[Dovecot] spamc can't seem to call /usr/lib/dovecot/deliver

/dev/rob0 rob0 at gmx.co.uk
Wed Oct 24 19:32:55 EEST 2012


There seems to be much confusion in this thread. I might be able to 
help clear up some of it, but probably not all, because I agree with 
Robert about using amavisd-new for filtering and LMTP for delivery.

On Tue, Oct 23, 2012 at 02:52:45PM -0600, Troy Vitullo wrote:
> My server uses a system comprised of postfix, dovecot and dspam to 
> filter and deliver mail.
> 
> Postfix used the following flags in calling spamc and dovecot:
> 
> flags=DRhu user=dovecot:secmail argv=/usr/bin/spamc -u ${recipient} 
> -e /usr/lib/dovecot/deliver -d ${recipient}

This looks like you might be using pipe(8). If so, refer to the 
manual, and note that you are invoking this command as user "dovecot" 
and group "secmail".

That is the wrong use of the "dovecot" user. You probably should have 
made and used a dedicated "vmail" user. And according to your own 
post, q.v., the group "secmail" is definitely wrong.

> after an upgrade from Debian lenny to squeeze we were able to get 
> everything working except spam filtering. Spamassassin is able to 
> judge whether the mail coming in is spam but everything stops 
> there.

Automated or semi-automated upgrades are often a source of pain.

> In mail.err I see:
> 
> pamc[3608]: exec failed: Permission denied

I guess that is spamc, and yes, of course.

> spamc shows the same thing in syslog:
> 
> exec failed: Permission denied
> 
> postfix delays the email:
> 
> postfix/pipe[3607]: 50DEFF180EE: to=<[mail]>, relay=dovecot, 
> delay=1.7, delays=0.07/0.01/0/1.6, dsn=4.3.0, status=deferred 
> (system resource problem)
> 
> Here are the permissions for deliver:
> 
> -rwsr-x--- 1 root dovecot 865084 May 25  2011 /usr/lib/dovecot/deliver

The pipe command is not executed as root. Nor is it invoked with the 
GID "dovecot". You specified group "secmail". Therefore the "other" 
permissions are what apply. "---" is no read, no write, no execute.

> Here are the relevant groups:
> 
> s1:~# grep dovecot /etc/group
> secmail:x:119:postfix,spamd,dovecot

This is not relevant. The process has EGID secmail, and the fact that 
dovecot is a member of secmail does not matter. Bottom line here: it 
seems that you misunderstood what the group permissions meant.

> dovecot:x:111:
> 
> here's the dovecot user:
> s1:~# grep dovecot /etc/passwd
> dovecot:x:108:111:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
> 
> here's dovecot -n:
> 
> # 1.2.15: /etc/dovecot/dovecot.conf

You upgraded -- to 1.2.15? Why?

snip
> Many thanks in advance for any advice you can give.

Again, you should check on the wiki about the appropriate use of the 
"dovecot" user, and also read the wiki about virtual mailboxes. Fix 
that. Even if you make it work with permissions, you are breaking 
Dovecot's security model of privilege separation. The "dovecot" user 
is for Dovecot's internal use only, not for delivering mail and 
ownership of mailboxes.

The poster who was talking about postconf(5) mailbox_command was 
bringing in a red herring. That is for local(8) delivery, and you 
evidently are using pipe(8).
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
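
Added example (not part of the original post, and not Postfix or Dovecot code): a small Python model of the Unix permission-class selection discussed in this message, using the UIDs, GIDs and file mode quoted in the thread. It assumes the pipe(8) child carries no supplementary groups beyond the group named in user=, and it ignores ACLs and nosuid mounts.

```python
import stat

# Values quoted in the thread
ROOT_UID, DOVECOT_UID = 0, 108
DOVECOT_GID, SECMAIL_GID = 111, 119
DELIVER_MODE = 0o4750          # -rwsr-x--- root:dovecot


def access_class(file_uid, file_gid, proc_uid, proc_gid, proc_groups=()):
    """Pick the one permission triplet the kernel consults; first match wins."""
    if proc_uid == file_uid:
        return "owner"
    if proc_gid == file_gid or file_gid in proc_groups:
        return "group"
    return "other"


def can_exec(mode, file_uid, file_gid, proc_uid, proc_gid, proc_groups=()):
    """Return (class, allowed, euid_after_exec); euid is None when exec is denied."""
    cls = access_class(file_uid, file_gid, proc_uid, proc_gid, proc_groups)
    any_x = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    bit = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}[cls]
    # root may execute a file if any execute bit at all is set
    allowed = bool(mode & (any_x if proc_uid == 0 else bit))
    if not allowed:
        return cls, False, None
    # a setuid binary runs with the file owner's UID as effective UID
    euid = file_uid if mode & stat.S_ISUID else proc_uid
    return cls, True, euid


if __name__ == "__main__":
    # user=dovecot:secmail as in the posted pipe(8) flags: falls through to "other"
    print(can_exec(DELIVER_MODE, ROOT_UID, DOVECOT_GID,
                   DOVECOT_UID, SECMAIL_GID, (SECMAIL_GID,)))
    # Same user with GID dovecot: exec succeeds, and deliver then runs as EUID 0
    print(can_exec(DELIVER_MODE, ROOT_UID, DOVECOT_GID,
                   DOVECOT_UID, DOVECOT_GID))
```

The first case reproduces the "exec failed: Permission denied" from the logs; the second shows that matching the group only makes the exec succeed by handing the delivery process a setuid-root binary.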
