On 19. May 2020, at 17.34, Joseph Nahmias <j...@nahmias.net> wrote:
> 
> I have my machine configured to run fetchmail via cron, which retrieves my
> emails from various different services. My .forward then sends all mail through
> procmail, for filtering, sorting into folders, etc... Procmail then calls the
> dovecot-lda program to actually deliver the mail using the .procmailrc config
> line DELIVER="/usr/lib/dovecot/deliver -d $LOGNAME". I can then access my mail
> via dovecot using a standard IMAP client.
> 
> The problem:
> 
> I recently upgraded my machine from stretch to buster, bringing with it a new
> version of dovecot. Now, the fetchmail cron job is throwing errors like the
> following:
> 
> lda($USER,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
> 
> I see that the stats-writer socket is owned by root:dovecot with 0660
> permissions. Should the dovecot-lda program be set as setgid dovecot to allow
> it to write to the socket? How is this socket really used? Are there any
> security considerations I should be aware of prior to doing this?

In newer versions you could disable this with "stats_writer_socket_path=" but 
not with v2.3.4.

I don't recommend setting dovecot-lda as setgid - it's not hardened for it. A 
safer way is to just make stats-writer world-writable, there's not that much 
harm that anyone can do with it (just mess up statistics and maybe cause it to 
waste memory / crash).

service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}

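A check for the outcome recommended in the reply above, as an added example that is not part of the original message or of Dovecot: it confirms the stats-writer listener is a socket with the configured mode and that the dovecot-lda binary carries no setuid/setgid bit. The function names are hypothetical, and demo() runs against constructed stand-in files in a temporary directory so it works on a machine without Dovecot.

```python
import os
import socket
import stat
import tempfile


def audit_listener(path, want_mode=0o666):
    """Findings for the stats-writer listener; an empty list means it is as configured."""
    st = os.stat(path)
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path}: not a unix socket")
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {want_mode:04o}")
    return findings


def audit_lda(path):
    """Flag setuid/setgid bits on the dovecot-lda binary."""
    st = os.stat(path)
    names = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
    return [f"{path}: {name} bit is set" for bit, name in names if st.st_mode & bit]


def demo():
    """Run both checks against constructed stand-ins in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "stats-writer")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        os.chmod(sock_path, 0o660)   # mode from the report
        before = audit_listener(sock_path)
        os.chmod(sock_path, 0o666)   # mode from the suggested config
        after = audit_listener(sock_path)
        lda = os.path.join(tmp, "deliver")
        open(lda, "w").close()
        os.chmod(lda, 0o755)
        plain = audit_lda(lda)
        os.chmod(lda, 0o2755)        # constructed setgid case
        flagged = audit_lda(lda)
        srv.close()
        return before, after, plain, flagged


if __name__ == "__main__":
    labels = ("0660 socket", "0666 socket", "plain lda", "setgid lda")
    for label, result in zip(labels, demo()):
        print(f"{label}: {result or 'ok'}")
```

On a real host, call audit_listener("/var/run/dovecot/stats-writer") and audit_lda("/usr/lib/dovecot/deliver") after reloading Dovecot; both paths are the ones quoted in the thread.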