Solved

dovecot userdb authentication

Posted on 2013-05-28
1
1,026 Views
Last Modified: 2013-06-23
Hi

I have a remaining issue with a mail server setup.

Composed of Postfix and Dovecote it is is a 'local' mail server
At first I relied upon Mysql to store the various parameters, and then switched to a flat file approach

I also initially set the server up to handle virtual users, but then I realized that it was destined to manage local system accounts only. So I reconfigured it accordingly

Relying on system accounts for authentication means that the domain name component is absent from the username (as opposed to virtual user identifiers)

This caused me some difficulty at first with roundcube, but I was able to get around it through a manual adjustment in Mysql

The remaining aspect that isn't working is the delivery of emails.

The entry in master.cf for dovecot looks looks this:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${recipient}

The problem is that the recipient equates to the users email address, which can't in fact be used for authentication purposes with system accounts.

I then tried replacing recipient with user:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${user}

There seems to be a rights issue because I get the following error:

dovecot Fatal: setgid(100(users)) failed with euid=8(mail), gid=8(mail), egid=8(mail): Operation not permitted

Any ideas ?

thanks

yann
0
Comment
Question by:Yann Shukor
1 Comment
 

Accepted Solution

by:
Yann Shukor earned 0 total points
ID: 39203994
Here is the response I obtained from Ben Morrow, courtesy of the Dovecot support mailing list:

At 10PM +0200 on 28/05/13 you (Yann Shukor) wrote:
>
> The remaining aspect that isn't working is the delivery of emails.
>
> The entry in master.cf for dovecot looks looks this:
>
> dovecot   unix  -       n       n       -       -       pipe
>      flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deli
> ver -d ${recipient}

[Just like someone who was posting a little while ago, your Dovecot
binaries are under /usr/lib. This is very weird: they should really be
under /usr/libexec...]


> The problem is that the recipient equates to the users email address,
> which can't in fact be used for authentication purposes with system
> accounts.

You can get around this problem with auth_username_format on the Dovecot
side. On my system I have

    auth_username_format = %Lu

which instructs Dovecot to look up users by the lowercased username part
only. It's also best, when passing a recipient address to the LDA, to
use -a rather than -d, since this will also strip off any +extension to
the username (assuming you've configured Postfix and Dovecot to use the
same extension character), while making it available to Sieve scripts
later on.

> I then tried replacing recipient with user:
>
> dovecot   unix  -       n       n       -       -       pipe
>      flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${user}
>
> There seems to be a rights issue because I get the following error:
>
> dovecot Fatal: setgid(100(users)) failed with euid=8(mail), gid=8(mail),
> egid=8(mail): Operation not permitted

Think a bit about what's going on here. Postfix is running deliver as
user 'mail', and you're passing the -d argument, so deliver looks up
that user in the userdb and tries to setuid and setgid to the uid and
gid for that user. Since 'mail' is neither the target u/gid nor root, it
is not allowed to do that.

There are three basic strategies here. The first, and in some ways the
simplest, is to forget you're using 'system users' and store all the
mails under the 'mail' userid. This means you need to configure Dovecot
just as you had for virtual users: in particular, the Dovecot userdb
should return mail's u/gid for all users, and each user needs a 'Dovecot
home directory' owned by 'mail'. (You can easily do this with the
'static' userdb, just as you would have for virtual users.)

The advantage here is the simplicity. The disadvantages are: first, that
users logged in to the mail server can't access their own mail spool
directly but have to go through IMAP (probably not important, but this
was the historical reason for doing deliveries as the delivered-to
user); second, that if you have any OS-level filesystem quotas set up a
user's mail will be counted against mail's quota rather than their own;
and third, that there is a small chance a user might find some way to
break Dovecot's 'imap' process and use it to read or modify other
people's mail.

The second, which is what I currently do, is to use Postfix's local(8)
delivery agent, which runs as root and setuids down to the delivered-to
user's uid before doing final delivery. You can get local(8) to deliver
through Dovecot by setting Postfix's mailbox_command parameter: the
important thing here is that when the LDA is invoked it already has the
correct u/gid. With this method you keep the other features of local(8),
like /etc/aliases and .forward files; this may be an advantage or a
disadvantage depending on your setup.

The third is to have the Dovcot delivery process running as root, so it
can successfully setuid down to the user's credentials itself. Probably
the easiest way to do this is to use the LMTP server (and Postfix's
lmtp(8) transport rather than a dedicated Dovecot master.cf entry),
though I would expect that if you simply changed that LDA entry to
'user=root:wheel' that the LDA would correctly setuid down to the user's
credentials before doing any deliveries. This is what I would recommend
for a new installation; the only reason I don't do this is because I
upgraded from 1.2, which didn't have LMTP, and I haven't got round to
migrating yet.

> # 1.2.15: /etc/dovecot/dovecot.conf

Oh Lord, you're still using 1.2... Don't do that. Use the latest 2.1.
You can get Debian packages from
http://wiki2.dovecot.org/PrebuiltBinaries .

Ben
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Microsoft has released various new features which are capable of handling various tasks. One of these tasks is ‘Migration from pop3 to Exchange Server’. Pop3 data stores various data along mailboxes like contacts, tasks, etc. So, it becomes the need…
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question