Re: doveadm: Error: open(/proc/self/io) failed

2019-08-05 Thread Aki Tuomi via dovecot


On 6.8.2019 4.20, Tom Diehl via dovecot wrote:
> On Thu, 1 Aug 2019, Timo Sirainen via dovecot wrote:
>
>> On 31 Jul 2019, at 20.45, A. Schulze via dovecot wrote:
>>>
>>> On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
>>>> service lmtp {
>>>> user = vmail
>>>> }
>>>>
>>>> please remove user = vmail from here or change it to root.
>>>>
>>>> for security reasons lmtp service must be started as root since
>>>> version 2.2.36. lmtp will drop root privileges after initialization
>>>> but it needs to open /proc/self/io as root before that.
>>>
>>> Hello Sami,
>>>
>>> I don't read "root is required for lmtp" in
>>> https://wiki.dovecot.org/LMTP#Security neither does
>>> https://dovecot.org/doc/NEWS-2.2 say so.
>>> Could you prove that statement somehow?
>>
>>
>> Alternative is:
>>
>> service lmtp {
>>  user = vmail
>>  drop_priv_before_exec = yes
>> }
>>
>> I'm not sure if you run into other problems with that.
>
> OK, so now I am confused. At https://wiki.dovecot.org/LMTP#Security it says
> "If you're using only a single global UID/GID, you can improve security by
> running lmtp processes as that user"
>
> So, if I am using a single UID/GID, then is the above wiki article correct or
> do I need to change my config?
>
> Regards,
>
This file is used for stats gathering, so if you are not using stats,
it's not a huge problem. You can probably also use

import_environment = PR_SET_DUMPABLE=1

to get rid of the warning. Although this makes your process less secure
as it can be ptrace'd.

Aki
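
The kernel behaviour behind this whole thread, as an added C example that is not Dovecot's code and comes from none of the posters. It assumes Linux with glibc; the function names probe_proc_self_io, probe_after_privilege_drop and probe_after_set_dumpable are the example's own. A process that switches to another uid stops being "dumpable", and from then on the kernel reports every /proc/self/* entry as owned by root, so a later open() of the 0400 file /proc/self/io fails with EACCES for anyone but root. An fd opened before the drop keeps working, and prctl(PR_SET_DUMPABLE, 1), which is what the import_environment setting above makes a Dovecot process call after dropping privileges, reverses the ownership change but also allows ptrace by any process running as the same uid.

```c
/* Added example, not Dovecot code.  Linux/glibc only.
 *
 * /proc/self/io is mode 0400.  Its owner is the process owner only while the
 * process is "dumpable"; a successful setuid()/setgid() to another id clears
 * that flag and the kernel then reports all /proc/self/* entries as root's.
 * A service that starts as root, drops to vmail and only afterwards opens
 * /proc/self/io therefore gets EACCES.  An fd opened before the drop keeps
 * working, and prctl(PR_SET_DUMPABLE, 1) reverses the ownership change, at
 * the price of making the process ptrace-able by same-uid processes again. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct io_probe {
    int dumpable;   /* PR_GET_DUMPABLE result */
    uid_t owner;    /* st_uid of /proc/self/io, (uid_t)-1 if stat() failed */
    int readable;   /* 1 if a fresh open(O_RDONLY) succeeded */
    int err;        /* errno of that open(), 0 on success */
};

/* Snapshot how /proc/self/io looks to the calling process right now. */
static struct io_probe probe_proc_self_io(void)
{
    struct io_probe p;
    struct stat st;
    int fd;

    p.dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    p.owner = stat("/proc/self/io", &st) == 0 ? st.st_uid : (uid_t)-1;
    fd = open("/proc/self/io", O_RDONLY | O_CLOEXEC);
    p.readable = fd >= 0;
    p.err = fd >= 0 ? 0 : errno;
    if (fd >= 0)
        close(fd);
    return p;
}

/* Clear the dumpable flag by hand.  This is the side effect a real
 * root-to-vmail setuid() has on /proc, reproducible by an unprivileged user. */
static struct io_probe probe_after_privilege_drop(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
        perror("prctl(PR_SET_DUMPABLE, 0)");
    return probe_proc_self_io();
}

/* What a Dovecot process does after the drop when PR_SET_DUMPABLE=1 is in its
 * environment.  Core dumps and ptrace by same-uid processes work again. */
static struct io_probe probe_after_set_dumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)
        perror("prctl(PR_SET_DUMPABLE, 1)");
    return probe_proc_self_io();
}

static void show(const char *label, struct io_probe p)
{
    printf("%-26s dumpable=%d owner=%d open=%s\n", label, p.dumpable,
           (int)p.owner, p.readable ? "ok" : strerror(p.err));
}

/* As an ordinary user: prints the three states.  As root with a uid argument:
 * performs a real privilege drop and shows that the fd opened while still root
 * survives it while a new open() does not. */
int main(int argc, char **argv)
{
    show("at start", probe_proc_self_io());

    if (argc > 1 && geteuid() == 0) {
        uid_t target = (uid_t)strtoul(argv[1], NULL, 10);
        int early_fd = open("/proc/self/io", O_RDONLY | O_CLOEXEC); /* still root */
        char buf[256];
        if (setgroups(0, NULL) < 0 || setgid((gid_t)target) < 0 || setuid(target) < 0) {
            perror("drop privileges");
            return 1;
        }
        show("after setuid()", probe_proc_self_io());
        printf("read via early fd: %zd bytes\n", pread(early_fd, buf, sizeof buf, 0));
        close(early_fd);
    } else {
        show("after PR_SET_DUMPABLE=0", probe_after_privilege_drop());
    }
    show("after PR_SET_DUMPABLE=1", probe_after_set_dumpable());
    return 0;
}
```

Run it as an ordinary user to watch the flag being cleared and restored; run it as root with a uid argument (2000, the mail_uid from this thread, for instance) to see a real setuid() drop. The three remedies discussed on the list correspond to the three states: according to Sami's reply, 2.2.36 opens the file while still root and keeps that fd; drop_priv_before_exec = yes has the master change uid before execve(), and execve() of an ordinary binary turns the dumpable flag back on when real and effective ids match, so the service process never loses access; PR_SET_DUMPABLE=1 restores access after the fact at the cost Aki describes.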



Re: doveadm: Error: open(/proc/self/io) failed

2019-08-05 Thread Tom Diehl via dovecot

On Thu, 1 Aug 2019, Timo Sirainen via dovecot wrote:

> On 31 Jul 2019, at 20.45, A. Schulze via dovecot wrote:
>
>> On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
>>
>>> service lmtp {
>>> user = vmail
>>> }
>>>
>>> please remove user = vmail from here or change it to root.
>>>
>>> for security reasons lmtp service must be started as root since version 2.2.36.
>>> lmtp will drop root privileges after initialization but it needs to open
>>> /proc/self/io as root before that.
>>
>> Hello Sami,
>>
>> I don't read "root is required for lmtp" in
>> https://wiki.dovecot.org/LMTP#Security neither does https://dovecot.org/doc/NEWS-2.2 say
>> so.
>> Could you prove that statement somehow?
>
> Alternative is:
>
> service lmtp {
>   user = vmail
>   drop_priv_before_exec = yes
> }
>
> I'm not sure if you run into other problems with that.


OK, so now I am confused. At https://wiki.dovecot.org/LMTP#Security it says
"If you're using only a single global UID/GID, you can improve security by
running lmtp processes as that user"

So, if I am using a single UID/GID, then is the above wiki article correct or
do I need to change my config?

Regards,

--
Tom m...@tdiehl.org


Re: Solved Re: doveadm: Error: open(/proc/self/io) failed

2019-08-01 Thread Sami Ketola via dovecot



> On 1 Aug 2019, at 1.51, Tom Diehl via dovecot wrote:
> 
> Actually the above works OK but you gave me the clue I needed to
> find the actual problem. I looked at the log message again and
> realized that it says doveadm is having problems.
> Something like this:
> Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: 
> Permission denied
> 
> So I took your advice and found that I had the following in my dsync
> config:
> service doveadm {
>  inet_listener {
>port = 2525
>  }
>  user = vmail
> }
> 
> Removing the user = vmail above fixed the problem.

Yes, I forgot to mention that the same thing applies to doveadm too.

Sami



Re: doveadm: Error: open(/proc/self/io) failed

2019-08-01 Thread Timo Sirainen via dovecot
On 31 Jul 2019, at 20.45, A. Schulze via dovecot wrote:
> 
> On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
>> service lmtp {
>> user = vmail
>> }
>> 
>> please remove user = vmail from here or change it to root.
>> 
>> for security reasons lmtp service must be started as root since version 
>> 2.2.36. lmtp will drop root privileges after initialisation but it needs to 
>> open /proc/self/io as root before that.
> 
> Hello Sami,
> 
> I don't read "root is required for lmtp" in 
> https://wiki.dovecot.org/LMTP#Security neither does 
> https://dovecot.org/doc/NEWS-2.2 say so.
> Could you prove that statement somehow?


Alternative is:

service lmtp {
  user = vmail
  drop_priv_before_exec = yes
}

I'm not sure if you run into other problems with that.



Solved Re: doveadm: Error: open(/proc/self/io) failed

2019-07-31 Thread Tom Diehl via dovecot

Hi Sami,

Thanks, for taking the time to look at this.

For the archives, the resolution is in line below.

On Wed, 31 Jul 2019, Sami Ketola wrote:

> On 30 Jul 2019, at 22.53, Tom Diehl via dovecot wrote:
>
>> On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:
>>
>>> On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
>>>
>>>> Does anyone have an idea how to fix this?
>>>
>>> Perhaps see if there are any denials in SELinux audit log:
>>
>> SELinux is in permissive.
>>
>> If I do:
>> (vmail1 pts9) # ll /proc/self/io
>> -r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
>> (vmail1 pts9) #
>>
>> It is obvious to me why I get permission denied. The problem is you
>> cannot chmod on /proc. I suspect I have something mis-configured but
>> the question is what?
>
> service lmtp {
>   executable = lmtp -L
>   inet_listener lmtp {
>     address = 127.0.0.1
>     port = 24
>   }
>   process_min_avail = 5
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
>   user = vmail
> }
>
> please remove user = vmail from here or change it to root.


Actually the above works OK but you gave me the clue I needed to
find the actual problem. I looked at the log message again and
realized that it says doveadm is having problems.
Something like this:
Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: 
Permission denied

So I took your advice and found that I had the following in my dsync
config:
service doveadm {
  inet_listener {
port = 2525
  }
  user = vmail
}

Removing the user = vmail above fixed the problem.

Thanks again.

Regards,

--
Tom m...@tdiehl.org


Re: doveadm: Error: open(/proc/self/io) failed

2019-07-31 Thread A. Schulze via dovecot



On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
> service lmtp {
>  user = vmail
> }
> 
> please remove user = vmail from here or change it to root.
> 
> for security reasons lmtp service must be started as root since version 
> 2.2.36. lmtp will drop root privileges after initialisation but it needs to 
> open /proc/self/io as root before that.

Hello Sami,

I don't read "root is required for lmtp" in 
https://wiki.dovecot.org/LMTP#Security neither does 
https://dovecot.org/doc/NEWS-2.2 say so.
Could you prove that statement somehow?

Andreas


Re: doveadm: Error: open(/proc/self/io) failed

2019-07-31 Thread Sami Ketola via dovecot



> On 30 Jul 2019, at 22.53, Tom Diehl via dovecot wrote:
> 
> On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:
> 
>> On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
>>> 
>>> Does anyone have an idea how to fix this?
>> 
>> Perhaps see if there are any denials in SELinux audit log:
> 
> SELinux is in permissive.
> 
> If I do:
> (vmail1 pts9) # ll /proc/self/io
> -r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
> (vmail1 pts9) #
> 
> It is obvious to me why I get permission denied. The problem is you
> cannot chmod on /proc. I suspect I have something mis-configured but
> the question is what?

> service lmtp {
>   executable = lmtp -L
>   inet_listener lmtp {
>     address = 127.0.0.1
>     port = 24
>   }
>   process_min_avail = 5
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
>   user = vmail
> }

please remove user = vmail from here or change it to root.

for security reasons lmtp service must be started as root since version 2.2.36. 
lmtp will drop root privileges after initialisation but it needs to open 
/proc/self/io as root before that.

Sami



Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Tom Diehl via dovecot

On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:

> On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
>
>> Does anyone have an idea how to fix this?
>
> Perhaps see if there are any denials in SELinux audit log:

SELinux is in permissive.

If I do:
(vmail1 pts9) # ll /proc/self/io
-r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
(vmail1 pts9) #

It is obvious to me why I get permission denied. The problem is you
cannot chmod on /proc. I suspect I have something mis-configured but
the question is what?

Regards,

--
Tom m...@tdiehl.org


Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Alexander Dalloz via dovecot

On 30.07.2019 at 20:12, Alexander Dalloz via dovecot wrote:

aausearch -m avc -c dovecot | audit2why


sorry, "ausearch" is the proper command



Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Alexander Dalloz via dovecot

On 30.07.2019 at 19:33, Reio Remma via dovecot wrote:

> On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
>
>> Does anyone have an idea how to fix this?
>>
>> Regards,
>
> Perhaps see if there are any denials in SELinux audit log:
>
> sudo grep denied /var/log/audit/audit.log | grep dovecot | audit2allow -a
>
> Good luck,
> Reio



The proper search for dovecot AVCs would be:

aausearch -m avc -c dovecot | audit2why

audit2allow is not that helpful in the first approach.

Alexander



Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Reio Remma via dovecot

On 30.07.2019 20:07, Tom Diehl via dovecot wrote:

> Does anyone have an idea how to fix this?
>
> Regards,



Perhaps see if there are any denials in SELinux audit log:

sudo grep denied /var/log/audit/audit.log | grep dovecot | audit2allow -a

Good luck,
Reio


Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Tom Diehl via dovecot



Does anyone have an idea how to fix this?

Regards,

--
Tom m...@tdiehl.org

On Mon, 22 Jul 2019, Tom Diehl via dovecot wrote:

> [...]

doveadm: Error: open(/proc/self/io) failed

2019-07-22 Thread Tom Diehl via dovecot

Hi,

I am running dovecot-2.2.36-3.el7.x86_64 on a Centos 7 machine. I keep seeing
the following errors in the dovecot.log:
Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: 
Permission denied

Dovecot -n is listed below:
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 3.10.0-957.21.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) 
# Hostname: vmail2.kmg.mydomain.com

auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, %$
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
doveadm_password =  # hidden, use -P to show it
doveadm_port = 2525
first_valid_uid = 2000
last_valid_uid = 2000
mail_gid = 2000
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
mail_plugins = quota mailbox_alias acl mail_log notify stats replication
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace {
  inbox = yes
  location =
  mailbox Archive {
auto = no
special_use = \Archive
  }
  mailbox Archives {
auto = no
special_use = \Archive
  }
  mailbox "Deleted Messages" {
auto = no
special_use = \Trash
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Junk {
auto = subscribe
special_use = \Junk
  }
  mailbox "Junk E-mail" {
auto = no
special_use = \Junk
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox "Sent Items" {
auto = no
special_use = \Sent
  }
  mailbox "Sent Messages" {
auto = no
special_use = \Sent
  }
  mailbox Spam {
auto = no
special_use = \Junk
  }
  mailbox Trash {
auto = subscribe
special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-master-users
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 50
  imapsieve_mailbox1_before = file:/usr/lib64/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/usr/lib64/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size from subject
  mail_replica = tcp:vmail1.kmg.mydomain.com
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  quota = dict:user::proxy::quotadict
  quota_grace = 10%%
  quota_warning = storage=100%% quota-warning 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  sieve = ~/sieve/dovecot.sieve
  sieve_before = /var/vmail/sieve/dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_max_redirects = 30
  sieve_pipe_bin_dir = /usr/lib64/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_send_from_recipient = yes
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
protocols = pop3 imap sieve lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
user = vmail
  }
  unix_listener replication-notify {
user = vmail
  }
}
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-master {
group = vmail
mode = 0666
user = vmail
  }
  unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
  }
}
service config {
  unix_listener config {
user = vmail
  }
}
service dict {
  unix_listener dict {
group = vmail
mode = 0660
user = vmail
  }
}
service doveadm {
  inet_listener {
port = 2525
  }
  user = vmail
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
address = 127.0.0.1
port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 06