Solved

Permission problem between postfix and dovecot

Posted on 2013-12-19
18 Comments, 1,526 Views
Last Modified: 2014-01-05
I have dovecot and postfix on a CentOS based server. I had a problem initially in receiving the email, where dovecot-lda could not receive the email because of permissions. With the support of the dovecot site and experts here I managed to change the permissions of the dovecot-lda file to what the website advises:

#chmod 04750 /usr/libexec/dovecot/dovecot-lda
#ls -l /usr/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root root 25144 Nov 22 16:10 /usr/libexec/dovecot/dovecot-lda

And I restarted both postfix and dovecot and I got another problem where I am getting the following error in the delivery:
Dec 20 02:51:19 myserver postfix/pipe[25018]: EEB07DECFA: to=<myself@mydomain.com>, relay=dovecot, delay=17324, delays=17324/0.04/0/0.07, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /usr/libexec/dovecot/deliver: Permission denied )

I searched and I found that /usr/libexec/dovecot/deliver is a symbolic link to /usr/libexec/dovecot/dovecot-lda and has the following permissions:

lrwxrwxrwx 1 root root 11 Dec 10 22:05 /usr/libexec/dovecot/deliver -> dovecot-lda

So it appears now that postfix can execute this file.
This file is configured as follows in the master.cf of postfix:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
dovecot  unix  -             n            n           -           -             pipe
flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f $(sender) -d $(recipient)


So I have changed the permission to:
chmod 04755 /usr/libexec/dovecot/dovecot-lda

Now I have this warning:
Dec 20 03:02:48 myserver postfix/pipe[25121]: A5AE0DED09: to=<myself@mydomain.com>, relay=dovecot, delay=0.06, delays=0.04/0/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/libexec/dovecot/deliver must not be both world-executable and setuid-root. This allows root exploits. See http://wiki.dovecot.org/LDA#multipleuids )

Any idea how can this be solved?
Question by: Ashraf Hassanein

18 Comments
Expert Comment by arnold (LVL 76):
Your ownership group might be the issue.
Secmail group.
Ref link below.

http://wiki2.dovecot.org/LDA

Author Comment by Ashraf Hassanein:
Thanks, that helped a lot. I have found many issues, so to solve it I have done the following:
Well, my mail user is in vmail and secmail, so I did the following:
1- chgrp vmail /usr/libexec/dovecot/dovecot-lda
2- chmod 04750 /usr/libexec/dovecot/dovecot-lda
3- Add postfix user to vmail
4- And I think the main mistake was in my master.cf, so I changed:

dovecot  unix  -             n            n           -           -             pipe
flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f $(sender) -d $(recipient)

To

dovecot  unix  -             n            n           -           -             pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

The only problem right now is that when I execute any of the following commands I get user or directory not found:


/usr/libexec/dovecot/dovecot-lda -a user
/usr/libexec/dovecot/dovecot-lda -a user@mydomain.com
/usr/libexec/dovecot/dovecot-lda -d user
/usr/libexec/dovecot/dovecot-lda -d user@mydomain.com

Can you tell me what I am doing wrong?
Expert Comment by arnold (LVL 76):
What does your postfix/dovecot use for the backend user management?
Since you use vmail, is mysql the user/domain repository?

Author Comment by Ashraf Hassanein:
I am using the backend to store the home and mail directories and the login credentials for the mail server as well as for the forum. I am not sure if I need it for quota as well or not, as the quota is not assigned per user but globally, but honestly I failed to configure it either way. The database was created in the first place with postfixadmin and it is a postgres db.

Author Comment by Ashraf Hassanein:
Honestly, I have strong doubts about my dovecot-sql.conf, as there is no clear explanation of how to configure it and what to write so that all the dovecot and doveadm attributes will work.
Expert Comment by arnold (LVL 76):
Is postfix also using mysql for user info?
Dovecot just adds additional columns/rows/... to that.

Author Comment by Ashraf Hassanein:
Yes, postfix does that as well.
Expert Comment by arnold (LVL 76):
It seems that you are using a guide per component versus a single guide using all the components.

A postfix, dovecot, mysql guide will provide you with a single guide to configure.

Does postfix use mysql to deliver messages?
Not sure whether your setup is such that postfix uses one database within mysql and dovecot uses another, versus both referencing the same database for user/homedir references.

Author Comment by Ashraf Hassanein:
Here are the sql files for both dovecot and postfix:

pgsql_virtual_alias_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = alias
    select_field = goto
    where_field = address
    additional_conditions = and active = '1'
    #query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

pgsql_virtual_domains_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = domain
    select_field = domain
    where_field = domain
    additional_conditions = and backupmx = '0' and active = '1'
    #query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

pgsql_virtual_mailbox_limit_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = mailbox
    select_field = quota
    where_field = username
    additional_conditions = and active = '1'
    #query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

pgsql_virtual_mailbox_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = mailbox
    select_field = maildir
    where_field = username
    additional_conditions = and active = '1'
    #query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'



dovecot-sql.conf

    driver = pgsql
    connect = host=localhost dbname=postfix user=postfix password=<Password>
    # %n = local part and %d = domain of the login name; '%n'||'@'||'%d' rebuilds the full address
    password_query =  SELECT username as user, password, '/home/vmail/%n'||'@'||'%d' as userdb_home, 'maildir:/var/vmail/%n'||'@'||'%d' as userdb_mail, 500 as userdb_uid, 500 as userdb_gid FROM mailbox WHERE username = '%n'||'@'||'%d' AND active = '1'
    user_query = select '/home/vmail/%n'  as home, 'maildir:/home/vmail/'||'%n' as mail , 500 As uid , 500 as gid, 'dirsize:storage=' || quota AS quota from mailbox where username='%n'||'@'||'%d'
    # For using doveadm -A: the iteration must list every user, so no %n/%d placeholders here
    iterate_query = SELECT username AS user FROM mailbox WHERE active = '1'
Author Comment by Ashraf Hassanein:
Can you guide me what is wrong?

Author Comment by Ashraf Hassanein:
I am using the same database for both.
Accepted Solution by gheist (LVL 61, earned 500 total points):
Postfix is right - if a program rewrites any file in the system as root, it should not try to execute it.

I have a file on my system in the same place with the same timestamp and a different size:

sha1sum
383aee1031992cb9c95ae7c71306e88378d9d303  /usr/libexec/dovecot/dovecot-lda
ls -l /usr/libexec/dovecot/dovecot-lda
-rwxr-xr-x 1 root root 18456 Nov 22 16:10 /usr/libexec/dovecot/dovecot-lda

Hell your system is backdoored..

Install a new one, due yesterday...
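The refusal quoted in the question ("must not be both world-executable and setuid-root") is a self-check dovecot-lda performs before it delivers anything. The following POSIX shell script is an added example, not code from this thread or from Dovecot itself: it reproduces that permission test for any path you give it, follows symlinks so that the deliver -> dovecot-lda link is judged by the target's mode, and reports the owner, which is useful right after the reinstall gheist recommends (or from a cron job) to confirm the binary carries the intended 04750 and not 04755. The function and file names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): reproduce the
# permission test dovecot-lda applies to itself before delivering, so an
# admin can check the binary (or the "deliver" symlink pointing at it)
# without sending test mail.  The rule from the Dovecot LDA wiki page:
# a setuid-root LDA must not also be world-executable.

# lda_mode_status PATH
#   prints "unsafe"  -> setuid bit set AND world-executable (refused by the LDA)
#   prints "ok"      -> any other mode (e.g. 04750, or 0755 without setuid)
#   prints "missing" -> path does not exist
# Symlinks are followed (find -L), so /usr/libexec/dovecot/deliver ->
# dovecot-lda is judged by the target's mode, not the link's lrwxrwxrwx.
lda_mode_status() {
    f=$1
    [ -e "$f" ] || { echo missing; return 2; }
    # -perm -4001: every listed bit must be set: setuid (4000) and o+x (0001)
    if [ -n "$(find -L "$f" -perm -4001 -print 2>/dev/null)" ]; then
        echo unsafe
        return 1
    fi
    echo ok
    return 0
}

# lda_owner PATH: owner of the target file, taken from the third column of
# ls -lL (the L makes ls describe the link target rather than the link).
lda_owner() {
    ls -lLd "$1" | awk '{ print $3 }'
}

# lda_report PATH...: one line per path with the mode verdict and the owner,
# suitable for a post-install hook or a periodic integrity job.
lda_report() {
    for p in "$@"; do
        printf '%s: %s (owner %s)\n' "$p" "$(lda_mode_status "$p")" "$(lda_owner "$p")"
    done
}

# Stand-alone use: sh check-lda.sh /usr/libexec/dovecot/deliver
if [ $# -gt 0 ]; then
    lda_report "$@"
fi
```

A verdict of "ok" only says the mode combination the LDA rejects is absent; whether the file is root-owned with the mail group (the 04750 root:vmail layout the author settled on) still has to be read off the owner column, and the binary's hash should be compared against the package database after any reinstall.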

Author Comment by Ashraf Hassanein:
Thank you so much for the support.
Expert Comment by arnold (LVL 76):
The difficulty is that it is not clear to me what is going on.

Your LDA permissions are once again root/root and do not have the setuid bit (4750).

Where did you get the dovecot package from?
Expert Comment by gheist (LVL 61):
I got mine from yum install....
Probably the asker did too, and then somebody modified his and made it setuid...

PS: I'd recommend having some system integrity checks in place for the next system, like rkhunter or chkrootkit from Fedora's EPEL repository...

Author Comment by Ashraf Hassanein:
Sorry for getting back so late, but I was suffering in fixing the problem.
The reason I needed to compile postfix is that the one from normal yum does not have support for mysql or postgres.
Now when I do doveadm -a user@mydomain.com I can see the quota there. However, I am a bit puzzled: as I understood earlier, if dovecot.conf has the quota mentioned in it, it will make use of the quota in the file and not from the database, correct? How can I make dovecot use the quota in the database? Shall I remove any existence of the quota in dovecot.conf, or any other advice?
Expert Comment by arnold (LVL 76):
Usually, mysql is compiled into the package.

Look at the dovecot config to deal with the examples.

http://wiki2.dovecot.org/Quota/Configuration
Expert Comment by gheist (LVL 61):
dovecot-lda is from dovecot. Just reinstall dovecot...
yum reinstall dovecot

centosplus has one with postgresql support too (edit /etc/yum.repos.d/*.repo, enable=1 and exclude=kernel* in the respective place).

Postfix can easily enforce mbox file quotas, no need to invoke dovecot-lda.