newbie userdb lookup problem

Michael Fox news at mefox.org
Thu Jun 23 05:01:32 UTC 2016


I'm new to Dovecot and I'm having trouble getting basic, flat file userdb
lookups to work.  This must have been asked before, but if so, I can't find
it.

I'm following the basic setup here:
http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall with a few minor
differences.  Output of doveconf -n is below, as well as relevant entries
from postfix main.cf and master.cf.

When I send a message to a virtual user that will be handled by Dovecot,
Postfix hands it off to Dovecot LDA.  But I get the following error in the
log:

Jun 22 20:53:33 xxxxx dovecot: lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=5000(vmail) egid=5000(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)

/var/run/dovecot/ is indeed owned by root:root with 0755 permissions.

The actual passwd file used for userdb/passdb is currently owned by
root:vmail with 0640 permissions.

I read http://wiki2.dovecot.org/UserIds but I just don't understand the
section on "Authentication process user".  It's very vague.  It doesn't
explain which service is used for which circumstances or how to correlate
the userdb/passdb file permissions with the service user/group settings for
best security.  

The http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall link mentions
nothing about having to modify the auth or auth-worker services.  

And the http://wiki2.dovecot.org/HowTo/VirtualUserFlatFilesPostfix page
mentions a new "doveauth" user which isn't described elsewhere and sets
service auth to user postfix and group postfix, something not mentioned
anywhere else.

/etc/doveconf/10-master.conf says that the service auth socket is typically
readable only by root.  Uhm.  OK.  Well, my passwd file is owned by root.  I
don't know how that relates to the socket.  So I don't understand the
problem.

Bottom line, each information source seems to say something completely
different.  I can't correlate the information in the above sources into any
actionable result.

Questions:

Basically, can someone please explain how the permissions for userdb and
passdb lookup work (i.e. file permissions vs. service permissions)?

What's the best solution to solve the above permission problem in the most
secure way?  Adjust the config of service auth?  If so, how and why?  Or
adjust my passwd file ownership?  If so, how and why?  I'm really trying to
understand the why, not just the what.

Thanks much.

Michael

Output of doveconf -n follows:

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-86-generic i686 Ubuntu 12.04.5 LTS
auth_verbose = yes
disable_plaintext_auth = no
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_uid = vmail
passdb {
  driver = pam
}
passdb {
  args = username_format=%n /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
pop3_uidl_format = %08Xv%08Xu
protocols = pop3
ssl = no
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
userdb {
  args = username_format=%n /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
protocol lda {
  postmaster_address = postmaster at xxxxx
}

Postfix main.cf:

virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = xxxx
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_transport = dovecot

Postfix master.cf:

# Dovecot LDA
# Ref: http://wiki2.dovecot.org/LDA/Postfix
# Allows user+extension at domain.com (recipient_delimiter = + in main.cf)
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}
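
Editor's note, added after the post (this is not part of Michael's message
or of the Dovecot wiki pages he cites): the two permission sets in the
question guard two different things.  The passwd-file permissions
(root:vmail 0640) are checked when the Dovecot auth process opens the file;
the auth-userdb socket permissions are checked when some other process,
here dovecot-lda running as vmail because master.cf says user=vmail:vmail,
asks the auth process to perform a lookup on its behalf.  The log line quoted
above ("missing +r perm: /var/run/dovecot/auth-userdb") is the second check
failing: in Dovecot 2.0 the listener defaults to mode 0600 owned by root, so
vmail cannot connect no matter how the passwd file is owned.  The following
conf.d/10-master.conf fragment shows the default listener beside the
corrected one for this setup; the vmail user/group and the socket path are
taken from the doveconf -n output and log line above, and the comments about
Dovecot's defaults describe the 2.0.x series the poster is running.

```conf
# conf.d/10-master.conf  (added example, not the poster's configuration)

service auth {
  # Dovecot 2.0 default, shown commented out for comparison: the socket is
  # created root-owned with mode 0600, so only root may connect.  dovecot-lda
  # runs as vmail (master.cf: user=vmail:vmail) and therefore gets
  # "connect(/var/run/dovecot/auth-userdb) failed: Permission denied".
  #unix_listener auth-userdb {
  #  mode = 0600
  #  user =
  #  group =
  #}

  # Corrected: keep the socket private (0600) but make the LDA user its
  # owner.  Whoever can talk to this socket can look up every user's userdb
  # entry (home, uid, gid), so hand it to exactly the account that needs it
  # rather than relaxing the mode to 0666 or 0777.
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }

  # Unrelated to the socket: the auth process itself opens
  # /var/vmail/auth.d/%d/passwd, and it runs as this user (root unless you
  # change it).  That is why root:vmail 0640 on the file is fine and why
  # changing the file's ownership would not have fixed the socket error.
  #user = root
}
```

After reloading Dovecot, `ls -l /var/run/dovecot/auth-userdb` should show the
socket as `srw------- vmail vmail`, and running a lookup as the LDA user, for
example `sudo -u vmail doveadm user someone@example.com` (example address,
not one from the post), exercises the same socket path dovecot-lda uses and
returns the home/uid/gid fields from the passwd-file userdb.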
