<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" dir="auto" class=""><div class="">I’m trying to configure dovecot lmtp in multi-user mode. My error logs are filled with messages saying that an imap process cannot do a setuid to another user:</div><div class=""><br class=""></div><div class=""><div class=""><blockquote type="cite" class="">May 21 22:28:46 imap(pid 17441 user myuser): Fatal: setuid(512(myuser) from userdb lookup) failed with euid=501(adminuser): Operation not permitted (This binary should probably be called with process user set to 512(myuser) instead of 501(adminuser))</blockquote></div><div class=""><br class=""></div>I see that others have had similar issues, but I am not able to apply any of the fixes or workarounds to solve this issue (e.g. setting libexec/dovecot/imap as setuid-root). I’ve also tried other fixes like setting the permissions to 0777 on the userdb auth for postfix smtpd.</div><div class=""><br class=""></div><div class="">According to the code (restrict-access.c, linked below), it appears that when a user authenticates, an imap worker process is launched that has the uid of the authenticator. When another user authenticates, this last process is used, but it does not have the permissions to perform a setuid to the new user, resulting in the Fatal error that appears in the logs.</div><div class=""><br class=""></div><div class="">Is this a bug, or a configuration issue? 
I’ve posted my doveconf below.</div><div class=""><br class=""></div><div class="">Any pointers would be greatly appreciated.</div><div class=""><br class=""></div><div class="">Steve</div><div class=""><br class="Apple-interchange-newline"><br class=""></div>Related:<div class=""><ul class="MailOutline"><li class=""><a href="https://serverfault.com/questions/930245/dovecot-operation-not-permitted" class="">https://serverfault.com/questions/930245/dovecot-operation-not-permitted</a></li><li class=""><a href="https://dovecot.org/list/dovecot/2012-May/135549.html" class="">https://dovecot.org/list/dovecot/2012-May/135549.html</a></li><li class=""><a href="https://trac.macports.org/ticket/58506" class="">https://trac.macports.org/ticket/58506</a></li></ul><div class=""><br class=""></div><div class="">Code at <a href="https://github.com/dovecot/core/blob/master/src/lib/restrict-access.c" class="">https://github.com/dovecot/core/blob/master/src/lib/restrict-access.c</a>:</div><div class=""><ul class="MailOutline"><li class=""><a href="https://github.com/dovecot/core/blob/863887d4272f962926ab279ac4cf37855dd2008d/src/lib/restrict-access.c#L238-L256" class="">https://github.com/dovecot/core/blob/863887d4272f962926ab279ac4cf37855dd2008d/src/lib/restrict-access.c#L238-L256</a></li><li class=""><a href="https://github.com/dovecot/core/blob/863887d4272f962926ab279ac4cf37855dd2008d/src/lib/restrict-access.c#L342-L346" class="">https://github.com/dovecot/core/blob/863887d4272f962926ab279ac4cf37855dd2008d/src/lib/restrict-access.c#L342-L346</a></li></ul><div class=""><br class=""></div></div><div class="">doveconf -n:</div><div class=""><blockquote type="cite" class=""><div class=""># 2.3.0.1 (ffd8a29): /opt/local/etc/dovecot/dovecot.conf</div><div class=""># Pigeonhole version 0.5.0.1 (d33dca20)</div><div class=""># OS: Darwin 18.6.0 x86_64  apfs</div><div class="">auth_cache_size = 10 M</div><div class="">auth_gssapi_hostname = $ALL</div><div class="">auth_krb5_keytab = 
/opt/local/etc/dovecot/imap.keytab</div><div class="">auth_mechanisms = plain gssapi</div><div class="">auth_realms = host.domain.tld</div><div class="">auth_socket_path = /opt/local/var/run/dovecot/auth-userdb</div><div class="">auth_username_format = %Ln</div><div class="">debug_log_path = /opt/local/var/log/mail/mail-debug.log</div><div class="">default_internal_user = _dovecot</div><div class="">default_login_user = _dovenull</div><div class="">disable_plaintext_auth = no</div><div class="">first_valid_gid = 6</div><div class="">first_valid_uid = 6</div><div class="">imap_id_log = *</div><div class="">imap_id_send = "name" * "version" *</div><div class="">imap_idle_notify_interval = 29 mins</div><div class="">imap_urlauth_submit_user = submit</div><div class="">info_log_path = /opt/local/var/log/mail/mail-info.log</div><div class="">last_valid_gid = 100</div><div class="">lda_mailbox_autocreate = yes</div><div class="">log_path = /opt/local/var/log/mail/mail-err.log</div><div class="">login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c</div><div class="">mail_access_groups = mail</div><div class="">mail_attachment_dir = /private/var/mail/tld.domain.mail/attachments</div><div class="">mail_attachment_fs = sis posix:mode=0666</div><div class="">mail_debug = yes</div><div class="">mail_gid = mail</div><div class="">mail_home = /private/var/mail/tld.domain.mail</div></blockquote><blockquote type="cite" class=""><div class="">mail_location = mdbox:/private/var/mail/tld.domain.mail/%Ln/mdbox</div></blockquote><blockquote type="cite" class=""><div class="">mail_log_prefix = "%s(pid %p user %u): "</div><div class="">mail_plugins = quota zlib acl fts fts_solr fts_lucene</div><div class="">mail_privileged_group = mail</div><div class="">mail_uid = _dovecot</div><div class="">managesieve_notify_capability = mailto</div><div class="">managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve</div><div class="">mdbox_rotate_size = 200 M</div><div class="">namespace inbox {</div><div class="">  inbox = yes</div><div class="">  location = </div><div class="">  mailbox Archive {</div><div class="">    auto = subscribe</div><div class="">    special_use = \Archive</div><div class="">  }</div><div class="">  mailbox Drafts {</div><div class="">    auto = subscribe</div><div class="">    special_use = \Drafts</div><div class="">  }</div><div class="">  mailbox Junk {</div><div class="">    auto = create</div><div class="">    special_use = \Junk</div><div class="">  }</div><div class="">  mailbox Notspam_train {</div><div class="">    auto = create</div><div class="">    special_use = \Junk</div><div class="">  }</div><div class="">  mailbox Sent {</div><div class="">    auto = subscribe</div><div class="">    special_use = \Sent</div><div class="">  }</div><div class="">  mailbox Spam_train {</div><div class="">    auto = create</div><div class="">    special_use = \Junk</div><div class="">  }</div><div class="">  mailbox Trash {</div><div class="">    auto = create</div><div class="">    special_use = \Trash</div><div class="">  }</div><div class="">  prefix = </div><div class="">  separator = /</div><div class="">}</div><div class="">passdb {</div><div class="">  driver = pam</div><div class="">  name = pam</div><div class="">}</div><div class="">plugin {</div><div class="">  fts = solr</div><div class="">  fts_autoindex = yes</div><div class="">  fts_autoindex_exclude = \Junk</div><div class="">  fts_solr = url=<a href="http://127.0.0.1:8983/solr/dovecot/" class="">http://127.0.0.1:8983/solr/dovecot/</a></div><div class="">  imapsieve_mailbox1_before = file:/opt/local/etc/dovecot/sieve/report-spam.sieve</div><div class="">  imapsieve_mailbox1_causes = COPY APPEND</div><div class="">  
imapsieve_mailbox1_name = Spam_train</div><div class="">  imapsieve_mailbox2_before = file:/opt/local/etc/dovecot/sieve/report-ham.sieve</div><div class="">  imapsieve_mailbox2_causes = COPY APPEND</div><div class="">  imapsieve_mailbox2_name = Notspam_train</div><div class="">  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename</div><div class="">  mail_log_fields = uid box msgid from subject size flags</div><div class="">  quota_grace = 10%%</div><div class="">  quota_rule = *:storage=16G</div><div class="">  quota_rule2 = Trash:storage=+256M</div><div class="">  quota_warning = storage=100%% quota-exceeded %u</div><div class="">  quota_warning2 = storage=80%% quota-warning %u</div><div class="">  recipient_delimiter = +</div><div class="">  sieve = /private/var/mail/tld.domain.mail/rules/%Ln/dovecot.sieve</div></blockquote><blockquote type="cite" class=""><div class="">  sieve_after = /opt/local/etc/dovecot/sieve-after.d</div><div class="">  sieve_before = /opt/local/etc/dovecot/sieve-before.d</div><div class="">  sieve_dir = /private/var/mail/tld.domain.mail/rules/%Ln/%u</div></blockquote><blockquote type="cite" class=""><div class="">  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment</div><div class="">  sieve_pipe_bin_dir = /opt/local/etc/dovecot/sieve</div><div class="">  sieve_plugins = sieve_imapsieve sieve_extprograms</div><div class="">  sieve_quota_max_storage = 50M</div><div class="">}</div><div class="">postmaster_address = <a href="mailto:postmaster@domain.tld" class="">postmaster@domain.tld</a></div><div class="">protocols = imap lmtp sieve</div><div class="">quota_full_tempfail = yes</div><div class="">sendmail_path = /opt/local/sbin/sendmail</div><div class="">service auth-worker {</div><div class="">  user = root</div><div class="">}</div><div class="">service auth {</div><div class="">  extra_groups = _keytabusers</div><div class="">  idle_kill = 15 mins</div><div class="">  unix_listener 
/opt/local/var/spool/postfix/private/auth {</div><div class="">    group = mail</div><div class="">    mode = 0660</div><div class="">    user = _postfix</div><div class="">  }</div><div class="">}</div><div class="">service imap-login {</div><div class="">  inet_listener imap {</div><div class="">    address = 127.0.0.1, ::1</div><div class="">    port = 143</div><div class="">  }</div><div class="">  inet_listener imaps {</div><div class="">    port = 993</div><div class="">    ssl = yes</div><div class="">  }</div><div class="">  process_min_avail = 6</div><div class="">  service_count = 0</div><div class="">  vsz_limit = 2 G</div><div class="">}</div><div class="">service imap {</div><div class="">  client_limit = 16</div><div class="">  process_limit = 200</div><div class="">  process_min_avail = 6</div><div class="">  service_count = 0</div><div class="">}</div><div class="">service lmtp {</div><div class="">  unix_listener /opt/local/var/spool/postfix/private/dovecot-lmtp {</div><div class="">    group = mail</div><div class="">    mode = 0660</div><div class="">    user = _postfix</div><div class="">  }</div><div class="">}</div><div class="">ssl = required</div><div class="">ssl_ca = </etc/certificates/chain.pem</div><div class="">ssl_cert = </etc/certificates/cert.pem</div><div class="">ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</div><div class="">ssl_dh =  # hidden, use -P to show it</div><div class="">ssl_key =  # hidden, use -P to show it</div><div class="">ssl_min_protocol = TLSv1.2</div><div class="">ssl_prefer_server_ciphers = yes</div><div class="">userdb {</div><div class="">  driver = passwd</div><div class="">  name = passwd</div><div class="">}</div><div class="">verbose_proctitle = yes</div><div 
class="">protocol lda {</div><div class="">  mail_fsync = optimized</div><div class="">  mail_plugins = quota zlib acl fts fts_solr fts_lucene sieve</div><div class="">}</div><div class="">protocol imap {</div><div class="">  mail_max_userip_connections = 50</div><div class="">  mail_plugins = quota zlib acl fts fts_solr fts_lucene imap_acl imap_quota imap_zlib imap_sieve</div><div class="">}</div><div class="">protocol lmtp {</div><div class="">  mail_fsync = optimized</div><div class="">  mail_plugins = quota zlib acl fts fts_solr fts_lucene sieve</div><div class="">}</div></blockquote></div><div class=""><div class=""><br class=""></div></div><div class=""><br class=""></div></div></div></div></body></html>
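The process-reuse behaviour described in the message above, shown as an added configuration example. This is not from the original post and not Dovecot's own documentation text; it takes the `service imap` block, `mail_uid`, `mail_gid` and the `passwd` userdb from the quoted doveconf output as given, and the uids 501 and 512 are the ones in the quoted log line. The `override_fields` userdb setting is a standard Dovecot 2.x userdb option; the single-uid layout it assumes (all mailboxes owned by `_dovecot`) is an assumption, not something the post confirms.

```conf
# Added example, not from the original post. Dovecot configuration
# fragments that assume the doveconf -n output quoted above.

# AS POSTED: each imap process serves up to 16 connections and is never
# recycled (service_count = 0). The first login makes the process
# setuid() to that user's uid from the passwd userdb (501 in the log);
# a later login by a different user (512) is handed to the same, now
# unprivileged, process, which cannot setuid() again. That is the Fatal
# in the log: the process is reused across users with different uids.
service imap {
  client_limit = 16
  process_limit = 200
  process_min_avail = 6
  service_count = 0
}

# OPTION A: one connection per imap process. Every process is forked
# fresh with its privileges intact and drops them once, so per-user
# system uids returned by the passwd userdb work. This is the mode to
# use when users have different uids; it costs a fork per login.
service imap {
  client_limit = 1
  process_limit = 200
  process_min_avail = 6
  service_count = 1
}

# OPTION B: keep process reuse, but run every mailbox under one uid so
# that no setuid() between users is ever needed. override_fields
# replaces the uid/gid the passwd userdb returned. Assumption: the mail
# directories under mail_home are owned by _dovecot:mail, and any sieve
# pipe scripts then run as _dovecot rather than as the mailbox owner.
mail_uid = _dovecot
mail_gid = mail
userdb {
  driver = passwd
  name = passwd
  override_fields = uid=_dovecot gid=mail
}
service imap {
  client_limit = 16
  process_limit = 200
  process_min_avail = 6
  service_count = 0
}
```

Pick one option, not both. After reloading (`doveadm reload`), `doveadm user myuser` prints the uid and gid the userdb now hands to the imap process; with option B it should show `_dovecot` for every user, with option A it shows each user's own system uid and the first login by a second user should no longer produce the setuid Fatal.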