Solved

dovecot userdb authentication

Posted on 2013-05-28
1,090 Views
Last Modified: 2013-06-23
Hi

I have a remaining issue with a mail server setup.

Composed of Postfix and Dovecot, it is a 'local' mail server.
At first I relied upon MySQL to store the various parameters, and then switched to a flat file approach.

I also initially set the server up to handle virtual users, but then I realized that it was destined to manage local system accounts only. So I reconfigured it accordingly

Relying on system accounts for authentication means that the domain name component is absent from the username (as opposed to virtual user identifiers)

This caused me some difficulty at first with roundcube, but I was able to get around it through a manual adjustment in MySQL.

The remaining aspect that isn't working is the delivery of emails.

The entry in master.cf for dovecot looks like this:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${recipient}

The problem is that the recipient equates to the user's email address, which can't in fact be used for authentication purposes with system accounts.

I then tried replacing recipient with user:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${user}

There seems to be a rights issue because I get the following error:

dovecot Fatal: setgid(100(users)) failed with euid=8(mail), gid=8(mail), egid=8(mail): Operation not permitted

Any ideas?

thanks

yann
Question by: Yann Shukor
1 Comment
 

Accepted Solution

by: Yann Shukor (earned 0 total points)
ID: 39203994
Here is the response I obtained from Ben Morrow, courtesy of the Dovecot support mailing list:

At 10PM +0200 on 28/05/13 you (Yann Shukor) wrote:
>
> The remaining aspect that isn't working is the delivery of emails.
>
> The entry in master.cf for dovecot looks like this:
>
> dovecot   unix  -       n       n       -       -       pipe
>      flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${recipient}

[Just like someone who was posting a little while ago, your Dovecot
binaries are under /usr/lib. This is very weird: they should really be
under /usr/libexec...]


> The problem is that the recipient equates to the user's email address,
> which can't in fact be used for authentication purposes with system
> accounts.

You can get around this problem with auth_username_format on the Dovecot
side. On my system I have

    auth_username_format = %Lu

which instructs Dovecot to look up users by the lowercased username part
only. It's also best, when passing a recipient address to the LDA, to
use -a rather than -d, since this will also strip off any +extension to
the username (assuming you've configured Postfix and Dovecot to use the
same extension character), while making it available to Sieve scripts
later on.

> I then tried replacing recipient with user:
>
> dovecot   unix  -       n       n       -       -       pipe
>      flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -d ${user}
>
> There seems to be a rights issue because I get the following error:
>
> dovecot Fatal: setgid(100(users)) failed with euid=8(mail), gid=8(mail),
> egid=8(mail): Operation not permitted

Think a bit about what's going on here. Postfix is running deliver as
user 'mail', and you're passing the -d argument, so deliver looks up
that user in the userdb and tries to setuid and setgid to the uid and
gid for that user. Since 'mail' is neither the target u/gid nor root, it
is not allowed to do that.

There are three basic strategies here. The first, and in some ways the
simplest, is to forget you're using 'system users' and store all the
mails under the 'mail' userid. This means you need to configure Dovecot
just as you had for virtual users: in particular, the Dovecot userdb
should return mail's u/gid for all users, and each user needs a 'Dovecot
home directory' owned by 'mail'. (You can easily do this with the
'static' userdb, just as you would have for virtual users.)

The advantage here is the simplicity. The disadvantages are: first, that
users logged in to the mail server can't access their own mail spool
directly but have to go through IMAP (probably not important, but this
was the historical reason for doing deliveries as the delivered-to
user); second, that if you have any OS-level filesystem quotas set up a
user's mail will be counted against mail's quota rather than their own;
and third, that there is a small chance a user might find some way to
break Dovecot's 'imap' process and use it to read or modify other
people's mail.

The second, which is what I currently do, is to use Postfix's local(8)
delivery agent, which runs as root and setuids down to the delivered-to
user's uid before doing final delivery. You can get local(8) to deliver
through Dovecot by setting Postfix's mailbox_command parameter: the
important thing here is that when the LDA is invoked it already has the
correct u/gid. With this method you keep the other features of local(8),
like /etc/aliases and .forward files; this may be an advantage or a
disadvantage depending on your setup.

The third is to have the Dovecot delivery process running as root, so it
can successfully setuid down to the user's credentials itself. Probably
the easiest way to do this is to use the LMTP server (and Postfix's
lmtp(8) transport rather than a dedicated Dovecot master.cf entry),
though I would expect that if you simply changed that LDA entry to
'user=root:wheel' that the LDA would correctly setuid down to the user's
credentials before doing any deliveries. This is what I would recommend
for a new installation; the only reason I don't do this is because I
upgraded from 1.2, which didn't have LMTP, and I haven't got round to
migrating yet.

> # 1.2.15: /etc/dovecot/dovecot.conf

Oh Lord, you're still using 1.2... Don't do that. Use the latest 2.1.
You can get Debian packages from
http://wiki2.dovecot.org/PrebuiltBinaries .

Ben
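The three strategies from Ben's reply, written out as configuration. This is an added example, not part of the question or the mailing-list reply; it uses Dovecot 2.x syntax, the binary and socket paths are assumed, and `%Ln` is used for `auth_username_format` because `%n` selects the local part of the address (what a system-account lookup needs) while `%u` would keep the domain. Strategies 2 and 3 are alternatives: use one `main.cf` setting, not both.

```conf
# --- /etc/dovecot/dovecot.conf : common to all strategies ---
# Authenticate and look up users against the system accounts.
passdb {
  driver = pam
}
userdb {
  driver = passwd
}
# Postfix passes the LDA "yann@example.org"; %n keeps only the local part and
# %L lowercases it, so the lookup resolves to the system account "yann".
auth_username_format = %Ln
# Same extension separator as Postfix, so "-a" can strip "+folder" from the
# address and still make it available to Sieve.
recipient_delimiter = +

# --- strategy 1 : everything owned by 'mail' (replaces the userdb block) ---
# userdb {
#   driver = static
#   args = uid=mail gid=mail home=/var/mail/%u
# }

# --- strategy 2 : Postfix local(8) invokes the LDA, /etc/postfix/main.cf ---
# local(8) runs as root and drops to the recipient's uid/gid *before* running
# mailbox_command, so deliver never has to setuid/setgid itself. $SENDER and
# $RECIPIENT are exported by local(8); /etc/aliases and ~/.forward stay active.
recipient_delimiter = +
mailbox_command = /usr/lib/dovecot/deliver -f "$SENDER" -a "$RECIPIENT"

# --- strategy 3 : Dovecot LMTP, recommended for a new installation ---
# /etc/postfix/main.cf: route local mailboxes to Dovecot's LMTP socket.
mailbox_transport = lmtp:unix:private/dovecot-lmtp

# /etc/dovecot/conf.d/10-master.conf: the lmtp service runs as root and drops
# to each recipient's uid/gid from the userdb per delivery, which is exactly
# what the 'mail' user in the pipe transport was not permitted to do.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

With strategy 2 or 3 the pipe transport entry in master.cf is no longer needed; the setgid failure disappears because the process that changes identity is already root.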
