Ubuntu 8.04LTS
Dovecot 1.2.6
Postfix 2.5.1

I'm using dovecot imap/deliver in an environment where I don't want users with shell access to reach their mail folders (partly to do with IMAP ACLs requiring open group permissions and partly to do with not wanting users to mess their mail folders / sieve configs up). I specifically don't want to switch to a "single dovecot user" style installation.

Current config:

    mail_location = maildir:/home/mail/%d/%n/Maildir
    mail_privileged_group = mail
    mail_access_groups = maildir

    drwxrws--- 3 nobody maildir 21 2009-11-15 10:52 /home/mail
    drwxrws--- 4 nobody adomain.com 30 2009-11-15 12:12 /home/mail/adomain.com/
    drwxrws--- 3 auser adomain.com 20 2009-11-15 10:52 /home/mail/adomain.com/auser
    drwxrws--- 3 auser adomain.com 20 2009-11-15 10:52 /home/mail/adomain.com/auser/Maildir

And so on...

As expected IMAP and Managesieve work perfectly, but deliver fails:

    Nov 15 12:48:26 s15364807 dovecot: deliver(auser at adomain.com): sieve: stat(/home/mail/adomain.com/auser/.dovecot.sieve) failed: Permission denied (using global script path in stead)
    Nov 15 12:28:06 s15364807 dovecot: deliver(auser at adomain.com): stat(/home/mail/adomain.com/auser/Maildir) failed: Permission denied
    Nov 15 12:28:06 s15364807 dovecot: deliver(auser at adomain.com): stat(/home/mail/adomain.com/auser/Maildir/tmp) failed: Permission denied (euid=1002(auser) egid=1001(adomain.com) missing +x perm: /home/mail)
    Nov 15 12:28:06 s15364807 dovecot: deliver(auser at adomain.com): msgid=<20091115122806.79A0F80034F at servername.com>: save failed to INBOX: Internal error occurred. Refer to server log for more information. [2009-11-15 12:28:06]

Opening the permissions on /home/mail (6771) allows deliver to succeed suggesting that mail_access_groups is being ignored by deliver.
As a work-around I can set /home/mail to 6771 but this is not ideal as anyone somehow guessing the directory structure could access mail of another user in the same group regardless of IMAP ACL settings. Yes, I can severely obfuscate it but it's not secure.

I've spent about half a day trying to figure this out; I'm assuming at this point that either I'm missing something obvious or something else is wrong.

Any ideas?

Peter.
On Sun, 2009-11-15 at 12:59 +0000, Peter wrote:
> Opening the permissions on /home/mail (6771) allows deliver to succeed
> suggesting that mail_access_groups is being ignored by deliver.

How are you calling deliver? Either it needs to be started up as root, or you need to make it setuid-root (and call it with -d parameter). Otherwise it can't use mail_access_groups.
Doh. Of course.... knew it would be something obvious. What threw me is that it had correct permissions aside from this.

It's being called by postfix with -d through mailbox_command - I'm digging through postfix config now, if there's a way I can do this without making deliver setuid I'd be much happier....

Thanks, Timo,

Peter.

-----Original Message-----
From: dovecot-bounces+dovecot=peter-b.org at dovecot.org [mailto:dovecot-bounces+dovecot=peter-b.org at dovecot.org] On Behalf Of Timo Sirainen
Sent: 16 November 2009 18:07
To: Peter
Cc: 'Dovecot Mailing List'
Subject: Re: [Dovecot] deliver is ignoring mail_access_groups

On Sun, 2009-11-15 at 12:59 +0000, Peter wrote:
> Opening the permissions on /home/mail (6771) allows deliver to succeed
> suggesting that mail_access_groups is being ignored by deliver.

How are you calling deliver? Either it needs to be started up as root, or you need to make it setuid-root (and call it with -d parameter). Otherwise it can't use mail_access_groups.
Peter Borg (General)
2009-Nov-16 23:01 UTC
[Dovecot] deliver is ignoring mail_access_groups
> bounces+dovecot=peter-b.org at dovecot.org] On Behalf Of Timo Sirainen
>
> > It's being called by postfix with -d through mailbox_command - I'm
> digging through postfix config now, if there's a way I can do this
> without making deliver setuid I'd be much happier....
>
> I don't think Postfix allows running it as root. But since you're using
> mailbox_command, Postfix already looks up the user's groups from
> somewhere. Perhaps there's something you can do to make Postfix add
> access to the wanted extra group?
>
> I suppose the long term solution for this will be to use Dovecot's LMTP
> server.

Postfix does do group lookup, but not group set. Regardless I wouldn't want the user's group set to include maildir under normal circumstances. This is where Dovecot works well for me because I can get the dovecot process to add the specified group to the user's authentication which means that they can only get at their mail through dovecot and not through the file system.

Postfix doesn't have the ability to add groups to the user's context so no joy there. LMTP will be great once it's done, I'm sure, but for now I'm stuck with whatever MTA I can get going... looks like setuid root deliver is going to be the only solution.

Peter.
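
Added example (not part of the thread and not Dovecot code): a small model of the POSIX directory search check behind the "missing +x perm: /home/mail" log line, run over the listing from the first message. It shows the walk with and without the maildir group that mail_access_groups would add, and what the 6771 workaround opens up. The second shell user "buser" and the use of names in place of numeric ids are assumptions made for illustration.

```python
import stat
from collections import namedtuple

# Constructed from the listing in the first message; drwxrws--- is mode 2770.
Dir = namedtuple("Dir", "path owner group mode")
TREE = [
    Dir("/home/mail", "nobody", "maildir", 0o2770),
    Dir("/home/mail/adomain.com", "nobody", "adomain.com", 0o2770),
    Dir("/home/mail/adomain.com/auser", "auser", "adomain.com", 0o2770),
    Dir("/home/mail/adomain.com/auser/Maildir", "auser", "adomain.com", 0o2770),
]
# Same tree with the workaround applied to /home/mail only.
OPENED = [TREE[0]._replace(mode=0o6771)] + TREE[1:]
# Path taken from the failing stat() in the log.
TARGET = "/home/mail/adomain.com/auser/Maildir/tmp"


def can_search(d, user, groups):
    """Pick exactly one permission class: owner, else group, else other."""
    if user == d.owner:
        return bool(d.mode & stat.S_IXUSR)
    if d.group in groups:
        return bool(d.mode & stat.S_IXGRP)
    return bool(d.mode & stat.S_IXOTH)


def first_blocked(tree, target, user, groups):
    """Return the first ancestor of target without +x for these credentials.

    Returns None when every ancestor can be traversed. Root's bypass of
    permission checks is deliberately not modelled.
    """
    for d in sorted(tree, key=lambda e: len(e.path)):
        is_ancestor = target.startswith(d.path.rstrip("/") + "/")
        if is_ancestor and not can_search(d, user, groups):
            return d.path
    return None


if __name__ == "__main__":
    cases = [
        ("deliver started as auser, no extra group", TREE, "auser", {"adomain.com"}),
        ("deliver with maildir group added", TREE, "auser", {"adomain.com", "maildir"}),
        ("buser via shell, /home/mail at 2770", TREE, "buser", {"adomain.com"}),
        ("buser via shell, /home/mail at 6771", OPENED, "buser", {"adomain.com"}),
    ]
    for label, tree, user, groups in cases:
        blocked = first_blocked(tree, TARGET, user, groups)
        print(f"{label}: {'blocked at ' + blocked if blocked else 'reachable'}")
```

The last case is the exposure described in the first message: with /home/mail at 6771, any shell user in the same domain group can traverse into another user's Maildir, because every directory below /home/mail already grants the domain group rwx.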