I'm still trying to fix this problem. Hopefully someone can help.
I've upgraded dovecot to 2.3.3
# dovecot --version
2.3.3 (dcead646b)
That didn't help.
Next I switched 10-auth.conf to use a local password file (instead of LDAP)
======================================
# cache all authentication results for one hour
auth_cache_size = 10M
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 1 hour
# only use plain username/password auth - OK since everything is over TLS
auth_mechanisms = plain
passdb {
driver = passwd-file
args = scheme=ssha username_format=%n /usr/local/etc/dovecot/passwd
}
userdb {
driver = passwd-file
args = username_format=%n /usr/local/etc/dovecot/passwd
}
=====================================
The /usr/local/etc/dovecot/passwd file is in the following format
userA:{SSHA}hashhhhhhhhh:1000:1000::/home/userA
Authentication works, and mail gets delivered. But I'm still getting the
same intermittent errors.
Sep 28 00:03:24 mailserver dovecot:
imap(userD)<14864><WT8DguF2MspUUoaT>:
Fatal: setgid(1012(userD) from userdb lookup) failed with
euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
permitted (This binary should probably be called with process group set to
1012(userD) instead of 1011(userA))
Also tried disabling the cache in 10-auth.conf, to no avail.
I'm a bit at a loss :(
Regards,
J. de Meijer
> Hi,
>
> I'm getting errors with my IMAP setup.
> Basically, everything seems to work.
> Mail is delivered nicely from Postfix to Dovecot via LMTP. Dovecot does
> the authentication to LDAP (also for Postfix). Users are able to send mail
> via authenticated submission (Postfix) and login into IMAP and POP.
>
> However, IMAP connections are dropped frequently with an "ERROR:
> Connection dropped by IMAP server.". Pressing reload in the
> webmail, or refreshing in the client, might help for a short period. So it fails
> intermittently.
>
> The errors in the maillog are below. It seems to be mixing up users more or
> less randomly: a process already running as one user (euid userA, for example)
> fails to setgid to another user's gid (userD). I think this happens when multiple
> connections are made at the same time.
> Did a lot of searching, but couldn't find an answer to this problem. All I
> can find is related to LDA, which I'm not using.
>
> Any help would be appreciated.
>
> Errors from the log:
> Sep 28 00:03:24 mailserver dovecot:
imap(userD)<14864><WT8DguF2MspUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:03:24 mailserver dovecot:
imap(userD)<17009><recJguF2NMpUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:03:26 mailserver dovecot:
imap(userD)<12807><8T0iguF2NspUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:06:59 mailserver dovecot:
imap(userD)<15661><UcfOjuF2OcpUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:07:54 mailserver dovecot:
imap(userA)<45614><NVkakuF2xO5UUoaT>:
> Fatal: setgid(1011(userA) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1011(userA) instead of 1012(userD))
> Sep 28 00:08:08 mailserver dovecot:
imap(userF)<45055><AWjtkuF2J/ptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1012(userD))
> Sep 28 00:08:08 mailserver dovecot:
imap(userF)<46412><87ntkuF2JvptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1011(userA))
> Sep 28 00:08:08 mailserver dovecot:
imap(userF)<44858><0nXzkuF2KfptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1012(userD))
> Sep 28 00:08:14 mailserver dovecot:
imap(userF)<36517><v/NHk+F2K/ptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1017(userC), gid=1017(userC), egid=1017(userC): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1017(userC))
> Sep 28 00:08:36 mailserver dovecot:
imap(userF)<10531><wpKdlOF2MfptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1011(userA))
>
> # dovecot --version
> 2.3.2.1 (0719df592)
>
> # 2.3.2.1 (0719df592): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.2 (7704de5e)
> # OS: FreeBSD 11.2-RELEASE amd64
> # Hostname: mailserver
> auth_cache_size = 10 M
> auth_debug = yes
> imap_idle_notify_interval = 29 mins
> mail_debug = yes
> mail_fsync = never
> mail_location = maildir:~/Maildir
> mail_plugins = " fts fts_solr"
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
> copy include variables body enotify environment mailbox date index ihave
> duplicate mime foreverypart extracttext
> namespace inbox {
> inbox = yes
> location =
> mailbox Archive {
> auto = subscribe
> special_use = \Archive
> }
> mailbox Drafts {
> auto = create
> special_use = \Drafts
> }
> mailbox Sent {
> auto = subscribe
> special_use = \Sent
> }
> mailbox Spam {
> auto = subscribe
> special_use = \Junk
> }
> mailbox Trash {
> auto = subscribe
> special_use = \Trash
> }
> prefix =
> separator = /
> }
> passdb {
> args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> plugin {
> fts = solr
> fts_autoindex = yes
> fts_solr = url=http://127.0.0.1:8983/solr/dovecot/
> recipient_delimiter = +
> sieve = file:~/sieve;active=~/.dovecot.sieve
> sieve_after = /usr/local/etc/dovecot/sieve-after.d
> sieve_before = /usr/local/etc/dovecot/sieve-before.d
> sieve_quota_max_storage = 50M
> }
> protocols = imap pop3 lmtp sieve
> service auth {
> client_limit = 1600
> unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0660
> user = postfix
> }
> }
> service imap-login {
> inet_listener imap {
> address = 127.0.0.1, ::1
> }
> process_min_avail = 3
> service_count = 1
> }
> service imap {
> process_min_avail = 3
> service_count = 256
> }
> service lmtp {
> unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
> }
> }
> service pop3-login {
> inet_listener pop3 {
> address = 127.0.0.1, ::1
> }
> service_count = 1
> }
> ssl = required
> ssl_cert = </usr/local/etc/ssl/mail.example.com.dovecot.crt
> ssl_cipher_list =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_prefer_server_ciphers = yes
> userdb {
> args = /usr/local/etc/dovecot/dovecot-ldap-user.conf.ext
> driver = ldap
> }
> protocol lda {
> mail_fsync = optimized
> mail_plugins = " fts fts_solr sieve"
> }
> protocol imap {
> mail_max_userip_connections = 50
> mail_plugins = " fts fts_solr imap_sieve"
> }
> protocol lmtp {
> lmtp_save_to_detail_mailbox = yes
> mail_fsync = optimized
> mail_plugins = " fts fts_solr quota sieve"
> postmaster_address = webmaster at example.com
> }
>
> In /usr/local/etc/dovecot/dovecot-ldap.conf.ext:
> hosts = localhost
> dn = cn=reader,ou=Roles,dc=example,dc=com
> dnpass = secretpassword
> auth_bind = yes
> base = ou=People,dc=example,dc=com
> deref = never
> scope = subtree
> user_attrs = uid=uid,homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_filter = (&(objectClass=posixAccount)(uid=%n))
> pass_attrs = uid=user,userPassword=password
> pass_filter = (&(objectClass=posixAccount)(uid=%u))
> default_pass_scheme = SSHA
>
> dovecot-ldap-user.conf.ext is the same as dovecot-ldap.conf.ext
>
> # freebsd-version
> 11.2-RELEASE-p3
>
> Everything is installed from ports.