How can I change the permissions of the dovecot-lda executable to run as root on CentOS 6.3?

I have dovecot+postfix+squirrelmail installed on a CentOS 6.3 based server. I have had no problem so far sending emails; however, when receiving emails I have a problem with dovecot-lda, where I am always getting this error:

Dec 19 23:56:17 myserver dovecot: lda(myself@mydomain.com): Fatal: setresgid(500(vmail),500(vmail),12(mail)) failed with euid=500(vmail): Operation not permitted

I even tried to run the command /usr/libexec/dovecot/dovecot-lda -d myself@mydomain.com and I get the same error.
I have checked and found that it is an issue with the permissions of the running process dovecot-lda, where it has to run with root privileges but with some extra constraints to avoid that being abused; however, they provided the solution for Debian as:

#Setuid-root dovecot-lda
# chgrp secmail /usr/local/libexec/dovecot/dovecot-lda
# chmod 04750 /usr/local/libexec/dovecot/dovecot-lda
# ls -l /usr/local/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root secmail 4023932 2010-06-15 16:23 dovecot-lda

setuid-root is not a CentOS command; I understood that setresgid is equivalent to it on CentOS, but I cannot find many examples on the internet. Can someone please guide me on the commands that need to be executed on CentOS to get the same result?
Remark: In the maillog I can see the email accepted by postfix.

My Configurations are:

Both Dovecot and postfix are connected to a postgres database called postfix, and here the list of tables:
# su - postgres
-bash-4.1$ psql -d postfix
psql (8.4.18)
Type "help" for help.

postfix=# \dt
                 List of relations
 Schema |         Name          | Type  |  Owner
--------+-----------------------+-------+----------
 public | admin                 | table | postfix
 public | alias                 | table | postfix
 public | alias_domain          | table | postfix
 public | config                | table | postfix
 public | domain                | table | postfix
 public | domain_admins         | table | postfix
 public | fetchmail             | table | postfix
 public | log                   | table | postfix
 public | mailbox               | table | postfix
 public | quota                 | table | postfix
 public | quota2                | table | postfix
 public | users                 | table | postgres
 public | vacation              | table | postfix
 public | vacation_notification | table | postfix

postfix=# \d+ mailbox
                                        Table "public.mailbox"
   Column   |           Type           |               Modifiers                | Storage  | Description
------------+--------------------------+----------------------------------------+----------+-------------
 username   | character varying(255)   | not null                               | extended |
 password   | character varying(255)   | not null default ''::character varying | extended |
 name       | character varying(255)   | not null default ''::character varying | extended |
 maildir    | character varying(255)   | not null default ''::character varying | extended |
 quota      | bigint                   | not null default 0                     | plain    |
 created    | timestamp with time zone | default now()                          | plain    |
 modified   | timestamp with time zone | default now()                          | plain    |
 active     | boolean                  | not null default true                  | plain    |
 domain     | character varying(255)   |                                        | extended |
 local_part | character varying(255)   | not null                               | extended |


postfix=# \d+ quota
                          Table "public.quota"
  Column  |          Type          | Modifiers | Storage  | Description
----------+------------------------+-----------+----------+-------------
 username | character varying(255) | not null  | extended |
 path     | character varying(100) | not null  | extended |
 current  | bigint                 |           | plain    |
Indexes:
    "quota_pkey" PRIMARY KEY, btree (username, path)
Triggers:


postfix=# \d+ quota2
                              Table "public.quota2"
  Column  |          Type          |     Modifiers      | Storage  | Description
----------+------------------------+--------------------+----------+-------------
 username | character varying(100) | not null           | extended |
 bytes    | bigint                 | not null default 0 | plain    |
 messages | integer                | not null default 0 | plain    |
Indexes:

My main.cf config:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
smtpd_recipient_restrictions = permit_sasl_authenticated
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost mydomain.com
myhostname = mydomain.com
mynetworks = <My public IP>/32, $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.2/README_FILES
sample_directory = no
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks,  permit_sasl_authenticated,
reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,  permit_sasl_authenticated,
reject_unauth_destination, permit
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/mailserver/myserver_com.pem
smtpd_tls_key_file = /etc/ssl/mailserver/myserver_com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:$config_directory/pgsql_virtual_alias_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:pgsql:$config_directory/pgsql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:$config_directory/pgsql_virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500
#use amavisd as filter on port 10024
content_filter=amavisfeed:[127.0.0.1]:10024

My Dovecot.conf:
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-028stab101.1 x86_64 CentOS release 6.3 (Final) reiserfs
base_dir = /var/run/dovecot/
disable_plaintext_auth = yes
first_valid_uid = 500
last_valid_uid = 500
log_timestamp = "%d-%m-%y %H:%M:%S "
mail_access_groups = mail
mail_location = maildir:/home/vmail/%u
mail_max_userip_connections = 100
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
   quota = maildir:User quota
   quota_rule = *:storage=2G
   quota_rule2 = Trash:storage=+100M
   quota_exceeded_message = Quota exceeded, You have exceeded the storage quota (2G) assigned for your mailbox please delete some emails and clean your trash.
}
protocols = pop3 imap
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
mail_plugins = quota
}
service auth-worker {
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
mode = 0666
}
   unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
}
service pop3-login {
    inet_listener pop3 {
    address = 127.0.0.1
    port = 110
  }
}
service imap-login {
  executable = /usr/libexec/dovecot/imap-login
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    address = 127.0.0.1
    port = 993
  }
}
service imap {
executable = /usr/libexec/dovecot/imap
}
service pop3 {
executable = /usr/libexec/dovecot/pop3
}
ssl_cert = </etc/ssl/mailserver/mail.mydomain.com.pem
ssl_key = </etc/ssl/mailserver/mail.mydomain.com.key
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
postmaster_address = postmaster@mydomain.com
sendmail_path = /usr/lib/sendmail
mail_plugins = quota
}
protocol imap {
imap_max_line_length = 64 k
mail_plugins = quota imap_quota
}
My pgsql_virtual_alias_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

My pgsql_virtual_domains_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

My pgsql_virtual_mailbox_limit_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'
#query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

My pgsql_virtual_mailbox_maps.cf:
user = postfix
password = <Password>
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
additional_conditions = and active = '1'
#query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

My dovecot-sql.conf:
driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=<Password>
password_query =  SELECT username as user, password, '/home/vmail/%n'||'@'||'%d' as userdb_home, 'maildir:/var/vmail/%n'||'@'||'%d' as userdb_mail, 500 as userdb_uid, 500 as userdb_gid FROM mailbox WHERE username = '%n'||'@'||'%d' AND active = '1'
user_query = select '/home/vmail/%n'  as home, 'maildir:/home/vmail/'||'%n' as mail , 500 As uid , 500 as gid, 'dirsize:storage=' || quota AS quota from mailbox where username='%n'||'@'||'%d'
# For using doveadm -A:
iterate_query = SELECT username, domain FROM mailbox where username='%n'||'@'||'%d'

Can someone please explain to me what I am doing wrong? I want to enable a quota for every mailbox, but when I apply this config even dovecot does not start up.
Asked by: Ashraf Hassanein

1 Solution

JJSmith commented:
# chmod 04750 /usr/local/libexec/dovecot/dovecot-lda

is setting the effective ID on dovecot-lda. setuid-root isn't a command; it's a term that describes a binary file owned by root with the setuid bit on:

# ls -l /usr/local/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root secmail 4023932 2010-06-15 16:23 dovecot-lda

The 'x' permission has been replaced with an 's' to show that setuid is applied, so when someone in the secmail group runs this process, it will execute as if root had run it.
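The layout the answer describes (owned by root, executable only by one group, mode 04750) is easy to get subtly wrong, for example by typing 04755 and making a root-setuid binary runnable by every local account. The POSIX shell function below is an added example, not code from the original post or from the Dovecot project. It assumes GNU stat(1) with the -c option (as shipped on CentOS) and takes the expected owner, group and mode as arguments, so it can be pointed at /usr/libexec/dovecot/dovecot-lda after the chgrp/chmod recipe from the question has been applied; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Audit helper for a setuid-root delivery agent such as dovecot-lda.
# Added example, not code from the original post or from Dovecot.
# Assumes GNU stat(1) with -c (Linux); expected owner, group and mode are
# supplied by the caller so the check can be run against any binary.

# pad4 MODE: stat prints "750" for a plain file and "4750" for a setuid one;
# always work with four digits so the special-bits digit is present.
pad4() {
    case $1 in
        ???) echo "0$1" ;;
        *)   echo "$1" ;;
    esac
}

# check_setuid_binary PATH OWNER GROUP MODE
# Returns 0 when PATH is a regular file owned by OWNER:GROUP with exactly
# MODE (e.g. 4750 or 04750), the setuid bit set and no execute bit for
# "other"; returns 1 on any mismatch and 2 when PATH is missing.
check_setuid_binary() {
    path=$1; want_owner=$2; want_group=$3
    want_mode=$(pad4 "${4#0}")
    if [ ! -f "$path" ]; then
        echo "MISSING: $path is not a regular file"
        return 2
    fi
    mode=$(pad4 "$(stat -c '%a' "$path")")
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    special=${mode%???}   # leading digit: setuid=4, setgid=2, sticky=1
    other=${mode#???}     # trailing digit: permissions for everyone else
    rc=0
    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: group is $group, expected $want_group"; rc=1; }
    [ $((special & 4)) -ne 0 ]   || { echo "FAIL: setuid bit not set (mode $mode)"; rc=1; }
    [ $((other & 1)) -eq 0 ]     || { echo "FAIL: setuid binary is world-executable (mode $mode)"; rc=1; }
    [ "$mode" = "$want_mode" ]   || { echo "FAIL: mode is $mode, expected $want_mode"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "OK: $path is $owner:$group mode $mode"
    fi
    return "$rc"
}

# Usage (script name hypothetical), with the CentOS path from the error
# message and the group name from the Debian recipe in the question:
#   sh check_lda.sh /usr/libexec/dovecot/dovecot-lda root secmail 4750
if [ "$#" -gt 0 ]; then
    check_setuid_binary "$@"
fi
```

Each mismatch is reported on its own line, so a 04755 binary fails only the "world-executable" and "mode" checks while a correctly owned 0750 file fails only the setuid checks. The group restriction is the "extra constraint" the question alludes to: with mode 04750 only members of the owning group can invoke the root-setuid binary, so the account Postfix runs the dovecot transport as (vmail here) must be a member of that group, and nobody else on the host can start it at all.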
 
Ashraf Hassanein (Author) commented:
Thanks that has solved the problem
 
Ashraf Hassanein (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for AshrafHassanein's comment #a39730836

for the following reason:

Accurate answer