Re: [Dovecot] auth-master: Permission denied [sigh]
Oh, that was fun.
Making the change below resulted in mail getting deferred with "Fatal: destination user parameter (-d user) not given" ... which apparently is caused by running deliver as 'root'! (http://archive.netbsd.se/?ml=dovecot-general&a=2008-02&t=6558196)
So I am back to:
-rwxr-xr-x 1 root dovecot 4044835 2009-04-03 13:52 deliver
which doesn't produce the error and delivers the mail. Still no joy with Postfix+Spamassassin+Dovecot.
This is unbelievably hard to get going. I started with the default installations of everything on a brand new system. I only made minimal changes as indicated by the docs. Then I made small changes as indicated by this and other mailing lists. I always reverted back to the original defaults between each effort. Now I'm just stumped.
I'm not a newbie ... I've been administrating public servers for over 10 years, and using and working on the Internet since 1968! This is just the first time I've tried to use Postfix+Spamassassin+Dovecot. Previous installations have all used Sendmail+Spamassassin+Dovecot with zero issues. I want the benefits of using the Maildir storage system, but the past two weeks of trying to get this going are making me question whether that benefit is worth it.
Can anyone please post their successful Postfix+Spamassassin+Dovecot setup for me to learn from? I would really appreciate it.
James
I have changed /usr/local/libexec/dovecot/deliver permissions as follows:
-rwsr-s--- 1 root dovecot 4044835 2009-04-03 13:52 deliver
Because of message returned to 'sender@example-send.com':
"local configuration error. Command output: /usr/local/libexec/dovecot/deliver must not be both world-executable and setuid-root. This allows root exploits. See [LDA#multipleuids wiki page]."
Same auth-master "Permission denied" error.
Thanks again.
James
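Added example, not part of the original thread and not Dovecot's own code: a small audit that classifies an `ls -l` line the way the error message above describes, flagging a binary that is both setuid-root and world-executable. The function names are hypothetical, and the third sample line is constructed; the first two are the listings quoted in this message.

```shell
#!/bin/sh
# classify_perms "<ls -l line>" prints one of:
#   unsafe             setuid-root and executable by "other"
#   setuid-restricted  setuid-root, but "other" cannot execute it
#   not-setuid         no setuid-root bit (binary runs as the calling user)
classify_perms() {
    # Field 1 of an ls -l line is the mode string, field 3 the owner.
    read -r mode _links owner _rest <<EOF
$1
EOF
    user_x=$(printf '%s' "$mode" | cut -c4)    # x, s (setuid+exec), S or -
    other_x=$(printf '%s' "$mode" | cut -c10)  # x, t (sticky+exec), T or -
    case $user_x in
        s|S) ;;                                # setuid bit is set
        *)   echo not-setuid; return 0 ;;
    esac
    # Setuid to a non-root owner is not the case the error is about.
    [ "$owner" = root ] || { echo not-setuid; return 0; }
    case $other_x in
        x|t) echo unsafe ;;                    # any local user can run it as root
        *)   echo setuid-restricted ;;
    esac
}

# audit_file PATH: classify a file that exists on this host.
audit_file() {
    classify_perms "$(ls -ld -- "$1")"
}

# Sample listings: the first two come from the thread, the third is constructed.
for line in \
    '-rwxr-xr-x 1 root dovecot 4044835 2009-04-03 13:52 deliver' \
    '-rwsr-s--- 1 root dovecot 4044835 2009-04-03 13:52 deliver' \
    '-rwsr-xr-x 1 root dovecot 4044835 2009-04-03 13:52 deliver'
do
    printf '%-18s %s\n' "$(classify_perms "$line")" "$line"
done
```

With the restricted mode, only root and members of the `dovecot` group can execute the setuid binary, so the account that runs the pipe has to be in that group.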
On Tue, 2009-04-14 at 14:17 -0700, James Butler wrote:
Oh, that was fun.
Making the change below resulted in mail getting deferred with "Fatal: destination user parameter (-d user) not given" ... which apparently is caused by running deliver as 'root'!
I thought you wanted to use -d? There's really no way to make deliveries work to multiple users via pipe, unless you use -d.
Perhaps you shouldn't be using the pipe at all. Maybe you should just put the command to mailbox_command and have it do all the work? Then there's no need to worry about things like setuid-roots or whatever.
Please take a look at my post from 1:05PM today with all of my configuration information. Is the problem being caused by something there? I have been working on this for over two weeks, and I have no idea what's what, anymore.
Now I DO understand that it's either setuid-root deliver and use -d from the pipe or do not use setuid-root deliver or -d or a pipe.
As it is, there is no other mechanism that I can think of to include an anti-spam program in the mail delivery stream. And I haven't even gotten started trying to include an anti-virus program! (I'm assuming that, too, will require a pipe.)
If there is a setup guide for running Postfix+Spamassassin+Dovecot that does not require a pipe, I would be MORE than grateful to learn its location. I have yet to discover one. Even within the config files and docs there are no examples of piping to deliver from Spamassassin, which seems a little unusual, considering the popularity of Spamassassin.
James
On Tue, 2009-04-14 at 14:17 -0700, James Butler wrote:
Oh, that was fun.
Making the change below resulted in mail getting deferred with "Fatal: destination user parameter (-d user) not given" ... which apparently is caused by running deliver as 'root'!
I thought you wanted to use -d? There's really no way to make deliveries work to multiple users via pipe, unless you use -d.
Perhaps you shouldn't be using the pipe at all. Maybe you should just put the command to mailbox_command and have it do all the work? Then there's no need to worry about things like setuid-roots or whatever.
On Wed, 2009-04-15 at 07:52, Timo Sirainen wrote:
Perhaps you shouldn't be using the pipe at all. Maybe you should just put the command to mailbox_command and have it do all the work? Then there's no need to worry about things like setuid-roots or whatever.
Given what his conf showed before, he's using local users only, so you're right, he'd be better off using something like mailbox_command = /path/to/procmail ... and let procmail deal with SA and be done with it.
If he wants advanced he needs to be using MailScanner or amavisd-new, but I think they're overkill for what he wants, so procmail would be better suited.
Noel (not related to James)
On Wed, 2009-04-15 at 07:52, Timo Sirainen wrote:
Perhaps you shouldn't be using the pipe at all. Maybe you should just put the command to mailbox_command and have it do all the work? Then there's no need to worry about things like setuid-roots or whatever.
Given what his conf showed before, he's using local users only, so you're right, he'd be better off using something like mailbox_command = /path/to/procmail ... and let procmail deal with SA and be done with it.
If he wants advanced he needs to be using MailScanner or amavisd-new, but I think they're overkill for what he wants, so procmail would be better suited.
Already went through Procmail. It knows nothing about Dovecot's mail structure, so everything still needs to be piped through deliver.
In addition, there was/is an issue with Procmail not resolving the {HOME} variable correctly in a Maildir system. Works great with Sendmail and mboxes, just not so good with Maildirs. Again, I couldn't get anyone to share a successful setup, and in fact nobody on the Procmail list had ever gotten Postfix+Procmail+Spamassassin+Dovecot working, so that attempt died.
MailScanner is slowly in the process of being attempted, even though it is simply a wrapper that accepts the mail from Postfix then pipes it over to Spamassassin and other programs like AV apps. When I received your suggestion to try those two programs, yesterday, I started installing all of the various Perl modules required by MailScanner, but it's gotten hung up by not recognizing that MailTools' latest version is, in fact, installed and available, so I stopped working on MailScanner until Postfix+Spamassassin+Dovecot completely ends its run.
Amavisd-new is another type of Perl wrapper. I guess I will need to try that one, if all else fails. I'm not a big fan of wrapping stuff in Perl.
I am not yet satisfied that Postfix+Spamassassin+Dovecot will not work.
James (probably related to Noel, but not invited to Christmas Dinner. :( )
Caution: drifting OT :)
On Wed, 2009-04-15 at 08:16, James Butler wrote:
MailScanner is slowly in the process of being attempted, even though it is simply a wrapper that accepts the mail from Postfix then pipes it over to Spamassassin and other programs like AV apps. When I received your suggestion to try those two programs, yesterday, I started installing all of the various Perl modules required by MailScanner, but it's gotten hung up by not recognizing that MailTools' latest version is, in fact, installed
That can be a problem. I avoid using RPM/DEB systems at all costs if I can, because of those very issues. I know MailScanner is tested on RHEL 4+5 (which also means CentOS 4+5); it's therefore usually workable with the latest Fedora versions. Even on RPM systems I used to use the tarball and not the RPM versions. I always use ./install.sh --nomodules and resolve any deps manually, since MailScanner used to, a long time ago, try to overwrite newer modules with its older ones. I think that was getting fixed, but I'm not on the MailScanner list so I don't know if it ever was. Hrmm, getting OT now, I think.
Amavisd-new is another type of Perl wrapper. I guess I will need to try that one, if all else fails. I'm not a big fan of wrapping stuff in Perl.
Both of these are surprisingly fast for Perl. I've used both and prefer MailScanner: it works in batches and is nicer on resources, and since it's easier to configure I don't get weekend phone calls asking how to change this, that and whatever :) Highly worth it. Dovecot only needs to take the mail from Postfix and store it where it should be; let Postfix, the MTA, do its thing with MS/Av-n, which are written to work at the MTA stage. The only interaction here is Dovecot's 'deliver' is the MDA (we use virtual domains). Yep, now very OT.
And as mentioned earlier, my concern over using pf pipe to spamassassin is I think bounces are generated, therefore generating backscatter, which will get you cursed, blocked and worse by many networks and RBLs. (That's how it used to work years ago; perhaps there is a method now to stop bounce DSNs *shrug*)
I am not yet satisfied that Postfix+Spamassassin+Dovecot will not work.
Then you need to bring in, as you said, anti-virus, hence my earlier suggestions.
James (probably related to Noel, but not invited to Christmas Dinner. :(
LOL, going by time zones, I think I'm sleeping Christmas off when you're just starting yours (utc+10) :)
N