Re: [exim] New install EXIM + Dovecot - auth permission error

2023-02-01 Thread Andreas Metzler via Exim-users
On 2023-02-01 Gary Stainburn via Exim-users wrote:
> Hi folks.

> I'm setting up Dovecot and local user accounts on an existing Centos 7 +
> EXIM install.
[...]
> However, when I try authenticate as a user, the following errors get logged:

> 2023-02-01 12:50:11 dovecot_login authenticator failed for hub.
> ([10.1.1.103]) [**.**.**.**]: 435 Unable to authenticate at present: unable
> to connect to UNIX socket (/var/run/dovecot/auth-client): Permission denied

> The socket exists, but does not have suitable permissions.

> [root@vps2 exim]# ll /var/run/dovecot/auth-client
> srw---. 1 dovecot root 0 Feb  1 11:47 /var/run/dovecot/auth-client
> [root@vps2 exim]#

> Is it simply a case of changing ownership / permissions, and if so, what do
> I change them to?

> If not, can anyone tell me what I need to do please.

On Debian I have configured dovecot to open a socket for exim with
exim-tailored permissions:
/etc/dovecot/conf.d/10-master.conf
[...]
### SASL listener for exim start
  # SASL exim
  unix_listener /var/spool/exim4/dovecot.auth-client {
    mode = 0660
    group = Debian-exim
  }
### SASL listener for exim end

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] New install EXIM + Dovecot - auth permission error

2023-02-01 Thread Odhiambo Washington via Exim-users
On Wed, Feb 1, 2023 at 7:12 PM Slavko via Exim-users wrote:

> On 1 February 2023 13:39:26 UTC, user nb via Exim-users <exim-users@exim.org> wrote:
>
> >I think it should be:
> >srw-rw dovecot 
> > being the group that exim user runs under.
>
> Or simple 666 rights, if one needs access (auth) from multiple
> daemons. It depends, of course, on the particular environment...
>
> regards
>


I solved this issue with running Exim with exim_user=mailnull, same to
dovecot also running as mailnull.
I said to myself, mailnull has no shell; Exim and Dovecot handle the same
email. What else can go wrong?
Exim gets compromised, Dovecot too suffers?? Let them suffer :-)

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)


Re: [exim] New install EXIM + Dovecot - auth permission error

2023-02-01 Thread Slavko via Exim-users
On 1 February 2023 13:39:26 UTC, user nb via Exim-users wrote:

>I think it should be:
>srw-rw dovecot 
> being the group that exim user runs under.

Or simple 666 rights, if one needs access (auth) from multiple
daemons. It depends, of course, on the particular environment...

regards


-- 
Slavko
https://www.slavino.sk/



Re: [exim] New install EXIM + Dovecot - auth permission error

2023-02-01 Thread nb via Exim-users
On 2023-02-01 13:02, Gary Stainburn via Exim-users wrote:
> 
> [root@vps2 exim]# ll /var/run/dovecot/auth-client
> srw---. 1 dovecot root 0 Feb  1 11:47 /var/run/dovecot/auth-client

I think it should be:
srw-rw dovecot 
 being the group that exim user runs under.



Re: [exim] New install EXIM + Dovecot - auth permission error

2023-02-01 Thread Heiko Schlittermann via Exim-users
Hi,

I may be totally wrong, but…

Gary Stainburn via Exim-users (Wed 01 Feb 2023 14:02:06 CET):
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
> 
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1

Sure about $auth1? Isn't it $auth2 in case of the PLAIN driver?

> 2023-02-01 12:50:11 dovecot_login authenticator failed for hub.
> ([10.1.1.103]) [**.**.**.**]: 435 Unable to authenticate at present: unable
> to connect to UNIX socket (/var/run/dovecot/auth-client): Permission denied

Yes, Exim connects to the socket as the Exim runtime user, but the
permissions on the socket are way too tight.

I think, either set the socket to 666, or make 660 and assign it to a
group, Exim belongs to (though I'm not sure, if Exim "joins" its
supplementary groups (aka initgroups(3)) for auth purpose.)

I'm not sure about the security impact of widening the permissions on
this socket. In theory it can be used to do mass-checking of auth
credentials.

The permissions and ownership of the socket can be set in the dovecot
config file.

-- 
Heiko




Re: [exim] New install EXIM + Dovecot - auth permission error

2023-02-01 Thread Jeremy Harris via Exim-users

On 01/02/2023 13:26, Heiko Schlittermann via Exim-users wrote:

> Sure about $auth1? Isn't it $auth2 in case of the PLAIN driver?


Not for the dovecot driver (only for the plaintext driver).
$auth1 is correct here.
--
Cheers,
  Jeremy

