On Wednesday, April 6, 2016 8:33 PM, Wietse Venema <wie...@porcupine.org> wrote:
>Next, have a look at the permissions of the saslauthd socket AND
>of its parent directories. Are the directories mode 755, is the
>socket mode 644? If it is group-restricted then that may not work.

I thought maildrop relied on its own authentication daemon (courier-authdaemon). I didn't have to change anything in saslauthd, only authdaemon.

Quoting from my previous mail:

>I ended up changing master.cf back as it was before (just user=vmail) and
>changing the file permissions of the directory /var/run/courier/authdaemon
>like this :
>
>root@messagerie[10.10.10.20] /var/run/courier # chmod o+xr authdaemon/
>
>So now I have
>
>root@messagerie[10.10.10.20] /var/run/courier # ls
>total 16K
>drwxr-xr-x 2 daemon daemon 100 Apr  5 14:22 authdaemon
>-rw-r--r-- 1 root   root     5 Apr  5 14:22 imapd.pid
>-rw------- 1 root   root     0 Mar  7 16:39 imapd.pid.lock
>-rw-r--r-- 1 root   root     5 Apr  5 14:22 imapd-ssl.pid
>-rw------- 1 root   root     0 Mar  7 16:39 imapd-ssl.pid.lock
>-rw-r--r-- 1 root   root     5 Apr  5 14:22 pop3d.pid
>-rw------- 1 root   root     0 Mar  7 16:39 pop3d.pid.lock
>-rw-r--r-- 1 root   root     5 Apr  5 14:22 pop3d-ssl.pid
>-rw------- 1 root   root     0 Mar  7 16:39 pop3d-ssl.pid.lock
>root@messagerie[10.10.10.20] /var/run/courier #
>[...]
>Now maildrop finally works but at the cost of exposing this directory to the
>world.

I don't know which is better though: to expose that directory to the world or to make maildrop setuid root? My reasoning is that if maildrop is exploited then the attacker can do anything. In contrast, if the /var/run/courier/authdaemon directory is compromised, and since my passwords are encrypted, the only security problem I could face is my encrypted passwords being stolen.

Yassine.
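The check Wietse asks for above (can an unprivileged client reach the socket through every parent directory?) can be scripted. The following is an added example, not code from this thread or from Courier/Postfix: it walks from a given base directory down to the socket and reports the first component whose "other" permission bits deny what a non-root, non-member client such as the vmail user needs: search (x) on each parent directory, read and write on the socket itself. The socket path `/var/run/courier/authdaemon/socket` in the usage comment is an assumption; the thread only names the directory. The function looks at the world bits only, so a directory that is reachable via group membership will still be reported as blocked, which is exactly the "group-restricted" case Wietse warns about.

```shell
#!/bin/sh
# Added example (not from the original thread): report the first path component
# whose "other" bits would stop an unprivileged client from using a socket.
# Relies only on POSIX ls(1): the first field of `ls -ld` is the mode string,
# whose characters 8-10 are the permissions for "other".

# other_bits PATH -> prints the three "other" permission characters, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_world_access TARGET [BASE]
# Checks every directory strictly below BASE (default "/") on the way to TARGET
# for the "other" search bit, then TARGET itself for other read+write.
# Returns 0 if a world client can reach and use TARGET, 1 otherwise, naming
# the blocking component on stdout.
check_world_access() {
    target=$1
    stop=${2:-/}
    # Collect parent directories, innermost last, stopping at BASE or "/".
    dir=$(dirname "$target")
    parents=""
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        parents="$dir $parents"
        dir=$(dirname "$dir")
    done
    for p in $parents; do
        # "x" or "t" (sticky + execute, as on /tmp) both mean search is allowed.
        case $(other_bits "$p") in
            ??[xt]) ;;
            *) echo "blocked: $p is not world-searchable: $(ls -ld "$p")"; return 1 ;;
        esac
    done
    case $(other_bits "$target") in
        rw?) return 0 ;;
        *) echo "blocked: $target is not world-readable+writable: $(ls -ld "$target")"; return 1 ;;
    esac
}

# Usage (assumed socket name; adjust to what `ls -l /var/run/courier/authdaemon` shows):
#   check_world_access /var/run/courier/authdaemon/socket
```

Run it as the user that fails (or compare its output before and after a `chmod o+x` on a directory) to see which component was responsible; a fix that only opens the last directory is not enough if an ancestor also lacks the search bit.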