Ashraf Hassanein
asked on
How can I change the permissions of the dovecot-lda executable to run as root on CentOS 6.3?
I have dovecot+postfix+squirrelmail installed on a CentOS 6.3 based server. I have no problem so far in sending emails; however, when receiving emails I have a problem with dovecot-lda,
where I am always getting the error:
Dec 19 23:56:17 myserver dovecot: lda(myself@mydomain.com): Fatal: setresgid(500(vmail),500(vmail),12(mail)) failed with euid=500(vmail): Operation not permitted
I tried even to run the command /usr/libexec/dovecot/dovecot-lda -d myself@mydomain.com and I get the same error.
I have checked and I found that it is an issue with the permissions of the running process dovecot-lda, where it has to run with root privileges but with some extra constraints to avoid that being abused; however, they provided the solution in Debian as:
#Setuid-root dovecot-lda
# chgrp secmail /usr/local/libexec/dovecot/dovecot-lda
# chmod 04750 /usr/local/libexec/dovecot/dovecot-lda
# ls -l /usr/local/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root secmail 4023932 2010-06-15 16:23 dovecot-lda
setuid-root is not a CentOS command; I understood that setresgid is equivalent to it on CentOS, but I cannot find many examples on the internet. Can someone please guide me on the commands that need to be executed on CentOS to get the same result?
Remark: In the maillog I can see the email accepted by postfix.
My Configurations are:
Both Dovecot and Postfix are connected to a PostgreSQL database called postfix; here is the list of tables:
# su - postgres
-bash-4.1$ psql -d postfix
psql (8.4.18)
Type "help" for help.
postfix=# \dt
List of relations
 Schema |         Name          | Type  |  Owner
--------+-----------------------+-------+----------
 public | admin                 | table | postfix
 public | alias                 | table | postfix
 public | alias_domain          | table | postfix
 public | config                | table | postfix
 public | domain                | table | postfix
 public | domain_admins         | table | postfix
 public | fetchmail             | table | postfix
 public | log                   | table | postfix
 public | mailbox               | table | postfix
 public | quota                 | table | postfix
 public | quota2                | table | postfix
 public | users                 | table | postgres
 public | vacation              | table | postfix
 public | vacation_notification | table | postfix
postfix=# \d+ mailbox
Table "public.mailbox"
   Column   |           Type           |               Modifiers                | Storage  | Description
------------+--------------------------+----------------------------------------+----------+-------------
 username   | character varying(255)   | not null                               | extended |
 password   | character varying(255)   | not null default ''::character varying | extended |
 name       | character varying(255)   | not null default ''::character varying | extended |
 maildir    | character varying(255)   | not null default ''::character varying | extended |
 quota      | bigint                   | not null default 0                     | plain    |
 created    | timestamp with time zone | default now()                          | plain    |
 modified   | timestamp with time zone | default now()                          | plain    |
 active     | boolean                  | not null default true                  | plain    |
 domain     | character varying(255)   |                                        | extended |
 local_part | character varying(255)   | not null                               | extended |
postfix=# \d+ quota
Table "public.quota"
  Column  |          Type          | Modifiers | Storage  | Description
----------+------------------------+-----------+----------+-------------
 username | character varying(255) | not null  | extended |
 path     | character varying(100) | not null  | extended |
 current  | bigint                 |           | plain    |
Indexes:
"quota_pkey" PRIMARY KEY, btree (username, path)
Triggers:
postfix=# \d+ quota2
Table "public.quota2"
  Column  |          Type          |     Modifiers      | Storage  | Description
----------+------------------------+--------------------+----------+-------------
 username | character varying(100) | not null           | extended |
 bytes    | bigint                 | not null default 0 | plain    |
 messages | integer                | not null default 0 | plain    |
Indexes:
My main.cf config:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
smtpd_recipient_restrictions = permit_sasl_authenticated
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost mydomain.com
myhostname = mydomain.com
mynetworks = <My public IP>/32, $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.2/README_FILES
sample_directory = no
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/mailserver/myserver_com.pem
smtpd_tls_key_file = /etc/ssl/mailserver/myserver_com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:$config_directory/pgsql_virtual_alias_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:pgsql:$config_directory/pgsql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:$config_directory/pgsql_virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500
#use amavisd as filter on port 10024
content_filter = amavisfeed:[127.0.0.1]:10024
My dovecot.conf:
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-028stab101.1 x86_64 CentOS release 6.3 (Final) reiserfs
base_dir = /var/run/dovecot/
disable_plaintext_auth = yes
first_valid_uid = 500
last_valid_uid = 500
log_timestamp = "%d-%m-%y %H:%M:%S "
mail_access_groups = mail
mail_location = maildir:/home/vmail/%u
mail_max_userip_connections = 100
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
quota = maildir:User quota
quota_rule = *:storage=2G
quota_rule2 = Trash:storage=+100M
quota_exceeded_message = Quota exceeded, you have exceeded the storage quota (2G) assigned for your mailbox, please delete some emails and clean your trash.
}
protocols = pop3 imap
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
mail_plugins = quota
}
service auth-worker {
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
mode = 0666
}
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
}
service pop3-login {
inet_listener pop3 {
address = 127.0.0.1
port = 110
}
}
service imap-login {
executable = /usr/libexec/dovecot/imap-login
inet_listener imap {
address = 127.0.0.1
port = 143
}
inet_listener imaps {
address = 127.0.0.1
port = 993
}
}
service imap {
executable = /usr/libexec/dovecot/imap
}
service pop3 {
executable = /usr/libexec/dovecot/pop3
}
ssl_cert = </etc/ssl/mailserver/mail.mydomain.com.pem
ssl_key = </etc/ssl/mailserver/mail.mydomain.com.key
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
postmaster_address = postmaster@mydomain.com
sendmail_path = /usr/lib/sendmail
mail_plugins = quota
}
protocol imap {
imap_max_line_length = 64k
mail_plugins = quota imap_quota
}
My pgsql_virtual_alias_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
My pgsql_virtual_domains_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'
My pgsql_virtual_mailbox_limit_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'
#query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'
My pgsql_virtual_mailbox_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
additional_conditions = and active = '1'
#query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
My dovecot-sql.conf:
driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=<Password>
password_query = SELECT username as user, password, '/home/vmail/%n'||'@'||'%d' as userdb_home, 'maildir:/var/vmail/%n'||'@'||'%d' as userdb_mail, 500 as userdb_uid, 500 as userdb_gid FROM mailbox WHERE username = '%n'||'@'||'%d' AND active = '1'
user_query = select '/home/vmail/%n' as home, 'maildir:/home/vmail/'||'%n' as mail, 500 as uid, 500 as gid, 'dirsize:storage=' || quota AS quota from mailbox where username='%n'||'@'||'%d'
# For using doveadm -A:
iterate_query = SELECT username, domain FROM mailbox where username='%n'||'@'||'%d'
Can someone please explain to me what it is that I am doing wrong? I want to enable a quota for every mailbox, but when I apply this config even Dovecot does not start up.
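The Debian note quoted in the question makes dovecot-lda setuid root but restricts who may execute it (owner root, one group, mode 04750). The script below is an added example, not code from the question or from Dovecot, that audits those three conditions on a CentOS box and confirms the delivery user is in the permitted group; the path /usr/libexec/dovecot/dovecot-lda, the group name secmail and the user name vmail are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): check that a setuid-root
# dovecot-lda is installed the restricted way the Debian note describes:
# owner root, setuid, mode 04750, executable by exactly one group, and the
# user Postfix delivers as is a member of that group. Path, group name and
# user name below are assumptions; pass your own values as arguments.

# lda_mode_ok FILE: succeed only if FILE is exactly 4750
# (setuid bit set, owner rwx, group r-x, no access at all for others).
lda_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "4750" ]
}

# lda_owner_ok FILE GROUP: succeed only if FILE is owned by root:GROUP.
# A setuid binary owned by a non-root user gains nothing from the bit.
lda_owner_ok() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "root:$2" ]
}

# user_in_group USER GROUP: succeed if GROUP is among USER's groups,
# i.e. USER is allowed to execute a 4750 binary owned by root:GROUP.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# audit_lda FILE GROUP USER: run all checks, print each result and return
# the number of failed checks (0 means the binary is set up as intended).
audit_lda() {
    fails=0
    if lda_mode_ok "$1"; then
        echo "ok   mode 4750 on $1"
    else
        echo "FAIL mode on $1 is $(stat -c '%a' "$1" 2>/dev/null || echo missing), want 4750"
        fails=$((fails + 1))
    fi
    if lda_owner_ok "$1" "$2"; then
        echo "ok   owner root:$2 on $1"
    else
        echo "FAIL owner on $1 is $(stat -c '%U:%G' "$1" 2>/dev/null || echo missing), want root:$2"
        fails=$((fails + 1))
    fi
    if user_in_group "$3" "$2"; then
        echo "ok   user $3 is in group $2"
    else
        echo "FAIL user $3 is not in group $2, so it cannot execute the LDA"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Run the audit only when invoked with three arguments, for example:
#   sh audit-lda.sh /usr/libexec/dovecot/dovecot-lda secmail vmail
if [ $# -eq 3 ]; then
    audit_lda "$1" "$2" "$3"
fi
```

The setresgid() call that fails in the log is triggered by mail_privileged_group and mail_access_groups being set to mail; for a Maildir-only virtual-user setup under /home/vmail those two settings are not needed, and removing them avoids a setuid-root LDA altogether.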
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for AshrafHassanein's comment #a39730836
for the following reason:
Accurate answer