Solved

dovecot userdb authentication

Posted on 2013-05-28
1
989 Views
Last Modified: 2013-06-23
Hi

I have a remaining issue with a mail server setup.

Composed of Postfix and Dovecote it is is a 'local' mail server
At first I relied upon Mysql to store the various parameters, and then switched to a flat file approach

I also initially set the server up to handle virtual users, but then I realized that it was destined to manage local system accounts only. So I reconfigured it accordingly

Relying on system accounts for authentication means that the domain name component is absent from the username (as opposed to virtual user identifiers)

This caused me some difficulty at first with roundcube, but I was able to get around it through a manual adjustment in Mysql

The remaining aspect that isn't working is the delivery of emails.

The entry in master.cf for dovecot looks looks this:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${recipient}

The problem is that the recipient equates to the users email address, which can't in fact be used for authentication purposes with system accounts.

I then tried replacing recipient with user:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${user}

There seems to be a rights issue because I get the following error:

dovecot Fatal: setgid(100(users)) failed with euid=8(mail), gid=8(mail), egid=8(mail): Operation not permitted

Any ideas ?

thanks

yann
0
Comment
Question by:Yann Shukor
1 Comment
 

Accepted Solution

by:
Yann Shukor earned 0 total points
Comment Utility
Here is the response I obtained from Ben Morrow, courtesy of the Dovecot support mailing list:

At 10PM +0200 on 28/05/13 you (Yann Shukor) wrote:
>
> The remaining aspect that isn't working is the delivery of emails.
>
> The entry in master.cf for dovecot looks looks this:
>
> dovecot   unix  -       n       n       -       -       pipe
>      flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deli
> ver -d ${recipient}

[Just like someone who was posting a little while ago, your Dovecot
binaries are under /usr/lib. This is very weird: they should really be
under /usr/libexec...]


> The problem is that the recipient equates to the users email address,
> which can't in fact be used for authentication purposes with system
> accounts.

You can get around this problem with auth_username_format on the Dovecot
side. On my system I have

    auth_username_format = %Lu

which instructs Dovecot to look up users by the lowercased username part
only. It's also best, when passing a recipient address to the LDA, to
use -a rather than -d, since this will also strip off any +extension to
the username (assuming you've configured Postfix and Dovecot to use the
same extension character), while making it available to Sieve scripts
later on.

> I then tried replacing recipient with user:
>
> dovecot   unix  -       n       n       -       -       pipe
>      flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${user}
>
> There seems to be a rights issue because I get the following error:
>
> dovecot Fatal: setgid(100(users)) failed with euid=8(mail), gid=8(mail),
> egid=8(mail): Operation not permitted

Think a bit about what's going on here. Postfix is running deliver as
user 'mail', and you're passing the -d argument, so deliver looks up
that user in the userdb and tries to setuid and setgid to the uid and
gid for that user. Since 'mail' is neither the target u/gid nor root, it
is not allowed to do that.

There are three basic strategies here. The first, and in some ways the
simplest, is to forget you're using 'system users' and store all the
mails under the 'mail' userid. This means you need to configure Dovecot
just as you had for virtual users: in particular, the Dovecot userdb
should return mail's u/gid for all users, and each user needs a 'Dovecot
home directory' owned by 'mail'. (You can easily do this with the
'static' userdb, just as you would have for virtual users.)

The advantage here is the simplicity. The disadvantages are: first, that
users logged in to the mail server can't access their own mail spool
directly but have to go through IMAP (probably not important, but this
was the historical reason for doing deliveries as the delivered-to
user); second, that if you have any OS-level filesystem quotas set up a
user's mail will be counted against mail's quota rather than their own;
and third, that there is a small chance a user might find some way to
break Dovecot's 'imap' process and use it to read or modify other
people's mail.

The second, which is what I currently do, is to use Postfix's local(8)
delivery agent, which runs as root and setuids down to the delivered-to
user's uid before doing final delivery. You can get local(8) to deliver
through Dovecot by setting Postfix's mailbox_command parameter: the
important thing here is that when the LDA is invoked it already has the
correct u/gid. With this method you keep the other features of local(8),
like /etc/aliases and .forward files; this may be an advantage or a
disadvantage depending on your setup.

The third is to have the Dovcot delivery process running as root, so it
can successfully setuid down to the user's credentials itself. Probably
the easiest way to do this is to use the LMTP server (and Postfix's
lmtp(8) transport rather than a dedicated Dovecot master.cf entry),
though I would expect that if you simply changed that LDA entry to
'user=root:wheel' that the LDA would correctly setuid down to the user's
credentials before doing any deliveries. This is what I would recommend
for a new installation; the only reason I don't do this is because I
upgraded from 1.2, which didn't have LMTP, and I haven't got round to
migrating yet.

> # 1.2.15: /etc/dovecot/dovecot.conf

Oh Lord, you're still using 1.2... Don't do that. Use the latest 2.1.
You can get Debian packages from
http://wiki2.dovecot.org/PrebuiltBinaries .

Ben
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now