Hi,
before I start to write a lengthy email about something that isn't
really possible anyway: can I make Postfix use Dovecot's LDA and start
it with different user IDs?
My scenario: Dovecot authenticates users for Postfix and itself using
Postgresql. Mails for two domains should be stored under
/srv/<domain>/<user> (which is the location returned by my user_sql
query and mail_location).
When my clients login (with usernames of the form 'user at domain'),
Dovecot creates/opens the correct mailboxes for them, but I can't get
LDA to deliver to these mailboxes. Whatever I try, I am always running
into some kind of permission problems (either for the mailboxes, or for
auth_socket).
I want to use a unique UID for every virtual domain, so I guess LDA
needs to have permissions for every corresponding mailbox *and*
Dovecot's auth_socket_path. Is there a good solution for this which
doesn't involve severe security implications?
J.
--
If all my friends had Playstations I would buy a Nintendo to prove my
individuality.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
Hi,
I have a setup, which is the same (currently in testing).
Main problem is that LDA has to switch its privileges to the owner of mail
so it has to be run as root. Marking it suid solves the problem, then you
can change it to be executable only by Postfix.
Timo says that this is the safe way and I personally believe him :-)
L??a
-----Original Message-----
From: dovecot-bounces at dovecot.org [mailto:dovecot-bounces at dovecot.org] On
Behalf Of Jochen Schulz
Sent: Monday, January 22, 2007 6:01 PM
To: Dovecot Mailing List
Subject: [Dovecot] Postfix & Dovecot LDA
On Mon, 2007-01-22 at 18:00 +0100, Jochen Schulz wrote:
> Hi,
>
> before I start to write a lengthy email about something that isn't
> really possible anyway: can I make Postfix use Dovecot's LDA and start
> it with different user IDs?
In your master.cf you should have something like this, assuming your
postfix setup is correct (main.cf, virtual domains/recipients maps,
etc.):
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
the user= part controls under which uid/gid deliver runs. This way you
could run deliver as user vmail for all your virtual domains.
> I want to use a unique UID for every virtual domain, so I guess LDA
> needs to have permissions for every corresponding mailbox *and*
> Dovecot's auth_socket_path. Is there a good solution for this which
> doesn't involve severe security implications?
You can give vmail access to the auth socket. I haven't tried the
one-user-per-virtual-domain setup myself. You could use the group rights
to give deliver access to all the virtual domains' maildirs while having
a different uid per each virtual domain.
ciao
Luca
Hi.
I know, this is a pretty old thread, but since I just ran into similar
problems while setting up my one-user-per-virtual-domain postfix +
multi-instance-dovecot/-lda, I thought I might share my "fix" in this
related (and most useful) thread.
My setup might not be used often - I am running two dovecot instances
(on different IP addresses on the same server, in case you're
wondering), with the first instance exporting the auth-master socket. I
am using different UID/GIDs for my virtual domains/mailboxes. I
couldn't get postfix setgid accordingly when calling deliver, and I
didn't want to use SUID on deliver.
The versions I am using are:
dovecot 1.0.13
postfix 2.3.8
My first dovecot instance is using:
auth default {
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
    }
  }
}
The other is using:
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
}
And my postfix's master.cf is:
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
dovecot-other unix - n n - - pipe
  flags=DRhu user=vmail-other:vmail-other argv=/usr/lib/dovecot/deliver -c /etc/dovecot/other/dovecot.conf -f ${sender} -d ${recipient}
My fix is: I use filesystem ACLs and just set the ACLs of the
auth-master socket after starting the first dovecot instance (which
creates the socket).
I.e. I run after starting dovecot (and waiting for a second...):
setfacl -m u:vmail-other:rw /var/run/dovecot/auth-master
This works only for filesystems with ACL support, of course. I use
setfacl with ext2/3; other filesystem ACL tools might differ.
Oh, and thanks for dovecot and this supportive mailing list btw. (even
though this is my first post: hi everyone :) )
Greetings,
Jens
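
The socket ACL step from the message above, as an added example that is not part of the original post: it polls for the socket instead of sleeping a fixed second, refuses to continue if the socket is open to other users, and confirms the ACL entry is effective. The socket path and user name are taken from the post; the function names, the `--apply` switch and the 10-second timeout are assumptions.

```shell
#!/bin/sh
# Added example: grant a second delivery user rw on Dovecot's auth-master
# socket via an ACL. Path and user come from the post; the timeout is assumed.

SOCK=/var/run/dovecot/auth-master
LDA_USER=vmail-other

# Poll until the path exists and is a socket, or give up after $2 seconds.
wait_for_socket() {
    sock=$1; left=$2
    while [ ! -S "$sock" ]; do
        [ "$left" -le 0 ] && return 1
        sleep 1
        left=$((left - 1))
    done
    return 0
}

# Succeed only if the "other" permission bits are all clear (mode ends in 0).
no_world_access() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Add the ACL entry, then require an exact "user:NAME:rw-" line from getfacl.
# getfacl appends "#effective:" when the mask reduces the entry, so a masked
# (ineffective) grant fails this exact-line match.
grant_rw() {
    setfacl -m "u:$2:rw" "$1" || return 1
    getfacl -p "$1" 2>/dev/null | grep -qx "user:$2:rw-"
}

main() {
    wait_for_socket "$SOCK" 10 || { echo "socket $SOCK never appeared" >&2; return 1; }
    no_world_access "$SOCK" || { echo "$SOCK is accessible to other users" >&2; return 1; }
    grant_rw "$SOCK" "$LDA_USER" || { echo "ACL for $LDA_USER is not effective" >&2; return 1; }
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

After the ACL is set, `ls -l` shows the ACL mask in the group permission bits, so the socket will no longer display as plain 0600 even though only vmail and vmail-other can use it.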