Fatal: setgid from userdb lookup fails with wrong gid

J. de Meijer dovecot at filter.demeijer.com
Wed Oct 14 10:11:16 EEST 2020


Hi,

Not sure if this is it, but I used to have the same error when I started
with dovecot.

Aki's response was the following (and solved my problem).

-------------
Hi!

You can't set

service imap {
 service_count = 256
}

if you are using multiple system UIDs. See
https://wiki.dovecot.org/Services#imap.2C_pop3.2C_submission.2C_managesieve

*service_count* can be changed from 1 if only a single UID is used for
mail users. This improves performance, but it's less secure, because
bugs in code may leak email data from another user's earlier connection.

Aki
-----------

Regards,
Jeroen


> Hello all,
>
> I'm quite new as well to Dovecot, just installed it on a FreeBSD system
> with Postfix and Rspamd as side apps. Things are running semi-smoothly
> for all users but I do have quite a few errors in the logs :
>
> Oct 13 19:43:56 apollo dovecot[24478]: imap(user1)<34412><zIeI9ZCxXDmsFhZG>: Fatal: setgid(1030(user1) from userdb lookup) failed with euid=1022(user4), gid=1022(user4), egid=1022(user4): Operation not permitted (This binary should probably be called with process group set to 1030(user1) instead of 1022(user4))
> Oct 13 19:43:59 apollo dovecot[24478]: imap(user1)<37376><pPS79ZCx+kasFhZG>: Fatal: setgid(1030(user1) from userdb lookup) failed with euid=1124(user3), gid=1124(user3), egid=1124(user3): Operation not permitted (This binary should probably be called with process group set to 1030(user1) instead of 1124(user3))
> Oct 13 19:46:45 apollo dovecot[24478]: imap(user2)<38858><3hOk/5CxVO1dBDTq>: Fatal: setgid(1136(user2) from userdb lookup) failed with euid=1038(user5), gid=1038(user5), egid=1038(user5): Operation not permitted (This binary should probably be called with process group set to 1136(user2) instead of 1038(user5))
> Oct 13 19:48:55 apollo dovecot[24478]: imap(user3)<40607><jQtWB5GxHuwKAkQ2>: Fatal: setgid(1124(user3) from userdb lookup) failed with euid=1022(user4), gid=1022(user4), egid=1022(user4): Operation not permitted (This binary should probably be called with process group set to 1124(user3) instead of 1022(user4))
>
> There seems to be confusion. The logs are trying to be helpful but I
> can't quite process it. Could someone point me in the right direction ?
>
> system is used by about 60 users.
>
> Thanks,
>
> j.
>
> --
>
> doveconf -n
> # 2.3.11.3 (502c39af9): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.11 (d71e0372)
> # OS: FreeBSD 12.1-RELEASE-p10 amd64
> # Hostname: apollo.domain1.tld
> auth_mechanisms = plain login cram-md5
> auth_username_format = %Ln
> mail_location = maildir:~/Maildir
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
> namespace inbox {
>    inbox = yes
>    location =
>    mailbox Drafts {
>      special_use = \Drafts
>    }
>    mailbox Junk {
>      special_use = \Junk
>    }
>    mailbox Sent {
>      special_use = \Sent
>    }
>    mailbox "Sent Messages" {
>      special_use = \Sent
>    }
>    mailbox Trash {
>      special_use = \Trash
>    }
>    prefix =
>    type = private
> }
> passdb {
>    args = scheme=cram-md5 /usr/local/etc/dovecot/cram-md5.pwd
>    driver = passwd-file
> }
> plugin {
>    imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
>    imapsieve_mailbox1_causes = COPY
>    imapsieve_mailbox1_name = Spam
>    imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
>    imapsieve_mailbox2_causes = COPY
>    imapsieve_mailbox2_from = Spam
>    imapsieve_mailbox2_name = *
>    quota = maildir:User quota
>    quota_exceeded_message = Benutzer %u hat das Speichervolumen überschritten. / User %u has exhausted allowed storage space.
>    sieve = file:~/sieve;active=~/.dovecot.sieve
>    sieve_before = /var/vmail/sieve/global/spam-global.sieve
>    sieve_global_extensions = +vnd.dovecot.pipe
>    sieve_pipe_bin_dir = /usr/local/bin
>    sieve_plugins = sieve_imapsieve sieve_extprograms
> }
> postmaster_address = postmaster at apollo.domain1.tld
> protocols = imap lmtp sieve
> service auth {
>    client_limit = 3000
>    unix_listener /var/spool/postfix/private/auth {
>      group = postfix
>      mode = 0666
>      user = postfix
>    }
> }
> service imap-login {
>    service_count = 0
> }
> service imap {
>    process_min_avail = 4
>    service_count = 512
>    vsz_limit = 1 G
> }
> service lmtp {
>    unix_listener /var/spool/postfix/private/dovecot-lmtp {
>      group = postfix
>      mode = 0600
>      user = postfix
>    }
>    vsz_limit = 1 G
> }
> ssl_cert = </usr/local/etc/letsencrypt/live/apollo.domain1.tld/fullchain.pem
> ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_prefer_server_ciphers = yes
> syslog_facility = local5
> userdb {
>    driver = passwd
> }
> protocol lda {
>    mail_plugins = sieve
> }
> protocol lmtp {
>    mail_plugins = quota sieve
>    postmaster_address = postmaster at domain1.tld
> }
> protocol imap {
>    mail_max_userip_connections = 100
>    mail_plugins = " quota imap_quota imap_sieve"
> }
> local_name imap.domain2.tld {
>    ssl_cert = </usr/local/etc/letsencrypt/live/mail.domain2.tld/fullchain.pem
>    ssl_key = # hidden, use -P to show it
> }
> local_name mail.domain2.tld {
>    ssl_cert = </usr/local/etc/letsencrypt/live/mail.domain2.tld/fullchain.pem
>    ssl_key = # hidden, use -P to show it
> }
>
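
Added example (not part of the original thread and not Dovecot code): a small Python check for the condition Aki describes, an imap `service_count` other than 1 combined with per-user system UIDs, plus a parser for the `setgid` failures it produces. The function names and the embedded samples are constructed for illustration; a missing `service_count` is assumed to mean 1.

```python
import re

# Constructed sample: the relevant blocks from the `doveconf -n` output quoted above.
SAMPLE_CONF = """\
service imap-login {
  service_count = 0
}
service imap {
  process_min_avail = 4
  service_count = 512
  vsz_limit = 1 G
}
userdb {
  driver = passwd
}
"""

# Constructed sample: the first log entry from the thread, rejoined onto one line.
SAMPLE_LOG = (
    "Oct 13 19:43:56 apollo dovecot[24478]: imap(user1)<34412><zIeI9ZCxXDmsFhZG>: "
    "Fatal: setgid(1030(user1) from userdb lookup) failed with euid=1022(user4), "
    "gid=1022(user4), egid=1022(user4): Operation not permitted\n"
)

BLOCK_RE = re.compile(r"^([\w-]+(?: [\w.-]+)?) \{\n(.*?)^\}", re.M | re.S)
SETGID_RE = re.compile(
    r"setgid\((\d+)\((\S+?)\) from userdb lookup\) failed with "
    r"euid=(\d+)\((\S+?)\), gid=(\d+)")

def top_level_blocks(conf):
    """Map e.g. 'service imap' to its settings, as printed by `doveconf -n`."""
    return {name: dict(re.findall(r"^\s*(\w+) = (.*)$", body, re.M))
            for name, body in BLOCK_RE.findall(conf)}

def imap_reuse_with_system_users(conf):
    """True if imap processes serve several logins while userdb is `passwd`.

    Assumptions: a missing service_count counts as 1, and the passwd driver
    means one system UID/GID per mail user, as the thread's logs show.
    """
    blocks = top_level_blocks(conf)
    count = int(blocks.get("service imap", {}).get("service_count", "1"))
    return count != 1 and blocks.get("userdb", {}).get("driver") == "passwd"

def cross_user_failures(log):
    """(wanted_user, wanted_gid, process_user, process_gid) per failed switch."""
    return [(m[2], int(m[1]), m[4], int(m[5]))
            for m in SETGID_RE.finditer(log) if m[1] != m[5]]
```

Each tuple from `cross_user_failures` names the user whose login failed and the user whose credentials the reused imap process still held.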





