hobie at rumormillnews.com
2011-Aug-24 19:22 UTC
[Dovecot] Dovecot rejecting Vpopmail User 89
I'm working to get Dovecot 2.0.13 working along with qmail, Vpopmail and Squirrelmail on a Debian 6.0.2 system, Dovecot compiled, not from a package.

Vpopmail has a widely known assigned user/group ID of 89 and is the owner of all the mail folders.

Regardless of value of first_valid_uid (1, 89, other), Dovecot denies Squirrelmail connection, saying it can't allow access to UID 89. "Couldn't drop privileges", it says. I'd be grateful for fixes, suggestions, or a pointer to an existing answer to this problem. Thanks ahead. :)

Presently dovecot -n shows:

# 2.0.13: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.2 ext3
auth_debug = yes
disable_plaintext_auth = no
mail_debug = yes
mail_location = maildir:/home/vpopmail/domains/%d/%n/Maildir
maildir_very_dirty_syncs = yes
passdb {
  driver = vpopmail
}
protocols = imap pop3
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
userdb {
  args = quota_template=quota_rule=*:backend=%q
  driver = vpopmail
}

--hobie
Quoting hobie at rumormillnews.com:

> I'm working to get Dovecot 2.0.13 working along with qmail, Vpopmail and
> Squirrelmail on a Debian 6.0.2 system, Dovecot compiled, not from a
> package.
>
> Vpopmail has a widely known assigned user/group ID of 89 and is the owner
> of all the mail folders.
>
> Regardless of value of first_valid_uid (1, 89, other), Dovecot denies
> Squirrelmail connection, saying it can't allow access to UID 89. "Couldn't
> drop privileges", it says. I'd be grateful for fixes, suggestions, or a
> pointer to an existing answer to this problem. Thanks ahead. :)
>

Here's mine - I set first and last uid AND gid.
Can you telnet to port 110 and test?

USER username
PASS password
LIST

# 2.0.13: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.2-RELEASE amd64
auth_mechanisms = plain login digest-md5 cram-md5
auth_username_translation = %@
auth_verbose = yes
base_dir = /var/run/dovecot/
default_login_user = vpopmail
disable_plaintext_auth = no
first_valid_gid = 89
first_valid_uid = 89
last_valid_gid = 89
last_valid_uid = 89
# run under tcpserver
log_path = /dev/stderr
login_greeting = Ready.
mail_fsync = never
mail_plugins = " quota zlib"
mail_privileged_group = mail
namespace {
  inbox = yes
  location
  prefix
  separator = .
}
namespace {
  hidden = yes
  inbox = no
  list = no
  location
  prefix = INBOX.
  separator = .
}
passdb {
  driver = vpopmail
}
plugin {
  quota = maildir
}
protocols = imap pop3
service anvil {
  client_limit = 2000
}
service auth {
  unix_listener auth-master {
    mode = 0600
  }
}
service imap-login {
  client_limit = 384
  process_limit = 512
  process_min_avail = 25
  service_count = 0
}
service imap-postlogin {
  executable = script-login rawlog /usr/local/etc/dovecot/lastauth-imap.sh
  user = vpopmail
}
service imap {
  executable = /usr/local/libexec/dovecot/imap
}
service pop-postlogin {
  executable = script-login /usr/local/etc/dovecot/lastauth-pop.sh
  user = vpopmail
}
service pop3-login {
  client_limit = 384
  process_limit = 512
  process_min_avail = 25
  service_count = 0
}
service pop3 {
  executable = /usr/local/libexec/dovecot/pop3
}
shutdown_clients = no
ssl_cert = </etc/ssl/mail.pem
ssl_key = </etc/ssl/mail.key
ssl_key_password = password
userdb {
  driver = vpopmail
}
verbose_proctitle = yes
protocol imap {
  auth_socket_path = /var/run/dovecot/auth-master
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
  mail_max_userip_connections = 10
  mail_plugins = " quota zlib imap_zlib quota imap_quota"
}
protocol pop3 {
  auth_socket_path = /var/run/dovecot/auth-master
  mail_max_userip_connections = 10
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
Enable auth_verbose and check the logs. But I'm pretty sure that means Dovecot can't change to the Maildir folder. I assume the user's folder is owned by vpopmail:vchkpw? Is the Maildir NFS mounted or local?

Rick

Quoting hobie at rumormillnews.com:

> Thanks, Rick. :) Changed first/last uid/gid so all show 89 and restarted
> Dovecot, no change. Telnetting from remote or from localhost, Dovecot
> closes the connection immediately after password is sent. (?)
>
> --hobie
>
>> Quoting hobie at rumormillnews.com:
>>
>>> I'm working to get Dovecot 2.0.13 working along with qmail, Vpopmail and
>>> Squirrelmail on a Debian 6.0.2 system, Dovecot compiled, not from a
>>> package.
>>>
>>> Vpopmail has a widely known assigned user/group ID of 89 and is the
>>> owner
>>> of all the mail folders.
>>>
>>> Regardless of value of first_valid_uid (1, 89, other), Dovecot denies
>>> Squirrelmail connection, saying it can't allow access to UID 89.
>>> "Couldn't
>>> drop privileges", it says. I'd be grateful for fixes, suggestions, or a
>>> pointer to an existing answer to this problem. Thanks ahead. :)
>>>
>>
>> Here's mine - I set first and last uid AND gid.
>> Can you telnet to port 110 and test?
>>
>> USER username
>> PASS password
>> LIST
>>
>>
>> # 2.0.13: /usr/local/etc/dovecot/dovecot.conf
>> # OS: FreeBSD 8.2-RELEASE amd64
>> auth_mechanisms = plain login digest-md5 cram-md5
>> auth_username_translation = %@
>> auth_verbose = yes
>> base_dir = /var/run/dovecot/
>> default_login_user = vpopmail
>> disable_plaintext_auth = no
>> first_valid_gid = 89
>> first_valid_uid = 89
>> last_valid_gid = 89
>> last_valid_uid = 89
>> # run under tcpserver
>> log_path = /dev/stderr
>> login_greeting = Ready.
>> mail_fsync = never
>> mail_plugins = " quota zlib"
>> mail_privileged_group = mail
>> namespace {
>>   inbox = yes
>>   location
>>   prefix
>>   separator = .
>> }
>> namespace {
>>   hidden = yes
>>   inbox = no
>>   list = no
>>   location
>>   prefix = INBOX.
>>   separator = .
>> }
>> passdb {
>>   driver = vpopmail
>> }
>> plugin {
>>   quota = maildir
>> }
>> protocols = imap pop3
>> service anvil {
>>   client_limit = 2000
>> }
>> service auth {
>>   unix_listener auth-master {
>>     mode = 0600
>>   }
>> }
>> service imap-login {
>>   client_limit = 384
>>   process_limit = 512
>>   process_min_avail = 25
>>   service_count = 0
>> }
>> service imap-postlogin {
>>   executable = script-login rawlog
>> /usr/local/etc/dovecot/lastauth-imap.sh
>>   user = vpopmail
>> }
>> service imap {
>>   executable = /usr/local/libexec/dovecot/imap
>> }
>> service pop-postlogin {
>>   executable = script-login /usr/local/etc/dovecot/lastauth-pop.sh
>>   user = vpopmail
>> }
>> service pop3-login {
>>   client_limit = 384
>>   process_limit = 512
>>   process_min_avail = 25
>>   service_count = 0
>> }
>> service pop3 {
>>   executable = /usr/local/libexec/dovecot/pop3
>> }
>> shutdown_clients = no
>> ssl_cert = </etc/ssl/mail.pem
>> ssl_key = </etc/ssl/mail.key
>> ssl_key_password = password
>> userdb {
>>   driver = vpopmail
>> }
>> verbose_proctitle = yes
>> protocol imap {
>>   auth_socket_path = /var/run/dovecot/auth-master
>>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
>>   mail_max_userip_connections = 10
>>   mail_plugins = " quota zlib imap_zlib quota imap_quota"
>> }
>> protocol pop3 {
>>   auth_socket_path = /var/run/dovecot/auth-master
>>   mail_max_userip_connections = 10
>>   mail_plugins = quota
>>   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
>>   pop3_uidl_format = %08Xu%08Xv
>>
>>
>>
On Wed, 2011-08-24 at 15:22 -0400, hobie at rumormillnews.com wrote:

> Regardless of value of first_valid_uid (1, 89, other), Dovecot denies
> Squirrelmail connection, saying it can't allow access to UID 89. "Couldn't
> drop privileges", it says. I'd be grateful for fixes, suggestions, or a
> pointer to an existing answer to this problem. Thanks ahead. :)

Show the EXACT full error message.
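
Added example, not part of any post in this thread and not Dovecot code: a Python sketch of the two checks raised in Rick's replies, namely that UID/GID 89 falls inside the first/last valid range and that every directory down to the Maildir is usable by the vpopmail owner. The function names and the `start` parameter are assumptions of this example, and the permission check reads classic mode bits only.

```python
import os

def id_in_range(value, first, last):
    """first_valid_*/last_valid_* rule: below first is rejected; last == 0 means no upper limit."""
    return value >= first and (last == 0 or value <= last)

def first_blocked_dir(path, uid, gid, start="/"):
    """Walk from start down to path; return the first directory that uid/gid
    cannot enter (the final one must also be readable and writable), or None.
    Assumption: classic mode bits only; ACLs, supplementary groups and
    root's override are ignored."""
    start = os.path.abspath(start)
    rel = os.path.relpath(os.path.abspath(path), start)
    if rel.startswith(".."):
        raise ValueError("path is not below start")
    chain = [start]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for i, directory in enumerate(chain):
        st = os.stat(directory)
        if st.st_uid == uid:
            bits = (st.st_mode >> 6) & 0o7      # owner permission bits
        elif st.st_gid == gid:
            bits = (st.st_mode >> 3) & 0o7      # group permission bits
        else:
            bits = st.st_mode & 0o7             # other permission bits
        needed = 0o7 if i == len(chain) - 1 else 0o1
        if bits & needed != needed:
            return directory
    return None

def diagnose(uid, gid, ranges, maildir, start="/"):
    """ranges: dict with first_valid_uid, last_valid_uid, first_valid_gid, last_valid_gid."""
    findings = []
    if not id_in_range(uid, ranges["first_valid_uid"], ranges["last_valid_uid"]):
        findings.append("uid %d outside first/last_valid_uid" % uid)
    if not id_in_range(gid, ranges["first_valid_gid"], ranges["last_valid_gid"]):
        findings.append("gid %d outside first/last_valid_gid" % gid)
    blocked = first_blocked_dir(maildir, uid, gid, start)
    if blocked:
        findings.append("no access at %s" % blocked)
    return findings
```

For the setup in this thread the call would take uid 89, the vchkpw group's gid, the four range values from `dovecot -n`, and the expanded mail_location path for one user.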