Fatal: setgid, imap connections dropped.

J. de Meijer dovecot at filter.demeijer.com
Tue Oct 16 21:32:40 EEST 2018


I'm still trying to fix this problem. Hopefully someone can help.

I've upgraded dovecot to 2.3.3
# dovecot --version
2.3.3 (dcead646b)

That didn't help.

Next I switched 10-auth.conf to use a local password file (instead of LDAP)

=======================================
# cache all authentication results for one hour
auth_cache_size = 10M
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 1 hour

# only use plain username/password auth - OK since everything is over TLS
auth_mechanisms = plain

passdb {
  driver = passwd-file
  args = scheme=ssha username_format=%n /usr/local/etc/dovecot/passwd
}

userdb {
  driver = passwd-file
  args = username_format=%n /usr/local/etc/dovecot/passwd
}
======================================

The /usr/local/etc/dovecot/passwd file is in the following format
userA:{SSHA}hashhhhhhhhh:1000:1000::/home/userA

Authentication works, and mail gets delivered. But I'm still getting the
same intermittent errors.

Sep 28 00:03:24 mailserver dovecot: imap(userD)<14864><WT8DguF2MspUUoaT>:
Fatal: setgid(1012(userD) from userdb lookup) failed with
euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
permitted (This binary should probably be called with process group set to
1012(userD) instead of 1011(userA))

Also tried disabling the cache in 10-auth.conf, to no avail.

I'm a bit at a loss :(

Regards,
J. de Meijer


> Hi,
>
> I'm getting errors with my IMAP setup.
> Basically, everything seems to work.
> Mail is delivered nicely from Postfix to Dovecot via LMTP. Dovecot does
> the authentication to LDAP (also for Postfix). Users are able to send mail
> via authenticated submission (Postfix) and login into IMAP and POP.
>
> However, IMAP connections are dropped frequently with an "ERROR:
> Connection dropped by IMAP server.". Pressing reload on the webmail, or
> refreshing in the client, might help for a short period. So it fails
> intermittently.
>
> The errors in the maillog are below. It seems to be mixing up users kind
> of randomly. I think when multiple connections are made at the same time.
> Did a lot of searching, but couldn't find an answer to this problem. All I
> can find is related to LDA, which I'm not using.
>
> Any help would be appreciated.
>
> Errors from the log:
> Sep 28 00:03:24 mailserver dovecot: imap(userD)<14864><WT8DguF2MspUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:03:24 mailserver dovecot: imap(userD)<17009><recJguF2NMpUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:03:26 mailserver dovecot: imap(userD)<12807><8T0iguF2NspUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:06:59 mailserver dovecot: imap(userD)<15661><UcfOjuF2OcpUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:07:54 mailserver dovecot: imap(userA)<45614><NVkakuF2xO5UUoaT>:
> Fatal: setgid(1011(userA) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1011(userA) instead of 1012(userD))
> Sep 28 00:08:08 mailserver dovecot: imap(userF)<45055><AWjtkuF2J/ptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1012(userD))
> Sep 28 00:08:08 mailserver dovecot: imap(userF)<46412><87ntkuF2JvptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1011(userA))
> Sep 28 00:08:08 mailserver dovecot: imap(userF)<44858><0nXzkuF2KfptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1012(userD))
> Sep 28 00:08:14 mailserver dovecot: imap(userF)<36517><v/NHk+F2K/ptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1017(userC), gid=1017(userC), egid=1017(userC): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1017(userC))
> Sep 28 00:08:36 mailserver dovecot: imap(userF)<10531><wpKdlOF2MfptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1011(userA))
>
> # dovecot --version
> 2.3.2.1 (0719df592)
>
> # 2.3.2.1 (0719df592): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.2 (7704de5e)
> # OS: FreeBSD 11.2-RELEASE amd64
> # Hostname: mailserver
> auth_cache_size = 10 M
> auth_debug = yes
> imap_idle_notify_interval = 29 mins
> mail_debug = yes
> mail_fsync = never
> mail_location = maildir:~/Maildir
> mail_plugins = " fts fts_solr"
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
> copy include variables body enotify environment mailbox date index ihave
> duplicate mime foreverypart extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Archive {
>     auto = subscribe
>     special_use = \Archive
>   }
>   mailbox Drafts {
>     auto = create
>     special_use = \Drafts
>   }
>   mailbox Sent {
>     auto = subscribe
>     special_use = \Sent
>   }
>   mailbox Spam {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox Trash {
>     auto = subscribe
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
> }
> passdb {
>   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   fts = solr
>   fts_autoindex = yes
>   fts_solr = url=http://127.0.0.1:8983/solr/dovecot/
>   recipient_delimiter = +
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   sieve_after = /usr/local/etc/dovecot/sieve-after.d
>   sieve_before = /usr/local/etc/dovecot/sieve-before.d
>   sieve_quota_max_storage = 50M
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>   client_limit = 1600
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     address = 127.0.0.1, ::1
>   }
>   process_min_avail = 3
>   service_count = 1
> }
> service imap {
>   process_min_avail = 3
>   service_count = 256
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service pop3-login {
>   inet_listener pop3 {
>     address = 127.0.0.1, ::1
>   }
>   service_count = 1
> }
> ssl = required
> ssl_cert = </usr/local/etc/ssl/mail.example.com.dovecot.crt
> ssl_cipher_list =
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> ssl_dh =  # hidden, use -P to show it
> ssl_key =  # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_prefer_server_ciphers = yes
> userdb {
>   args = /usr/local/etc/dovecot/dovecot-ldap-user.conf.ext
>   driver = ldap
> }
> protocol lda {
>   mail_fsync = optimized
>   mail_plugins = " fts fts_solr sieve"
> }
> protocol imap {
>   mail_max_userip_connections = 50
>   mail_plugins = " fts fts_solr imap_sieve"
> }
> protocol lmtp {
>   lmtp_save_to_detail_mailbox = yes
>   mail_fsync = optimized
>   mail_plugins = " fts fts_solr quota sieve"
>   postmaster_address = webmaster at example.com
> }
>
> In /usr/local/etc/dovecot/dovecot-ldap.conf.ext:
> hosts = localhost
> dn = cn=reader,ou=Roles,dc=example,dc=com
> dnpass = secretpassword
> auth_bind = yes
> base = ou=People,dc=example,dc=com
> deref = never
> scope = subtree
> user_attrs = uid=uid,homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_filter = (&(objectClass=posixAccount)(uid=%n))
> pass_attrs = uid=user,userPassword=password
> pass_filter = (&(objectClass=posixAccount)(uid=%u))
> default_pass_scheme = SSHA
>
> dovecot-ldap-user.conf.ext is the same as dovecot-ldap.conf.ext
>
> # freebsd-version
> 11.2-RELEASE-p3
>
> Everything is installed from ports.
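
Added example (not part of the original post, and not Dovecot code): it parses the wrapped "setgid ... failed" entries in the format quoted above, pairs each requested user with the user the imap process was already running as, and reads service_count for "service imap" from the posted configuration. Dovecot's service documentation says that value can be changed from 1 only if a single UID is used for mail users, while the userdb in this thread returns a different UID per user. The sample log and config are constructed from lines in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: two entries from the thread, wrapped as in the archive.
SAMPLE_LOG = """\
Sep 28 00:03:24 mailserver dovecot: imap(userD)<14864><WT8DguF2MspUUoaT>:
Fatal: setgid(1012(userD) from userdb lookup) failed with
euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
permitted (This binary should probably be called with process group set to
1012(userD) instead of 1011(userA))
Sep 28 00:08:14 mailserver dovecot: imap(userF)<36517><v/NHk+F2K/ptSCYM>:
Fatal: setgid(1033(userF) from userdb lookup) failed with
euid=1017(userC), gid=1017(userC), egid=1017(userC): Operation not
permitted (This binary should probably be called with process group set to
1033(userF) instead of 1017(userC))
"""

# Constructed sample: abridged service blocks from the posted doveconf output.
SAMPLE_CONF = """\
service imap-login {
  service_count = 1
}
service imap {
  service_count = 256
}
"""

ENTRY = re.compile(
    r"dovecot: (?P<svc>\w+)\((?P<user>[^)]+)\)<(?P<pid>\d+)><(?P<session>[^>]+)>: "
    r"Fatal: setgid\((?P<want_gid>\d+)\((?P<want_name>[^)]+)\) from userdb lookup\) "
    r"failed with euid=(?P<euid>\d+)\((?P<euid_name>[^)]+)\)"
)

def parse_setgid_failures(text):
    # One syslog entry is wrapped over several lines; join them before matching.
    flat = " ".join(text.split())
    return [m.groupdict() for m in ENTRY.finditer(flat)]

def identity_mismatches(entries):
    # Requested login -> users the handling process had already switched to.
    seen = {}
    for e in entries:
        if e["euid_name"] != e["want_name"]:
            seen.setdefault(e["want_name"], set()).add(e["euid_name"])
    return {name: sorted(users) for name, users in seen.items()}

def service_count(conf, service):
    # Top-level block only; relies on the closing brace sitting in column 0.
    block = re.search(r"^service %s \{(.*?)^\}" % re.escape(service), conf, re.S | re.M)
    m = block and re.search(r"^\s*service_count\s*=\s*(\d+)", block.group(1), re.M)
    return int(m.group(1)) if m else None
```

A non-empty result from identity_mismatches() together with service_count(conf, "imap") greater than 1 indicates that imap processes which already dropped privileges to one system user are being handed connections for another.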


