Hello,

If you want to reply to this mail, please send it directly to me.

I have found a big issue with the following command: "doveadm search -A". It
does, however, work by setting doveadm_worker_count = 0 in the dovecot.conf
configuration file.

The problem is that doveadm-server (or something similar) uses the privileges of
"nobody" and so it fails searching e-mails. Instead, the process also tries to
create a maildir for "nobody":

Debug: Namespace : /var/mail/nobody doesn't exist yet, using default permissions
Debug: Namespace : Using permissions from /var/mail/nobody: mode=0700 gid=default
Error: User initialization failed: Namespace '': mkdir(/var/mail/nobody) failed: Permission denied (euid=65534(nobody) egid=65534(nobody) missing +w perm: /var/mail, we're not in group 12(mail), dir owned by 0:12 mode=0775)
Error: search: User init failed
Error: userdb lookup: connect(/var/run/dovecot//auth-userdb) failed: Permission denied (euid=65534(nobody) egid=65534(nobody) missing +r perm: /var/run/dovecot//auth-userdb, we're not in group 12(mail), dir owned by 0:0 mode=0755)
Error: search: User lookup failed: Internal error occurred. Refer to server log for more information.

Even after setting permissions so that the process can create a maildir for
"nobody" in the /var/mail location, it fails to "setresgid" to the particular
user to be scanned.

It canĀ“t work because it is not possible to gain other user privileges from
another user.


# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux Gentoo Base System release 2.2

auth_cache_negative_ttl = xx mins
auth_cache_size = xx M
auth_cache_ttl = xx mins
auth_mechanisms = xx xx
auth_worker_max_count = xx
base_dir = /var/run/dovecot/
default_process_limit = xx
dict {
 expire = sqlite:/xx
}
doveadm_worker_count = 1
first_valid_gid = xx
first_valid_uid = xx
login_greeting = xx.xx
mail_location = maildir:/xx/xx/%u
mail_privileged_group = xx
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate

passdb {
 args = scheme=SHA512 /xx/xx/xx.xx
 driver = passwd-file
}

plugin {
 expire = xx
 expire2 = xx
 expire_dict = proxy::expire
 sieve = ~/.xx.xx
 sieve_dir = ~/.xx
}
protocols = imap sieve
service auth {
 unix_listener auth-client {
   group = xx
   mode = 0660
 }
 unix_listener auth-userdb {
   group = xx
   mode = 0660
 }
}
service dict {
 unix_listener dict {
   mode = 0666
 }
}
service imap-login {
 inet_listener imap {
   port = 0
 }
 process_limit = 6
 service_count = 1
}
ssl_cert = </xx/xx/xx/xx.xx.xx
ssl_key = </xx/xx/xx/xx.xx.xx
ssl_parameters_regenerate = xx days
userdb {
 driver = passwd
}
protocol lda {
 mail_plugins = sieve expire
}
protocol imap {
 imap_idle_notify_interval = xx mins
 mail_max_userip_connections = xx
 mail_plugins = expire
}

Regards

Sebastian Kricner


--
http://tuxwave.net -- the difference to think makes it real!
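The permission diagnostics quoted in the report above carry everything needed to confirm, without touching the server, that the failing process is an unprivileged identity hitting ordinary POSIX mode bits. The following triage script is an added example (not code from the reporter or from the Dovecot project): it parses the parenthesised "euid=... missing +X perm: ... dir owned by U:G mode=0NNN" diagnostic from sample log lines constructed from the report, evaluates the printed directory mode against the printed identity, and reports whether that directory alone explains the denial and whether a root (euid 0) process would have passed. The assumption that "dir owned by" describes the containing directory of the listed path is my reading of the message format; where the directory mode would not deny, the block flags that the denial comes from the object's own mode (for the auth-userdb socket, the report's config sets the listener to mode 0660 with a restricted group).

```python
import re

# Constructed sample: the permission errors from the report, each rejoined onto one line.
SAMPLE_LOG = """\
Error: User initialization failed: Namespace '': mkdir(/var/mail/nobody) failed: Permission denied (euid=65534(nobody) egid=65534(nobody) missing +w perm: /var/mail, we're not in group 12(mail), dir owned by 0:12 mode=0775)
Error: search: User init failed
Error: userdb lookup: connect(/var/run/dovecot//auth-userdb) failed: Permission denied (euid=65534(nobody) egid=65534(nobody) missing +r perm: /var/run/dovecot//auth-userdb, we're not in group 12(mail), dir owned by 0:0 mode=0755)
Error: search: User lookup failed: Internal error occurred. Refer to server log for more information.
"""

# Matches the EACCES diagnostic as it appears in the report; the "not " and the
# directory fields are read as described in the lead-in (assumption about the format).
PERM_RE = re.compile(
    r"euid=(?P<euid>\d+)\((?P<euser>[^)]*)\) egid=(?P<egid>\d+)\((?P<egroup>[^)]*)\) "
    r"missing \+(?P<perm>[rwx]) perm: (?P<path>.+?), "
    r"we're (?P<notin>not )?in group (?P<gid>\d+)\((?P<gname>[^)]*)\), "
    r"dir owned by (?P<owner>\d+):(?P<ogroup>\d+) mode=(?P<mode>[0-7]+)\)"
)

PERM_BIT = {"r": 4, "w": 2, "x": 1}


def mode_grants(mode, perm, owner, ogroup, euid, egid, in_group):
    """Classic POSIX mode-bit check for one identity against one object.

    root (euid 0) bypasses read/write checks; otherwise the owner, group or
    'other' triplet is selected exactly as the kernel would select it.
    """
    if euid == 0 and perm != "x":
        return True
    if euid == owner:
        triplet = (mode >> 6) & 7
    elif egid == ogroup or in_group:
        triplet = (mode >> 3) & 7
    else:
        triplet = mode & 7
    return bool(triplet & PERM_BIT[perm])


def parse_perm_errors(text):
    """Return one finding per parsable EACCES diagnostic in the given log text."""
    findings = []
    for line in text.splitlines():
        m = PERM_RE.search(line)
        if not m:
            continue
        euid, egid = int(m["euid"]), int(m["egid"])
        owner, ogroup = int(m["owner"]), int(m["ogroup"])
        mode = int(m["mode"], 8)
        # "we're in group G" with G == directory group means group bits apply.
        in_group = m["notin"] is None and int(m["gid"]) == ogroup
        dir_denies = not mode_grants(mode, m["perm"], owner, ogroup, euid, egid, in_group)
        findings.append({
            "path": m["path"],
            "perm": m["perm"],
            "euid": euid,
            "euser": m["euser"],
            "dir_mode": oct(mode),
            # True: the printed directory mode alone explains the denial.
            # False: the directory would allow it, so the listed object's own mode denies.
            "dir_denies": dir_denies,
            "root_would_pass": mode_grants(mode, m["perm"], owner, ogroup, 0, 0, False),
        })
    return findings


def explain(findings):
    """Human-readable triage lines, one per finding."""
    out = []
    for f in findings:
        where = "containing dir" if f["dir_denies"] else "object itself (dir would allow)"
        out.append(
            f"{f['path']}: +{f['perm']} denied to euid {f['euid']}({f['euser']}); "
            f"source: {where}; root would pass: {f['root_would_pass']}"
        )
    return out


if __name__ == "__main__":
    for line in explain(parse_perm_errors(SAMPLE_LOG)):
        print(line)
```

Run against the sample, both findings show that a euid-0 process would have passed, which is the same conclusion the report draws: the search itself is fine, the identity the worker runs under is not.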
