[Dovecot] From Sendmail to Dovecot mdbox, what is missing.

Torpey List list at torpey.org
Sun Jan 27 06:12:56 EET 2013


SOLVED.
It turns out it was SELinux that was causing this error (as well as others):
Jan 26 17:32:58 nala kernel: type=1400 audit(1359243178.285:5768): avc:  denied  { setgid } for  pid=30558 comm="dovecot-lda" capability=6  scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability

The errors were combined into err.txt using the following command.
      grep audit /var/log/messages |grep dovecot-lda >> err.txt

Then an SELinux module was generated using:
      audit2allow -i err.txt -M dovecot-lda

which made a file dovecot-lda.te that contained the following:
  module dovecot-lda 2.1;

  require {
          type var_log_t;
          type dovecot_deliver_t;
          type etc_runtime_t;
          class capability { setuid dac_read_search setgid dac_override };
          class file append;
          class dir write;
  }

  #============= dovecot_deliver_t ==============
  allow dovecot_deliver_t etc_runtime_t:file append;
  #!!!! This avc is allowed in the current policy

  allow dovecot_deliver_t self:capability setgid;
  allow dovecot_deliver_t self:capability { setuid dac_read_search dac_override };
  #!!!! The source type 'dovecot_deliver_t' can write to a 'dir' of the following types:
  # user_home_t, dovecot_deliver_tmp_t, user_home_dir_t, tmp_t, mail_spool_t, nfs_t

  allow dovecot_deliver_t var_log_t:dir write;

If you make any changes to dovecot-lda.te, like the version number because you have already tried to get it into SELinux, then you have to run the following command:
       make

Finally, to get it incorporated into SELinux:
       semodule -i dovecot-lda.pp

This has been driving me crazy for a month; I am surprised that I could not find a straight solution.
I have to give credit to the following bugzilla that helped me use audit2allow in an automated way that provided the necessary detail to generate the dovecot-lda.te listed above.
       https://bugzilla.redhat.com/show_bug.cgi?id=667579

My mail is flowing from tests, now I need to have a larger stream make it work.

Thanks,
Steve
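As an added example (not code from the thread or from Dovecot), a small Python triage script that does for the /var/log/messages denials what the grep | audit2allow step above does, grouping them into allow rules, and additionally flags which rules would grant capabilities such as dac_override or setuid so they get reviewed before semodule -i installs them. The sample log lines are constructed from the line shapes quoted in the thread; the dir-write and sendmail lines are made up.

```python
import re
from collections import defaultdict
# Matches the kernel audit lines quoted in the thread: "avc:  denied  { perm } ... scontext= tcontext= tclass="
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Capabilities that bypass DAC or change identity: review these before allowing them.
RISKY_PERMS = {"dac_override", "dac_read_search", "setuid", "setgid", "sys_admin", "chown", "fowner"}
# Constructed sample built from the line shapes in the thread (the dir-write and sendmail lines are made up).
SAMPLE_LOG = """\
Jan  1 08:24:02 nala kernel: type=1400 audit(1357050242.947:42): avc:  denied  { dac_override } for  pid=20156 comm="dovecot-lda" capability=1  scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
Jan  1 08:24:02 nala kernel: type=1400 audit(1357050242.947:44): avc:  denied  { dac_read_search } for  pid=20156 comm="dovecot-lda" capability=2  scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
Jan 26 17:32:58 nala kernel: type=1400 audit(1359243178.285:5768): avc:  denied  { setgid } for  pid=30558 comm="dovecot-lda" capability=6  scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
Jan 26 17:33:01 nala kernel: type=1400 audit(1359243181.101:5770): avc:  denied  { write } for  pid=30558 comm="dovecot-lda" name="dovecot" scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Jan 26 17:33:01 nala sendmail[30550]: r0QNX1ab030550: to=user, mailer=local, stat=Sent
"""

def summarize(log_text):
    """Group AVC denials by (source type, target type or 'self', class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the sendmail line)
        # Third field of user:role:type:level is the type; same type on both sides means "self".
        src, tgt = m["scontext"].split(":")[2], m["tcontext"].split(":")[2]
        rules[(src, "self" if src == tgt else tgt, m["tclass"])].update(m["perms"].split())
    return rules

def to_te_rules(rules):
    """Render the grouped denials as audit2allow-style allow statements."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

def risky_rules(rules):
    """Rules that would grant DAC-bypass or identity-changing capabilities."""
    return [(key, sorted(perms & RISKY_PERMS))
            for key, perms in sorted(rules.items()) if perms & RISKY_PERMS]

if __name__ == "__main__":
    rules = summarize(SAMPLE_LOG)
    print("\n".join(to_te_rules(rules)))
    for (src, tgt, cls), perms in risky_rules(rules):
        print(f"REVIEW: {src} -> {tgt}:{cls} grants {' '.join(perms)}")
```

Run it against `grep audit /var/log/messages | grep dovecot-lda` output instead of SAMPLE_LOG to see which of the generated rules deserve a second look before building the .pp module.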


-----Original Message----- 
From: Steffen Kaiser 
Sent: Thursday, January 03, 2013 1:02 AM 
To: Dovecot Mailing List 
Cc: Torpey List 
Subject: Re: [Dovecot] From Sendmail to Dovecot mdbox, what is missing. 

On Tue, 1 Jan 2013, Torpey List wrote:

>>> Dovecot-lda – I have had issues getting it configured.
>>
>> What issues? If you were trying to get the LDA to deliver to /var/mail,
>> it's possible you were running into permissions problems. The best
>> solution is to deliver into the mdbox instead, or just leave Sendmail to
>> deliver to /var/mail.
>>
>>> Sendmail changes
>>> FEATURE(`local_procmail',
>>> `/usr/libexec/dovecot/dovecot-lda',`/usr/libexec/dovecot/dovecot-lda
>>> -d $u')
>>> MODIFY_MAILER_FLAGS(`LOCAL', `-f')
>>> MAILER(procmail)dnl


I do use:
FEATURE(`local_procmail', `/etc/mail/smrsh/dovecot-deliver', 
`/etc/mail/smrsh/dovecot-deliver -f $g -d $u -m $h')dnl

Note, you need a symlink in your "smrsh"-directory anyway.

> The option that has gone the furthest is *Making dovecot-lda setuid-root*.

I don't use a setuid-root LDA.

> However, I have errors.  Here are the permissions.
>
>           -rwxr-xr-x. 1 root secmail 26512 Aug 18  2011 /usr/libexec/dovecot/dovecot-lda

Your LDA is not setuid-root ;-)

>           srw-------. 1 mail root 0 Jan  1 08:39 /var/run/dovecot/auth-userdb

Do you need to protect /var/run/dovecot/auth-userdb that tightly? I mean, is 
this server used by users via ssh or something? Otherwise, set the Unix 
permissions of that socket so that any system user can read from it (aka 
0666). 
Maybe put all mail users into the same group and use 0660, and change the 
group of auth-userdb to mail.

>
> Errors.....
> ==> /var/log/maillog <==
> Jan  1 08:24:02 nala sendmail[20154]: r01EO2qc020154: from=<user at yahoo.com>, size=5723, class=0, nrcpts=1, msgid=<1357050226.83142.YahooMailNeo at web120205.mail.ne1.yahoo.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.168.1.152]
> Jan 01 08:24:02 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=0(root) egid=0(root) missing +r perm: /var/run/dovecot/auth-userdb, euid is dir owner)
> Jan 01 08:24:02 lda: Fatal: Internal error occurred. Refer to server log for more information.

That error seems to indicate a Dovecot permission check failure, but IMHO 
root is always allowed to connect. You could try to chmod +x 
/var/run/dovecot/auth-userdb; the x-perm disables Dovecot's check.

> Jan  1 08:24:02 nala sendmail[20155]: r01EO2qc020154: to=user at example.com, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=35889, dsn=4.0.0, stat=Deferred: local mailer (/usr/libexec/dovecot/dovecot-lda) exited with EX_TEMPFAIL
>
> ==> /var/log/messages <==
> Jan  1 08:24:02 nala kernel: type=1400 audit(1357050242.947:42): avc:  denied  { dac_override } for  pid=20156 comm="dovecot-lda" capability=1  scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
> Jan  1 08:24:02 nala kernel: type=1400 audit(1357050242.947:43): avc:  denied  { dac_override } for  pid=20156 comm="dovecot-lda" capability=1  scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
> Jan  1 08:24:02 nala kernel: type=1400 audit(1357050242.947:44): avc:  denied  { dac_read_search } for  pid=20156 comm="dovecot-lda" capability=2  scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability

This is an AppArmor / SELinux entry?? Did you configure your policy? 
Security policies would overrule Unix and Dovecot permission checks.

> So, the error appears to be related to /var/run/dovecot/auth-userdb.  I 
> have made various permission and owner changes; however, restarting 
> dovecot always returns it to the permissions above.  So, even if I find 
> a combination that works, dovecot is going to put it back.

You can change the default permission and ownership in the config file.

Regards,

-- 
Steffen Kaiser