[Dovecot] deliver LDA permission problem

Timo Sirainen tss at iki.fi
Thu Feb 15 14:27:41 UTC 2007


On Thu, 2007-02-08 at 13:53 +0000, Dick Middleton wrote:
> Feb  8 13:09:35 deliver(<email-addr>): setgid(5002) failed: Operation not permitted
> Feb  8 13:09:36 deliver(<email-addr>): setgid(5001) failed: Operation not permitted

Your different users have different GIDs? But do they still have all the
same UID? Or do you care about GIDs at all? There are two possibilities:

1) Make deliver setuid-root so it has permissions to do the setgid()
calls (and make sure only Postfix has permissions to start the deliver).

2) Don't use those GIDs. Make userdb return the same GID as what deliver
already runs as.

> Feb  8 13:09:36 Devil postfix/pipe[9622]: 5AD5C103C: to=<<email-addr>>, 
> orig_to=<<email-addr>>, relay=dovecot, delay=0.05, delays=0.01/0/0/0.04, 
> dsn=5.3.0, status=bounced (Command died with status 89: 
> "/usr/libexec/dovecot/deliver")
> 
> 
> When deliver fails because it can't connect to auth-master socket it returns an 
> undeliverable status which causes postfix to defer delivery.  I think it should 
> do the same here.

Yea, it should. This has been in my TODO list for a while. Finally
implemented:

http://dovecot.org/list/dovecot-cvs/2007-February/007688.html
http://dovecot.org/list/dovecot-cvs/2007-February/007689.html

> The real question is how I give deliver the permission to do the setgid?  Is it 
> enough to just add user vmail to each of the virtual user groups in /etc/group.

No, Dovecot doesn't care about /etc/group.
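
Added example, not part of the original message or of Dovecot's code: a probe showing which setgid() targets the kernel grants the current process. On Linux an unprivileged process may only switch to its real or saved GID, and supplementary group membership is not consulted, which is why the calls in the quoted log return "Operation not permitted". GIDs 5001 and 5002 are taken from that log; `try_setgid` and `report` are hypothetical helper names.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Attempt setgid(target) in a forked child so the caller's own
 * credentials never change. Returns 0 on success, the child's errno
 * on failure, or -1 if the probe itself could not run. */
int try_setgid(gid_t target)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(setgid(target) == 0 ? 0 : errno);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

static void report(const char *what, gid_t gid)
{
    int rc = try_setgid(gid);
    printf("%-20s setgid(%lu): %s\n", what, (unsigned long)gid,
           rc == 0 ? "ok" : rc < 0 ? "probe failed" : strerror(rc));
}

int main(void)
{
    gid_t groups[64];
    int n = getgroups(64, groups);   /* -1 if the process has more than 64 */

    printf("euid=%lu gid=%lu\n", (unsigned long)geteuid(), (unsigned long)getgid());
    report("own real GID", getgid());
    /* Supplementary groups (e.g. /etc/group memberships) do not authorise setgid(). */
    for (int i = 0; i < n; i++)
        if (groups[i] != getgid())
            report("supplementary group", groups[i]);
    /* GIDs from the log lines quoted in the message above. */
    report("userdb GID", 5001);
    report("userdb GID", 5002);
    return 0;
}
```

Run as the account the MTA uses to start deliver, only the "own real GID" line normally reports ok; run as root, every line does, which corresponds to the two options in the message.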