I've been messing with this for too long, now, and I'm blind to whatever's
wrong. Or I'm simply being dense. Either way, I need help with a common
issue.

I'm trying to get Postfix+Spamassassin+Dovecot going on Fedora 10. (I'll
get back to the global Sieve thingy soon, but I need to get this going,
first.)

When using the simple:
mailbox_command = /usr/local/libexec/dovecot/deliver
everything is cool, except there's no Spamassassin involvement, obviously.

The problem shows itself when the Spamassassin user hands off to the
recipient user and Deliver + the recipient user tries to access
/var/run/dovecot/auth-master.

Thank you for any insight you can provide.

/var/run/dovecot: 755 root:dovecot
/var/run/dovecot/login: 750 root:dovecot
/var/run/dovecot/auth-master: 750 root:dovecot
(I think. auth-master is a temporary file? Comes and goes.)

From /etc/postfix/main.cf

mailbox_transport = spamassassin

From /etc/postfix/master.cf:

spamassassin unix - n n - - pipe
  user=spam argv=/usr/bin/spamc -f -e /usr/libexec/dovecot/deliver
  -f ${sender} -d ${user} -m ${extension}

Here's my 'socket listen' section from /usr/local/etc/dovecot.conf:

socket listen {
  master {
    path = /var/run/dovecot/auth-master
    mode = 0666
    #user
    group = dovecot
  }
  client {
    path = /var/run/dovecot/auth-client
    mode = 0666
    #user
    group = dovecot
  }
}

From /var/log/maillog:

Postfix receives the message:

postfix/smtpd[29447]: connect from \
  IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]
postfix/smtpd[29447]: 60990FA01BA: \
  client=IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]
postfix/cleanup[29451]: 60990FA01BA: \
  message-id=<49E20BF2.4090408 at example-send.com>
postfix/qmgr[29441]: 60990FA01BA: from=<sender at example-send.com>, \
  size=812, nrcpt=1 (queue active)
postfix/smtpd[29447]: disconnect from \
  IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]

Spamassassin processes the message as user 'spam':

spamd[4121]: spamd: processing message\
  <49E20BF2.4090408 at example-send.com> for spam:653
spamd[4121]: spamd: clean message (3.0/5.0) for spam:653 in 5.2 seconds,\
  793 bytes.
spamd[4121]: spamd: result: . 2 - RDNS_DYNAMIC,TVD_SPACE_RATIO \
  scantime=5.2,size=793,user=spam,uid=653,required_score=5.0, \
  rhost=localhost.localdomain,raddr=127.0.0.1,rport=42493, \
  mid=<49E20BF2.4090408 at example-send.com>,autolearn=no

Spamassassin pipes result to Deliver which runs as recipient user.

Deliver as recipient user doesn't have permission to auth:

deliver(recipient): Can't connect to auth server at \
  /var/run/dovecot/auth-master: Permission denied
postfix/pipe[29452]: 60990FA01BA: to=<recipient at example-receive.com>, \
  relay=spamassassin, delay=6, delays=0.33/0.01/0/5.7, dsn=4.3.0, \
  status=deferred (temporary failure)

1) I must use the 'user=' arg for spamc
2) Can't use 'user=${user}' or $user:
   fatal: get_service_attr: unknown username: ${user}
3) Must use '-d ${user}' Deliver arg, otherwise
   message gets delivered to user 'spam'

AArrgh! TIA.

Hi, I was having problems with permissions on auth-master too. I solved them
by manually creating the folder /var/run/dovecot with correct permissions,
but I see you already did that :\

On Sun, Apr 12, 2009 at 5:27 PM, James Butler <jbutler at thebestdefense.com> wrote:
> I've been messing with this for too long, now, and I'm blind to whatever's
> wrong. Or I'm simply being dense. Either way, I need help with a common
> issue.
>
> I'm trying to get Postfix+Spamassassin+Dovecot going on Fedora 10. (I'll
> get back to the global Sieve thingy soon, but I need to get this going,
> first.)
>
> When using the simple:
> mailbox_command = /usr/local/libexec/dovecot/deliver
> everything is cool, except there's no Spamassassin involvement, obviously.
>
> The problem shows itself when the Spamassassin user hands off to the
> recipient user and Deliver + the recipient user tries to access
> /var/run/dovecot/auth-master.
>
> Thank you for any insight you can provide.
>
> /var/run/dovecot: 755 root:dovecot
> /var/run/dovecot/login: 750 root:dovecot
> /var/run/dovecot/auth-master: 750 root:dovecot
> (I think. auth-master is a temporary file? Comes and goes.)
>
> From /etc/postfix/main.cf
>
> mailbox_transport = spamassassin
>
> From /etc/postfix/master.cf:
>
> spamassassin unix - n n - - pipe
>   user=spam argv=/usr/bin/spamc -f -e /usr/libexec/dovecot/deliver
>   -f ${sender} -d ${user} -m ${extension}
>
> Here's my 'socket listen' section from /usr/local/etc/dovecot.conf:
>
> socket listen {
>   master {
>     path = /var/run/dovecot/auth-master
>     mode = 0666
>     #user
>     group = dovecot
>   }
>   client {
>     path = /var/run/dovecot/auth-client
>     mode = 0666
>     #user
>     group = dovecot
>   }
> }
>
> From /var/log/maillog:
>
> Postfix receives the message:
>
> postfix/smtpd[29447]: connect from \
>   IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]
> postfix/smtpd[29447]: 60990FA01BA: \
>   client=IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]
> postfix/cleanup[29451]: 60990FA01BA: \
>   message-id=<49E20BF2.4090408 at example-send.com>
> postfix/qmgr[29441]: 60990FA01BA: from=<sender at example-send.com>, \
>   size=812, nrcpt=1 (queue active)
> postfix/smtpd[29447]: disconnect from \
>   IP-ADD-RE-SS.ptr.example-send.com[IP.ADD.RE.SS]
>
> Spamassassin processes the message as user 'spam':
>
> spamd[4121]: spamd: processing message\
>   <49E20BF2.4090408 at example-send.com> for spam:653
> spamd[4121]: spamd: clean message (3.0/5.0) for spam:653 in 5.2 seconds,\
>   793 bytes.
> spamd[4121]: spamd: result: . 2 - RDNS_DYNAMIC,TVD_SPACE_RATIO \
>   scantime=5.2,size=793,user=spam,uid=653,required_score=5.0, \
>   rhost=localhost.localdomain,raddr=127.0.0.1,rport=42493, \
>   mid=<49E20BF2.4090408 at example-send.com>,autolearn=no
>
> Spamassassin pipes result to Deliver which runs as recipient user.
>
> Deliver as recipient user doesn't have permission to auth:
>
> deliver(recipient): Can't connect to auth server at \
>   /var/run/dovecot/auth-master: Permission denied
> postfix/pipe[29452]: 60990FA01BA: to=<recipient at example-receive.com>, \
>   relay=spamassassin, delay=6, delays=0.33/0.01/0/5.7, dsn=4.3.0, \
>   status=deferred (temporary failure)
>
> 1) I must use the 'user=' arg for spamc
> 2) Can't use 'user=${user}' or $user:
>    fatal: get_service_attr: unknown username: ${user}
> 3) Must use '-d ${user}' Deliver arg, otherwise
>    message gets delivered to user 'spam'
>
> AArrgh! TIA.
>

--
mobile: 963446125
mail: rui.arc at gmail.com
mail: ei04073 at fe.up.pt
website: http://paginas.fe.up.pt/~ei04073

Here is everything I could think of that might pertain to this, as currently
configured on my dedicated server. It's all fresh! :)

## SYSTEM ##

Fedora 10
Postfix 2.55
Dovecot 1.2.rc2
Spamassassin 3.2.5
SELinux (no SELinux restrictions. Testing done with SELinux=permissive.)
SASLAuthd (not required for local delivery)

## dovecot -n ##

# 1.2.rc2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.27.15-170.2.24.fc10.i686 i686 Fedora rel 10 (Cambridge)
protocols: imaps
listen: *:993
ssl_cert_file: /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file: /etc/pki/dovecot/private/dovecot.pem
login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_gid: 0
mail_location: maildir:~/Maildir
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

## /usr/local/etc/dovecot.conf ##

socket listen {
  master {
    path = /var/run/dovecot/auth-master
    mode = 0666
    # user
    group = dovecot
  }
  client {
    path = /var/run/dovecot/auth-client
    mode = 0666
    # user
    group = dovecot
  }
}

## POSTFIX CONFIG ##

/etc/postfix/main.cf:

mailbox_transport = spamassassin

/etc/postfix/master.cf:

spamassassin unix - n n - - pipe
  user=spam:dovecot argv=/usr/bin/spamc -f -e /usr/libexec/dovecot/deliver
  -f ${sender} -d ${user} -m ${extension}

## PERMISSIONS / OWNERSHIP ##

/usr/local/libexec/dovecot:
-rwxr-xr-x 1 root root 197513 2009-04-03 13:52 checkpassword-reply
-rwxr-xr-x 1 root dovecot 4044835 2009-04-14 13:52 deliver
-rwxr-xr-x 1 root root 1044608 2009-04-03 13:52 dovecot-auth

/var/run:
drwxrwxrwx 3 root dovecot 4096 2009-04-14 12:07 dovecot

/var/run/dovecot:
drwxr-x--- 2 root dovecot 4096 2009-04-09 06:56 login

/usr/bin/spamassassin:
-rwxr-xr-x 1 root root 27023 2008-09-04 14:51 spamassassin

/home/user:
drwx------ 4 user dovecot 4096 2009-04-14 12:00 user

## 'ps aux' OUTPUT (trimmed) ##

root Ss 11:14 0:02 /usr/local/sbin/dovecot
root S 12:07 0:00 dovecot-auth
root S 12:07 0:00 dovecot-auth -w
root Ss 11:14 0:31 /usr/bin/spamd -d -c -m5 -H --username spam -r \
  /var/run/spamd.pid
spam S 11:14 0:27 spamd child
spam S 11:14 0:08 spamd child

## 'ps aux | grep deliver' numerous times until I caught one: ##

postfix S 12:47 0:00 pipe -n spamassassin -t unix user=spam:dovecot \
  argv=/usr/bin/spamc -f -e /usr/libexec/dovecot/deliver -f ${sender} \
  -d ${user} -m ${extension}
spam Ss 12:47 0:00 /usr/bin/spamc -f -e /usr/libexec/dovecot/deliver \
  -f sender at example.com -d user -m

## /var/log/maillog OUTPUT ##

Apr 14 14:53:15 ltfs450 postfix/smtpd[23173]: connect from \
  IP-ADD-RES-SS.dedicatedprovider.com[IP.ADD.RES.SS]
Apr 14 14:53:15 ltfs450 postfix/smtpd[23173]: C7FB9FA00FA: \
  client=IP-ADD-RES-SS.dedicatedprovider.com[IP.ADD.RES.SS]
Apr 14 14:53:15 ltfs450 postfix/cleanup[23177]: C7FB9FA00FA: \
  message-id=<49E4EA41.6020908 at example-send.com>
Apr 14 14:53:15 ltfs450 postfix/qmgr[23171]: C7FB9FA00FA: \
  from=<sender at example-send.com>, size=2215, nrcpt=1 (queue active)
Apr 14 14:53:15 ltfs450 postfix/smtpd[23173]: disconnect from \
  IP-ADD-RES-SS.dedicatedprovider.com[IP.ADD.RES.SS]
Apr 14 14:53:16 ltfs450 spamd[4121]: spamd: connection from \
  localhost.localdomain [127.0.0.1] at port 50035
Apr 14 14:53:16 ltfs450 spamd[4121]: spamd: processing message \
  <49E4EA41.6020908 at example-send.com> for spam:653
Apr 14 14:53:20 ltfs450 spamd[4121]: spamd: clean message (2.2/5.0) \
  for spam:653 in 4.7 seconds, 2167 bytes.
Apr 14 14:53:21 ltfs450 spamd[4121]: spamd: result: . 2 - \
  AWL,RDNS_DYNAMIC,TVD_SPACE_RATIO scantime=4.7,size=2167,user=spam,\
  uid=653,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,\
  rport=50035,mid=<49E4EA41.6020908 at example-send.com>,autolearn=no
Apr 14 14:53:21 ltfs450 deliver(user): Can't connect to auth server \
  at /var/run/dovecot/auth-master: Permission denied
Apr 14 14:53:21 ltfs450 postfix/pipe[23179]: C7FB9FA00FA: \
  to=<user at example-receive.com>, relay=spamassassin, delay=5.2, \
  delays=0.01/0.01/0/5.2, dsn=4.3.0, status=deferred (temporary failure)
Apr 14 14:53:21 ltfs450 spamd[4119]: prefork: child states: II

I have changed /usr/local/libexec/dovecot/deliver permissions as follows:

-rwsr-s--- 1 root dovecot 4044835 2009-04-03 13:52 deliver

Because of message returned to 'sender at example-send.com':

"local configuration error. Command output:
/usr/local/libexec/dovecot/deliver must not be both world-executable and
setuid-root. This allows root exploits. See [LDA#multipleuids wiki page]."

Same auth-master "Permission denied" error.

Thanks again.

James

Oh, that was fun. Making the change below resulted in mail getting deferred
with "Fatal: destination user parameter (-d user) not given" ... which
apparently is caused by running deliver as 'root'!
(http://archive.netbsd.se/?ml=dovecot-general&a=2008-02&t=6558196)

So I am back to:

-rwxr-xr-x 1 root dovecot 4044835 2009-04-03 13:52 deliver

which doesn't produce the error and delivers the mail.

Still no joy with Postfix+Spamassassin+Dovecot.

This is unbelievably hard to get going. I started with the default
installations of everything on a brand new system. I only made minimal
changes as indicated by the docs. Then I made small changes as indicated by
this and other mailing lists. I always reverted back to the original
defaults between each effort. Now I'm just stumped.

I'm not a newbie ... I've been administrating public servers for over 10
years, and using and working on the Internet since 1968! This is just the
first time I've tried to use Postfix+Spamassassin+Dovecot. Previous
installations have all used Sendmail+Spamassassin+Dovecot with zero issues.
I want the benefits of using the Maildir storage system, but the past two
weeks of trying to get this going are making me question whether that
benefit is worth it.

Can anyone please post their successful Postfix+Spamassassin+Dovecot setup
for me to learn from? I would really appreciate it.

James

> I have changed /usr/local/libexec/dovecot/deliver permissions as follows:
>
> -rwsr-s--- 1 root dovecot 4044835 2009-04-03 13:52 deliver
>
> Because of message returned to 'sender at example-send.com':
>
> "local configuration error. Command output:
> /usr/local/libexec/dovecot/deliver must not be both world-executable and
> setuid-root. This allows root exploits. See [LDA#multipleuids wiki page]."
>
> Same auth-master "Permission denied" error.
>
> Thanks again.
>
> James
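
Added example (not part of the thread and not Dovecot's code): a Python check that works out, from plain Unix mode bits, at which path component a given uid is refused on the way to the auth-master socket, and that flags the setuid-root plus world-executable combination named in the deliver error quoted above. The uid/gid numbers, the sample tree and all function names are constructed for illustration; ACLs and SELinux are not modelled.

```python
import os
import stat
from types import SimpleNamespace

W, X = 2, 1  # write / search bits inside one rwx triplet


def granted(st, uid, gids):
    """rwx bits (0-7) the classic owner/group/other check grants uid/gids.
    Assumption: plain mode bits only, no ACLs, capabilities or SELinux."""
    if uid == 0:
        return 7
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_denial(path, uid, gids, stat_fn=os.stat):
    """Return (component, reason) for the first refusal on an absolute socket
    path, or None. Connecting needs search (x) on every directory and write
    permission on the socket file itself."""
    current = "/"
    for name in filter(None, path.split("/")):
        if not granted(stat_fn(current), uid, gids) & X:
            return current, "no search (x) permission on directory"
        current = os.path.join(current, name)
    if not granted(stat_fn(current), uid, gids) & W:
        return current, "no write permission on socket"
    return None


def unsafe_setuid_root(mode, owner_uid):
    """True for a binary that is both setuid-root and world-executable."""
    return owner_uid == 0 and bool(mode & stat.S_ISUID) and bool(mode & stat.S_IXOTH)


def fake_tree(entries):
    """Constructed stand-in for os.stat, fed from {path: (mode, uid, gid)}."""
    keys = ("st_mode", "st_uid", "st_gid")
    return lambda p: SimpleNamespace(**dict(zip(keys, entries[p])))


# Constructed sample: gid 97 stands for group dovecot, uid 1000 for a recipient.
SOCK = "/var/run/dovecot/auth-master"
SAMPLE = {"/": (0o40755, 0, 0), "/var": (0o40755, 0, 0), "/var/run": (0o40755, 0, 0),
          "/var/run/dovecot": (0o40755, 0, 97), SOCK: (0o140750, 0, 97)}

if __name__ == "__main__":
    print(first_denial(SOCK, 1000, {1000}, fake_tree(SAMPLE)))
```

Called without `stat_fn`, `first_denial` reads the real filesystem, so the socket's mode on disk can be compared with the `mode` set in the `socket listen` block.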