[Dovecot] need help with dovecot-lda

Ben Morrow ben at morrow.me.uk
Sat Dec 15 14:25:25 EET 2012


At  9PM +0100 on 14/12/12 Andreas Meyer wrote:
> Ben Morrow <ben at morrow.me.uk> wrote:
> > At  5PM +0100 on 14/12/12 Andreas Meyer wrote:
> > > 
> > > Some months ago I upgraded our dovecot installation from version 1.0.5
> > > to version 2.1.7 without having any trouble. Postfix is delivering
> > > email directly per virtual transport to the maildirs and mailboxes of
> > > the users in /var/spool/vhosts/domains/....
<snip>
> > > I set soft_bounce = yes in main.cf of postfix and delivery of mail
> > > fails with
> > >  
> > > Dec 14 16:13:34 delta postfix/virtual[14082]: BBC0F1B31294:
> > > to=<xyz at anup.de>, relay=virtual, delay=395, delays=395/0.01/0/0.13,
> > > dsn=4.1.1, status=SOFTBOUNCE (unknown user: "xyz at anup.de")
> > 
> > What happens if you run
> > 
> >     echo "foo" | /usr/libexec/dovecot/dovecot-lda \
> >         -f xyz at anup.de -d xyz at anup.de
> > 
> > in the shell (as the vmail user)? Does it fail with exit code 67? This
> > is EX_NOUSER, and is the standard way for LDAs to signal 'I don't know
> > how to deliver to this user'. Either xyz at anup.de is not a valid address
> > at that domain, or you haven't made the auth-userdb socket available to
> > the vmail user. See http://wiki2.dovecot.org/LDA, under the section
> > 'Virtual users'.
> 
> I did this in the shell:
> 
> delta:/ # su vmail
> delta:/ # whoami
> root

So su didn't work. That's often the case with daemon users, because they
often don't have a login shell. Read the manpage for your system's su to
find out if you can override that, and how (I can't help you here, since
your su is probably different from mine). You may have more luck with
sudo, if you've got it installed.

> delta:/ # echo "test" | /usr/libexec/dovecot/dovecot-lda -f
> anmeyer at anup.de -d anmeyer at anup.de
> 
> and the mail was delivered to the mailbox without error. Maybe the
> vmail user is the problem?

That is delivered to 'anmeyer at anup.de', which looks a lot more like a
real address than 'xyz at anup.de'.

> When I send an email from my desktop I get this in the mail.log:
> Dec 14 21:19:42 delta postfix/virtual[16185]: A6E511B3128A:
> to=<anmeyer at anup.de>, relay=virtual, delay=0.15,
> delays=0.08/0.01/0/0.06, dsn=4.1.1, status=SOFTBOUNCE (unknown user:
> "anmeyer at anup.de")

So it's likely the vmail user can't read the userdb; do you not get any
logs from dovecot-lda? (You may not if Dovecot is using custom logs
rather than syslog, and vmail doesn't have write access.)

> The line of the /etc/shadow for vmail looks like this:
> vmail::13940:0:99999:7:::

How is that relevant? AFAIK the login shell lives in /etc/passwd on
shadow-password systems.

At 11AM +0100 on 15/12/12 Andreas Meyer wrote:
> 
> # id vmail
> uid=5000(vmail) gid=5000(vmail) Gruppen=5000(vmail)
> 
> # su vmail echo "foo" | /usr/libexec/dovecot/dovecot-lda -f
> anmeyer at anup.de -d anmeyer at anup.de
> an empty email with 0 B gets delivered to the maildir of anmeyer at anup.de

That command-line attempts to run 'echo "foo"' as the vmail user, and
dovecot-lda as root (and I don't know if the arguments to su are
correct; on my system they wouldn't be). You *really* need to learn how
to use your operating system before you try anything relatively
complicated like setting up a mail server.

> > in the shell (as the vmail user)? Does it fail with exit code 67? This
> > is EX_NOUSER, and is the standard way for LDAs to signal 'I don't know
> > how to deliver to this user'. Either xyz at anup.de is not a valid address
> > at that domain, or you haven't made the auth-userdb socket available to
> > the vmail user. See http://wiki2.dovecot.org/LDA, under the section
> > 'Virtual users'.
> 
> I already added
> 
> service auth {
>     unix_listener auth-userdb {
>       mode = 0600
>       user = vmail # User running dovecot-lda
>       group = vmail # Or alternatively mode 0660 + dovecot-lda user in
>       this group

You're supposed to understand the comments and then remove them, not
copy them blindly without reading them.

>     }
> }
> 
> to the dovecot.conf.

Well, that looks OK to me; but the only way to test it is to manually
run dovecot-lda as vmail. Is there an auth-userdb socket in your dovecot
sockets directory? Does it have the right permissions?

> How does dovecot know there is a socket in
> /var/spool/postfix/private/dovecot? And how does dovecot-lda know to
> look there? Am I misunderstanding something?

Yes, you are misunderstanding something. It works (something) like this:

    - A mail comes in to Postfix.
    - Postfix decides this mail is local.
    - Postfix sends the mail through /var/spool/postfix/private/dovecot
      to a Postfix pipe(8) process on the other end.
    - That pipe(8) process runs dovecot-lda, as the vmail user.
    - dovecot-lda reads dovecot.conf.
    - dovecot-lda contacts the Dovecot auth process using the
      auth-userdb socket.
    - If the user exists, it delivers the mail to their mailbox.

No Dovecot process needs to know anything at all about the Postfix
socket, it's just for internal communication between different bits of
Postfix. Have you read the Postfix documentation?

> I am lost. I don't know if the mail is handed over to dovecot-lda and if so
> why it can't find the passwd-file.

If the mail was handed over to dovecot-lda, it ought to be logging
*something*. Find out where those logs should go; if they aren't
appearing, you need to fix that. Syslog is IMHO a better bet than custom
log files.

Ben
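
An added example, not part of the original thread: shell functions for the two checks the message asks for, namely whether the delivery user can connect to the auth-userdb socket, and what dovecot-lda returns when it really runs as that user. The function names, GNU `stat`, and the availability of `sudo` are assumptions; the socket path is passed in as an argument because the thread does not give it.

```shell
#!/bin/sh
# Added example. Run as root; root bypasses file permissions, which is why a
# delivery test made from a root shell can succeed while Postfix's vmail run fails.

# socket_access MODE OWNER GROUP USER "USER_GROUPS" -> ok | denied | too-open
# connect(2) on a UNIX socket needs write permission on the socket file.
socket_access() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    perms=$(printf '%03o' "0$mode")          # normalise "600", "0600", "0"
    perms=${perms#"${perms%???}"}            # keep the last three octal digits
    u=${perms%??}; o=${perms#??}; g=${perms#?}; g=${g%?}
    # World-writable: every local account could query the userdb.
    if [ "$((o & 2))" -ne 0 ]; then echo "too-open"; return 0; fi
    if [ "$user" = "$owner" ]; then          # owner bits apply, group is ignored
        if [ "$((u & 2))" -ne 0 ]; then echo "ok"; else echo "denied"; fi
        return 0
    fi
    for grp in $user_groups; do
        if [ "$grp" = "$group" ] && [ "$((g & 2))" -ne 0 ]; then
            echo "ok"; return 0
        fi
    done
    echo "denied"
}

# check_userdb_socket SOCKET_PATH LDA_USER -> missing | ok | denied | too-open
check_userdb_socket() {
    [ -S "$1" ] || { echo "missing"; return 0; }
    # GNU stat (assumption): octal mode, owner name, group name
    set -- "$1" "$2" $(stat -c '%a %U %G' "$1")
    socket_access "$3" "$4" "$5" "$2" "$(id -Gn "$2")"
}

# lda_test ADDRESS [LDA_USER]: deliver one test message with dovecot-lda itself
# running as the delivery user, then report its exit status.
lda_test() {
    printf 'Subject: lda test\n\nfoo\n' |
        sudo -u "${2:-vmail}" /usr/libexec/dovecot/dovecot-lda -f "$1" -d "$1"
    rc=$?
    case $rc in
        0)  echo "delivered" ;;
        67) echo "EX_NOUSER: user unknown or userdb lookup failed" ;;
        *)  echo "failed with exit status $rc" ;;
    esac
    return "$rc"
}
```

Source the file as root, then call `check_userdb_socket` with the path of the auth-userdb socket and the delivery user, followed by `lda_test` with a real recipient address.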



