Daniel,

Just wanted to respond back and let you know that changing permissions to dovecot:dovecot as you suggested seems to have resolved the issue; I've not seen any more occurrences of this error.

Thanks again for your assistance!

Chris

On Sun, March 3, 2013 5:13 pm, Daniel Parthey wrote:
> Hi Chris,
>
> Chris Richards wrote:
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0666
>>     user = postfix
>>   }
>>   unix_listener auth-userdb {
>>     group = vmail
>>     mode = 0600
>>     user = vmail
>>   }
>>   user = $default_internal_user
>> }
>
> In order for dovecot-lda to work, default internal user "dovecot"
> seems to need permission for the user listing. This should work,
> but you should try to narrow the permissions down:
>
> service auth {
>   unix_listener auth-userdb {
>     group = dovecot
>     mode = 0666
>     user = dovecot
>   }
> }
>
> Documentation http://wiki2.dovecot.org/LDA says:
>
> The auth-userdb socket can be used to do userdb lookups for given
> usernames or get a list of all users. Typically the result will contain
> the user's UID, GID and home directory, but depending on your
> configuration it may return other information as well. So the
> information is similar to what can be found from eg. /etc/passwd for
> system users. This means that it's probably not a problem to use
> mode=0666 for the socket, but you should try to restrict it more just
> to be safe.
>
>> hermes conf.d # stat /usr/libexec/dovecot/deliver
>> File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
>> Size: 11 Blocks: 0 IO Block: 4096 symbolic link
>> Device: 805h/2053d Inode: 267375 Links: 1
>> Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
>> Access: 2012-11-24 17:44:04.440976879 +0000
>> Modify: 2012-11-24 17:44:04.440976879 +0000
>> Change: 2012-11-24 17:44:04.440976879 +0000
>> Birth: -
>
> deliver is a symbolic link to dovecot-lda, so it's basically the same.
>
>> hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
>> File: '/usr/libexec/dovecot/dovecot-lda'
>> Size: 22432 Blocks: 48 IO Block: 4096 regular file
>> Device: 805h/2053d Inode: 849010 Links: 1
>> Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
>> Access: 2012-11-24 17:43:57.124794021 +0000
>> Modify: 2012-11-24 17:44:02.204920992 +0000
>> Change: 2012-11-24 17:44:04.444976978 +0000
>> Birth: -
>
> No setuid/setgid flags set.
>
>>
>> In Postfix master.cf, I have the following:
>>
>> dovecot unix - n n - - pipe
>>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
>
> I'm wondering why user=vmail:users does not have the desired effect
> and dovecot-lda uses the effective uid "dovecot" and effective gid
> "dovecot" to do the user lookups.
>
> Regards
> Daniel
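
An added example, not part of the original thread or of Dovecot itself: a small Python check that reads `service` blocks in the format quoted above and reports who can connect to each `unix_listener` socket, which is one way to verify that a listener's mode has actually been narrowed. The sample config is constructed from the settings quoted in the thread, the function names are this example's own, and it assumes Linux semantics, where connecting to a UNIX socket requires write permission on it.

```python
import re

# Constructed sample built from the listener settings quoted in the thread.
SAMPLE_CONF = """
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = dovecot
    mode = 0666
    user = dovecot
  }
  user = $default_internal_user
}
"""

def parse_listeners(conf):
    """Return {listener_name: {setting: value}} for each unix_listener block."""
    listeners, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"unix_listener\s+(\S+)\s*\{$", line)
        if m:
            current = listeners.setdefault(m.group(1), {})
        elif line == "}":
            current = None  # end of a listener (or of the enclosing service)
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return listeners

def exposure(mode):
    """Who may connect. Assumes Linux: connect() needs write permission."""
    if mode & 0o002:
        return "world"
    if mode & 0o020:
        return "group"
    return "owner"

def audit(conf):
    """Map listener name -> (user, group, mode, exposure) for explicit modes."""
    return {name: (s.get("user"), s.get("group"), s["mode"],
                   exposure(int(s["mode"], 8)))
            for name, s in parse_listeners(conf).items() if "mode" in s}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF).items():
        print(name, *finding)
```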