[Dovecot] deliver net_connect auth-master failed: Permission denied
Ok, I've ALMOST got this working ... I can run deliver as a user, but when I try using it as the default delivery agent from sendmail, I get deliver(userid): net_connect(/var/run/dovecot/auth-master) failed: Permission denied
Does deliver run as root, as the recipient's ID, sendmail's ID or sendmail's GID? (I'm running freebsd)
Or am I totally clueless ?? Here is dovecot -n:
# 1.0.3: /usr/local/etc/dovecot.conf
base_dir: /var/run/dovecot/
listen: localhost:996
ssl_disable: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting_capability: yes
first_valid_uid: 100
mail_extra_groups: mail
mail_location: mbox:~/mail:INBOX=/var/mail/%u:INDEX=/var/spool/dovecot_indexes/%u
lock_method: flock
mbox_read_locks: flock
mbox_write_locks: flock
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
Thanks!!!!! Rich
At 7:19 PM -0500 9/25/07, Rich Winkel imposed structure on a stream of electrons, yielding:
Ok, I've ALMOST got this working ... I can run deliver as a user, but when I try using it as the default delivery agent from sendmail, I get deliver(userid): net_connect(/var/run/dovecot/auth-master) failed: Permission denied
Does deliver run as root, as the recipient's ID, sendmail's ID or sendmail's GID? (I'm running freebsd)
Ideally, it should run SUID+SGID to a user and group that exist to make mail delivery permissions work. See http://wiki.dovecot.org/LDA/Sendmail and http://wiki.dovecot.org/LDA
The key bit is on the main LDA page where it describes the master socket config and on the Sendmail page where it discusses 'non-root' sendmail setups, which is really applicable to all common setups of modern Sendmail.
Or am I totally clueless ??
Well, the Mizzou address argues one way, but I'll give you the benefit of the doubt and say maybe not... :)
The bottom line: make up a user and group to own the master socket, structure your inbox permissions so that deliver can run that way and write to them, and make deliver SUID/SGID.
Structuring inbox permissions so that can work is a potentially complex problem.
Here is dovecot -n:
# 1.0.3: /usr/local/etc/dovecot.conf
base_dir: /var/run/dovecot/
listen: localhost:996
ssl_disable: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting_capability: yes
first_valid_uid: 100
mail_extra_groups: mail
mail_location: mbox:~/mail:INBOX=/var/mail/%u:INDEX=/var/spool/dovecot_indexes/%u
lock_method: flock
mbox_read_locks: flock
mbox_write_locks: flock
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
Thanks!!!!! Rich
-- Bill Cole bill@scconsult.com
On Tue, Sep 25, 2007 at 09:07:24PM -0400, Bill Cole wrote:
At 7:19 PM -0500 9/25/07, Rich Winkel imposed structure on a stream of electrons, yielding:
a flux of gibberish!!!
Does deliver run as root, as the recipient's ID, sendmail's ID or sendmail's GID? (I'm running freebsd)
Ideally, it should run SUID+SGID to a user and group that exist to make mail delivery permissions work. See http://wiki.dovecot.org/LDA/Sendmail and http://wiki.dovecot.org/LDA
The key bit is on the main LDA page where it describes the master socket config and on the Sendmail page where it discusses 'non-root' sendmail setups, which is really applicable to all common setups of modern Sendmail.
Ok, I've done:

chown dovecot:dovecot /usr/local/libexec/dovecot/deliver
chmod ug+s /usr/local/libexec/dovecot/deliver

and set

socket listen {
  master {
    # Master socket provides access to userdb information. It's typically
    # used to give Dovecot's local delivery agent access to userdb so it
    # can find mailbox locations.
    path = /var/run/dovecot/auth-master
    mode = 0660
    # Default user/group is the one who started dovecot-auth (root)
    user = dovecot
    group = dovecot
  }

in dovecot.conf. Then I got:
deliver(userid): setgid(10) failed: Operation not permitted

So I tried

chown root:dovecot /usr/local/libexec/dovecot/deliver

and now it seems to be working ... I think!
Or am I totally clueless ??
Well, the Mizzou address argues one way, but I'll give you the benefit of the doubt and say maybe not... :)
Doh! Walked right into that one :)
The bottom line: make up a user and group to own the master socket, structure your inbox permissions so that deliver can run that way and write to them, and make deliver SUID/SGID.
Structuring inbox permissions so that can work is a potentially complex problem.
So I see ...
Danke kindly, Rich
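The three states this thread passes through (a process running as the recipient cannot open the root-owned auth-master socket; deliver setuid/setgid to dovecot can open it but cannot setgid to the recipient; deliver setuid root and setgid dovecot can do both) are just ordinary Unix credential rules. The following is an added model of those rules, not Dovecot's own code; the uids/gids are constructed, it assumes the MTA hands the message to deliver running as the recipient, and it ignores supplementary groups (so mail_extra_groups plays no part here).

```python
import stat
from dataclasses import dataclass
ROOT, DOVECOT, RCPT_UID, RCPT_GID = 0, 143, 1001, 10  # constructed ids, not from the thread

@dataclass(frozen=True)
class FileInfo:
    mode: int  # permission bits, including setuid/setgid
    uid: int
    gid: int

def effective_ids(binary, real_uid, real_gid):
    """Credentials a process gets when it execs `binary` (setuid/setgid rules)."""
    euid = binary.uid if binary.mode & stat.S_ISUID else real_uid
    egid = binary.gid if binary.mode & stat.S_ISGID else real_gid
    return euid, egid

def may_write(f, euid, egid):
    """connect() on a unix socket requires write permission on the socket file."""
    if euid == 0:
        return True
    if euid == f.uid:
        return bool(f.mode & stat.S_IWUSR)
    if egid == f.gid:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)

def can_switch_to(euid, egid, uid, gid):
    """Only root may change to arbitrary ids; anyone else can only keep its own."""
    return euid == 0 or (uid, gid) == (euid, egid)

def deliver_outcome(binary, sock, mta_uid, mta_gid, rcpt_uid, rcpt_gid):
    """What deliver reports: first connect to auth-master, then drop to the recipient."""
    euid, egid = effective_ids(binary, mta_uid, mta_gid)
    if not may_write(sock, euid, egid):
        return "net_connect failed: Permission denied"
    if not can_switch_to(euid, egid, rcpt_uid, rcpt_gid):
        return f"setgid({rcpt_gid}) failed: Operation not permitted"
    return "ok"

def walk_through_thread():
    """The three configurations from the thread, deliver started as the recipient."""
    sock_default = FileInfo(0o660, ROOT, ROOT)        # owner = whoever started dovecot-auth
    sock_dovecot = FileInfo(0o660, DOVECOT, DOVECOT)  # user = dovecot / group = dovecot
    steps = [
        (FileInfo(0o755, ROOT, ROOT), sock_default),         # no setuid/setgid at all
        (FileInfo(0o6755, DOVECOT, DOVECOT), sock_dovecot),  # chown dovecot:dovecot; chmod ug+s
        (FileInfo(0o6755, ROOT, DOVECOT), sock_dovecot),     # chown root:dovecot; chmod ug+s
    ]
    return [deliver_outcome(b, s, RCPT_UID, RCPT_GID, RCPT_UID, RCPT_GID) for b, s in steps]
```

On a live system the same reasoning is applied by reading the mode and owner of the deliver binary and of the auth-master socket with stat and plugging them into these checks.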