[Dovecot] Authentication woes - Couldn't drop privileges: Mail access not allowed for root
I'm currently trying to set up a Dovecot 2.0.0 server for backup purposes. There's an existing server which I successfully migrated to Dovecot 2.0.0, and it uses LDAP for authentication. For the backup server, which will not be exposed to users, I tried both PAM and PASSWD authentication, but all I are syslog entries like these:
dovecot: imap-login: Login: user=<foo>, method=PLAIN, rip=[...], lip=[...], mpid=20059, TLS dovecot: imap(foo): Error: user foo: Couldn't drop privileges: Mail access not allowed for root dovecot: imap(foo): Error: Internal error occurred. Refer to server log for more information.
Here is my current configuration:
# doveconf -n # 2.0.0: /usr/local/dovecot-2.0/etc/dovecot/dovecot.conf # OS: Linux 2.6.35-gentoo-r1-v3 x86_64 Gentoo Base System release 2.0.1 auth_mechanisms = plain login base_dir = /var/run/dovecot/ listen = * mail_location = maildir:~/.maildir passdb { args = scheme=crypt /usr/local/dovecot-2.0/etc/dovecot/passwd driver = passwd-file } protocols = imap ssl_cert =
The password file contents:
# cat /usr/local/dovecot-2.0/etc/dovecot/passwd foo:{CRYPT}xxx:1000:1000:Foo Backup:/home/foo:/bin/bash
I searched the Dovecot Wiki and also tried MARC and Google, but I can't seem to find a solution for this problem. Could you please point me in the right direction? I have probably missed something.
Thanks!
-Ralph
On Fri, 2010-08-20 at 20:07 +0200, Ralph Seichter wrote:
dovecot: imap(foo): Error: user foo: Couldn't drop privileges: Mail access not allowed for root passdb { args = scheme=crypt /usr/local/dovecot-2.0/etc/dovecot/passwd driver = passwd-file }
You don't have a userdb defined or mail_uid/mail_gid setting..
# cat /usr/local/dovecot-2.0/etc/dovecot/passwd foo:{CRYPT}xxx:1000:1000:Foo Backup:/home/foo:/bin/bash
I guess you should add:
userdb { args = scheme=crypt /usr/local/dovecot-2.0/etc/dovecot/passwd driver = passwd-file }
The error message is bad though. I'm pretty sure it was better in v1.2. I'll see about fixing that.
On 20.08.10 20:36, Timo Sirainen wrote:
I guess you should add:
userdb { args = scheme=crypt /usr/local/dovecot-2.0/etc/dovecot/passwd driver = passwd-file }
I think you meant "args = /usr/local/dovecot-2.0/etc/dovecot/passwd", without "scheme=crypt". Adding the userdb setting to my Dovecot config does the trick, thank you!
The error message is bad though. I'm pretty sure it was better in v1.2. I'll see about fixing that.
Good idea. The current message is rather misleading.
-Ralph
Hi Timo,
thanks again for pointing out the missing userdb configuration entry yesterday. Now that both Dovecot 2.0.0 servers are running fine, I use the following command to backup mail data from serverA to serverB in a shell script running on serverB, looping over user names:
/usr/local/dovecot-2.0/bin/dsync -v -R -u $user backup
ssh -i /home/$user/.ssh/id_dsa $user@serverA /usr/local/dovecot-2.0/bin/dsync
I made a small mistake during setup and had one of the id_dsa files owned by root instead of $user. This was deliberate, because the sync script is run by root and I thought that the SSH key should thus be owned by root aswell. The resulting error message was:
Permission denied (publickey,keyboard-interactive). dsync-local(foouser): Error: read() from worker server failed: EOF dsync-local(foouser): Fatal: dsync backup: Looks like you're trying to run backup in wrong direction. Source is empty and destination is not.
The first line is generated by SSH, because serverA allows key-based authentication only and the key file on serverB was unreadable as dsync seems to drop root privileges in this case (at least that's my guess).
Do you think one should add an example for key-based authentication to http://wiki2.dovecot.org/Tools/Dsync ?
-Ralph
On Sat, 2010-08-21 at 11:10 +0200, Ralph Seichter wrote:
I made a small mistake during setup and had one of the id_dsa files owned by root instead of $user. This was deliberate, because the sync script is run by root and I thought that the SSH key should thus be owned by root aswell.
Yeah, that's how I thought it should work too. Fixed: http://hg.dovecot.org/dovecot-2.0/rev/83f98d61bea2
The resulting error message was:
Permission denied (publickey,keyboard-interactive). dsync-local(foouser): Error: read() from worker server failed: EOF
This is ok.
dsync-local(foouser): Fatal: dsync backup: Looks like you're trying to run backup in wrong direction. Source is empty and destination is not.
This should have been logged. Fixed: http://hg.dovecot.org/dovecot-2.0/rev/6ef21adeb61d
Do you think one should add an example for key-based authentication to http://wiki2.dovecot.org/Tools/Dsync ?
With the above changes, I guess all that's needed for that is to add "-i id_dsa.backup" parameter to:
dsync -u username mirror ssh mailuser@example.com dsync -u username
On 23.08.10 15:37, Timo Sirainen wrote:
Yeah, that's how I thought it should work too. Fixed: http://hg.dovecot.org/dovecot-2.0/rev/83f98d61bea2
I just installed Dovecot from Mercurial on the server running the dsync backup script. I can confirm that with your changes the SSH key file can be root-readable-only, which I consider a significant security improvement. Thank you!
-Ralph
participants (2)
-
Ralph Seichter
-
Timo Sirainen