[Dovecot] Calling dovecot-lda from within Antispam pipe script (bash) seems to have no effect

Ben Johnson ben at indietorrent.org
Fri Jun 21 22:54:48 EEST 2013

On 6/21/2013 3:01 PM, Mrten wrote:
> On 21/6/2013 19:34 , Ben Johnson wrote:
>> Please do reply if you have any additional thoughts. I'm at my wit's
>> end here!
> When all else failes, use strace -f -F :)
> (add it in front of the deliver call and expect LOTS of output)
> Maarten.

YES! Brilliant, Maarten! That tells us what we need to know. Here is the
relevant bit:

write(2, "\1\00429770 user sa-training at exampl"..., 139^A^D29770 user
sa-training at example.com: Error reading configuration:
net_connect_unix(/var/run/dovecot/config) failed: Permission denied

It seems the issue here is that "root" is the only user who is allowed
to read Dovecot's configuration file. Presumably, Dovecot, like most
services, is started as "root" and then drops its permissions to
least-required once started.

Obviously, it would be imprudent to modify the permissions on
/var/run/dovecot/config; they're set that way for a good reason.

What are the other options? I did see the "System Users" section at
http://wiki.dovecot.org/LDA , and maybe that's what I missed.

System users

You can use deliver with a few selected system users (ie. user is found
from /etc/passwd / NSS) by calling deliver in the user's ~/.forward file:

| "/usr/local/libexec/dovecot/deliver"
This should work with any MTA which supports per-user .forward files.
For qmail's per-user setup, see LDA/Qmail.

This method doesn't require the authentication socket explained below
since it's executed as the user itself.

I'm struggling to identify this section's relevance to my situation. I
thought, "Maybe I need to add the above-cited line to the vmail user's
~/.forward file." But I don't see how that will have any effect.

I feel like I'm almost there; just need one more nudge :)

Thanks for all the help!


More information about the dovecot mailing list