Using dovecot-lda with sendmail

Chris Szilagyi chris at apex-internet.com
Sat Nov 15 15:17:02 UTC 2014


>
>>
>> It seems that sendmail is running the lda, but the lda has problems
>> that are reported by exiting with tempfail. You should check the
>> logging that is emitted by dovecot-lda to find what the problem is.
>>
>> Ownership of the binary should not be one of them, I think, but show
>> us logging from dovecot-lda and we can tell you more. 'dovecot -n'
>> output would also help a lot.
>>
>> Regards,
>> 	Tom
>
> I've enabled dovecot-lda logging with:
>
> protocol lda {
>   log_path =
>   info_log_path =
>   syslog_facility = mail
> }
>
> However it's not producing any entries in the mail syslog.  I'm wondering if
> it's not even executing dovecot-lda then.  As a test I tried running
> "/usr/libexec/dovecot/dovecot-lda -d username" directly as root to see what
> happens, and I got a blank email delivered to "username" OK.  So based on
> this I think lda is OK?  I am not seeing any errors logged when sendmail
> tries to use dovecot-lda though.
>
> Here's what "dovecot -n" shows:
>
> # 2.2.10: /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-123.9.2.el7.x86_64 x86_64 CentOS Linux release 7.0.1406
> (Core)  ext4
> mail_location = mbox:/mail/home/%u/mail:INBOX=/mail/spool/%u
> mail_plugins = " quota"
> mail_privileged_group = mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
> copy include variables body enotify environment mailbox date ihave
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   prefix =
> }
> passdb {
>   driver = pam
> }
> plugin {
>   quota = fs:User quota:user
>   quota_rule = *:storage=1G
>   quota_rule2 = Trash:storage=+100M
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> postmaster_address = postmaster at localhost
> protocols = imap pop3 sieve
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
> }
> ssl_cert = </etc/pki/tls/certs/mailcert.crt
> ssl_key = </etc/pki/tls/private/mailcert.key
> userdb {
>   driver = passwd
> }
> protocol lda {
>   info_log_path =
>   log_path =
>   syslog_facility = mail
> }
> protocol imap {
>   mail_plugins = " quota imap_quota"
> }
>
>
> Thank you very much for any further thoughts on this.
> --
> Chris
>

These errors just started showing up in the mail syslog, FINALLY.  Not sure
why it took this long.

dovecot: lda(username): Fatal: setresgid(1000(username),1000(username),12(mail)) failed with euid=0(root): Operation not permitted

After turning off SELinux, mail was finally being delivered!  So, I adjusted
SELinux to allow a few denied errors for dovecot-lda (including filesystem
quotas):

audit2allow -m local -l -i /var/log/audit/audit.log > dovecotlda.te

Then, verified the contents of "dovecotlda.te":

module local 1.0;
require {
        type fs_t;
        type mqueue_spool_t;
        type dovecot_deliver_t;
        class capability { setuid setgid };
        class file write;
        class filesystem quotaget;
}
#============= dovecot_deliver_t ==============
allow dovecot_deliver_t fs_t:filesystem quotaget;
allow dovecot_deliver_t mqueue_spool_t:file write;
allow dovecot_deliver_t self:capability { setuid setgid };


Then create the policy file and activate it:

checkmodule -M -m -o dovecotlda.mod dovecotlda.te
semodule_package -o dovecotlda.pp -m dovecotlda.mod
semodule -i dovecotlda.pp

Now with SELinux enforcing, I'm getting mail delivered OK.

Also just to confirm, this is the line I'm using in /etc/mail/sendmail.mc:

FEATURE(`local_procmail', `/usr/libexec/dovecot/dovecot-lda',`/usr/libexec/dovecot/dovecot-lda -d $u')dnl

Thanks again for the help, hopefully this helps others in the future with
sendmail.

--
Chris
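A worked illustration of the "verify the contents of dovecotlda.te" step, added here as an example that is not part of the original post and not code from the dovecot or audit2allow projects. It parses constructed AVC denial lines modelled on the three rules in the post's dovecotlda.te, keeps only the dovecot_deliver_t domain (audit2allow run with -i over the whole audit.log would also turn denials from unrelated processes into allow rules), renders an equivalent .te module, and lists the rules worth reading before the module is built with checkmodule and installed with semodule. The sample log lines, the module name and the helper function names are assumptions made for this example.

```python
"""Generate and review a minimal SELinux module from AVC denials.

Added example, not from the original post: it mirrors what
`audit2allow -m local -i /var/log/audit/audit.log` produced for the
three rules in dovecotlda.te and adds a review step.  Every log line
below is constructed; module and function names are assumptions.
"""
import re
from collections import defaultdict

# Constructed audit.log excerpt: the dovecot-lda denials behind the three
# rules in the post, plus one unrelated httpd_t denial and one SYSCALL
# record, to show what a whole-log run would sweep in.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1416064622.101:201): avc:  denied  { setgid } for  pid=2101 comm="dovecot-lda" capability=6  scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1416064622.101:202): avc:  denied  { setuid } for  pid=2101 comm="dovecot-lda" capability=7  scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1416064630.550:203): avc:  denied  { write } for  pid=2102 comm="dovecot-lda" name="dfsAF0K1Qx002102" dev="dm-0" ino=5124 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1416064630.551:204): avc:  denied  { quotaget } for  pid=2102 comm="dovecot-lda" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1416064630.551:204): arch=c000003e syscall=179 success=no exit=-13 comm="dovecot-lda"
type=AVC msg=audit(1416064700.000:205): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

# scontext/tcontext are user:role:type[:range]; the third field is the type.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=\w+:\w+:(?P<stype>\w+)"
    r".*?tcontext=\w+:\w+:(?P<ttype>\w+)"
    r".*?tclass=(?P<tclass>\w+)"
)

# Capabilities worth a second look before granting them to a delivery
# domain (CAP_SETUID/CAP_SETGID are what the setresgid() in the Fatal
# line needs; the others are broader than an LDA should require).
CAPABILITIES_TO_REVIEW = {"setuid", "setgid", "dac_override", "sys_admin", "chown"}


def parse_avc(text):
    """Return {(source_type, target_type, class): {perm, ...}} for every
    AVC denial in the text; non-AVC records are ignored."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def only_domain(rules, domain):
    """Keep rules whose source type is `domain`, dropping denials that
    other processes happened to log in the same audit.log."""
    return {k: v for k, v in rules.items() if k[0] == domain}


def _perm_text(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module, rules, version="1.0"):
    """Render .te source in the shape `audit2allow -m` produces."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_text(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for (src, tgt, cls) in sorted(rules):
        target = "self" if src == tgt else tgt  # same type on both sides
        out.append(f"allow {src} {target}:{cls} {_perm_text(rules[(src, tgt, cls)])};")
    return "\n".join(out) + "\n"


def review(rules):
    """Warnings for the rules a reader should check before `semodule -i`."""
    warnings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if cls == "capability" and perms & CAPABILITIES_TO_REVIEW:
            warnings.append(f"{src} gains capabilities {_perm_text(perms)}")
        if cls == "file" and "write" in perms:
            warnings.append(f"{src} may write files of type {tgt}")
    return warnings


if __name__ == "__main__":
    lda_rules = only_domain(parse_avc(SAMPLE_AUDIT_LOG), "dovecot_deliver_t")
    print(render_te("local", lda_rules))
    for warning in review(lda_rules):
        print("REVIEW:", warning)
    # Build and install steps are the ones from the post; they are not run here.
    print("# checkmodule -M -m -o dovecotlda.mod dovecotlda.te")
    print("# semodule_package -o dovecotlda.pp -m dovecotlda.mod")
    print("# semodule -i dovecotlda.pp")
```

Run as a script it prints a module equivalent to the dovecotlda.te in the post (permissions in sorted order) followed by two review lines, one for the capability rule and one for the write access to mqueue_spool_t; the httpd_t denial never reaches the module because of the domain filter.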
