Troy Vitullo
2012-Oct-23  20:52 UTC
[Dovecot] spamc can't seem to call /usr/lib/dovecot/deliver
Hi,
My server uses a system comprised of postfix, dovecot and dspam to filter and
deliver mail.
Postfix used the following flags in calling spamc and dovecot:
flags=DRhu user=dovecot:secmail argv=/usr/bin/spamc -u ${recipient} -e
/usr/lib/dovecot/deliver -d ${recipient}
After an upgrade from Debian lenny to squeeze we were able to get everything
working except spam filtering. Spamassassin is able to judge whether the mail
coming in is spam but everything stops there.
In mail.err I see:
pamc[3608]: exec failed: Permission denied
spamc shows the same thing in syslog:
exec failed: Permission denied
postfix delays the email:
postfix/pipe[3607]: 50DEFF180EE: to=<[mail]>, relay=dovecot, delay=1.7,
delays=0.07/0.01/0/1.6, dsn=4.3.0, status=deferred (system resource problem)
Here are the permissions for deliver:
-rwsr-x--- 1 root dovecot 865084 May 25  2011 /usr/lib/dovecot/deliver
Here are the relevant groups:
s1:~# grep dovecot /etc/group
secmail:x:119:postfix,spamd,dovecot
dovecot:x:111:
Here's the dovecot user:
s1:~# grep dovecot /etc/passwd
dovecot:x:108:111:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
Here's dovecot -n:
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-686 i686 Debian 6.0.6 
base_dir: /var/run/dovecot/
protocols: imap imaps pop3s pop3
ssl_cert_file: /etc/ssl/certs/s1.troyvit.com.cert
ssl_key_file: /etc/ssl/private/s1.troyvit.com.key
ssl_cipher_list: ALL:!LOW
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_location: maildir:%h/Maildir/
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_enable_last(default): no
pop3_enable_last(imap): no
pop3_enable_last(pop3): yes
pop3_client_workarounds(default): 
pop3_client_workarounds(imap): 
pop3_client_workarounds(pop3): outlook-no-nuls, oe-ns-eoh
pop3_logout_format(default): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(imap): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(pop3): top=%t/%T, retr=%r/%R, del=%d/%m, size=%s
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
lda:
  postmaster_address: postmaster at sphere.local
  auth_socket_path: /var/run/dovecot/auth-master
  mail_plugin_dir: /usr/lib/dovecot/modules/lda/
  mail_plugins: sieve
auth default:
  mechanisms: plain login
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 438
      user: dovecot
plugin:
  sieve_global_path: /etc/dovecot/default.sieve
  sieve: /srv/%d/mail/%n/%n.sieve
Many thanks in advance for any advice you can give.
Troy
Bill Shirley
2012-Oct-24  01:06 UTC
[Dovecot] spamc can't seem to call /usr/lib/dovecot/deliver
What is your mailbox_command in main.cf? I just use:

mailbox_command = /usr/bin/spamc -u "$USER" -e /usr/lib64/dovecot/deliver -a "$RECIPIENT" -f "$SENDER" -m "$EXTENSION"

I don't need anything in master.cf. But you should be using -u ${user} for spamc.

Bill
/dev/rob0
2012-Oct-24  16:32 UTC
[Dovecot] spamc can't seem to call /usr/lib/dovecot/deliver
There seems to be much confusion in this thread. I might be able to
help clear up some of it, but probably not all, because I agree with
Robert about using amavisd-new for filtering and LMTP for delivery.

On Tue, Oct 23, 2012 at 02:52:45PM -0600, Troy Vitullo wrote:
> My server uses a system comprised of postfix, dovecot and dspam to
> filter and deliver mail.
>
> Postfix used the following flags in calling spamc and dovecot:
>
> flags=DRhu user=dovecot:secmail argv=/usr/bin/spamc -u ${recipient}
> -e /usr/lib/dovecot/deliver -d ${recipient}

This looks like you might be using pipe(8). If so, refer to the
manual, and note that you are invoking this command as user "dovecot"
and group "secmail". That is wrong use of the "dovecot" user. You
probably should have made and used a dedicated "vmail" user. And
according to your own post, q.v., the group "secmail" is definitely
wrong.

> after an upgrade from Debian lenny to squeeze we were able to get
> everything working except spam filtering. Spamassassin is able to
> judge whether the mail coming in is spam but everything stops
> there.

Automated or semi-automated upgrades are often a source of pain.

> In mail.err I see:
>
> pamc[3608]: exec failed: Permission denied

I guess that is spamc, and yes, of course.

> spamc shows the same thing in syslog:
>
> exec failed: Permission denied
>
> postfix delays the email:
>
> postfix/pipe[3607]: 50DEFF180EE: to=<[mail]>, relay=dovecot,
> delay=1.7, delays=0.07/0.01/0/1.6, dsn=4.3.0, status=deferred
> (system resource problem)
>
> Here are the permissions for deliver:
>
> -rwsr-x--- 1 root dovecot 865084 May 25 2011 /usr/lib/dovecot/deliver

The pipe command is not executed as root. Nor is it invoked with the
GID "dovecot". You specified group "secmail". Therefore the "other"
permissions are what apply. "---" is no read, no write, no execute.

> Here are the relevant groups:
>
> s1:~# grep dovecot /etc/group
> secmail:x:119:postfix,spamd,dovecot

This is not relevant. The process has EGID secmail, and the fact that
dovecot is a member of secmail does not matter. Bottom line here: it
seems that you misunderstood what the group permissions meant.

> dovecot:x:111:
>
> here's the dovecot user:
> s1:~# grep dovecot /etc/passwd
> dovecot:x:108:111:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
>
> here's dovecot -n:
>
> # 1.2.15: /etc/dovecot/dovecot.conf

You upgraded -- to 1.2.15? Why?

snip

> Many thanks in advance for any advice you can give.

Again, you should check on the wiki about the appropriate use of the
"dovecot" user, and also read the wiki about virtual mailboxes. Fix
that. Even if you make it work with permissions, you are breaking
Dovecot's security model of privilege separation. The "dovecot" user
is for Dovecot's internal use only, not for delivering mail and
ownership of mailboxes.

The poster who was talking about postconf(5) mailbox_command was
bringing in a red herring. That is for local(8) delivery, and you
evidently are using pipe(8).
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
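
The permission check described in the reply above, as an added example that is not part of the thread: it parses the ls -l line and the uid/gid values quoted in the first post and picks the single permission class the kernel consults for an exec. It assumes, as the reply states, that the piped command runs with exactly the user and group given in user=, with no supplementary groups; the function names are hypothetical.

```python
import stat

# Constructed from values quoted in the thread (root's uid 0 is the standard value).
LS_LINE = "-rwsr-x--- 1 root dovecot 865084 May 25  2011 /usr/lib/dovecot/deliver"
PASSWD = {"root": 0, "dovecot": 108}       # user name -> uid
GROUP = {"dovecot": 111, "secmail": 119}   # group name -> gid


def parse_ls_mode(perm):
    """Convert an ls -l permission string such as '-rwsr-x---' to mode bits."""
    bits = 0
    classes = ((perm[1:4], 6, stat.S_ISUID, "sS"),
               (perm[4:7], 3, stat.S_ISGID, "sS"),
               (perm[7:10], 0, stat.S_ISVTX, "tT"))
    for rwx, shift, special, marks in classes:
        if rwx[0] == "r":
            bits |= 4 << shift
        if rwx[1] == "w":
            bits |= 2 << shift
        if rwx[2] in "xst":      # lowercase s/t means special bit plus execute
            bits |= 1 << shift
        if rwx[2] in marks:
            bits |= special
    return bits


def exec_check(mode, owner_uid, owner_gid, euid, egid, supp_groups=()):
    """Return (class_used, allowed): exactly one permission class is consulted."""
    if euid == 0:                # root may exec if any execute bit is set
        return ("root", bool(mode & 0o111))
    if euid == owner_uid:        # owner bits win even if group bits are looser
        return ("owner", bool(mode & stat.S_IXUSR))
    if egid == owner_gid or owner_gid in supp_groups:
        return ("group", bool(mode & stat.S_IXGRP))
    return ("other", bool(mode & stat.S_IXOTH))


def decide(user_spec, ls_line=LS_LINE):
    """Evaluate a pipe(8)-style user=name:group spec against the ls -l line."""
    fields = ls_line.split()
    mode = parse_ls_mode(fields[0])
    user, _, group = user_spec.partition(":")
    return exec_check(mode, PASSWD[fields[2]], GROUP[fields[3]],
                      PASSWD[user], GROUP[group])


if __name__ == "__main__":
    for spec in ("dovecot:secmail", "dovecot:dovecot"):
        print(spec, "->", decide(spec))
```

The dovecot:dovecot case is included only to show when the group class would apply; the reply advises a dedicated delivery user rather than reusing the "dovecot" account.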