Ashraf Hassanein

asked on

How can I change the permissions of the dovecot-lda executable so that it runs as root on CentOS 6.3?

I have dovecot+postfix+squirrelmail installed on a CentOS 6.3 based server. I have had no problem so far sending emails; however, when receiving emails I have a problem with dovecot-lda,
where I always get this error:

Dec 19 23:56:17 myserver dovecot: lda(myself@mydomain.com): Fatal: setresgid(500(vmail),500(vmail),12(mail)) failed with euid=500(vmail): Operation not permitted

I even tried to run the command /usr/libexec/dovecot/dovecot-lda -d myself@mydomain.com and I get the same error.
I have checked and found that it is an issue with the permissions of the running dovecot-lda process, which has to run with root privileges, but with some extra constraints to avoid that being abused; however, they provided the solution for Debian as:

#Setuid-root dovecot-lda
# chgrp secmail /usr/local/libexec/dovecot/dovecot-lda
# chmod 04750 /usr/local/libexec/dovecot/dovecot-lda
# ls -l /usr/local/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root secmail 4023932 2010-06-15 16:23 dovecot-lda

setuid-root is not a CentOS command. I understood that setresgid is equivalent to it in CentOS, but I cannot find many examples on the internet. Can someone please guide me on the commands that need to be executed on CentOS to get the same result?
Remark: In the maillog I can see the email accepted by postfix.

My configurations are:

Both Dovecot and Postfix are connected to a PostgreSQL database called postfix; here is the list of tables:
# su - postgres
-bash-4.1$ psql -d postfix
psql (8.4.18)
Type "help" for help.

postfix=# \dt
                 List of relations
 Schema |         Name          | Type  |  Owner
--------+-----------------------+-------+----------
 public | admin                 | table | postfix
 public | alias                 | table | postfix
 public | alias_domain          | table | postfix
 public | config                | table | postfix
 public | domain                | table | postfix
 public | domain_admins         | table | postfix
 public | fetchmail             | table | postfix
 public | log                   | table | postfix
 public | mailbox               | table | postfix
 public | quota                 | table | postfix
 public | quota2                | table | postfix
 public | users                 | table | postgres
 public | vacation              | table | postfix
 public | vacation_notification | table | postfix

postfix=# \d+ mailbox
                                        Table "public.mailbox"
   Column   |           Type           |               Modifiers                | Storage  | Description
------------+--------------------------+----------------------------------------+----------+-------------
 username   | character varying(255)   | not null                               | extended |
 password   | character varying(255)   | not null default ''::character varying | extended |
 name       | character varying(255)   | not null default ''::character varying | extended |
 maildir    | character varying(255)   | not null default ''::character varying | extended |
 quota      | bigint                   | not null default 0                     | plain    |
 created    | timestamp with time zone | default now()                          | plain    |
 modified   | timestamp with time zone | default now()                          | plain    |
 active     | boolean                  | not null default true                  | plain    |
 domain     | character varying(255)   |                                        | extended |
 local_part | character varying(255)   | not null                               | extended |


postfix=# \d+ quota
                          Table "public.quota"
  Column  |          Type          | Modifiers | Storage  | Description
----------+------------------------+-----------+----------+-------------
 username | character varying(255) | not null  | extended |
 path     | character varying(100) | not null  | extended |
 current  | bigint                 |           | plain    |
Indexes:
    "quota_pkey" PRIMARY KEY, btree (username, path)
Triggers:


postfix=# \d+ quota2
                              Table "public.quota2"
  Column  |          Type          |     Modifiers      | Storage  | Description
----------+------------------------+--------------------+----------+-------------
 username | character varying(100) | not null           | extended |
 bytes    | bigint                 | not null default 0 | plain    |
 messages | integer                | not null default 0 | plain    |
Indexes:

My main.cf config:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
smtpd_recipient_restrictions = permit_sasl_authenticated
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost mydomain.com
myhostname = mydomain.com
mynetworks = <My public IP>/32, $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.2/README_FILES
sample_directory = no
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/mailserver/myserver_com.pem
smtpd_tls_key_file = /etc/ssl/mailserver/myserver_com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:$config_directory/pgsql_virtual_alias_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:pgsql:$config_directory/pgsql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:$config_directory/pgsql_virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500
#use amavisd as filter on port 10024
content_filter=amavisfeed:[127.0.0.1]:10024

My dovecot.conf:
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-028stab101.1 x86_64 CentOS release 6.3 (Final) reiserfs
base_dir = /var/run/dovecot/
disable_plaintext_auth = yes
first_valid_uid = 500
last_valid_uid = 500
log_timestamp = "%d-%m-%y %H:%M:%S "
mail_access_groups = mail
mail_location = maildir:/home/vmail/%u
mail_max_userip_connections = 100
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
   quota = maildir:User quota
   quota_rule = *:storage=2G
   quota_rule2 = Trash:storage=+100M
   quota_exceeded_message = Quota exceeded, You have exceeded the storage quota (2G) assigned for your mailbox, please delete some emails and clean your trash.
}
protocols = pop3 imap
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
mail_plugins = quota
}
service auth-worker {
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
mode = 0666
}
   unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
}
service pop3-login {
    inet_listener pop3 {
    address = 127.0.0.1
    port = 110
  }
}
service imap-login {
  executable = /usr/libexec/dovecot/imap-login
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    address = 127.0.0.1
    port = 993
  }
}
service imap {
executable = /usr/libexec/dovecot/imap
}
service pop3 {
executable = /usr/libexec/dovecot/pop3
}
ssl_cert = </etc/ssl/mailserver/mail.mydomain.com.pem
ssl_key = </etc/ssl/mailserver/mail.mydomain.com.key
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
postmaster_address = postmaster@mydomain.com
sendmail_path = /usr/lib/sendmail
mail_plugins = quota
}
protocol imap {
imap_max_line_length = 64 k
mail_plugins = quota imap_quota
}
My pgsql_virtual_alias_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

My pgsql_virtual_domains_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

My pgsql_virtual_mailbox_limit_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'
#query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

My pgsql_virtual_mailbox_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
additional_conditions = and active = '1'
#query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

My dovecot-sql.conf:
driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=<Password>
password_query = SELECT username AS user, password, '/home/vmail/%n'||'@'||'%d' AS userdb_home, 'maildir:/var/vmail/%n'||'@'||'%d' AS userdb_mail, 500 AS userdb_uid, 500 AS userdb_gid FROM mailbox WHERE username = '%n'||'@'||'%d' AND active = '1'
# user_query: the original had ' n' instead of '%n' in the WHERE clause, which never matches a username
user_query = SELECT '/home/vmail/%n' AS home, 'maildir:/home/vmail/'||'%n' AS mail, 500 AS uid, 500 AS gid, 'dirsize:storage=' || quota AS quota FROM mailbox WHERE username='%n'||'@'||'%d'
# For using doveadm -A:
iterate_query = SELECT username, domain FROM mailbox where username='%n'||'@'||'%d'

Can someone please explain to me what I am doing wrong? I want to enable a quota for every mailbox, but when I use this config even Dovecot does not start up.
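As an added example (not part of the question or its accepted answer), a POSIX shell check for the state the Debian recipe above produces on the CentOS path from the question: dovecot-lda owned by root, setuid, executable only by one trusted group and inaccessible to everyone else. Without the setuid bit the unprivileged lda process cannot setresgid() to the mail group, which is the "Operation not permitted" in the log; with world-execute on a setuid-root binary every local user can run it. The path and the group name "secmail" are assumptions taken from the question's recipe.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a setuid-root
# dovecot-lda is restricted to one trusted group (Debian recipe: 04750, root:secmail).
# Assumed path /usr/libexec/dovecot/dovecot-lda and group secmail; adjust for your host.

# lda_perms_ok MODE OWNER GROUP WANTED_GROUP
# Pure policy check on already-collected values so it can be tested offline.
# Returns 0 when the binary is safely restricted, 1 otherwise, printing why.
lda_perms_ok() {
    mode=$1 owner=$2 group=$3 want=$4
    rc=0
    [ "$owner" = root ] || { echo "owner is '$owner', expected root"; rc=1; }
    [ "$group" = "$want" ] || { echo "group is '$group', expected $want"; rc=1; }
    # Normalise to 4 octal digits: stat prints 750 when no special bit is set
    case $mode in
        [0-9][0-9][0-9]) mode=0$mode ;;
    esac
    special=${mode%???}          # 4 = setuid
    rest=${mode#?}               # user/group/other bits, e.g. 750
    others=${rest#??}            # last digit
    grp=${rest%?}; grp=${grp#?}  # middle digit
    [ "$special" = 4 ] || { echo "setuid bit missing (mode $mode): setresgid() to the mail group needs root"; rc=1; }
    [ "$others" = 0 ] || { echo "others have access (mode $mode): any local user could run it"; rc=1; }
    [ "$grp" = 5 ] || { echo "group bits are $grp, expected r-x (5)"; rc=1; }
    return $rc
}

# check_lda_binary [FILE] [GROUP]: collect owner, group and mode with GNU stat
# and apply the policy above. Defaults are the assumed CentOS path and group.
check_lda_binary() {
    f=${1:-/usr/libexec/dovecot/dovecot-lda} want=${2:-secmail}
    [ -e "$f" ] || { echo "no such file: $f"; return 1; }
    lda_perms_ok "$(stat -c %a "$f")" "$(stat -c %U "$f")" "$(stat -c %G "$f")" "$want"
}

# Run the live check only when LDA_CHECK names a binary, e.g.
#   LDA_CHECK=/usr/libexec/dovecot/dovecot-lda sh lda_check.sh
if [ -n "${LDA_CHECK:-}" ]; then
    check_lda_binary "$LDA_CHECK" "${LDA_GROUP:-secmail}"
fi
```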
ASKER CERTIFIED SOLUTION
JJSmith
Ashraf Hassanein

ASKER

Thanks, that has solved the problem.
I've requested that this question be closed as follows:

Accepted answer: 0 points for AshrafHassanein's comment #a39730836

for the following reason:

Accurate answer