO Block: 4096   regular file
> > Device: 805h/2053d  Inode: 849010      Links: 1
> > Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> > Access: 2012-11-24 17:43:57.124794021 +0000
> > Modify: 2012-11-24 17:44:02.204920992 +0000
> > Change: 2012-11-24 17:44:04.444976978 +0000
> >  Birth: -
> No setuid/setgid flags set.
> > In Postfix master.cf, I have the following:
> > dovecot   unix  -       n       n       -       -       pipe
> >   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
> I'm wondering why user=vmail:users does not have the desired effect and dovecot-lda uses the effective uid "dovecot" and effective gid "dovecot" to do the user lookups.
> Regards
> Daniel