Andreas Ntaflos
2008-Jan-14 23:21 UTC
[Dovecot] deliver can't connect to auth server at */usr/local*/var/run/dovecot/auth-master
Hello list,

while fiddling around with the configuration so Dovecot's LDA "deliver" can be
used by multiple users by means of Getmail (you can read about that in [1]) I
always end up running into the error message posted in the subject line:

Jan 15 00:00:02 HOSTNAME deliver(USERID): Can't connect to auth server
at /usr/local/var/run/dovecot/auth-master: Permission denied

Notice how it says "/usr/local/var/run/dovecot"! How and why does dovecot
                    ^^^^^^^^^^
think that anything of any importance can be found under /usr/local/var/... ?
Please see dovecot -n at the end of this message, but as far as I can tell I
never ever specified that the /var directory (configure --localstatedir)
should end up under the prefix /usr/local.

Now I am quite sure that my configuration for auth-master is not yet quite
correct but I can't go any further without asking what this error message
could mean and how to resolve the problem.

Anybody have any ideas? I am currently running 1.0.10 (previously, until this
afternoon 1.0.5, same problem) with the latest MANAGESIEVE patch (v9) applied
and the dovecot-sieve plugin.

TIA for any hints! I am at a loss here.

Andreas

[1] http://thread.gmane.org/gmane.mail.imap.dovecot/27062

# 1.0.10: /usr/local/etc/dovecot.conf
base_dir: /var/run/dovecot/
protocols: imap imaps pop3 pop3s managesieve
listen(default): *
listen(imap): *
listen(pop3): *
listen(managesieve): *:2000
ssl_cert_file: /etc/ssl/certs/DOMAINNAME.crt
ssl_key_file: /etc/ssl/private/DOMAINNAME.key
login_dir: /var/run/dovecot//login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_executable(managesieve): /usr/local/libexec/dovecot/managesieve-login
mail_extra_groups: mail
mail_location: maildir:~/Maildir
maildir_copy_with_hardlinks: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_executable(managesieve): /usr/local/libexec/dovecot/managesieve
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
mail_plugin_dir(managesieve): /usr/local/lib/dovecot/managesieve
imap_client_workarounds(default): outlook-idle delay-newmail tb-extra-mailbox-sep
imap_client_workarounds(imap): outlook-idle delay-newmail tb-extra-mailbox-sep
imap_client_workarounds(pop3): outlook-idle
imap_client_workarounds(managesieve): outlook-idle
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
pop3_uidl_format(managesieve):
namespace:
  type: public
  separator: /
  prefix: Public/
  location: maildir:/var/mail/public:CONTROL=~/Maildir/control/public:INDEX=~/Maildir/index/public
namespace:
  type: private
  separator: /
  inbox: yes
auth default:
  mechanisms: login plain
  verbose: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: root
      group: dovecot

--
Andreas "daff" Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
Charles Marcus
2008-Jan-15 02:00 UTC
[Dovecot] deliver can't connect to auth server at */usr/local*/var/run/dovecot/auth-master
On 1/14/2008 Andreas Ntaflos wrote:
> Notice how it says "/usr/local/var/run/dovecot"! How and why does
> dovecot
>                     ^^^^^^^^^^
> think that anything of any importance can be found under
> /usr/local/var/... ?

I'm confused as to why *you're* confused...

Look at the output again... ALL of your binaries paths are set to:

/usr/local/var/...
Jerry Yeager
2008-Jan-15 02:56 UTC
[Dovecot] deliver can't connect to auth server at */usr/local*/var/run/dovecot/auth-master
> ------------------------------
>
> Message: 7
> Date: Tue, 15 Jan 2008 00:21:02 +0100
> From: Andreas Ntaflos <daff at pseudoterminal.org>
> Subject: [Dovecot] deliver can't connect to auth server at
>     */usr/local*/var/run/dovecot/auth-master
> To: dovecot at dovecot.org
> Message-ID: <200801150021.02689.daff at pseudoterminal.org>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello list,
>
> while fiddling around with the configuration so Dovecot's LDA
> "deliver" can be
> used by multiple users by means of Getmail (you can read about that
> in [1]) I
> always end up running into the error message posted in the subject
> line:
>
> Jan 15 00:00:02 HOSTNAME deliver(USERID): Can't connect to auth server
> at /usr/local/var/run/dovecot/auth-master: Permission denied
>
> Notice how it says "/usr/local/var/run/dovecot"! How and why does
> dovecot
>                     ^^^^^^^^^^
> think that anything of any importance can be found under /usr/local/
> var/... ?
> Please see dovecot -n at the end of this message, but as far as I
> can tell I
>
>     master:
>       path: /var/run/dovecot/auth-master
>       mode: 432
>       user: root
>       group: dovecot
> --
> Andreas "daff" Ntaflos
> Vienna, Austria
>

For the quick answer to your immediate problem / question, try:

cd /path/to/dovecot's/deliver   (probably /usr/local/libexec/dovecot/ )
chmod u+s deliver   (enable the setuid bit for the deliver app).

Your Getmail app may not be truly running as root and thus does not really
have permission to do what you want. You may need to do the same for the
group as well.

Unix permissions are weird sometimes, like a $100 television tube that
protects a 50 cent fuse by blowing first.

It does look like (from your use of /usr/local/*****) you built dovecot to
run out of /usr/local.

One last thing, as a security idea, try something like

master {
  path = /usr/local/var/run/dovecot/auth-master
  mode = 0600
  user = dovecot_user
  group = dovecot_group
}

and set your postfix line that calls deliver to match:

dovecot unix - n n - - pipe
  flags=DRhu user=dovecot_user:dovecot_group argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}

(try to have dovecot run as an unprivileged user as much as you can)
Timo Sirainen
2008-Jan-15 04:24 UTC
[Dovecot] deliver can't connect to auth server at */usr/local*/var/run/dovecot/auth-master
On Tue, 2008-01-15 at 00:21 +0100, Andreas Ntaflos wrote:
> Notice how it says "/usr/local/var/run/dovecot"! How and why does dovecot
..
> master:
>   path: /var/run/dovecot/auth-master

If you're not using the default built-in path, set:

protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
}
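
Added example (not part of the original thread and not Dovecot's own code): once deliver points at the right path, the "Permission denied" in the log comes down to whether the calling user may connect to the auth-master socket as configured. The sketch below evaluates that for a given uid and group set under Linux semantics; the function names are hypothetical, and it assumes `dovecot -n` prints the socket mode in decimal.

```python
import os
import stat

def octal_mode(dovecot_n_value):
    # Assumption: `dovecot -n` prints the socket mode in decimal, so the
    # thread's "mode: 432" is octal 0660 (rw for owner and group only).
    return "%04o" % int(dovecot_n_value)

def dac_allows(st_mode, st_uid, st_gid, uid, gids, want):
    """Classic Unix permission check; `want` is "w" or "x".
    Exactly one class applies: owner first, then group, then other."""
    if uid == 0:
        return True  # root bypasses file permission checks
    bits = {"w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
            "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}[want]
    if st_uid == uid:
        return bool(st_mode & bits[0])
    if st_gid in gids:
        return bool(st_mode & bits[1])
    return bool(st_mode & bits[2])

def can_connect(sock_path, uid, gids):
    """Return (ok, reason): may uid/gids connect() to this Unix socket?
    On Linux that needs search (x) on every parent directory and
    write (w) on the socket itself. ACLs and LSMs are not modelled."""
    path = os.path.abspath(sock_path)
    current = os.sep
    for part in [""] + path.split(os.sep)[1:-1]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if not dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x"):
            return False, "no search permission on %s" % current
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, "%s is not a socket" % path
    if not dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "w"):
        return False, "socket is mode %04o owned by %d:%d" % (
            stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return True, "ok"

if __name__ == "__main__":
    import sys
    # Usage: script.py /var/run/dovecot/auth-master  (checks the calling user)
    me = set(os.getgroups()) | {os.getgid()}
    print(can_connect(sys.argv[1], os.getuid(), me))
```

With the socket from the dovecot -n output (root:dovecot, mode 432), a regular shell user who is not in group dovecot fails the write check, which is the situation when Getmail runs deliver as that user.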
Jerry Yeager
2008-Jan-16 02:38 UTC
[Dovecot] deliver can't connect to auth server at */usr/local*/var/run/dovecot/auth-master
> Message: 8
> Date: Tue, 15 Jan 2008 15:19:11 +0100
> From: Andreas Ntaflos <daff at dword.org>
> Subject: Re: [Dovecot] deliver can't connect to auth server at
>     */usr/local*/var/run/dovecot/auth-master
> To: dovecot at dovecot.org
> Message-ID: <200801151519.11951.daff at dword.org>
> Content-Type: text/plain; charset="utf-8"
>
> On Tuesday 15 January 2008 03:56:28 Jerry Yeager wrote:
>>> while fiddling around with the configuration so Dovecot's LDA
>>> "deliver" can be
>>> used by multiple users by means of Getmail (you can read about that
>>> in [1]) I
>>> always end up running into the error message posted in the subject
>>> line:

( stuff snipped out )

>> One last thing, as a security idea, try something like
>>
>> master {
>>   path = /usr/local/var/run/dovecot/auth-master
>>   mode = 0600
>>   user = dovecot_user
>>   group = dovecot_group
>> }
>>
>> and set your postfix line that calls deliver to match:
>>
>> dovecot unix - n n - - pipe flags=DRhu
>> user=dovecot_user:dovecot_group argv=/usr/local/libexec/dovecot/
>> deliver -f ${sender} -d ${recipient}
>
> Thanks for this suggestion! But that would imply that I have a
> virtual user
> setup, wouldn't it? Because I don't, all my users are regular Unix
> users with
> shell accounts. That's why my Postfix main.cf contains just
>
> home_mailbox = Maildir/
> mailbox_command = /usr/local/libexec/dovecot/deliver
>
> which is also what the LDA/Postfix wiki page says on
> wiki.dovecot.org. No
> Dovecot entry in master.cf at all.
>

Actually I was responding to what you had listed in your message, i.e.

  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: root
      group: dovecot

-- which is a setup type you would use in a virtual style of user (either a
"super user" or a group of non-system listed users with different uids /
gids) setup. I had not encountered your other postings until later.

Jerry

> And, as also mentioned elsewhere in this thread, until yesterday I
> didn't even
> have the master { ... } section uncommented, and no auth-master
> socket seems
> to have been configured. But then again I only delivered through
> Postfix and
> didn't need to have deliver called by a regular user.
>
> Andreas
> --
> Andreas "daff" Ntaflos
> Vienna, Austria
>
> GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4