uid problem

Aki Tuomi aki.tuomi at dovecot.fi
Tue Jul 31 14:36:26 EEST 2018


https://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP

Aki

On 31.07.2018 14:35, Andras Kemeny wrote:
>
> can you point me to an url regarding LMTP between postfix and dovecot?
> it might be an area worth exploring for me.
>
> thanks,
> a
>
>
> On 31.07.2018 12:46, Aki Tuomi wrote:
>>
>> Well, I don't know about yuuuge security risk (not saying there isn't
>> any...), but if this concerns you, you can also use LMTP instead,
>> which is probably a better solution here.
>>
>> Aki
>>
>>
>> On 31.07.2018 13:42, Andras Kemeny wrote:
>>>
>>> yeah, the only problem about that is it's a yuuuge security risk :),
>>> and also, postfix simply won't let me:
>>>
>>> Jul 31 02:20:37 rhyno postfix/pipe[29532]: fatal: user= command-line
>>> attribute specifies root privileges
>>>
>>> so it's entirely possible i'm knocking on the wrong door, and
>>> instead i should be asking this in the postfix mailing list.
>>>
>>> however, i'm also worried about this: "to bypass this check, set:
>>> service auth { unix_listener /var/run/dovecot/auth-userdb {
>>> mode=0777 } }", as i have done what it says, and the check wasn't
>>> bypassed so i'm wary about something bad coming up once i somehow
>>> fix this initial UID problem.
>>>
>>> thanks,
>>> a
>>>
>>>
>>> On 31.07.2018 7:12, Aki Tuomi wrote:
>>>> You could run dovecot-lda as root. It will setuid to correct account.
>>>>
>>>>
>>>>
>>>> ---
>>>> Aki Tuomi
>>>> Dovecot oy
>>>>
>>>> -------- Original message --------
>>>> From: Andras Kemeny <pdx at pdx.hu>
>>>> Date: 31/07/2018 04:46 (GMT+02:00)
>>>> To: dovecot at dovecot.org
>>>> Subject: uid problem
>>>>
>>>> hi,
>>>>
>>>> contacting this mailing list is my last-ditch effort to somehow
>>>> come to
>>>> a working configuration where postfix "ends in" dovecot, IE for
>>>> special
>>>> LDAP-based users, featured in the virtual mailbox delivery, dovecot
>>>> would act as LDA.
>>>>
>>>> here's the deal.
>>>>
>>>> i've set up dovecot's access to the LDAP server, and for the
>>>> purposes of
>>>> being an IMAP server and a SASL auth backend, dovecot works
>>>> brilliantly
>>>> and without a glitch. i can access my test mailbox (in maildir
>>>> format),
>>>> i can use the LDA as root and it delivers the message correctly
>>>> (after a
>>>> switch to the target user's UID), and even postfix's submission works
>>>> with dovecot as its SASL backend.
>>>>
>>>> what does not work is dovecot as LDA from postfix.
>>>>
>>>> i'm getting these errors in the log:
>>>>
>>>> Jul 31 03:40:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER
>>>> lookup failed
>>>> Jul 31 03:40:40 rhyno dovecot: auth: Error: userdb(aik): client
>>>> doesn't
>>>> have lookup permissions for this user: userdb uid (10001) doesn't
>>>> match
>>>> peer uid (5000) (to bypass this check, set: service auth {
>>>> unix_listener
>>>> /var/run/dovecot/auth-userdb { mode=0777 } })
>>>> Jul 31 03:40:40 rhyno dovecot: lda: Fatal: Internal error occurred.
>>>> Refer to server log for more information.
>>>>
>>>> for the sake of clarity, i've tried the "to bypass this check"
>>>> instructions, didn't help.
>>>>
>>>> also, for the sake of operational clarity, "aik" is the LDAP account
>>>> with the following parameters:
>>>>
>>>> dn: uid=aik,ou=People,dc=rhyno,dc=tech
>>>> objectClass: account
>>>> objectClass: posixAccount
>>>> objectClass: postfixUser
>>>> cn: aik
>>>> uid: aik
>>>> uidNumber: 10001
>>>> gidNumber: 10001
>>>> homeDirectory: /home/aik
>>>> loginShell: /bin/sh
>>>> gecos: aik
>>>> description: User account
>>>> structuralObjectClass: account
>>>> entryUUID: db947584-0369-1038-98b3-675e2f0cea17
>>>> creatorsName: cn=admin,dc=rhyno,dc=tech
>>>> createTimestamp: 20180613152616Z
>>>> email: ***********
>>>> userPassword:: *************************
>>>> mailacceptinggeneralid: andras.kemeny
>>>> mailacceptinggeneralid: kemeny.andras
>>>> mailacceptinggeneralid: aik
>>>> mailacceptinggeneralid: pdx
>>>> mailacceptinggeneralid: @rhyno.tech
>>>> mailacceptinggeneralid: @rhynotechnologies.com
>>>> maildrop: aik
>>>>
>>>> and postfix's master.cf says:
>>>>
>>>> dovecot   unix  -       n       n       -       -       pipe
>>>>   flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f
>>>> ${sender} -d ${user}
>>>>
>>>> so i'm stuck at this point. obviously, if the LDA is spawned with
>>>> vmail:vmail perms, it cannot become uid 10001 (btw, the LDAP and
>>>> passwd
>>>> accounts were once connected, but for security reasons, the connection
>>>> has been severed -- still the /home/aik/mail dir is owned by uid
>>>> 10001 etc).
>>>>
>>>> what am i doing wrong?
>>>>
>>>> thanks,
>>>> a
>>>
>>
>
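As an added example (not part of this thread, and not the poster's configuration): the LMTP setup the linked wiki page describes, which replaces the "dovecot ... pipe" transport so that neither a root user= attribute in master.cf nor mode=0777 on auth-userdb is needed. The socket path inside Postfix's queue directory and the file names are assumptions; adjust them to the local layout.

```ini
# /etc/postfix/main.cf (added example; assumes the Postfix queue
# directory is /var/spool/postfix)
# Hand virtual-mailbox deliveries to Dovecot over LMTP instead of
# spawning /usr/lib/dovecot/deliver from master.cf as vmail.
virtual_transport = lmtp:unix:private/dovecot-lmtp

# /etc/dovecot/conf.d/20-lmtp.conf (added example)
# Dovecot creates the socket inside Postfix's queue directory and only
# the postfix user may connect to it. Dovecot's own lmtp service, not a
# Postfix-spawned process, performs the userdb lookup and the switch to
# the target uid (10001 in the thread), so the auth-userdb peer-uid
# check that failed above is not involved and auth-userdb can keep its
# default permissions.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

After reloading both daemons, a test delivery should appear in the Dovecot log as lmtp(aik) rather than lda(aik), with no "doesn't have lookup permissions" error.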
