On Tue, Sep 25, 2007 at 09:07:24PM -0400, Bill Cole wrote:
> At 7:19 PM -0500 9/25/07, Rich Winkel imposed structure on a stream
> of electrons, yielding:

a flux of gibberish!!!

> >Does deliver run as root, as the recipient's ID, sendmail's ID or
> >sendmail's GID? (I'm running freebsd)
>
> Ideally, it should run SUID+SGID to a user and group that exist to
> make mail delivery permissions work. See
> http://wiki.dovecot.org/LDA/Sendmail and http://wiki.dovecot.org/LDA
>
> The key bit is on the main LDA page where it describes the master
> socket config and on the Sendmail page where it discusses 'non-root'
> sendmail setups, which is really applicable to all common setups of
> modern Sendmail.

Ok, I've done:

chown dovecot:dovecot /usr/local/libexec/dovecot/deliver
chmod ug+s /usr/local/libexec/dovecot/deliver

and set

socket listen {
  master {
    # Master socket provides access to userdb information. It's typically
    # used to give Dovecot's local delivery agent access to userdb so it
    # can find mailbox locations.
    path = /var/run/dovecot/auth-master
    mode = 0660
    # Default user/group is the one who started dovecot-auth (root)
    user = dovecot
    group = dovecot
  }

in dovecot.conf. Then I got:

deliver(userid): setgid(10) failed: Operation not permitted

So I tried

chown root:dovecot /usr/local/libexec/dovecot/deliver

and now it seems to be working ... I think!

> >Or am I totally clueless ??
>
> Well, the Mizzou address argues one way, but I'll give you the
> benefit of the doubt and say maybe not...
> :)

Doh! Walked right into that one :)

> The bottom line: make up a user and group to own the master socket,
> structure your inbox permissions so that deliver can run that way and
> write to them, and make deliver SUID/SGID.
>
> Structuring inbox permissions so that can work is a potentially
> complex problem.

So I see ...

Danke kindly,
Rich
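
Added example, not part of the original message or of Dovecot: a shell check that classifies an `ls -ln` line for the deliver binary by numeric owner and setuid/setgid bits, covering the two ownerships tried above. With root as owner, the setuid bit gives the process effective UID 0, which is why setgid(10) stopped failing. The sample lines are constructed, and UID/GID 143 for dovecot is an assumption.

```shell
#!/bin/sh
# Added example: classify a delivery agent binary from its `ls -ln` line.

# classify_lda MODE OWNER_UID -> prints one label
classify_lda() {
    mode=$1 owner_uid=$2
    # Characters 4, 7 and 10 of the mode string are the owner, group and
    # other execute slots; s/S marks setuid (slot 4) or setgid (slot 7).
    u=$(printf '%s' "$mode" | cut -c4)
    g=$(printf '%s' "$mode" | cut -c7)
    o=$(printf '%s' "$mode" | cut -c10)
    case $u in s|S) suid=yes ;; *) suid=no ;; esac
    case $g in s|S) sgid=yes ;; *) sgid=no ;; esac
    case $o in x|t) world=yes ;; *) world=no ;; esac

    if [ "$suid" = yes ] && [ "$owner_uid" = 0 ]; then
        # Effective UID 0 at exec: setgid()/setuid() to any ID succeeds.
        if [ "$world" = yes ]; then
            echo "setuid-root, executable by every local user"
        else
            echo "setuid-root, execution restricted"
        fi
    elif [ "$suid" = yes ] || [ "$sgid" = yes ]; then
        # Unprivileged IDs: setgid() to a foreign GID fails with EPERM.
        echo "setuid/setgid to unprivileged IDs"
    else
        echo "no setuid/setgid bits"
    fi
}

# classify_line LINE: LINE is one line of `ls -ln` output.
classify_line() {
    set -- $1    # split on whitespace: mode links uid gid size ...
    classify_lda "$1" "$3"
}

# Constructed samples; UID/GID 143 for dovecot is an assumption.
first='-r-sr-sr-x 1 143 143 123456 Sep 25 21:00 /usr/local/libexec/dovecot/deliver'
second='-r-sr-sr-x 1 0 143 123456 Sep 25 21:00 /usr/local/libexec/dovecot/deliver'
printf 'dovecot:dovecot -> %s\n' "$(classify_line "$first")"
printf 'root:dovecot    -> %s\n' "$(classify_line "$second")"
```

To check a live system, pass the real line instead: `classify_line "$(ls -ln /usr/local/libexec/dovecot/deliver)"`.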