<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Well, I don't know about yuuuge security risk (not saying there
isn't any...), but if this concerns you, you can also use LMTP
instead, which is probably a better solution here.<br>
</p>
<p>Aki<br>
</p>
<br>
<div class="moz-cite-prefix">On 31.07.2018 13:42, Andras Kemeny
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9bde0fe3-fedd-c716-c6c2-769f8aaf1cbf@pdx.hu">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>yeah, the only problem about that is it's a yuuuge security
risk :), and also, postfix simply won't let me:</p>
<p>Jul 31 02:20:37 rhyno postfix/pipe[29532]: fatal: user=
command-line attribute specifies root privileges<br>
</p>
<p>so it's entirely possible i'm knocking on the wrong door, and
instead i should be asking this in the postfix mailing list.</p>
<p>however, i'm also worried about this: "to bypass this check,
set: service auth { unix_listener /var/run/dovecot/auth-userdb {
mode=0777 } }", as i have done what it says, and the check
wasn't bypassed so i'm wary about something bad coming up once i
somehow fix this initial UID problem.</p>
<p>thanks,<br>
a<br>
</p>
<br>
<div class="moz-cite-prefix">On 2018. 07. 31. 7:12, Aki Tuomi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20180731051259.5338A343768@talvi.dovecot.org">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
<div>You could run dovecot-lda as root. It will setuid to
correct account.</div>
<div id="composer_signature">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
---
<div>Aki Tuomi</div>
<div>Dovecot oy</div>
</div>
<div><br>
</div>
<div style="font-size:100%;color:#000000"><!-- originalMessage -->
<div>-------- Original message --------</div>
<div>From: Andras Kemeny <a class="moz-txt-link-rfc2396E"
href="mailto:pdx@pdx.hu" moz-do-not-send="true"><pdx@pdx.hu></a>
</div>
<div>Date: 31/07/2018 04:46 (GMT+02:00) </div>
<div>To: <a class="moz-txt-link-abbreviated"
href="mailto:dovecot@dovecot.org" moz-do-not-send="true">dovecot@dovecot.org</a>
</div>
<div>Subject: uid problem </div>
<div><br>
</div>
</div>
hi,<br>
<br>
contacting this mailing list is my last-ditch effort to somehow
come to <br>
a working configuration where postfix "ends in" dovecot, i.e. for
special <br>
LDAP-based users, featured in the virtual mailbox delivery,
dovecot <br>
would act as LDA.<br>
<br>
here's the deal.<br>
<br>
i've set up dovecot's access to the LDAP server, and for the
purposes of <br>
being an IMAP server and a SASL auth backend, dovecot works
brilliantly <br>
and without a glitch. i can access my test mailbox (in maildir
format), <br>
i can use the LDA as root and it delivers the message correctly
(after a <br>
switch to the target user's UID), and even postfix's submission
works <br>
with dovecot as its SASL backend.<br>
<br>
what does not work is dovecot as LDA from postfix.<br>
<br>
i'm getting these errors in the log:<br>
<br>
Jul 31 03:40:40 rhyno dovecot: lda(aik): Error: user aik: Auth
USER <br>
lookup failed<br>
Jul 31 03:40:40 rhyno dovecot: auth: Error: userdb(aik): client
doesn't <br>
have lookup permissions for this user: userdb uid (10001)
doesn't match <br>
peer uid (5000) (to bypass this check, set: service auth {
unix_listener <br>
/var/run/dovecot/auth-userdb { mode=0777 } })<br>
Jul 31 03:40:40 rhyno dovecot: lda: Fatal: Internal error
occurred. <br>
Refer to server log for more information.<br>
<br>
for the sake of clarity, i've tried the "to bypass this check" <br>
instructions, didn't help.<br>
<br>
also, for the sake of operational clarity, "aik" is the LDAP
account <br>
with the following parameters:<br>
<br>
dn: uid=aik,ou=People,dc=rhyno,dc=tech<br>
objectClass: account<br>
objectClass: posixAccount<br>
objectClass: postfixUser<br>
cn: aik<br>
uid: aik<br>
uidNumber: 10001<br>
gidNumber: 10001<br>
homeDirectory: /home/aik<br>
loginShell: /bin/sh<br>
gecos: aik<br>
description: User account<br>
structuralObjectClass: account<br>
entryUUID: db947584-0369-1038-98b3-675e2f0cea17<br>
creatorsName: cn=admin,dc=rhyno,dc=tech<br>
createTimestamp: 20180613152616Z<br>
email: ***********<br>
userPassword:: *************************<br>
mailacceptinggeneralid: andras.kemeny<br>
mailacceptinggeneralid: kemeny.andras<br>
mailacceptinggeneralid: aik<br>
mailacceptinggeneralid: pdx<br>
mailacceptinggeneralid: @rhyno.tech<br>
mailacceptinggeneralid: @rhynotechnologies.com<br>
maildrop: aik<br>
<br>
and postfix's master.cf says:<br>
<br>
dovecot unix - n n - - pipe<br>
flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e
-f <br>
${sender} -d ${user}<br>
<br>
so i'm stuck at this point. obviously, if the LDA is spawned
with <br>
vmail:vmail perms, it cannot become uid 10001 (btw, the LDAP and
passwd <br>
accounts were once connected, but for security reasons, the
connection <br>
has been severed -- still the /home/aik/mail dir is owned by uid
10001 etc).<br>
<br>
what am i doing wrong?<br>
<br>
thanks,<br>
a<br>
</blockquote>
<br>
</blockquote>
<br>
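<p>Added example (not from the thread or the Dovecot project): the LMTP hand-off Aki suggests, written out for Dovecot's conf.d/10-master.conf and Postfix's main.cf. The socket path, the file names and the note on the master.cf pipe entry are assumptions based on the thread.</p>

```conf
# ---- Dovecot: conf.d/10-master.conf (added example) ----
# Hand delivery to Dovecot's own LMTP service instead of spawning
# /usr/lib/dovecot/deliver from a Postfix pipe. The userdb lookup and the
# delivery then happen inside Dovecot, so Postfix never has to run the LDA as
# root (which postfix/pipe refuses, per the thread) and the pipe's vmail UID is
# no longer the "peer uid" compared against the userdb uid 10001.
service lmtp {
  # Assumption: socket placed inside Postfix's chroot (/var/spool/postfix) so
  # the Postfix lmtp client can reach it; readable only by the postfix user.
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

# Leave the auth-userdb listener at its default. The "to bypass this check"
# hint from the log means a world-writable socket, which lets any local
# account query userdb entries for any user; it is not needed with LMTP.
# service auth {
#   unix_listener /var/run/dovecot/auth-userdb { mode = 0777 }   # avoid
# }

# ---- Postfix: main.cf ----
# Route virtual-mailbox recipients (the LDAP users) to the Dovecot socket
# above; the path is relative to Postfix's queue directory.
virtual_transport = lmtp:unix:private/dovecot-lmtp

# ---- Postfix: master.cf ----
# The pipe transport from the thread becomes unused and can be dropped:
# dovecot unix - n n - - pipe
#   flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
```

<p>After changing both files, reload Dovecot and Postfix and re-send the test message; the delivery should now appear in the log as lmtp(aik) rather than lda(aik).</p>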
</body>
</html>