Hi list,
There's something I can't figure out with deliver as LDA configuration.
I'm working with Postfix and Dovecot.
I configured deliver as explained in the official doc, plus some
directives I found in the conf file or while googling to resolve my
issue:
dovecot.conf:
protocol lda {
  postmaster = em...@domain.com (actually working email)
  sendmail_path = /usr/sbin/sendmail
  auth_socket_path = /var/run/dovecot/auth-master
}
auth default {
  ...
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = nobody
    }
    ...
  }
}
postfix/main.cf:
virtual_transport = dovecot
postfix/master.cf:
dovecot unix - n n - - pipe
  flags=DRhu user=nobody argv=/usr/local/libexec/dovecot/deliver
  -f ${sender} -d ${recipient}
But mail is not delivered, and this produces the following log lines:
Apr 21 11:21:43 mail dovecot: deliver(em...@domain.com): Fatal:
setgid(125(postfix)) failed with euid=65534(nobody), gid=65534(nobody),
egid=65534(nobody): Operation not permitted
Apr 21 11:21:43 mail postfix/pipe[27550]: 21BBF9247DE:
to=<em...@domain.com>, relay=dovecot, delay=1179,
delays=1178/0.07/0/0.07, dsn=4.3.0, status=deferred (temporary failure)
I did a "ls" in case some permissions went wrong, but everything seems ok:
# ls -hal /var/run/dovecot [r...@mail]
total 8
drwxr-xr-x 3 root wheel 512B Apr 21 11:11 .
drwxr-xr-x 5 root wheel 512B Apr 21 11:11 ..
srw------- 1 nobody wheel 0B Apr 21 11:11 auth-master
srw------- 1 root wheel 0B Apr 21 11:11 auth-worker.27424
srwxrwxrwx 1 root wheel 0B Apr 21 11:11 dict-server
lrwx------ 1 root wheel 27B Apr 21 11:11 dovecot.conf -> /usr/local/etc/dovecot.conf
drwxr-x--- 2 root dovecot 512B Apr 21 11:11 login
-rw------- 1 root wheel 6B Apr 21 11:11 master.pid
Dovecot is using MySQL as the userdb backend, but I think auth process
must pass through this socket to authenticate through dovecot against
the MySQL server.
Everything works fine while using (postfix) virtual as LDA.
I think the setgid(125(postfix)) can be the problem, but the mailboxes
use this uid:
virtual_uid_maps = static:125
# ls -hal /usr/local/mailboxes/domain.com [r...@mail]
total 6
drwx------ 3 postfix postfix 512B Nov 2 15:40 .
drwx------ 3 postfix postfix 512B Nov 2 15:40 ..
drwx------ 14 postfix postfix 1.0K Apr 21 09:58 email
# cat /etc/passwd | grep 125 [r...@mail]
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
Maybe the use of postfix as mail owner was a bad idea and the problem
appears now that pipe(8) doesn't allow postfix as user.
If I'm right, how can I solve this issue?
--
Bastien Semene
Network & System Administrator
Cyanide Studio - FRANCE
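
Added example (not part of the original message): a small Python parser for the deliver Fatal line quoted above. It reports which ID switch was attempted, which account the process was running as, and whether that switch needed privileges the process did not hold. The sample log lines are constructed from the format shown in the message, and the names diagnose and SAMPLE_LOG are assumptions of this example.

```python
import re

# Format of the Fatal line that Dovecot's deliver logged in the message above.
FATAL_RE = re.compile(
    r"deliver\((?P<rcpt>[^)]*)\): Fatal: (?P<call>set[ug]id)"
    r"\((?P<want>\d+)\((?P<want_name>[^)]*)\)\) failed with "
    r"euid=(?P<euid>\d+)\((?P<euser>[^)]*)\), gid=(?P<gid>\d+)\([^)]*\), "
    r"egid=(?P<egid>\d+)\([^)]*\): (?P<err>.+)$"
)

def diagnose(line):
    """Return details of a failed ID switch, or None for unrelated lines."""
    m = FATAL_RE.search(line)
    if m is None:
        return None
    want, euid = int(m["want"]), int(m["euid"])
    held = {int(m["gid"]), int(m["egid"])}
    # Assumption: the saved set-group-ID is not logged, so only the
    # real and effective group IDs from the line are compared.
    if m["call"] == "setgid":
        needs_privilege = want not in held
    else:
        needs_privilege = want != euid
    return {
        "call": m["call"],
        "target": (want, m["want_name"]),
        "running_as": (euid, m["euser"]),
        # A non-root process may only "switch" to an ID it already holds.
        "unprivileged_switch": euid != 0 and needs_privilege,
        "error": m["err"],
    }

# Constructed sample lines (recipient and queue ID are placeholders).
SAMPLE_LOG = [
    "Apr 21 11:21:43 mail dovecot: deliver(user@example.com): Fatal: "
    "setgid(125(postfix)) failed with euid=65534(nobody), gid=65534(nobody), "
    "egid=65534(nobody): Operation not permitted",
    "Apr 21 11:21:43 mail postfix/pipe[27550]: QUEUEID: to=<user@example.com>, "
    "relay=dovecot, dsn=4.3.0, status=deferred (temporary failure)",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
```

When unprivileged_switch is true, the account given in the pipe(8) user= attribute differs from the uid/gid the userdb lookup returned, and deliver was not started with the privileges needed to change to it.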