IMAP preauth and stats-writer

Mark Hills mark-dovecot at xwax.org
Sat Jan 5 16:49:05 EET 2019


I use IMAP preauth; I connect with Alpine over SSH which is very useful.

The last few upgrades this has become more difficult to do. Last time 
(moving 2.2 -> 2.3, I think) I had to put in a workaround:

  stats_writer_socket_path =

It prevented /usr/local/libexec/dovecot/imap attempting to 
connect to a central stats service.

As of an upgrade today (2.3.2.1_1 -> 2.3.4_3 on FreeBSD) it looks like 
that 'fix' stopped working, and I get:

  imap(mark,)Error: net_connect_unix() failed: Permission denied

It goes to stderr, which breaks Alpine.

"()" is actually the filename. It seems that the empty string is no longer 
an indication to disable it. Here it is with the default configuration:

  imap(mark,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

I do also have a dovecot running as a system daemon, and, interestingly, 
disable this and it's 'fixed'; no attempt to connect. However, disabling 
the service is not an option (needed for smartphone).

The best I've come up with so far is when using preauth to hack it to send 
stderr to /dev/null. And yes, probably Alpine is at fault for interpreting 
stderr content (separate issue).

* Is there a way to cleanly disable reporting to the stats service?  
  Previously, running as preauth was all very clean.

* Just wanted to highlight that IMAP preauth is really useful.  Even 
  though it might not be mainstream, it seems healthy to be able to easily 
  install dovecot as an unprivileged user in a "unixy" way.

I'm on FreeBSD 11.2, with dovecot from ports. dovecot.conf below.

-- 
Mark


#
# Dovecot configuration
#

mail_location = maildir:~/Maildir
postmaster_address = postmaster

namespace {
    inbox = yes
}

ssl = required
ssl_cert = </etc/ssl/lets.crt
ssl_key = </etc/ssl/local.key
ssl_dh = </etc/ssl/dh.pem

#
# No writing of statistics to a privileged service;
# this is troublesome for a user to run the IMAP client
#

#stats_writer_socket_path =

#
# Authentication: only allow passwords sent over TLS, and
# check against the system password database
#

passdb {
    driver = pam
}

userdb {
    driver = passwd
}

#
# Disable all except standard IMAP with TLS logins
#

service imap-login {
    inet_listener imaps {
        port = 0
    }
}

service pop3-login {
    inet_listener pop3 {
        port = 0
    }

    inet_listener pop3s {
        port = 0
    }
}

#
# An authentication service to allow Exim to use the
# same credentials as Dovecot
#

service auth {
    unix_listener auth-client {
        mode = 0600
        user = mailnull
    }
}

protocol imap {
    mail_max_userip_connections = 40
}

# END
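
The stderr workaround described in the message above, as an added example that is not part of the original post or of Dovecot: a wrapper that keeps stderr away from the IMAP client but appends it to an owner-only log instead of /dev/null, so other errors are not lost. The log path and the `fake_imap` stand-in (with its constructed greeting line) are assumptions for illustration; the imap path and the error text are the ones quoted in the post.

```shell
#!/bin/sh
# run_quiet LOGFILE COMMAND [ARGS...]
# Runs COMMAND with stdin/stdout untouched (they carry the IMAP session)
# and stderr appended to LOGFILE, which is kept at mode 0600.
run_quiet() {
    log=$1
    shift
    # Create the log with owner-only permissions before anything is written,
    # and tighten it if it already existed with a wider mode.
    ( umask 077; : >>"$log" ) || return 1
    chmod 600 "$log" || return 1
    "$@" 2>>"$log"
}

# Constructed stand-in for the imap binary, for offline testing:
# a greeting on stdout and the error from the post on stderr.
fake_imap() {
    printf '%s\r\n' '* PREAUTH [CAPABILITY IMAP4rev1] Logged in as mark'
    echo 'imap(mark,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied' >&2
}

# Real use as the remote command of the SSH session
# (log location is an assumption):
#   run_quiet "$HOME/.dovecot-preauth.err" /usr/local/libexec/dovecot/imap
```
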

