Solved

Permission problem between postfix and dovecot

Posted on 2013-12-19
1,580 Views
Last Modified: 2014-01-05
I have dovecot and postfix on a CentOS-based server. Initially I had a problem receiving email, where dovecot-lda could not receive the email because of permissions; with the support of the dovecot site and the experts here I managed to change the permissions of the dovecot-lda file to match the advice on the website:

#chmod 04750 /usr/libexec/dovecot/dovecot-lda
#ls -l /usr/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root root 25144 Nov 22 16:10 /usr/libexec/dovecot/dovecot-lda

I then restarted both postfix and dovecot and got another problem, where I am getting the following error on delivery:
Dec 20 02:51:19 myserver postfix/pipe[25018]: EEB07DECFA: to=<myself@mydomain.com>, relay=dovecot, delay=17324, delays=17324/0.04/0/0.07, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /usr/libexec/dovecot/deliver: Permission denied )

I searched and found that /usr/libexec/dovecot/deliver is a symbolic link to /usr/libexec/dovecot/dovecot-lda and has the following permissions:

lrwxrwxrwx 1 root root 11 Dec 10 22:05 /usr/libexec/dovecot/deliver -> dovecot-lda

So it appears now that postfix can execute this file.
This file is configured as follows in postfix's master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
dovecot  unix  -             n            n           -           -             pipe
flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f $(sender) -d $(recipient)


So I have changed the permission to:
chmod 04755 /usr/libexec/dovecot/dovecot-lda

Now I have a warning:
Dec 20 03:02:48 myserver postfix/pipe[25121]: A5AE0DED09: to=<myself@mydomain.com>, relay=dovecot, delay=0.06, delays=0.04/0/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/libexec/dovecot/deliver must not be both world-executable and setuid-root. This allows root exploits. See http://wiki.dovecot.org/LDA#multipleuids )

Any idea how this can be solved?
Question by:Ashraf Hassanein
18 Comments
LVL 77

Expert Comment

by:arnold
ID: 39731070
Your ownership group might be the issue.
Secmail group.
Ref link below.

http://wiki2.dovecot.org/LDA
0
 

Author Comment

by:Ashraf Hassanein
ID: 39731306
Thanks, that helped a lot. I found many issues, so to solve them I did the following:
Well, my mail user is in vmail and secmail, so I did the following:
1- chgrp vmail /usr/libexec/dovecot/dovecot-lda
2- chmod 04750 /usr/libexec/dovecot/dovecot-lda
3- Add postfix user to vmail
4- And I think the main mistake was in my master.cf, so I changed:

dovecot  unix  -             n            n           -           -             pipe
flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f $(sender) -d $(recipient)

To

dovecot  unix  -             n            n           -           -             pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

The only problem right now is that when I execute any of the following commands I get "user or directory not found":


/usr/libexec/dovecot/dovecot-lda -a user
/usr/libexec/dovecot/dovecot-lda -a user@mydomain.com
/usr/libexec/dovecot/dovecot-lda -d user
/usr/libexec/dovecot/dovecot-lda -d user@mydomain.com

Can you tell me what I am doing wrong?
0
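The asker's fix above changed two things at once: the group in the master.cf user= attribute and the group owning dovecot-lda. The following added example (mine, not code from the thread or from Dovecot/Postfix) models why that combination matters: it parses the pipe(8) service entries from master.cf text, applies the plain Unix execute check for the user and group the service runs as, and applies the setuid-root/world-executable rule from the warning in the question. It assumes the pipe process carries exactly the user and group named in user=name:group and no supplementary groups, and it uses the thread's two master.cf entries and file modes as constructed input; the function names and finding strings are my own.

```python
"""Added example, not code from the thread: model the two checks that decide
whether a Postfix pipe(8) transport can start dovecot-lda, using the
master.cf entries and file modes from the thread as constructed input.
Assumptions of mine, not stated in the thread: the pipe process runs with
exactly the user and group named in 'user=name:group' (no supplementary
groups), and dovecot-lda refuses to run when it is setuid-root and
world-executable, as the warning in the question says."""
import re
import stat
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PipeService:
    name: str
    user: str
    group: Optional[str]   # None when user= has no ':group' part
    argv: str


def parse_master_cf_pipes(text: str) -> List[PipeService]:
    """Collect pipe(8) services: eight whitespace-separated columns, the
    eighth being the command and its arguments, continued on indented lines."""
    collected = []   # (service name, attribute fragments)
    attrs = None     # fragments of the pipe service currently being read
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():               # continuation line
            if attrs is not None:
                attrs.append(raw.strip())
            continue
        cols = raw.split(None, 7)
        if len(cols) < 8 or cols[7].split()[0] != "pipe":
            attrs = None                   # not a pipe service
            continue
        attrs = [cols[7][len("pipe"):].strip()]
        collected.append((cols[0], attrs))
    services = []
    for name, fragments in collected:
        blob = " ".join(f for f in fragments if f)
        user_m = re.search(r"\buser=(\S+)", blob)
        argv_m = re.search(r"\bargv=(.*)$", blob)
        if not user_m or not argv_m:
            raise ValueError(f"pipe service {name!r} lacks user= or argv=")
        user, _, group = user_m.group(1).partition(":")
        services.append(PipeService(name, user, group or None, argv_m.group(1)))
    return services


def lda_mode_verdict(mode: int, owner: str) -> str:
    """What dovecot-lda's own startup check says about its permission bits."""
    setuid_root = bool(mode & stat.S_ISUID) and owner == "root"
    if setuid_root and mode & stat.S_IXOTH:
        return "refused: setuid-root and world-executable"
    if setuid_root:
        return "setuid-root, execute restricted to owner and group"
    return "not setuid"


def unix_can_execute(mode: int, owner: str, group: str, user: str, user_group: str) -> bool:
    """Plain mode-bit execute check for a process with one uid and one gid."""
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if user_group == group:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def diagnose(master_cf: str, lda_mode: int, lda_owner: str, lda_group: str) -> List[str]:
    """Per dovecot pipe service, say whether delivery through the LDA can start."""
    findings = []
    for svc in parse_master_cf_pipes(master_cf):
        if "dovecot" not in svc.argv:
            continue
        verdict = lda_mode_verdict(lda_mode, lda_owner)
        findings.append(f"{svc.name}: LDA is {verdict}")
        if verdict.startswith("refused"):
            continue                       # execvp works, but the LDA exits at once
        if svc.group is None:
            findings.append(f"{svc.name}: user= names no group; primary group not modelled")
            continue
        who, target = f"{svc.user}:{svc.group}", f"{oct(lda_mode)} {lda_owner}:{lda_group}"
        if unix_can_execute(lda_mode, lda_owner, lda_group, svc.user, svc.group):
            findings.append(f"{svc.name}: {who} can execute {target}")
        else:
            findings.append(f"{svc.name}: {who} cannot execute {target} (execvp: Permission denied)")
    return findings


# Constructed input transcribed from the thread; the continuation line is
# indented as master.cf requires (the question's paste lost that indent).
MASTER_CF_BEFORE = """\
dovecot  unix  -  n  n  -  -  pipe
  flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
"""
MASTER_CF_AFTER = """\
dovecot  unix  -  n  n  -  -  pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
"""

if __name__ == "__main__":
    print(*diagnose(MASTER_CF_BEFORE, 0o4750, "root", "root"), sep="\n")
    print(*diagnose(MASTER_CF_BEFORE, 0o4755, "root", "root"), sep="\n")
    print(*diagnose(MASTER_CF_AFTER, 0o4750, "root", "vmail"), sep="\n")
```

Run against the thread's states, the model reproduces the sequence in the question: with 04750 root:root and user=vmail:mail the service's group (mail) matches neither the owner nor the group of the file and the "other" bits are empty, so execvp fails with Permission denied; with 04755 the file becomes world-executable and the LDA refuses to start; with the file regrouped to vmail and the service running as vmail:vmail the group-execute bit applies and delivery can proceed.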
 
LVL 77

Expert Comment

by:arnold
ID: 39732140
What does your postfix/dovecot use for the backend user management?
Since you use vmail, is mysql the user/domain repository?
0
 

Author Comment

by:Ashraf Hassanein
ID: 39732249
I am using the backend to store home and mail directories and login credentials for the mail server as well as the forum. I am not sure if I need it for quota as well or not, as the quota is not assigned per user but globally, but honestly I failed to configure it either way. The database was created in the first place with postfixadmin and it is a postgres db.
0
 

Author Comment

by:Ashraf Hassanein
ID: 39732256
Honestly I have strong doubts about my dovecot-sql.conf, as there is no clear explanation of how to configure it and what to write so that all the dovecot and doveadm attributes will work.
0
 
LVL 77

Expert Comment

by:arnold
ID: 39732379
Is postfix also using mysql for user info?
Dovecot just adds additional columns/rows/... to that.
0
 

Author Comment

by:Ashraf Hassanein
ID: 39732409
Yes postfix does that as well
0
 
LVL 77

Expert Comment

by:arnold
ID: 39732423
It seems that you are using a guide per component versus a single guide covering all the components.

A postfix + dovecot + mysql guide will provide you with a single guide to configure.

Does postfix use mysql to deliver messages?
Not sure whether your setup is such that postfix uses one database within mysql and dovecot uses another, versus both referencing the same database for user/homedir references.
0
 

Author Comment

by:Ashraf Hassanein
ID: 39732424
Here are the SQL files for both dovecot and postfix:
pgsql_virtual_alias_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = alias
    select_field = goto
    where_field = address
    additional_conditions = and active = '1'
    #query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

pgsql_virtual_domains_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = domain
    select_field = domain
    where_field = domain
    additional_conditions = and backupmx = '0' and active = '1'
    #query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

pgsql_virtual_mailbox_limit_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = mailbox
    select_field = quota
    where_field = username
    additional_conditions = and active = '1'
    #query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

pgsql_virtual_mailbox_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = mailbox
    select_field = maildir
    where_field = username
    additional_conditions = and active = '1'
    #query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'



dovecot-sql.conf

    driver = pgsql
    connect = host=localhost dbname=postfix user=postfix password=<Password>
    password_query =  SELECT username as user, password, '/home/vmail/%n'||'@'||'%d' as userdb_home, 'maildir:/var/vmail/%n'||'@'||'%d' as userdb_mail, 500 as userdb_uid, 500 as userdb_gid FROM mailbox WHERE username = '%n'||'@'||'%d' AND active = '1'
    user_query = SELECT '/home/vmail/%n' AS home, 'maildir:/home/vmail/'||'%n' AS mail, 500 AS uid, 500 AS gid, 'dirsize:storage=' || quota AS quota FROM mailbox WHERE username='%n'||'@'||'%d'
    # For using doveadm -A:
    iterate_query = SELECT username, domain FROM mailbox where username='%n'||'@'||'%d'
0

Author Comment

by:Ashraf Hassanein
ID: 39732427
Can you guide me what is wrong?
0
 

Author Comment

by:Ashraf Hassanein
ID: 39732502
I am using the same database for both
0
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 39732612
Postfix is right: if a program rewrites any file in the system as root, it should not try to execute it.

I have a file on my system in the same place with the same timestamp and a different size:

sha1sum
383aee1031992cb9c95ae7c71306e88378d9d303  /usr/libexec/dovecot/dovecot-lda
ls -l /usr/libexec/dovecot/dovecot-lda
-rwxr-xr-x 1 root root 18456 Nov 22 16:10 /usr/libexec/dovecot/dovecot-lda

Hell, your system is backdoored..

Install new one, due yesterday...
0
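The accepted answer reaches its conclusion by comparing the SHA-1 and size of dovecot-lda against a known-good copy and noticing that the timestamp matches while the size does not. The following added example (mine, not code from the thread or from rkhunter/chkrootkit) automates that comparison as a small baseline check: it records size, SHA-1, permission bits and mtime for a set of files and reports content changes, mode changes and a newly set setuid bit, calling out the case where content changed but the mtime was preserved. demo() builds a constructed scenario in a temporary directory using the two file sizes quoted in the thread (18456 and 25144 bytes); the path names, record layout and finding strings are my own.

```python
"""Added example, not code from the thread: a file-integrity baseline check
that automates the comparison gheist made by hand (sha1sum and ls -l of
dovecot-lda against a known-good copy).

It records size, SHA-1, permission bits and mtime per file and reports what
changed. Content that differs while the mtime is unchanged is flagged on its
own, because that is the pattern in the accepted answer: same timestamp,
different size. demo() builds a constructed scenario in a temporary
directory; paths and wording are my own choices."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple

Record = Tuple[int, str, int, int]   # (size, sha1 hex, permission bits, mtime seconds)


def fingerprint(path: str) -> Record:
    """Follow symlinks (deliver -> dovecot-lda) and fingerprint the real file."""
    st = os.stat(path)
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return (st.st_size, h.hexdigest(), stat.S_IMODE(st.st_mode), int(st.st_mtime))


def snapshot(paths: Iterable[str]) -> Dict[str, Record]:
    """Baseline or current state for a list of files."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> List[str]:
    """Human-readable findings, one per deviation from the baseline."""
    findings = []
    for path, (size, digest, mode, mtime) in baseline.items():
        if path not in current:
            findings.append(f"{path}: missing")
            continue
        c_size, c_digest, c_mode, c_mtime = current[path]
        if (c_size, c_digest) != (size, digest):
            # A preserved mtime with different content means the timestamp
            # was put back on purpose; ls -l alone would not show the change.
            note = "mtime preserved" if c_mtime == mtime else "mtime changed"
            findings.append(f"{path}: content changed, {size}->{c_size} bytes, {note}")
        if c_mode != mode:
            findings.append(f"{path}: mode {oct(mode)} -> {oct(c_mode)}")
            if c_mode & stat.S_ISUID and not mode & stat.S_ISUID:
                findings.append(f"{path}: setuid bit newly set")
    for path in current:
        if path not in baseline:
            findings.append(f"{path}: not in baseline")
    return findings


def demo() -> List[str]:
    """Constructed scenario: a stand-in binary is replaced by a larger one that
    keeps the old mtime and gains the setuid bit, as in the thread."""
    with tempfile.TemporaryDirectory() as d:
        lda = os.path.join(d, "dovecot-lda")
        with open(lda, "wb") as fh:
            fh.write(b"\x7fELF" + b"A" * 18452)      # 18456 bytes, the size of the stock file
        os.chmod(lda, 0o755)
        baseline = snapshot([lda])
        mtime_ns = os.stat(lda).st_mtime_ns
        with open(lda, "wb") as fh:
            fh.write(b"\x7fELF" + b"B" * 25140)      # 25144 bytes, the size in the question
        os.chmod(lda, 0o4750)
        os.utime(lda, ns=(mtime_ns, mtime_ns))       # put the old mtime back
        findings = compare(baseline, snapshot([lda]))
    return [f.replace(d, "<tmp>") for f in findings]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host the baseline would be taken right after installation and kept off the machine; for RPM-based systems the package manager's own verification data serves the same purpose, and the thread's suggestion to reinstall the package is the right response once the hash does not match.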
 

Author Comment

by:Ashraf Hassanein
ID: 39732712
Thank you so much for the support
0
 
LVL 77

Expert Comment

by:arnold
ID: 39732809
The difficulty is that it is not clear to me what is going on.

Your LDA permissions are once again root/root and do not have the setuid bit (4750).

Where did you get the dovecot package from?
0
 
LVL 61

Expert Comment

by:gheist
ID: 39733352
I got mine from yum install....
Probably the asker did too, and then somebody modified his and made it setuid...

PS: I'd recommend having some system integrity checks in place for the next system, like rkhunter or chkrootkit from Fedora's EPEL repository...
0
 

Author Comment

by:Ashraf Hassanein
ID: 39734578
Sorry for getting back so late, but I was struggling with fixing the problem.
The reason I needed to compile postfix is that the one from normal yum does not have support for mysql or postgres.
Now when I do doveadm -a user@mydomain.com I can see the quota there; however, I am a bit puzzled, as I understood earlier that if dovecot.conf has the quota mentioned in it, it will make use of the quota in the file and not from the database, correct? How can I make dovecot make use of the quota in the database? Shall I remove any existence of the quota in dovecot.conf? Or any other advice?
0
 
LVL 77

Expert Comment

by:arnold
ID: 39734891
Usually, mysql is compiled into the package.

Look at the dovecot config to deal with the examples.

http://wiki2.dovecot.org/Quota/Configuration
0
 
LVL 61

Expert Comment

by:gheist
ID: 39734977
dovecot-lda is from dovecot. Just reinstall dovecot:
yum reinstall dovecot

centosplus has one with postgresql support too (edit /etc/yum.repos.d/*.repo, enable=1 and exclude=kernel* in the respective place).

Postfix can easily enforce mbox file quotas, no need to invoke dovecot-lda.
0
