[Dovecot] auth-master: Permission denied [sigh]

James Butler jbutler at thebestdefense.com
Sun Apr 12 19:27:11 EEST 2009 

I've been messing with this for too long, now, and I'm blind to whatever's
wrong. Or I'm simply being dense. Either way, I need help with a common
issue.

I'm trying to get Postfix+Spamassassin+Dovecot going on Fedora 10. (I'll
get back to the global Sieve thingy soon, but I need to get this going,
first.)

When using the simple:
 mailbox_command = /usr/local/libexec/dovecot/deliver
everything is cool, except there's no Spamassassin involvement, obviously.

The problem shows itself when the Spamassassin user hands off to the
recipient user and Deliver + the recipient user tries to access
/var/run/dovecot/auth-master.

Thank you for any insight you can provide.

/var/run/dovecot: 755 root:dovecot
/var/run/dovecot/login: 750 root:dovecot
/var/run/dovecot/auth-master: 750 root:dovecot
(I think. auth-master is a temporary file? Comes and goes.)

>From /etc/postfix/main.cf

mailbox_transport = spamassassin

>From /etc/postfix/master.cf:

spamassassin unix - n n - - pipe
  user=spam argv=/usr/bin/spamc -f -e /usr/libexec/dovecot/deliver
  -f ${sender} -d ${user} -m ${extension}

Here's my 'socket listen' section from /usr/local/etc/dovecot.conf:

socket listen {
 master {
  path = /var/run/dovecot/auth-master
  mode = 0666
  #user =
  group = dovecot
 }
 client {
  path = /var/run/dovecot/auth-client
  mode = 0666
  #user =
  group = dovecot
 }
}

>From /var/log/maillog:

Postfix receives the message:

postfix/smtpd[29447]: connect from \
 IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]
postfix/smtpd[29447]: 60990FA01BA: \
 client=IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]
postfix/cleanup[29451]: 60990FA01BA: \
 message-id=<49E20BF2.4090408 at example-send.com>
postfix/qmgr[29441]: 60990FA01BA: from=<sender at example-send.com>, \
 size=812, nrcpt=1 (queue active)
postfix/smtpd[29447]: disconnect from \
 IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]

Spamassassin processes the message as user 'spam':

spamd[4121]: spamd: processing message\
 <49E20BF2.4090408 at example-send.com> for spam:653
spamd[4121]: spamd: clean message (3.0/5.0) for spam:653 in 5.2 seconds,\
 793 bytes.
spamd[4121]: spamd: result: . 2 - RDNS_DYNAMIC,TVD_SPACE_RATIO \
 scantime=5.2,size=793,user=spam,uid=653,required_score=5.0, \
 rhost=localhost.localdomain,raddr=127.0.0.1,rport=42493, \
 mid=<49E20BF2.4090408 at example-send.com>,autolearn=no

Spamassassin pipes result to Deliver which runs as recipient user.

Deliver as recipient user doesn't have permission to auth:

deliver(recipient): Can't connect to auth server at \
 /var/run/dovecot/auth-master: Permission denied
postfix/pipe[29452]: 60990FA01BA: to=<recipient at example-receive.com>, \
 relay=spamassassin, delay=6, delays=0.33/0.01/0/5.7, dsn=4.3.0, \
 status=deferred (temporary failure)

1) I must use the 'user=' arg for spamc
2) Can't use 'user=${user}' or $user:
   fatal: get_service_attr: unknown username: ${user}
3) Must use '-d ${user}' Deliver arg, otherwise
   message gets delivered to user 'spam'

AArrgh! TIA.

More information about the dovecot mailing list