Rich Winkel
2007-Sep-26 00:19 UTC
[Dovecot] deliver net_connect auth-master failed: Permission denied
Ok, I've ALMOST got this working ... I can run deliver as a user, but when I try using it as the default delivery agent from sendmail, I get deliver(userid): net_connect(/var/run/dovecot/auth-master) failed: Permission denied Does deliver run as root, as the recipient's ID, sendmail's ID or sendmail's GID? (I'm running freebsd) Or am I totally clueless ?? Here is dovecot -n: # 1.0.3: /usr/local/etc/dovecot.conf base_dir: /var/run/dovecot/ listen: localhost:996 ssl_disable: yes login_dir: /var/run/dovecot/login login_executable: /usr/local/libexec/dovecot/imap-login login_greeting_capability: yes first_valid_uid: 100 mail_extra_groups: mail mail_location: mbox:~/mail:INBOX=/var/mail/%u:INDEX=/var/spool/dovecot_indexes/%u lock_method: flock mbox_read_locks: flock mbox_write_locks: flock auth default: passdb: driver: pam userdb: driver: passwd socket: type: listen client: path: /var/run/dovecot/auth-client mode: 432 master: path: /var/run/dovecot/auth-master mode: 432 Thanks!!!!! Rich
Bill Cole
2007-Sep-26 01:07 UTC
[Dovecot] deliver net_connect auth-master failed: Permission denied
At 7:19 PM -0500 9/25/07, Rich Winkel imposed structure on a stream of electrons, yielding:>Ok, I've ALMOST got this working ... I can run deliver as a user, but when >I try using it as the default delivery agent from sendmail, I get >deliver(userid): net_connect(/var/run/dovecot/auth-master) failed: >Permission denied > >Does deliver run as root, as the recipient's ID, sendmail's ID or >sendmail's GID? (I'm running freebsd)Ideally, it should run SUID+SGID to a user and group that exist to make mail delivery permissions work. See http://wiki.dovecot.org/LDA/Sendmail and http://wiki.dovecot.org/LDA The key bit is on the main LDA page where it describes the master socket config and on the Sendmail page where it discusses 'non-root' sendmail setups, which is really applicable to all common setups of modern Sendmail.>Or am I totally clueless ??Well, the Mizzou address argues one way, but I'll give you the benefit of the doubt and say maybe not... :) The bottom line: make up a user and group to own the master socket, structure your inbox permissions so that deliver can run that way and write to them, and make deliver SUID/SGID. Structuring inbox permissions so that can work is a potentially complex problem.>Here is dovecot -n: > ># 1.0.3: /usr/local/etc/dovecot.conf >base_dir: /var/run/dovecot/ >listen: localhost:996 >ssl_disable: yes >login_dir: /var/run/dovecot/login >login_executable: /usr/local/libexec/dovecot/imap-login >login_greeting_capability: yes >first_valid_uid: 100 >mail_extra_groups: mail >mail_location: >mbox:~/mail:INBOX=/var/mail/%u:INDEX=/var/spool/dovecot_indexes/%u >lock_method: flock >mbox_read_locks: flock >mbox_write_locks: flock >auth default: > passdb: > driver: pam > userdb: > driver: passwd > socket: > type: listen > client: > path: /var/run/dovecot/auth-client > mode: 432 > master: > path: /var/run/dovecot/auth-master > mode: 432 > >Thanks!!!!! >Rich-- Bill Cole bill at scconsult.com