Solved

How can I change the permissions of the dovecot-lda executable to run as root on CentOS 6.3?

Posted on 2013-12-19
Last Modified: 2013-12-20
I have dovecot+postfix+squirrelmail installed on a CentOS 6.3 based server. I have had no problem so far sending emails; however, when receiving emails I have a problem with dovecot-lda,
where I always get this error:

Dec 19 23:56:17 myserver dovecot: lda(myself@mydomain.com): Fatal: setresgid(500(vmail),500(vmail),12(mail)) failed with euid=500(vmail): Operation not permitted

I even tried to run the command /usr/libexec/dovecot/dovecot-lda -d myself@mydomain.com and I get the same error.
I have checked and found that it is an issue with the permissions of the running dovecot-lda process, where it has to run with root privileges but with some extra constraints to avoid that being abused; however, they provided the solution for Debian as:

#Setuid-root dovecot-lda
# chgrp secmail /usr/local/libexec/dovecot/dovecot-lda
# chmod 04750 /usr/local/libexec/dovecot/dovecot-lda
# ls -l /usr/local/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root secmail 4023932 2010-06-15 16:23 dovecot-lda

setuid-root is not a CentOS command. I understood that setresgid is equivalent to it in CentOS, but I cannot find many examples on the internet. Can someone please guide me on the commands that need to be executed on CentOS to get the same result?
Remark: In the maillog I can see the email accepted by postfix.

My Configurations are:

Both Dovecot and postfix are connected to a postgres database called postfix, and here the list of tables:
# su - postgres
-bash-4.1$ psql -d postfix
psql (8.4.18)
Type "help" for help.

postfix=# \dt
                 List of relations
 Schema |         Name          | Type  |  Owner
--------+-----------------------+-------+----------
 public | admin                 | table | postfix
 public | alias                 | table | postfix
 public | alias_domain          | table | postfix
 public | config                | table | postfix
 public | domain                | table | postfix
 public | domain_admins         | table | postfix
 public | fetchmail             | table | postfix
 public | log                   | table | postfix
 public | mailbox               | table | postfix
 public | quota                 | table | postfix
 public | quota2                | table | postfix
 public | users                 | table | postgres
 public | vacation              | table | postfix
 public | vacation_notification | table | postfix

postfix=# \d+ mailbox
                                          Table "public.mailbox"
   Column   |           Type           |               Modifiers                | Storage  | Description
------------+--------------------------+----------------------------------------+----------+-------------
 username   | character varying(255)   | not null                               | extended |
 password   | character varying(255)   | not null default ''::character varying | extended |
 name       | character varying(255)   | not null default ''::character varying | extended |
 maildir    | character varying(255)   | not null default ''::character varying | extended |
 quota      | bigint                   | not null default 0                     | plain    |
 created    | timestamp with time zone | default now()                          | plain    |
 modified   | timestamp with time zone | default now()                          | plain    |
 active     | boolean                  | not null default true                  | plain    |
 domain     | character varying(255)   |                                        | extended |
 local_part | character varying(255)   | not null                               | extended |


postfix=# \d+ quota
                          Table "public.quota"
  Column  |          Type          | Modifiers | Storage  | Description
----------+------------------------+-----------+----------+-------------
 username | character varying(255) | not null  | extended |
 path     | character varying(100) | not null  | extended |
 current  | bigint                 |           | plain    |
Indexes:
    "quota_pkey" PRIMARY KEY, btree (username, path)
Triggers:


postfix=# \d+ quota2
                              Table "public.quota2"
  Column  |          Type          |     Modifiers      | Storage  | Description
----------+------------------------+--------------------+----------+-------------
 username | character varying(100) | not null           | extended |
 bytes    | bigint                 | not null default 0 | plain    |
 messages | integer                | not null default 0 | plain    |
Indexes:

My main.cf config:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
smtpd_recipient_restrictions = permit_sasl_authenticated
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost mydomain.com
myhostname = mydomain.com
mynetworks = <My public IP>/32, $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.2/README_FILES
sample_directory = no
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/mailserver/myserver_com.pem
smtpd_tls_key_file = /etc/ssl/mailserver/myserver_com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:$config_directory/pgsql_virtual_alias_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:pgsql:$config_directory/pgsql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:$config_directory/pgsql_virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500
#use amavisd as filter on port 10024
content_filter=amavisfeed:[127.0.0.1]:10024

My Dovecot.conf:
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-028stab101.1 x86_64 CentOS release 6.3 (Final) reiserfs
base_dir = /var/run/dovecot/
disable_plaintext_auth = yes
first_valid_uid = 500
last_valid_uid = 500
log_timestamp = "%d-%m-%y %H:%M:%S "
mail_access_groups = mail
mail_location = maildir:/home/vmail/%u
mail_max_userip_connections = 100
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
   quota = maildir:User quota
   quota_rule = *:storage=2G
   quota_rule2 = Trash:storage=+100M
   quota_exceeded_message = Quota exceeded, You have exceeded the storage quota (2G) assigned for your mailbaox please detele some emails and clean your trash.
}
protocols = pop3 imap
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
mail_plugins = quota
}
service auth-worker {
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
mode = 0666
}
   unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
}
service pop3-login {
    inet_listener pop3 {
    address = 127.0.0.1
    port = 110
  }
}
service imap-login {
  executable = /usr/libexec/dovecot/imap-login
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    address = 127.0.0.1
    port = 993
  }
}
service imap {
executable = /usr/libexec/dovecot/imap
}
service pop3 {
executable = /usr/libexec/dovecot/pop3
}
ssl_cert = </etc/ssl/mailserver/mail.mydomain.com.pem
ssl_key = </etc/ssl/mailserver/mail.mydomain.com.key
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
postmaster_address = postmaster@mydomain.com
sendmail_path = /usr/lib/sendmail
mail_plugins = quota
}
protocol imap {
imap_max_line_length = 64 k
mail_plugins = quota imap_quota
}
My pgsql_virtual_alias_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

My pgsql_virtual_domains_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

My pgsql_virtual_mailbox_limit_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'
#query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

My pgsql_virtual_mailbox_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
additional_conditions = and active = '1'
#query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

My dovecot-sql.conf:
driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=<Password>
password_query =  SELECT username as user, password, '/home/vmail/%n'||'@'||'%d' as userdb_home, 'maildir:/var/vmail/%n'||'@'||'%d' as userdb_mail, 500 as userdb_uid, 500 as userdb_gid FROM mailbox WHERE username = '%n'||'@'||'%d' AND active = '1'
user_query = select '/home/vmail/%n'  as home, 'maildir:/home/vmail/'||'%n' as mail , 500 As uid , 500 as gid, 'dirsize:storage=' || quota AS quota from mailbox where username='%n'||'@'||'%d'
# For using doveadm -A:
iterate_query = SELECT username, domain FROM mailbox where username='%n'||'@'||'%d'

Can someone please explain to me what I am doing wrong? I want to enable a quota for every mailbox, but when I do this config, even Dovecot does not start up.
Question by:Ashraf Hassanein
Accepted Solution

by:
JJSmith earned 500 total points
ID: 39730820
# chmod 04750 /usr/local/libexec/dovecot/dovecot-lda

is setting the effective ID on dovecot-lda; setuid-root isn't a command, it's a term that describes a binary file owned by root with the setuid bit on:

# ls -l /usr/local/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root secmail 4023932 2010-06-15 16:23 dovecot-lda

The 'x' permission has been replaced with an 's' to show that setuid is applied, so when someone in the secmail group runs this process, it will execute as if root had run it.
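One way to confirm that the setuid layout from the Debian instructions in the question (and explained in the accepted answer) is actually in place on a CentOS box, as an added example that is not part of the thread and not code from the Dovecot project. It checks that a helper binary is owned by the expected user and group with mode exactly 4750, so only members of the restricted group can launch the root-privileged LDA, and it lists any setuid files that are also executable by everyone (mode 4755 would let any local account run a root-privileged dovecot-lda). It assumes GNU stat(1) and find(1) as shipped with CentOS 6; the scratch files it builds for its self-test are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): verify that a
# setuid-root helper such as dovecot-lda is installed the way the
# Debian instructions describe, and audit for setuid binaries that are
# executable by everyone. Assumes GNU stat(1) and find(1) as on CentOS 6.

# check_setuid_helper PATH OWNER GROUP
# Returns 0 only when PATH is a regular file owned by OWNER:GROUP with
# mode exactly 4750 (setuid, owner rwx, group r-x, nothing for others).
# On a real server, with the group name from the question:
#   check_setuid_helper /usr/libexec/dovecot/dovecot-lda root secmail
check_setuid_helper() {
    path=$1; owner=$2; group=$3
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file" >&2; return 1
    fi
    mode=$(stat -c '%a' "$path")        # e.g. 4750 when the setuid bit is set
    have=$(stat -c '%U:%G' "$path")
    if [ "$mode" != "4750" ]; then
        echo "$path: mode is $mode, expected 4750" >&2; return 1
    fi
    if [ "$have" != "$owner:$group" ]; then
        echo "$path: owner is $have, expected $owner:$group" >&2; return 1
    fi
    return 0
}

# list_world_exec_setuid DIR
# Prints setuid files under DIR that are also executable by "others",
# i.e. privileged binaries any local account could run.
list_world_exec_setuid() {
    find "$1" -type f -perm -4001 2>/dev/null | sort
}

# self_test: two constructed scratch files stand in for a restricted and an
# over-permissive dovecot-lda; returns 0 when the checks behave as expected.
self_test() {
    me=$(id -un); mygrp=$(id -gn)
    tmp=$(mktemp -d) || return 1
    : > "$tmp/lda-restricted"; chmod 4750 "$tmp/lda-restricted"
    : > "$tmp/lda-open";       chmod 4755 "$tmp/lda-open"
    if check_setuid_helper "$tmp/lda-restricted" "$me" "$mygrp"; then ok1=1; else ok1=0; fi
    if check_setuid_helper "$tmp/lda-open" "$me" "$mygrp" 2>/dev/null; then ok2=1; else ok2=0; fi
    flagged=$(list_world_exec_setuid "$tmp")
    rm -rf "$tmp"
    [ "$ok1" = 1 ] && [ "$ok2" = 0 ] && [ "$flagged" = "$tmp/lda-open" ]
}

self_test && echo "self-test passed"
```

The self-test uses the current user and group because chown to root needs root; on the mail server itself you would call check_setuid_helper with root and the restricted group, and run list_world_exec_setuid over /usr/libexec/dovecot to make sure no helper was left at 4755.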
Author Comment

by:Ashraf Hassanein
ID: 39730836
Thanks that has solved the problem
Author Comment

by:Ashraf Hassanein
ID: 39731292
I've requested that this question be closed as follows:

Accepted answer: 0 points for AshrafHassanein's comment #a39730836

for the following reason:

Accurate answer