Re: [Dovecot] Random LDA failure to access auth socket

2013-03-18 Thread Chris Richards
Daniel,
Just wanted to respond back and let you know that changing permissions to
dovecot:dovecot as you suggested seems to have resolved the issue; I've
not seen any more occurrences of this error.

Thanks again for your assistance!

Chris

On Sun, March 3, 2013 5:13 pm, Daniel Parthey wrote:
> Hi Chris,
>
> Chris Richards wrote:
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>> group = postfix
>> mode = 0666
>> user = postfix
>>   }
>>   unix_listener auth-userdb {
>> group = vmail
>> mode = 0600
>> user = vmail
>>   }
>>   user = $default_internal_user
>> }
>
> In order for dovecot-lda to work, default internal user "dovecot"
> seems to need permission for the user listing. This should work,
> but you should try to narrow the permissions down:
>
> service auth {
>   unix_listener auth-userdb {
> group = dovecot
> mode = 0666
> user = dovecot
>   }
> }
>
> Documentation http://wiki2.dovecot.org/LDA says:
>
> The auth-userdb socket can be used to do userdb lookups for given
> usernames or get a list of all users. Typically the result will contain
> the user's UID, GID and home directory, but depending on your
> configuration it may return other information as well. So the
> information is similar to what can be found from eg. /etc/passwd for
> system users. This means that it's probably not a problem to use
> mode=0666 for the socket, but you should try to restrict it more just to
> be safe.
>
>> hermes conf.d # stat /usr/libexec/dovecot/deliver
>>   File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
>>   Size: 11  Blocks: 0  IO Block: 4096   symbolic link
>> Device: 805h/2053d  Inode: 267375  Links: 1
>> Access: (0777/lrwxrwxrwx)  Uid: (0/root)   Gid: (0/root)
>> Access: 2012-11-24 17:44:04.440976879 +
>> Modify: 2012-11-24 17:44:04.440976879 +
>> Change: 2012-11-24 17:44:04.440976879 +
>>  Birth: -
>
> deliver is a symbolic link to dovecot-lda, so it's basically the same.
>
>> hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
>>   File: '/usr/libexec/dovecot/dovecot-lda'
>>   Size: 22432   Blocks: 48 IO Block: 4096   regular file
>> Device: 805h/2053d  Inode: 849010  Links: 1
>> Access: (0755/-rwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
>> Access: 2012-11-24 17:43:57.124794021 +
>> Modify: 2012-11-24 17:44:02.204920992 +
>> Change: 2012-11-24 17:44:04.444976978 +
>>  Birth: -
>
> No setuid/setgid flags set.
>
>> >> In Postfix master.cf, I have the following:
>> >> dovecot   unix -n   n   -   -   pipe
>> >>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f
>> >> ${sender} -d ${user}@${nexthop}
>
> I'm wondering why user=vmail:users does not have the desired effect
> and dovecot-lda uses the effective uid "dovecot" and effective gid
> "dovecot" to do the user lookups.
>
> Regards
> Daniel




Re: [Dovecot] Random LDA failure to access auth socket

2013-03-10 Thread Chris Richards
I was finally able to make this change.  It doesn't appear to have broken
anything, which is a plus.  ;)

I'll ping back in a couple of days or so and let you know if the issue
appears resolved.

Thanks again for your help!

Chris

On Sun, March 3, 2013 6:31 pm, Chris Richards wrote:
>
>> In order for dovecot-lda to work, default internal user "dovecot"
>> seems to need permission for the user listing. This should work,
>> but you should try to narrow the permissions down:
>>
>> service auth {
>>   unix_listener auth-userdb {
>> group = dovecot
>> mode = 0666
>> user = dovecot
>>   }
>> }
>
> I'll give this a whirl tomorrow during off-mail time.  I'm thinking there
> was a reason I did vmail:users, but it's not coming to me at the moment.
>
> I'm also puzzled by why lda is using dovecot:dovecot rather than
> vmail:users.  Does it drop back to dovecot:dovecot and retry if the
> requested uid:gid fails to work?  I can't imagine where postfix would get
> uid:gid of dovecot:dovecot to call with, so I don't think it's a postfix
> problem.
>
> Thanks for your help!
>
> Chris
>
>




Re: [Dovecot] Random LDA failure to access auth socket

2013-03-03 Thread Chris Richards

> In order for dovecot-lda to work, default internal user "dovecot"
> seems to need permission for the user listing. This should work,
> but you should try to narrow the permissions down:
>
> service auth {
>   unix_listener auth-userdb {
> group = dovecot
> mode = 0666
> user = dovecot
>   }
> }

I'll give this a whirl tomorrow during off-mail time.  I'm thinking there
was a reason I did vmail:users, but it's not coming to me at the moment.

I'm also puzzled by why lda is using dovecot:dovecot rather than
vmail:users.  Does it drop back to dovecot:dovecot and retry if the
requested uid:gid fails to work?  I can't imagine where postfix would get
uid:gid of dovecot:dovecot to call with, so I don't think it's a postfix
problem.

Thanks for your help!

Chris



Re: [Dovecot] Random LDA failure to access auth socket

2013-03-03 Thread Daniel Parthey
Hi Chris,

Chris Richards wrote:
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0666
> user = postfix
>   }
>   unix_listener auth-userdb {
> group = vmail
> mode = 0600
> user = vmail
>   }
>   user = $default_internal_user
> }

In order for dovecot-lda to work, default internal user "dovecot"
seems to need permission for the user listing. This should work,
but you should try to narrow the permissions down:

service auth {
  unix_listener auth-userdb {
group = dovecot
mode = 0666
user = dovecot
  }
}

Documentation http://wiki2.dovecot.org/LDA says:

The auth-userdb socket can be used to do userdb lookups for given usernames or
get a list of all users. Typically the result will contain the user's UID, GID
and home directory, but depending on your configuration it may return other
information as well. So the information is similar to what can be found from
eg. /etc/passwd for system users. This means that it's probably not a problem
to use mode=0666 for the socket, but you should try to restrict it more just to
be safe.

> hermes conf.d # stat /usr/libexec/dovecot/deliver
>   File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
>   Size: 11  Blocks: 0  IO Block: 4096   symbolic link
> Device: 805h/2053d  Inode: 267375  Links: 1
> Access: (0777/lrwxrwxrwx)  Uid: (0/root)   Gid: (0/root)
> Access: 2012-11-24 17:44:04.440976879 +
> Modify: 2012-11-24 17:44:04.440976879 +
> Change: 2012-11-24 17:44:04.440976879 +
>  Birth: -

deliver is a symbolic link to dovecot-lda, so it's basically the same.

> hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
>   File: '/usr/libexec/dovecot/dovecot-lda'
>   Size: 22432   Blocks: 48 IO Block: 4096   regular file
> Device: 805h/2053d  Inode: 849010  Links: 1
> Access: (0755/-rwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
> Access: 2012-11-24 17:43:57.124794021 +
> Modify: 2012-11-24 17:44:02.204920992 +
> Change: 2012-11-24 17:44:04.444976978 +
>  Birth: -

No setuid/setgid flags set.

> >> In Postfix master.cf, I have the following:
> >> dovecot   unix -n   n   -   -   pipe
> >>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f
> >> ${sender} -d ${user}@${nexthop}

I'm wondering why user=vmail:users does not have the desired effect
and dovecot-lda uses the effective uid "dovecot" and effective gid "dovecot"
to do the user lookups.

Regards
Daniel
-- 
https://plus.google.com/103021802792276734820
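The "Permission denied" in the log and the two listener settings discussed in this message (0600 vmail:vmail versus 0666 dovecot:dovecot), as an added example that is not part of the thread and not Dovecot's own code. On Linux, connect() on a Unix-domain socket needs the write bit on the socket inode for the caller, and the search bit on every directory in the path; the script below emulates that owner/group/other decision for the euid/egid the log shows and for the listener modes under discussion, and also for a narrower 0660 dovecot:dovecot variant that only admits the dovecot user and members of group dovecot. The numeric id for vmail (1001), the function names and the group memberships are assumptions; uid/gid 97 for dovecot comes from the log line. It does not explain where euid 97 comes from in the LDA run, which the thread leaves open.

```shell
#!/bin/sh
# Added example (not from the thread, not Dovecot code): emulate the
# discretionary-access check the kernel applies when a process calls
# connect() on a Unix-domain socket such as /var/run/dovecot/auth-userdb.
# connect() needs the w bit on the socket inode; each directory on the
# path needs the x bit. Ids other than dovecot=97 (from the log) are assumed.

# perm_digit MODE WHICH  -> prints the octal digit for u, g or o
perm_digit() {
    m=${1#0}                      # 0600 -> 600; 666 stays 666
    [ -z "$m" ] && m=0
    while [ ${#m} -lt 3 ]; do m=0$m; done
    m=${m#"${m%???}"}             # keep the last three digits (drop suid/sgid/sticky)
    case $2 in
        u) printf '%s' "${m%??}" ;;
        g) r=${m#?}; printf '%s' "${r%?}" ;;
        o) printf '%s' "${m#??}" ;;
    esac
}

# can_access MODE OWNER_UID OWNER_GID BIT UID GID [GID...]
#   BIT is r, w or x; the GIDs are the caller's effective and supplementary
#   groups. Prints yes or no, as a non-root open()/connect() would see it.
can_access() {
    mode=$1; ouid=$2; ogid=$3; bit=$4; uid=$5; shift 5
    case $bit in r) mask=4 ;; w) mask=2 ;; x) mask=1 ;; *) echo no; return 1 ;; esac
    # root (CAP_DAC_OVERRIDE) bypasses these bits entirely
    if [ "$uid" -eq 0 ]; then echo yes; return 0; fi
    # The owner class is decided first and exclusively: group bits are never
    # consulted for the owner, so 0070 gives the owner nothing.
    if [ "$uid" -eq "$ouid" ]; then
        d=$(perm_digit "$mode" u)
    else
        d=$(perm_digit "$mode" o)
        for g in "$@"; do
            if [ "$g" -eq "$ogid" ]; then d=$(perm_digit "$mode" g); break; fi
        done
    fi
    if [ $(( d & mask )) -ne 0 ]; then echo yes; else echo no; fi
}

# Scenarios from the thread. Assumed: vmail=1001. From the log: dovecot=97.
VMAIL=1001; DOVECOT=97

# 1. Original listener: auth-userdb 0600 vmail:vmail, LDA connecting as dovecot.
case_original()    { can_access 0600 $VMAIL $VMAIL w $DOVECOT $DOVECOT; }
# 2. The suggested fix: 0666 dovecot:dovecot, writable by everyone.
case_0666()        { can_access 0666 $DOVECOT $DOVECOT w $DOVECOT $DOVECOT; }
# 3. Narrower: 0660 dovecot:dovecot. The dovecot user connects as owner...
case_0660_owner()  { can_access 0660 $DOVECOT $DOVECOT w $DOVECOT $DOVECOT; }
# ...vmail connects only if group dovecot is among its supplementary groups...
case_0660_member() { can_access 0660 $DOVECOT $DOVECOT w $VMAIL $VMAIL $DOVECOT; }
# ...and any account outside that group is refused.
case_0660_other()  { can_access 0660 $DOVECOT $DOVECOT w $VMAIL $VMAIL; }
# The directory from the log, /var/run/dovecot owned by 0:0 mode 0755: search is fine.
case_dir()         { can_access 0755 0 0 x $DOVECOT $DOVECOT; }

# check_live PATH UID GID [GID...]  -> same decision for a real socket.
# Uses GNU coreutils stat -c; prints "not a socket" and returns 2 otherwise.
check_live() {
    path=$1; shift
    [ -S "$path" ] || { echo "not a socket: $path" >&2; return 2; }
    set -- $(stat -c '%a %u %g' "$path") w "$@"
    can_access "$@"
}

# Stand-alone run: print every scenario.
for c in case_original case_0666 case_0660_owner case_0660_member case_0660_other case_dir; do
    printf '%-18s %s\n' "$c" "$($c)"
done
```

Run it as-is to see the table, or `check_live /var/run/dovecot/auth-userdb 97 97` on a live host to test the actual socket against the ids from the log. The 0660 variant is the "restrict it more" option the wiki text hints at: it keeps the socket closed to unrelated local accounts while still admitting whatever runs as dovecot, but it only helps if the process that actually connects runs as dovecot or carries group dovecot, which is exactly what the thread could not pin down before settling on 0666.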


Re: [Dovecot] Random LDA failure to access auth socket

2013-03-02 Thread Chris Richards
Thanks for the links: those were what I followed when I set things up.

The dovecot user is the $default_internal_user.

hermes conf.d # dovecot -n
# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.4.2-hardened-r1-bordernet x86_64 Gentoo Base System release 2.1 ext4
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@&
auth_verbose_passwords = plain
disable_plaintext_auth = no
login_greeting = Awaiting command...
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_plugins = " quota"
mail_privileged_group = 100
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  expire = Trash 7
  expire2 = Trash/* 7
  expire3 = Spam 7
  quota = maildir:User quota
  quota_rule = *:storage=200M
  quota_warning = storage=95%% quota-warning 95 %n %d
  quota_warning2 = storage=80%% quota-warning 80 %n %d
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /home/vmail/dovecot/sieve
  sieve_global_path = /home/vmail/dovecot/sieve/default.sieve
}
protocols = imap pop3 sieve
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
  }
  user = $default_internal_user
}
service quota-warning {
  executable = script /etc/dovecot/quota-warning.sh
  unix_listener quota-warning {
user = vmail
  }
  user = dovecot
}
ssl_cert = <
[...]

hermes conf.d # stat /usr/libexec/dovecot/deliver
  File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
  Size: 11  Blocks: 0  IO Block: 4096   symbolic link
Device: 805h/2053d  Inode: 267375  Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (0/root)   Gid: (0/root)
Access: 2012-11-24 17:44:04.440976879 +
Modify: 2012-11-24 17:44:04.440976879 +
Change: 2012-11-24 17:44:04.440976879 +
 Birth: -

hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
  File: '/usr/libexec/dovecot/dovecot-lda'
  Size: 22432   Blocks: 48 IO Block: 4096   regular file
Device: 805h/2053d  Inode: 849010  Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2012-11-24 17:43:57.124794021 +
Modify: 2012-11-24 17:44:02.204920992 +
Change: 2012-11-24 17:44:04.444976978 +
 Birth: -


Thanks in advance for your help.

Chris

On Sat, March 2, 2013 11:15 am, Daniel Parthey wrote:
> Chris Richards wrote:
>> I've got a dovecot server running version 2.0.19 on Gentoo Hardened.  I
>> have Postfix as my MTA, and it is calling the Dovecot LDA to deliver the
>> mail.  Everything is working great, mail is being delivered, and the
>> users are happy.
>>
>> However, I am noticing that I have random entries like this:
>>
>> Mar  1 20:19:23 hermes dovecot: lda: Error: userdb lookup:
>> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
>> (euid=97(dovecot) egid=97(dovecot) missing +r perm:
>> /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
>> Mar  1 20:19:23 hermes dovecot: lda: Fatal: Internal error occurred.
>> Refer to server log for more information.
>>
>> In Postfix master.cf, I have the following:
>> dovecot   unix -n   n   -   -   pipe
>>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f
>> ${sender} -d ${user}@${nexthop}
>>
>> Permissions on the socket are:
>> srw--- 1 vmail   vmail  0 Feb 24 23:43 auth-userdb
>>
>> Judging from the log, my problem is that the LDA appears to be trying to
>> access the socket as the dovecot user (rather than the vmail user), but
>> my question is why?  What logging can I use to tell me if postfix is
>> calling with the wrong permissions or if the lda is somehow getting
>> confused?
>
> Have a look at
> http://wiki2.dovecot.org/LDA
> http://wiki2.dovecot.org/LDA/Postfix
> Maybe there you will find some helpful hints.
>
> Is /usr/libexec/dovecot/deliver or /usr/libexec/dovecot/dovecot-lda
> somehow setuid or setgid and owner/group dovecot? Where does the
> effective user euid=97(dovecot) and effective group egid=97(dovecot)
> come from, is it somewhere in your dovecot config?
>
> Please show full output of
> # doveconf -n
> # stat /usr/libexec/dovecot/deliver
> # stat /usr/libexec/dovecot/dovecot-lda
>
> Regards
> Daniel




Re: [Dovecot] Random LDA failure to access auth socket

2013-03-02 Thread Daniel Parthey
Chris Richards wrote:
> I've got a dovecot server running version 2.0.19 on Gentoo Hardened.  I
> have Postfix as my MTA, and it is calling the Dovecot LDA to deliver the
> mail.  Everything is working great, mail is being delivered, and the users
> are happy.
> 
> However, I am noticing that I have random entries like this:
> 
> Mar  1 20:19:23 hermes dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=97(dovecot) egid=97(dovecot) missing +r perm:
> /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
> Mar  1 20:19:23 hermes dovecot: lda: Fatal: Internal error occurred. Refer
> to server log for more information.
> 
> In Postfix master.cf, I have the following:
> dovecot   unix -n   n   -   -   pipe
>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f
> ${sender} -d ${user}@${nexthop}
> 
> Permissions on the socket are:
> srw--- 1 vmail   vmail  0 Feb 24 23:43 auth-userdb
> 
> Judging from the log, my problem is that the LDA appears to be trying to
> access the socket as the dovecot user (rather than the vmail user), but my
> question is why?  What logging can I use to tell me if postfix is calling
> with the wrong permissions or if the lda is somehow getting confused?

Have a look at
http://wiki2.dovecot.org/LDA
http://wiki2.dovecot.org/LDA/Postfix
Maybe there you will find some helpful hints.

Is /usr/libexec/dovecot/deliver or /usr/libexec/dovecot/dovecot-lda
somehow setuid or setgid and owner/group dovecot? Where does the
effective user euid=97(dovecot) and effective group egid=97(dovecot)
come from, is it somewhere in your dovecot config?

Please show full output of
# doveconf -n
# stat /usr/libexec/dovecot/deliver
# stat /usr/libexec/dovecot/dovecot-lda

Regards
Daniel
-- 
https://plus.google.com/103021802792276734820