[Dovecot] Running LMTP as a user other than the root user
Hello,
With this one in Postfix' main.cf:
virtual_transport = lmtp:unix:/_ROOT/var/run/dovecot/lmtp
and Dovecot settings reproduced at the end of this message, there is no problem having mail delivered into a user's INBOX.
But as soon as I try the security improvement suggested in the docs:
service lmtp {
user = dovemailer
}
this is what I get in the logs:
postfix/smtpd[52588]: connect from localhost[127.0.0.1]
postfix/smtpd[52588]: E86B5BD2BA0: client=localhost[127.0.0.1]
postfix/cleanup[52594]: E86B5BD2BA0: message-id=<20130416171203.E86B5BD2BA0@ALMba.local>
postfix/qmgr[88232]: E86B5BD2BA0: from=<test@example.com>, size=315, nrcpt=1 (queue active)
dovecot[52568]: lmtp(52596): Debug: none: root=, index=, control=, inbox=, alt=
dovecot[52568]: lmtp(52596): Connect from local
dovecot[52568]: lmtp(52596): Debug: Loading modules from directory: /_ROOT/dovecot-2.1.16-0.3.4/lib/dovecot
dovecot[52568]: lmtp(52596): Debug: Module loaded: /_ROOT/dovecot-2.1.16-0.3.4/lib/dovecot/lib10_quota_plugin.so
dovecot[52568]: auth: Error: userdb(test@example.com): client doesn't have lookup permissions for this user: userdb reply doesn't contain uid (to bypass this check, set: service auth { unix_listener /_ROOT/var/run/dovecot/auth-userdb { mode=0777 } })
dovecot[52568]: lmtp(52596): Error: user test@example.com: Auth USER lookup failed
dovecot[52568]: lmtp(52596): Debug: auth input:
postfix/lmtp[52595]: E86B5BD2BA0: to=<test@example.com>, relay=ALMba.local[/_ROOT/var/run/dovecot/lmtp], delay=19, delays=19/0.02/0.17/0.06, dsn=4.3.0, status=deferred (host ALMba.local[/_ROOT/var/run/dovecot/lmtp] said: 451 4.3.0 <test@example.com> Internal error occurred. Refer to server log for more information. (in reply to RCPT TO command))
dovecot[52568]: lmtp(52596): Disconnect from local: Client quit (in reset)
postfix/smtpd[52588]: disconnect from localhost[127.0.0.1]
and the message of course remains in Postfix' queue.
I understand that the +x workaround suggested for the auth-userdb socket (so as to have 0777 permissions instead of 0666) relies on provisions made in Dovecot's code in order to relax some requirements.
But I still need help with a correct interpretation...
The socket receives 0666 permissions by default; any process should thus be able to read from/write to that socket. So, why set such a default, since it is anyway going to yield unintuitive results?
And, as far as the log messages are concerned:
"client doesn't have lookup permissions...". Who's the client here?
Still from the log: "client doesn't have lookup permissions for this user:". Which user?
"userdb reply doesn't contain uid". The userdb query seems to have failed; but does it mean that it should explicitly return a uid?
TIA, Axel
$ doveconf -n
# 2.1.16: /_ROOT/etc/dovecot/dovecot.conf
# OS: Darwin 12.3.0 x86_64
auth_verbose = yes
disable_plaintext_auth = no
mail_debug = yes
mail_gid = dovemailer
mail_location = mbox:~/mboxes:INBOX=~/mboxes/inbox
mail_uid = dovemailer
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
passdb {
args = /_ROOT/etc/dovecot/db.conf
driver = sql
}
plugin {
quota = dirsize:User quota
quota_rule = *:storage=1M
}
ssl = no
userdb {
driver = prefetch
}
userdb {
args = /_ROOT/etc/dovecot/db.conf
driver = sql
}
protocol lmtp {
mail_plugins = quota
}
protocol pop3 {
mail_plugins = quota
pop3_uidl_format = %08Xv%08Xu
}
protocol imap {
mail_plugins = quota
}
With above settings, the permissions on socket auth-userdb are:
srw-rw-rw- 1 dovecot wheel 0 16 avr 16:05 auth-userdb
and the full config for service lmtp is:
$ doveconf service/lmtp
service lmtp {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = lmtp
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol = lmtp
service_count = 0
type =
unix_listener lmtp {
group =
mode = 0666
user =
}
user =
vsz_limit = 18446744073709551615 B
}
On 16 Apr 2013 at 19:47, Axel Luttgens wrote:
[...]
Mea culpa.
I missed a few enlightening lines in 10-master.conf, at the beginning of the "service auth" section.
They are terribly useful for understanding the coding choices and to conclude that everything "works as intended".
Axel
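The permission rule behind the "client doesn't have lookup permissions" error, as an added illustration rather than code from the thread or from Dovecot: it models the auth-userdb check as described in the comments of Dovecot's 10-master.conf (service auth section) and replays the logged case (lmtp running as dovemailer, socket owned by dovecot:wheel, userdb reply without a uid). The numeric uids and gids are constructed.

```python
# Added illustration, not the thread's or Dovecot's code: a model of the
# auth-userdb lookup permission rule as described in the comments of
# Dovecot's 10-master.conf (service auth section). Ids are constructed.
import stat

# Constructed uids/gids standing in for the accounts in the thread.
PASSWD = {"root": 0, "dovecot": 214, "dovemailer": 501}
GROUPS = {"wheel": 0, "dovemailer": 501}


def userdb_lookup_allowed(socket_mode, socket_uid, socket_gid,
                          client_uid, client_gid, userdb_reply):
    """Return (allowed, reason) for one userdb lookup over the socket.

    Modelled rule: a mode other than 0666 (e.g. 0777) leaves enforcement to
    the kernel, so anyone who can connect gets full lookup rights; root and
    callers matching the socket's owner uid or group gid always succeed;
    anyone else needs a reply whose uid equals the caller's own uid.
    """
    if stat.S_IMODE(socket_mode) != 0o666:
        return True, "non-default socket mode: kernel enforces access"
    if client_uid == 0:
        return True, "client is root"
    if client_uid == socket_uid or client_gid == socket_gid:
        return True, "client matches socket owner or group"
    reply_uid = userdb_reply.get("uid")
    if reply_uid is None:
        return False, "userdb reply doesn't contain uid"
    reply_uid = int(PASSWD.get(reply_uid, reply_uid))  # name or number
    if reply_uid != client_uid:
        return False, "userdb reply uid %d doesn't match client uid %d" % (
            reply_uid, client_uid)
    return True, "userdb reply uid matches client uid"


def lmtp_lookup(service_user, userdb_reply, socket_mode=0o666):
    """The thread's case: auth-userdb owned dovecot:wheel, lmtp as service_user."""
    return userdb_lookup_allowed(
        socket_mode, PASSWD["dovecot"], GROUPS["wheel"],
        PASSWD[service_user], GROUPS.get(service_user, GROUPS["wheel"]),
        userdb_reply)


if __name__ == "__main__":
    # service lmtp { user = dovemailer } and a reply without uid: the logged error
    print(lmtp_lookup("dovemailer", {}))
    # same service user once the SQL userdb also returns uid=dovemailer
    print(lmtp_lookup("dovemailer", {"uid": "dovemailer"}))
    # default service user (root): no reply uid needed
    print(lmtp_lookup("root", {}))
```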