[Dovecot] Random LDA failure to access auth socket

Chris Richards gizmo at giz-works.com
Tue Mar 19 05:07:15 EET 2013


Daniel,
Just wanted to respond back and let you know that changing permissions to
dovecot:dovecot as you suggested seems to have resolved the issue; I've
not seen any more occurrences of this error.

Thanks again for your assistance!

Chris

On Sun, March 3, 2013 5:13 pm, Daniel Parthey wrote:
> Hi Chris,
>
> Chris Richards wrote:
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0666
>>     user = postfix
>>   }
>>   unix_listener auth-userdb {
>>     group = vmail
>>     mode = 0600
>>     user = vmail
>>   }
>>   user = $default_internal_user
>> }
>
> In order for dovecot-lda to work, default internal user "dovecot"
> seems to need permission for the user listing. This should work,
> but you should try to narrow the permissions down:
>
> service auth {
>   unix_listener auth-userdb {
>     group = dovecot
>     mode = 0666
>     user = dovecot
>   }
> }
>
> Documentation http://wiki2.dovecot.org/LDA says:
>
> The auth-userdb socket can be used to do userdb lookups for given usernames
> or get a list of all users. Typically the result will contain the user's
> UID, GID and home directory, but depending on your configuration it may
> return other information as well. So the information is similar to what can
> be found from eg. /etc/passwd for system users. This means that it's
> probably not a problem to use mode=0666 for the socket, but you should try
> to restrict it more just to be safe.
>
>> hermes conf.d # stat /usr/libexec/dovecot/deliver
>>   File: '/usr/libexec/dovecot/deliver' -> 'dovecot-lda'
>>   Size: 11              Blocks: 0          IO Block: 4096   symbolic link
>> Device: 805h/2053d      Inode: 267375      Links: 1
>> Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
>> Access: 2012-11-24 17:44:04.440976879 +0000
>> Modify: 2012-11-24 17:44:04.440976879 +0000
>> Change: 2012-11-24 17:44:04.440976879 +0000
>>  Birth: -
>
> deliver is a symbolic link to dovecot-lda, so it's basically the same.
>
>> hermes conf.d # stat /usr/libexec/dovecot/dovecot-lda
>>   File: '/usr/libexec/dovecot/dovecot-lda'
>>   Size: 22432           Blocks: 48         IO Block: 4096   regular file
>> Device: 805h/2053d      Inode: 849010      Links: 1
>> Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
>> Access: 2012-11-24 17:43:57.124794021 +0000
>> Modify: 2012-11-24 17:44:02.204920992 +0000
>> Change: 2012-11-24 17:44:04.444976978 +0000
>>  Birth: -
>
> No setuid/setgid flags set.
>
>> >> In Postfix master.cf, I have the following:
>> >> dovecot   unix -        n       n       -       -       pipe
>> >>   flags=DRhu user=vmail:users argv=/usr/libexec/dovecot/deliver -f
>> >> ${sender} -d ${user}@${nexthop}
>
> I'm wondering why user=vmail:users does not have the desired effect
> and dovecot-lda uses the effective uid "dovecot" and effective gid
> "dovecot" to do the user lookups.
>
> Regards
> Daniel
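A permissions check in the spirit of Daniel's advice to narrow the auth-userdb socket, added here as an example that is not part of the thread or of Dovecot: it audits a unix listener's owner, group and mode, flags a world-writable (0666) socket, and compares against a tighter policy. The demo sockets it creates and the dovecot:dovecot expectation are constructed stand-ins, not a live Dovecot installation.

```python
import grp
import os
import pwd
import socket
import stat
import tempfile

def _name(lookup, ident, attr):  # uid/gid to name, numeric fallback
    try:
        return getattr(lookup(ident), attr)
    except KeyError:
        return str(ident)

def audit_unix_listener(path, expected_user, expected_group, max_mode=0o660):
    """Return a list of findings; an empty list means the listener matches policy."""
    try:
        st = os.lstat(path)  # lstat: a symlink planted in place of the socket is a finding
    except FileNotFoundError:
        return [f"{path}: not found (is the auth service running?)"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path}: not a unix socket")
    user = _name(pwd.getpwuid, st.st_uid, "pw_name")
    group = _name(grp.getgrgid, st.st_gid, "gr_name")
    if user != expected_user:
        findings.append(f"{path}: owner is {user}, expected {expected_user}")
    if group != expected_group:
        findings.append(f"{path}: group is {group}, expected {expected_group}")
    perm = stat.S_IMODE(st.st_mode)
    if perm & stat.S_IWOTH:
        findings.append(f"{path}: mode {perm:04o} is world-writable, narrow it")
    elif perm & ~max_mode:
        findings.append(f"{path}: mode {perm:04o} is wider than {max_mode:04o}")
    return findings

def make_demo_socket(directory, name, mode):  # constructed stand-in for auth-userdb
    path = os.path.join(directory, name)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.bind(path)
    os.chmod(path, mode)
    return path

def demo():  # a 0666 socket checked against dovecot:dovecot, then a 0660 one against its real owner
    with tempfile.TemporaryDirectory() as d:
        loose = audit_unix_listener(make_demo_socket(d, "auth-userdb", 0o666), "dovecot", "dovecot")
        tight_path = make_demo_socket(d, "auth-userdb.tight", 0o660)
        st = os.lstat(tight_path)
        tight = audit_unix_listener(tight_path, _name(pwd.getpwuid, st.st_uid, "pw_name"),
                                    _name(grp.getgrgid, st.st_gid, "gr_name"))
    return loose, tight
```

On a real host, point `audit_unix_listener` at the listener path from `dovecot -n` (for example the auth-userdb socket under Dovecot's base_dir) with the user and group the config sets.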
