Solved

Permission problem between postfix and dovecot

Posted on 2013-12-19
1,839 Views
Last Modified: 2014-01-05
I have dovecot and postfix on a CentOS based server. I had a problem initially in receiving the email, where dovecot-lda could not receive the email because of permissions; with the support of the dovecot site and experts here I managed to change the permissions of the dovecot-lda file as advised by the website:

#chmod 04750 /usr/libexec/dovecot/dovecot-lda
#ls -l /usr/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root root 25144 Nov 22 16:10 /usr/libexec/dovecot/dovecot-lda

And I restarted both postfix and dovecot and I got another problem where I am getting the following error in the delivery:
Dec 20 02:51:19 myserver postfix/pipe[25018]: EEB07DECFA: to=<myself@mydomain.com>, relay=dovecot, delay=17324, delays=17324/0.04/0/0.07, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /usr/libexec/dovecot/deliver: Permission denied )

I searched and I found that /usr/libexec/dovecot/deliver is a symbolic link to /usr/libexec/dovecot/dovecot-lda and has the following permissions:

lrwxrwxrwx 1 root root 11 Dec 10 22:05 /usr/libexec/dovecot/deliver -> dovecot-lda

So it appears now the postfix can execute this file.
This file is configured as per the following in the master.cf of the postfix:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
dovecot  unix  -             n            n           -           -             pipe
flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f $(sender) -d $(recipient)


So I have changed the permission to:
chmod 04755 /usr/libexec/dovecot/dovecot-lda

Now I have warning:
Dec 20 03:02:48 myserver postfix/pipe[25121]: A5AE0DED09: to=<myself@mydomain.com>, relay=dovecot, delay=0.06, delays=0.04/0/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/libexec/dovecot/deliver must not be both world-executable and setuid-root. This allows root exploits. See http://wiki.dovecot.org/LDA#multipleuids )

Any idea how can this be solved?
Question by:Ashraf Hassanein
18 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 39731070
Your ownership group might be the issue.
Secmail group
Ref link below.

http://wiki2.dovecot.org/LDA

Author Comment

by:Ashraf Hassanein
ID: 39731306
Thanks, that helped a lot. I have found many issues, so to solve them I have done the following:
Well my mail user is in vmail and secmail so I did the following:
1- chgrp vmail /usr/libexec/dovecot/dovecot-lda
2- chmod 04750 /usr/libexec/dovecot/dovecot-lda
3- Add postfix user to vmail
4- And I think the main mistake was in my master.cf, so I changed:

dovecot  unix  -             n            n           -           -             pipe
flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f $(sender) -d $(recipient)

To

dovecot  unix  -             n            n           -           -             pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

The only problem right now is that when I execute any of the following commands I get user or directory not found:


/usr/libexec/dovecot/dovecot-lda -a user
/usr/libexec/dovecot/dovecot-lda -a user@mydomain.com
/usr/libexec/dovecot/dovecot-lda -d user
/usr/libexec/dovecot/dovecot-lda -d user@mydomain.com

Can you tell me what I am doing wrong?
LVL 79

Expert Comment

by:arnold
ID: 39732140
What does your postfix/dovecot use for the backend user management?
since you use vmail, is mysql the user/domain repository?

Author Comment

by:Ashraf Hassanein
ID: 39732249
I am using the backend to store home and mail directories and login credentials for the mail server as well as the forum. I am not sure if I need it as well for quota or not, as the quota is not assigned per user but globally, but honestly I failed to configure it either way; the database was created in the first place with postfixadmin and it is a postgres db.

Author Comment

by:Ashraf Hassanein
ID: 39732256
Honestly I have strong doubts about my dovecot-sql.conf, as there is no clear explanation on how to configure it and what to write so that all the dovecot and doveadm attributes will work.
LVL 79

Expert Comment

by:arnold
ID: 39732379
Is postfix also using mysql for user info?
Dovecot just adds to that additional columns/rows/....

Author Comment

by:Ashraf Hassanein
ID: 39732409
Yes postfix does that as well
LVL 79

Expert Comment

by:arnold
ID: 39732423
It seems that you are using a guide per component versus a single guide using all the components.

A postfix, dovecot mysql will provide you with a single guide to configure.

Does postfix use mysql to deliver messages?
Not sure whether your setup is such that postfix uses one database within mysql and dovecot uses another, versus both referencing the same database for user/homedir references.

Author Comment

by:Ashraf Hassanein
ID: 39732424
Here are the sql files for both dovecot and postfix:

pgsql_virtual_alias_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = alias
    select_field = goto
    where_field = address
    additional_conditions = and active = '1'
    #query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

pgsql_virtual_domains_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = domain
    select_field = domain
    where_field = domain
    additional_conditions = and backupmx = '0' and active = '1'
    #query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

pgsql_virtual_mailbox_limit_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = mailbox
    select_field = quota
    where_field = username
    additional_conditions = and active = '1'
    #query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

pgsql_virtual_mailbox_maps.cf

    user = postfix
    password = <Password>
    hosts = localhost
    dbname = postfix
    table = mailbox
    select_field = maildir
    where_field = username
    additional_conditions = and active = '1'
    #query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'



dovecot-sql.conf

    driver = pgsql
    connect = host=localhost dbname=postfix user=postfix password=<Password>
    password_query =  SELECT username as user, password, '/home/vmail/%n'||'@'||'%d' as userdb_home, 'maildir:/var/vmail/%n'||'@'||'%d' as userdb_mail, 500 as userdb_uid, 500 as userdb_gid FROM mailbox WHERE username = '%n'||'@'||'%d' AND active = '1'
    user_query = select '/home/vmail/%n'  as home, 'maildir:/home/vmail/'||'%n' as mail , 500 As uid , 500 as gid, 'dirsize:storage=' || quota AS quota from mailbox where username=' n'||'@'||'%d'
    # For using doveadm -A:
    iterate_query = SELECT username, domain FROM mailbox where username='%n'||'@'||'%d'

Author Comment

by:Ashraf Hassanein
ID: 39732427
Can you guide me what is wrong?

Author Comment

by:Ashraf Hassanein
ID: 39732502
I am using the same database for both
LVL 62

Accepted Solution

by:gheist earned 2000 total points
ID: 39732612
Postfix is right - if program rewrites any file in system as root it should not try to execute it.

I have file on my system in same place with same timestamp and different size

sha1sum
383aee1031992cb9c95ae7c71306e88378d9d303  /usr/libexec/dovecot/dovecot-lda
ls -l /usr/libexec/dovecot/dovecot-lda
-rwxr-xr-x 1 root root 18456 Nov 22 16:10 /usr/libexec/dovecot/dovecot-lda

Hell your system is backdoored..

Install new one, due yesterday...
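As an added example (not code from the thread, Dovecot or Postfix), the script below classifies a dovecot-lda mode into the states this thread went through (04750 root:root with a vmail:mail pipe user, 04755, 04750 root:vmail with vmail:vmail, and the packaged 0755 without setuid) and then checks the binary against the RPM database, which is the reproducible form of the sha1sum/ls comparison above. It assumes the CentOS path /usr/libexec/dovecot/dovecot-lda and a pipe service running under the vmail group; the function names are mine.

```shell
#!/bin/sh
# Added example: classify a dovecot-lda mode the way Postfix and dovecot-lda
# react to it, then verify the file against the RPM database.
# Assumed: CentOS path below; pass the pipe service's group as $1 (default vmail).
LDA=/usr/libexec/dovecot/dovecot-lda

# lda_mode_verdict OCTAL_MODE OWNER GROUP PIPE_GROUP
# Returns 0 = usable and safe, 1 = dovecot-lda refuses to run (setuid-root and
# world-executable, or world-writable), 2 = Postfix gets execvp: Permission denied.
lda_mode_verdict() {
    m=$((0$1)); owner=$2; group=$3; pipe_group=$4   # leading 0 = octal
    setuid=$(( (m & 04000) != 0 ))
    world_x=$(( (m & 01) != 0 ))
    world_w=$(( (m & 02) != 0 ))
    group_x=$(( (m & 010) != 0 ))
    if [ "$world_w" -eq 1 ]; then
        echo "unsafe: $1 is world-writable"; return 1
    fi
    if [ "$setuid" -eq 1 ] && [ "$owner" = root ] && [ "$world_x" -eq 1 ]; then
        echo "unsafe: $1 is setuid-root and world-executable (dovecot-lda refuses it)"
        return 1
    fi
    # Without the world-execute bit the pipe user must get in through the group bit.
    if [ "$world_x" -eq 0 ] && { [ "$group_x" -eq 0 ] || [ "$group" != "$pipe_group" ]; }; then
        echo "unusable: $1 $owner:$group cannot be executed by group $pipe_group"
        return 2
    fi
    if [ "$setuid" -eq 1 ]; then
        echo "ok: $1 $owner:$group, setuid $owner, not world-executable"
    else
        echo "ok: $1 $owner:$group, no setuid (all mailboxes must use the pipe user's uid/gid)"
    fi
    return 0
}

# lda_package_check: rpm -Vf prints nothing and exits 0 while the file matches its
# package; a line like "SM5....T.  /usr/libexec/dovecot/dovecot-lda" means size,
# mode and digest changed. Returns 0 on match, 1 on mismatch.
lda_package_check() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available, package check skipped"; return 0; }
    if out=$(rpm -Vf "$LDA" 2>&1); then
        echo "package check: $LDA matches its package"; return 0
    fi
    echo "package check: modified files:"; echo "$out"; return 1
}

# Run against the live binary when present (|| : keeps the script from aborting).
if [ -e "$LDA" ]; then
    lda_mode_verdict "$(stat -c %a "$LDA")" "$(stat -c %U "$LDA")" \
        "$(stat -c %G "$LDA")" "${1:-vmail}" || :
    lda_package_check || :
fi
```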

Author Comment

by:Ashraf Hassanein
ID: 39732712
Thank you so much for the support
LVL 79

Expert Comment

by:arnold
ID: 39732809
The difficulty is that it is not clear to me what is going on.

Your LDA permissions are once again root/root and do not have the setuid bit 4750.

Where did you get the dovecot package from?
LVL 62

Expert Comment

by:gheist
ID: 39733352
I got mine from yum install....
Probably the asker too, and then somebody modified his and made it setuid...

PS I'd recommend having some system integrity checks in place for the next system, like rkhunter or chkrootkit from Fedora's EPEL repository...

Author Comment

by:Ashraf Hassanein
ID: 39734578
Sorry for getting back so late, but I was struggling to fix the problem.
The reason I needed to compile postfix is that the one from normal yum does not have support for mysql or postgres.
Now when I do doveadm -a user@mydomain.com I can see the quota there; however I am a bit puzzled, as I understood earlier that if dovecot.conf has the quota mentioned in it, it will make use of the quota in the file and not from the database, correct? How can I make dovecot make use of the quota in the database? Shall I remove any existence of the quota in dovecot.conf? Or any other advice?
LVL 79

Expert Comment

by:arnold
ID: 39734891
Usually, mysql is compiled into the package.

look at the dovecot config to deal with the examples.

http://wiki2.dovecot.org/Quota/Configuration
LVL 62

Expert Comment

by:gheist
ID: 39734977
dovecot-lda is from dovecot. just reinstall dovecot...
yum reinstall dovecot

centosplus has one with postgresql support too (edit /etc/yum.repos.d/*.repo, enable=1 and exclude=kernel* in respective place)

Postfix can easily enforce mbox file quotas, no need to invoke dovecot-lda