Re: [Dovecot] Authentication woes - Couldn't drop privileges: Mail access not allowed for root
On Sat, 2010-08-21 at 11:10 +0200, Ralph Seichter wrote: I made a small mistake during setup and had one of the id_dsa files owned by root instead of $user. This was deliberate, because the sync script is run by root and I thought that the SSH key should thus be owned by root aswell. Yeah, that's how I thought it should work too. Fixed: http://hg.dovecot.org/dovecot-2.0/rev/83f98d61bea2 The resulting error message was: Permission denied (publickey,keyboard-interactive). dsync-local(foouser): Error: read() from worker server failed: EOF This is ok. dsync-local(foouser): Fatal: dsync backup: Looks like you're trying to run backup in wrong direction. Source is empty and destination is not. This should have been logged. Fixed: http://hg.dovecot.org/dovecot-2.0/rev/6ef21adeb61d Do you think one should add an example for key-based authentication to http://wiki2.dovecot.org/Tools/Dsync ? With the above changes, I guess all that's needed for that is to add -i id_dsa.backup parameter to: dsync -u username mirror ssh mailu...@example.com dsync -u username
Re: [Dovecot] Authentication woes - Couldn't drop privileges: Mail access not allowed for root
On 23.08.10 15:37, Timo Sirainen wrote: Yeah, that's how I thought it should work too. Fixed: http://hg.dovecot.org/dovecot-2.0/rev/83f98d61bea2 I just installed Dovecot from Mercurial on the server running the dsync backup script. I can confirm that with your changes the SSH key file can be root-readable-only, which I consider a significant security improvement. Thank you! -Ralph
Re: [Dovecot] Authentication woes - Couldn't drop privileges: Mail access not allowed for root
Hi Timo, thanks again for pointing out the missing userdb configuration entry yesterday. Now that both Dovecot 2.0.0 servers are running fine, I use the following command to backup mail data from serverA to serverB in a shell script running on serverB, looping over user names: /usr/local/dovecot-2.0/bin/dsync -v -R -u $user backup \ ssh -i /home/$user/.ssh/id_dsa $u...@servera /usr/local/dovecot-2.0/bin/dsync I made a small mistake during setup and had one of the id_dsa files owned by root instead of $user. This was deliberate, because the sync script is run by root and I thought that the SSH key should thus be owned by root aswell. The resulting error message was: Permission denied (publickey,keyboard-interactive). dsync-local(foouser): Error: read() from worker server failed: EOF dsync-local(foouser): Fatal: dsync backup: Looks like you're trying to run backup in wrong direction. Source is empty and destination is not. The first line is generated by SSH, because serverA allows key-based authentication only and the key file on serverB was unreadable as dsync seems to drop root privileges in this case (at least that's my guess). Do you think one should add an example for key-based authentication to http://wiki2.dovecot.org/Tools/Dsync ? -Ralph
[Dovecot] Authentication woes - Couldn't drop privileges: Mail access not allowed for root
I'm currently trying to set up a Dovecot 2.0.0 server for backup
purposes. There's an existing server which I successfully migrated to
Dovecot 2.0.0, and it uses LDAP for authentication. For the backup
server, which will not be exposed to users, I tried both PAM and PASSWD
authentication, but all I are syslog entries like these:
dovecot: imap-login: Login: user=foo, method=PLAIN, rip=[...], lip=[...],
mpid=20059, TLS
dovecot: imap(foo): Error: user foo: Couldn't drop privileges: Mail access
not allowed for root
dovecot: imap(foo): Error: Internal error occurred. Refer to server log for
more information.
Here is my current configuration:
# doveconf -n
# 2.0.0: /usr/local/dovecot-2.0/etc/dovecot/dovecot.conf
# OS: Linux 2.6.35-gentoo-r1-v3 x86_64 Gentoo Base System release 2.0.1
auth_mechanisms = plain login
base_dir = /var/run/dovecot/
listen = *
mail_location = maildir:~/.maildir
passdb {
args = scheme=crypt /usr/local/dovecot-2.0/etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
ssl_cert = /usr/local/dovecot-2.0/etc/dovecot/server.crt
ssl_key = /usr/local/dovecot-2.0/etc/dovecot/server.key
The password file contents:
# cat /usr/local/dovecot-2.0/etc/dovecot/passwd
foo:{CRYPT}xxx:1000:1000:Foo Backup:/home/foo:/bin/bash
I searched the Dovecot Wiki and also tried MARC and Google, but I can't
seem to find a solution for this problem. Could you please point me in
the right direction? I have probably missed something.
Thanks!
-Ralph
Re: [Dovecot] Authentication woes - Couldn't drop privileges: Mail access not allowed for root
On Fri, 2010-08-20 at 20:07 +0200, Ralph Seichter wrote:
dovecot: imap(foo): Error: user foo: Couldn't drop privileges: Mail access
not allowed for root
passdb {
args = scheme=crypt /usr/local/dovecot-2.0/etc/dovecot/passwd
driver = passwd-file
}
You don't have a userdb defined or mail_uid/mail_gid setting..
# cat /usr/local/dovecot-2.0/etc/dovecot/passwd
foo:{CRYPT}xxx:1000:1000:Foo Backup:/home/foo:/bin/bash
I guess you should add:
userdb {
args = scheme=crypt /usr/local/dovecot-2.0/etc/dovecot/passwd
driver = passwd-file
}
The error message is bad though. I'm pretty sure it was better in v1.2.
I'll see about fixing that.
Re: [Dovecot] Authentication woes - Couldn't drop privileges: Mail access not allowed for root
On 20.08.10 20:36, Timo Sirainen wrote:
I guess you should add:
userdb {
args = scheme=crypt /usr/local/dovecot-2.0/etc/dovecot/passwd
driver = passwd-file
}
I think you meant args = /usr/local/dovecot-2.0/etc/dovecot/passwd,
without scheme=crypt. Adding the userdb setting to my Dovecot config
does the trick, thank you!
The error message is bad though. I'm pretty sure it was better in
v1.2. I'll see about fixing that.
Good idea. The current message is rather misleading.
-Ralph
