-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 1 Jan 2013, Torpey List wrote:
> Dovecot-lda – I have had issues getting it configured.
What issues? If you were trying to get the LDA to deliver to /var/mail,
it's possible you were running into permissions problems. The best
solution is to deliver into the mdbox instead, or just leave Sendmail to
deliver to /var/mail.
> Sendmail changes
> FEATURE(`local_procmail', `/usr/libexec/dovecot/dovecot-lda',
>         `/usr/libexec/dovecot/dovecot-lda -d $u')
> MODIFY_MAILER_FLAGS(`LOCAL', `-f')
> MAILER(procmail)dnl
I do use:
FEATURE(`local_procmail', `/etc/mail/smrsh/dovecot-deliver',
`/etc/mail/smrsh/dovecot-deliver -f $g -d $u -m $h')dnl
Note, you need a symlink in your "smrsh"-directory anyway.
> The option that has gone the furthest is *Making dovecot-lda setuid-root*.
I don't use a setuid-root LDA.
> However, I have errors. Here are the permissions.
> -rwxr-xr-x. 1 root secmail 26512 Aug 18 2011 /usr/libexec/dovecot/dovecot-lda
Your LDA is not setuid-root ;-)
> srw-------. 1 mail root 0 Jan 1 08:39 /var/run/dovecot/auth-userdb
Do you need to protect /var/run/dovecot/auth-userdb that tightly? I mean, is
this server used by users via ssh or something? Otherwise set the Unix
permissions of that socket so that any system user can read from it (i.e.
0666).
Maybe put all mail users into the same group and use 0660. Change the group
of auth-userdb to mail ... .
> Errors.....
> ==> /var/log/maillog <==
> Jan 1 08:24:02 nala sendmail[20154]: r01EO2qc020154: from=<[email protected]>, size=5723, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.168.1.152]
> Jan 01 08:24:02 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=0(root) egid=0(root) missing +r perm: /var/run/dovecot/auth-userdb, euid is dir owner)
> Jan 01 08:24:02 lda: Fatal: Internal error occurred. Refer to server log for more information.
That error seems to indicate a Dovecot permission check failure, but IMHO
root is allowed to connect always. You could try to chmod +x
/var/run/dovecot/auth-userdb, the x-perm disables the check of Dovecot.
> Jan 1 08:24:02 nala sendmail[20155]: r01EO2qc020154: [email protected], delay=00:00:00, xdelay=00:00:00, mailer=local, pri=35889, dsn=4.0.0, stat=Deferred: local mailer (/usr/libexec/dovecot/dovecot-lda) exited with EX_TEMPFAIL
> ==> /var/log/messages <==
> Jan 1 08:24:02 nala kernel: type=1400 audit(1357050242.947:42): avc: denied { dac_override } for pid=20156 comm="dovecot-lda" capability=1 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
> Jan 1 08:24:02 nala kernel: type=1400 audit(1357050242.947:43): avc: denied { dac_override } for pid=20156 comm="dovecot-lda" capability=1 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
> Jan 1 08:24:02 nala kernel: type=1400 audit(1357050242.947:44): avc: denied { dac_read_search } for pid=20156 comm="dovecot-lda" capability=2 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
Is this an AppArmor / SELinux entry?? Did you configure your policy?
Security policies would overrule Unix and Dovecot permission checks.
> So, the error appears to be related to /var/run/dovecot/auth-userdb. I
> have made various permission and owner changes; however, restarting
> dovecot always returns it to the permissions above. So, even if I find
> a combination that works, dovecot is going to put it back.
You can change the default permission and ownership in the config file.
Regards,
- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUOUtBmoxLS8a3A9mAQKpMwgAsZ1UmJAMcmjWul1fx8MsMZk4TEHeOT8E
Ns7HaVnizwooYiDy1bY2jGrhG8xegCXzC7fpWqCXloji7qmVoe5prqLhZsTIpusc
wpXf9VAnQ38Fbm4hRj+75zPBIxUYBO7/ulIZsLPkZhRII9WK+QGNNrJnP6ycNcqn
+4supaV0AR3KC8uLntfBsrgBWz+2/ZNJu+yZUFpyZpGJHKBkqsaEk7cDnhgHQCzE
lhk05MNP+w13QKFb9ZPi9/tv3bhEkBr4R9yA4/xp+Nk7JnrY8ry8Oy2guMXda0a8
Iym6Qgt9XfUFAQ+Urujbu1OlI5KiRIcJV+EyRdM4uVcmAmVZAtI3ow==
=K9zr
-----END PGP SIGNATURE-----
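The thread turns on two overlapping checks: the classic Unix bits on the auth-userdb socket, and an SELinux policy that denied dovecot-lda the dac_override capability root would normally rely on to ignore those bits. The script below is an added example, not code from the thread or from Dovecot; it models the Unix permission decision with and without CAP_DAC_OVERRIDE, parses constructed log lines modelled on the ones posted, and reports whether a "Permission denied" on the socket is explained by the bits alone or by a MAC denial of dac_override. The uid/gid values (mail = 8, an arbitrary group 12) and the log text are constructed for the example.

```python
"""Correlate a Dovecot LDA socket error with SELinux AVC denials (added example)."""
import re

# Constructed sample log lines, modelled on the thread's maillog/messages output.
SAMPLE_LOG = """\
Jan 01 08:24:02 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=0(root) egid=0(root) missing +r perm: /var/run/dovecot/auth-userdb, euid is dir owner)
Jan 1 08:24:02 nala kernel: type=1400 audit(1357050242.947:42): avc: denied { dac_override } for pid=20156 comm="dovecot-lda" capability=1 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
Jan 1 08:24:02 nala kernel: type=1400 audit(1357050242.947:44): avc: denied { dac_read_search } for pid=20156 comm="dovecot-lda" capability=2 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:system_r:dovecot_deliver_t:s0 tclass=capability
"""

LDA_RE = re.compile(
    r"connect\((?P<path>[^)]+)\) failed: Permission denied "
    r"\(euid=(?P<euid>\d+)\(\w+\) egid=(?P<egid>\d+)"
)
AVC_RE = re.compile(r'avc: +denied +\{ (?P<perm>[^}]+)\} .*comm="(?P<comm>[^"]+)"')


def parse_log(text):
    """Pull socket connect failures and AVC capability denials out of log text."""
    events = {"connect_denied": [], "avc": []}
    for line in text.splitlines():
        m = LDA_RE.search(line)
        if m:
            events["connect_denied"].append(
                {"path": m["path"], "euid": int(m["euid"]), "egid": int(m["egid"])}
            )
            continue
        m = AVC_RE.search(line)
        if m:
            events["avc"].append({"perm": m["perm"].strip(), "comm": m["comm"]})
    return events


def dac_allows(mode, owner_uid, owner_gid, euid, egid, want="rw",
               cap_dac_override=True, extra_gids=()):
    """Classic Unix DAC decision on a file with the given mode and owner.

    cap_dac_override=False models what SELinux did in the thread: root's
    CAP_DAC_OVERRIDE was denied, so root is judged by the mode bits alone.
    """
    if euid == 0 and cap_dac_override:
        return True
    if euid == owner_uid:
        shift = 6                       # owner triplet
    elif egid == owner_gid or owner_gid in extra_gids:
        shift = 3                       # group triplet
    else:
        shift = 0                       # other triplet
    bits = (mode >> shift) & 0o7
    need = (0o4 if "r" in want else 0) | (0o2 if "w" in want else 0) | (0o1 if "x" in want else 0)
    return bits & need == need


def diagnose(log_text, sock_mode, sock_uid, sock_gid, comm="dovecot-lda"):
    """Classify each connect failure: plain DAC, MAC-denied dac_override, or neither."""
    ev = parse_log(log_text)
    denied_caps = {a["perm"] for a in ev["avc"] if a["comm"] == comm}
    findings = []
    for c in ev["connect_denied"]:
        with_cap = dac_allows(sock_mode, sock_uid, sock_gid, c["euid"], c["egid"])
        bits_only = dac_allows(sock_mode, sock_uid, sock_gid, c["euid"], c["egid"],
                               cap_dac_override=False)
        if with_cap and not bits_only and "dac_override" in denied_caps:
            findings.append(("mac_denied_dac_override", c["path"]))
        elif not with_cap:
            findings.append(("dac_denied", c["path"]))
        else:
            findings.append(("not_explained_by_dac", c["path"]))
    return findings


if __name__ == "__main__":
    # Socket as posted: srw------- owned by mail (uid 8 constructed), group root.
    for kind, path in diagnose(SAMPLE_LOG, 0o600, 8, 0):
        print(f"{path}: {kind}")
```

Run against the posted permissions the verdict is mac_denied_dac_override: root could connect under plain DAC, but the policy refused the capability, so the 0600/mail bits were enforced on root. The corresponding fix is the one the reply points at, giving the socket a mode and owner that admit the delivering user in dovecot.conf rather than depending on root's override.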