[Dovecot] LDA and auth-userdb socket permissions

Timo Sirainen tss at iki.fi
Tue Aug 23 19:43:56 EEST 2011

On 23.8.2011, at 19.37, a.smith at ukgrid.net wrote:

>> No, that's the least of its troubles. If you can't run dovecot-lda as root, it won't be able to change its UID to the user's UID (and so won't have enough permissions to be able to write mails to user's mailbox). So you need to run dovecot-lda as root in some way, and after that it becomes pretty much irrelevant what auth-userdb's permissions are.
> Hmmm, well in my setup dovecot-lda is called from Exim with "user=" set to a MySQL query.

Are you sure you even need Dovecot to do a userdb lookup then? If Exim can set up also the other needed things (home dir?) it shouldn't be necessary.

> I'd guess that that means Exim runs dovecot-lda as the user directly so I don't have the issue you mention above. But where the permission on the auth-userdb socket are root:vmail 0660, the dovecot-lda is called as vmail and the vmail user is a member of the vmail group I get the error:
> Aug 11 03:38:06 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=25110(vmail) egid=25110(vmail) missing +r perm: /var/run/dovecot/auth-userdb, euid is not dir owner)

Hmm. So if dovecot-lda is running as vmail group and /var/run/dovecot/auth-userdb has group=vmail and 0660 permissions, this error shouldn't happen. Check two things:

1) ls -ln /var/run/dovecot/auth-userdb actually shows group as 25110 and mode being 0660

2) If you've any SELinux or app-armor stuff enabled, try disabling them
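The error in the quoted log line comes from Dovecot's own diagnostics for a failed connect() on the auth-userdb socket: a process needs search (+x) on every parent directory and then read/write on the socket file itself, and which permission class applies depends on whether the euid owns the file or one of the process's gids matches the file's group. The following script is an added example (not Dovecot's or Exim's code) that models exactly that check over a small constructed filesystem table so the two cases Timo asks to verify can be reasoned about offline: the socket really being group 25110 with mode 0660, versus the group being something else. It models plain Unix DAC only; ACLs, SELinux and AppArmor (check 2) are outside what it can see, and the hint wording after each path is this example's own approximation of Dovecot's "euid is not dir owner" suffix.

```python
import stat

# Permission bits as used in each mode triplet (owner, group, other).
R, W, X = 4, 2, 1

# Constructed sample filesystem: path -> (st_mode, st_uid, st_gid).
# Mirrors the thread's setup: root-owned 0755 directories and the auth-userdb
# socket owned root:vmail, mode 0660, with vmail uid/gid 25110.
SAMPLE_FS = {
    "/": (stat.S_IFDIR | 0o755, 0, 0),
    "/var": (stat.S_IFDIR | 0o755, 0, 0),
    "/var/run": (stat.S_IFDIR | 0o755, 0, 0),
    "/var/run/dovecot": (stat.S_IFDIR | 0o755, 0, 0),
    "/var/run/dovecot/auth-userdb": (stat.S_IFSOCK | 0o660, 0, 25110),
}


def effective_bits(mode, uid, gid, euid, egids):
    """rwx bits a process with euid/egids gets on an inode under plain Unix DAC.

    The first matching class wins (owner, then group, then other), so a group
    member gets the group bits even when 'other' would grant more. Root
    bypasses the check entirely here (ACLs and MAC systems are not modelled).
    """
    if euid == 0:
        return R | W | X
    if uid == euid:
        return (mode >> 6) & 7
    if gid in egids:
        return (mode >> 3) & 7
    return mode & 7


def _hint(uid, gid, euid, egids):
    """Say which permission class applied (this example's own wording)."""
    if uid == euid:
        return "euid is owner"
    if gid in egids:
        return "euid is not owner, but an egid is in the file's group"
    return "euid is not owner and no egid matches the file's group"


def explain_eacces(path, euid, egids, want=R | W, fs=SAMPLE_FS):
    """List 'missing +? perm: <path>, <hint>' strings for a connect() to the
    Unix socket at `path` by a process with the given euid and gids.

    Every parent directory needs +x; the socket itself needs the bits in
    `want` (Dovecot's log line shows it wanting +r as well as +w).
    An empty list means the DAC check passes.
    """
    egids = set(egids)
    problems = []
    parts = [p for p in path.split("/") if p]
    dirs, cur = ["/"], ""
    for name in parts[:-1]:
        cur += "/" + name
        dirs.append(cur)
    for d in dirs:
        mode, uid, gid = fs[d]
        if not effective_bits(mode, uid, gid, euid, egids) & X:
            problems.append(f"missing +x perm: {d}, {_hint(uid, gid, euid, egids)}")
    mode, uid, gid = fs[path]
    have = effective_bits(mode, uid, gid, euid, egids)
    for bit, letter in ((R, "r"), (W, "w"), (X, "x")):
        if want & bit and not have & bit:
            problems.append(f"missing +{letter} perm: {path}, {_hint(uid, gid, euid, egids)}")
    return problems


if __name__ == "__main__":
    sock = "/var/run/dovecot/auth-userdb"
    # Intended setup: vmail (25110) in group vmail (25110) -> connect allowed.
    print("vmail, group ok:", explain_eacces(sock, 25110, [25110]) or "OK")
    # What check 1 would reveal if `ls -ln` showed the socket as root:root.
    wrong_group = dict(SAMPLE_FS)
    wrong_group[sock] = (stat.S_IFSOCK | 0o660, 0, 0)
    print("vmail, socket root:root:", explain_eacces(sock, 25110, [25110], fs=wrong_group))
```

Feed it the uid, gids and `ls -ln` output of the real host to see which of the two classes of failure you have: if the model says access is fine but connect() still reports EACCES, the remaining suspects are precisely the things it does not model, which is the point of check 2.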
