a.smith at ukgrid.net
2011-Aug-22 11:22 UTC
[Dovecot] LDA and auth-userdb socket permissions
Hi, just wanted to check this as the wiki seems to have contradictory information. With respect to running the LDA as multiple UIDs the wiki says:

[QUOTE]If you're using more than one UID for users, you're going to have problems running dovecot-lda, as most MTAs won't let you run dovecot-lda as root[/QUOTE]

But in the example for the config file the text reads:

[QUOTE]
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}
[/QUOTE]

So it says you can stick the LDA user just in the (vmail or whatever) group and that is enough. So you aren't restricted to a single UID for access anymore...

I tested this and the latter did not work, that is, if I put my LDA user in the group for the auth-userdb socket with permissions 0660 I got an error back from dovecot saying that the owner was incorrect.

So, as it stands I guess the bit about setting group should be removed from the wiki? Secondly, why doesn't this currently work? Why is the owner all important?

thanks Andy.
On 22.8.2011, at 14.22, a.smith at ukgrid.net wrote:

> just wanted to check this as the wiki seems to have contradictory information. With respect to running the LDA as multiple UIDs the wiki says:
>
> [QUOTE]If you're using more than one UID for users, you're going to have problems running dovecot-lda, as most MTAs won't let you run dovecot-lda as root[/QUOTE]

Yep, that's a problem.

> But in the example for the config file the text reads:
>
> [QUOTE]
> service auth {
>   unix_listener auth-userdb {
>     mode = 0600
>     user = vmail # User running dovecot-lda
>     #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
>   }
> }
> [/QUOTE]

Now you've gone outside the "Multiple UIDs" section in the wiki. There are the 3 different sections of how to run dovecot-lda a different way:

* with a lookup
* without a lookup
* multiple UIDs

None of their documentation is compatible with each other.