Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1125
  • Last Modified:

dovecot userdb authentication

Hi

I have a remaining issue with a mail server setup.

Composed of Postfix and Dovecote it is is a 'local' mail server
At first I relied upon Mysql to store the various parameters, and then switched to a flat file approach

I also initially set the server up to handle virtual users, but then I realized that it was destined to manage local system accounts only. So I reconfigured it accordingly

Relying on system accounts for authentication means that the domain name component is absent from the username (as opposed to virtual user identifiers)

This caused me some difficulty at first with roundcube, but I was able to get around it through a manual adjustment in Mysql

The remaining aspect that isn't working is the delivery of emails.

The entry in master.cf for dovecot looks looks this:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${recipient}

The problem is that the recipient equates to the users email address, which can't in fact be used for authentication purposes with system accounts.

I then tried replacing recipient with user:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${user}

There seems to be a rights issue because I get the following error:

dovecot Fatal: setgid(100(users)) failed with euid=8(mail), gid=8(mail), egid=8(mail): Operation not permitted

Any ideas ?

thanks

yann
0
Yann Shukor
Asked:
Yann Shukor
1 Solution
 
Yann ShukorAuthor Commented:
Here is the response I obtained from Ben Morrow, courtesy of the Dovecot support mailing list:

At 10PM +0200 on 28/05/13 you (Yann Shukor) wrote:
>
> The remaining aspect that isn't working is the delivery of emails.
>
> The entry in master.cf for dovecot looks looks this:
>
> dovecot   unix  -       n       n       -       -       pipe
>      flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deli
> ver -d ${recipient}

[Just like someone who was posting a little while ago, your Dovecot
binaries are under /usr/lib. This is very weird: they should really be
under /usr/libexec...]


> The problem is that the recipient equates to the users email address,
> which can't in fact be used for authentication purposes with system
> accounts.

You can get around this problem with auth_username_format on the Dovecot
side. On my system I have

    auth_username_format = %Lu

which instructs Dovecot to look up users by the lowercased username part
only. It's also best, when passing a recipient address to the LDA, to
use -a rather than -d, since this will also strip off any +extension to
the username (assuming you've configured Postfix and Dovecot to use the
same extension character), while making it available to Sieve scripts
later on.

> I then tried replacing recipient with user:
>
> dovecot   unix  -       n       n       -       -       pipe
>      flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${user}
>
> There seems to be a rights issue because I get the following error:
>
> dovecot Fatal: setgid(100(users)) failed with euid=8(mail), gid=8(mail),
> egid=8(mail): Operation not permitted

Think a bit about what's going on here. Postfix is running deliver as
user 'mail', and you're passing the -d argument, so deliver looks up
that user in the userdb and tries to setuid and setgid to the uid and
gid for that user. Since 'mail' is neither the target u/gid nor root, it
is not allowed to do that.

There are three basic strategies here. The first, and in some ways the
simplest, is to forget you're using 'system users' and store all the
mails under the 'mail' userid. This means you need to configure Dovecot
just as you had for virtual users: in particular, the Dovecot userdb
should return mail's u/gid for all users, and each user needs a 'Dovecot
home directory' owned by 'mail'. (You can easily do this with the
'static' userdb, just as you would have for virtual users.)

The advantage here is the simplicity. The disadvantages are: first, that
users logged in to the mail server can't access their own mail spool
directly but have to go through IMAP (probably not important, but this
was the historical reason for doing deliveries as the delivered-to
user); second, that if you have any OS-level filesystem quotas set up a
user's mail will be counted against mail's quota rather than their own;
and third, that there is a small chance a user might find some way to
break Dovecot's 'imap' process and use it to read or modify other
people's mail.

The second, which is what I currently do, is to use Postfix's local(8)
delivery agent, which runs as root and setuids down to the delivered-to
user's uid before doing final delivery. You can get local(8) to deliver
through Dovecot by setting Postfix's mailbox_command parameter: the
important thing here is that when the LDA is invoked it already has the
correct u/gid. With this method you keep the other features of local(8),
like /etc/aliases and .forward files; this may be an advantage or a
disadvantage depending on your setup.

The third is to have the Dovcot delivery process running as root, so it
can successfully setuid down to the user's credentials itself. Probably
the easiest way to do this is to use the LMTP server (and Postfix's
lmtp(8) transport rather than a dedicated Dovecot master.cf entry),
though I would expect that if you simply changed that LDA entry to
'user=root:wheel' that the LDA would correctly setuid down to the user's
credentials before doing any deliveries. This is what I would recommend
for a new installation; the only reason I don't do this is because I
upgraded from 1.2, which didn't have LMTP, and I haven't got round to
migrating yet.

> # 1.2.15: /etc/dovecot/dovecot.conf

Oh Lord, you're still using 1.2... Don't do that. Use the latest 2.1.
You can get Debian packages from
http://wiki2.dovecot.org/PrebuiltBinaries .

Ben
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now