hi,
contacting this mailing list is my last-ditch effort to somehow come to 
a working configuration where postfix "ends in" dovecot, i.e. for special
LDAP-based users, featured in the virtual mailbox delivery, dovecot 
would act as LDA.
here's the deal.
i've set up dovecot's access to the LDAP server, and for the purposes of
being an IMAP server and a SASL auth backend, dovecot works brilliantly 
and without a glitch. i can access my test mailbox (in maildir format), 
i can use the LDA as root and it delivers the message correctly (after a 
switch to the target user's UID), and even postfix's submission works 
with dovecot as its SASL backend.
what does not work is dovecot as LDA from postfix.
i'm getting these errors in the log:
Jul 31 03:40:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER lookup failed
Jul 31 03:40:40 rhyno dovecot: auth: Error: userdb(aik): client doesn't have lookup permissions for this user: userdb uid (10001) doesn't match peer uid (5000) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })
Jul 31 03:40:40 rhyno dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
for the sake of clarity, i've tried the "to bypass this check" 
instructions, didn't help.
also, for the sake of operational clarity, "aik" is the LDAP account 
with the following parameters:
dn: uid=aik,ou=People,dc=rhyno,dc=tech
objectClass: account
objectClass: posixAccount
objectClass: postfixUser
cn: aik
uid: aik
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/aik
loginShell: /bin/sh
gecos: aik
description: User account
structuralObjectClass: account
entryUUID: db947584-0369-1038-98b3-675e2f0cea17
creatorsName: cn=admin,dc=rhyno,dc=tech
createTimestamp: 20180613152616Z
email: ***********
userPassword:: *************************
mailacceptinggeneralid: andras.kemeny
mailacceptinggeneralid: kemeny.andras
mailacceptinggeneralid: aik
mailacceptinggeneralid: pdx
mailacceptinggeneralid: @rhyno.tech
mailacceptinggeneralid: @rhynotechnologies.com
maildrop: aik
and postfix's master.cf says:
dovecot   unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
so i'm stuck at this point. obviously, if the LDA is spawned with 
vmail:vmail perms, it cannot become uid 10001 (btw, the LDAP and passwd 
accounts were once connected, but for security reasons, the connection 
has been severed -- still the /home/aik/mail dir is owned by uid 10001 etc).
what am i doing wrong?
thanks,
a
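Added example, not part of the thread and not Dovecot's or Postfix's own code: a small Python triage script that parses the "userdb uid ... doesn't match peer uid" error quoted above, extracts the two uids, and applies the rule the thread describes (delivery as root or as the mailbox owner's own uid passes the auth-userdb check; any other uid, such as vmail's 5000, fails). The log text is constructed from the lines quoted in the post.

```python
import re
from typing import Optional

# Constructed sample: the three Dovecot log lines quoted in the post above, unwrapped.
SAMPLE_LOG = """\
Jul 31 03:40:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER lookup failed
Jul 31 03:40:40 rhyno dovecot: auth: Error: userdb(aik): client doesn't have lookup permissions for this user: userdb uid (10001) doesn't match peer uid (5000) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })
Jul 31 03:40:40 rhyno dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
"""

# Matches the auth process's permission error and captures user, userdb uid and peer uid.
MISMATCH_RE = re.compile(
    r"userdb\((?P<user>[^)]+)\): client doesn't have lookup permissions for this user: "
    r"userdb uid \((?P<userdb_uid>\d+)\) doesn't match peer uid \((?P<peer_uid>\d+)\)"
)


def parse_uid_mismatch(line: str) -> Optional[dict]:
    """Return {'user', 'userdb_uid', 'peer_uid'} for a mismatch line, else None."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    return {
        "user": m["user"],
        "userdb_uid": int(m["userdb_uid"]),
        "peer_uid": int(m["peer_uid"]),
    }


def scan_log(text: str) -> list:
    """Collect every uid-mismatch record found in a block of log text."""
    return [r for r in (parse_uid_mismatch(ln) for ln in text.splitlines()) if r]


def lookup_allowed(peer_uid: int, userdb_uid: int) -> bool:
    """Auth-userdb check as the thread describes it: root (which setuids to the
    target user afterwards) or the user's own uid may look the user up; any
    other unprivileged peer uid is refused."""
    return peer_uid == 0 or peer_uid == userdb_uid


def triage(text: str) -> list:
    """Human-readable verdict per mismatch: which uid the LDA ran as, which it needed."""
    out = []
    for r in scan_log(text):
        ok = lookup_allowed(r["peer_uid"], r["userdb_uid"])
        out.append(f"user {r['user']}: LDA ran as uid {r['peer_uid']}, mailbox owner is "
                   f"uid {r['userdb_uid']}; lookup {'allowed' if ok else 'refused'}")
    return out


if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(verdict)
```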
You could run dovecot-lda as root. It will setuid to correct account.
---
Aki Tuomi
Dovecot oy
-------- Original message --------
From: Andras Kemeny <pdx at pdx.hu>
Date: 31/07/2018 04:46 (GMT+02:00)
To: dovecot at dovecot.org
Subject: uid problem