I use IMAP preauth; I connect with Alpine over SSH which is very useful. The last few upgrades this has become more difficult to to. Last time (moving 2.2 -> 2.3, I think) I had to put in a workaround: stats_writer_socket_path It prevented /usr/local/libexec/dovecot/imap attempting to connect to a central stats service. As of an upgrade today (2.3.2.1_1 -> 2.3.4_3 on FreeBSD) it looks like that 'fix' stopped working, and I get: imap(mark,)Error: net_connect_unix() failed: Permission denied It goes to stderr, which breaks Alpine. "()" is actually the filename. It seems that the empty string is no longer an indication to disable it. Here it is with the default configuration: imap(mark,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied I do also have a dovecot running as a system daemon, and, interestingly, disable this and it's 'fixed'; no attempt to connect. However, disabling the service is not an option (needed for smartphone) The best I've come up with so far is when using preauth to hack it to send stderr to /dev/null. And yes, probably Alpine is at fault for interpreting stderr content (separate issue) * Is there a way to cleanly disable reporting to the stats service? Previously, running as preauth was all very clean. * Just wanted to highlight that IMAP preauth is really useful. Even though it might not be mainstream, it seems healthy to be able to easily install dovecot as an unprivilidged user in a "unixy" way. I'm on FreeBSD 11.2, with dovecot from ports. dovecot.conf below. -- Mark # # Dovecot configuration # mail_location = maildir:~/Maildir postmaster_address = postmaster namespace { inbox = yes } ssl = required ssl_cert = </etc/ssl/lets.crt ssl_key = </etc/ssl/local.key ssl_dh = </etc/ssl/dh.pem # # No writing of statistics to a priviledged service; # this is troublesome for a user to run the IMAP client # #stats_writer_socket_path # # Authentication: only allow passwords sent over TLS, and # check against the system password database # passdb { driver = pam } userdb { driver = passwd } # # Disable all except standard IMAP with TLS logins # service imap-login { inet_listener imaps { port = 0 } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 0 } } # # An authentication service to allow Exim to use the # same credentials as Dovecot # service auth { unix_listener auth-client { mode = 0600 user = mailnull } } protocol imap { mail_max_userip_connections = 40 } # END
On 05/01/2019 15:49, Mark Hills wrote:> I use IMAP preauth; I connect with Alpine over SSH which is very useful. > > The last few upgrades this has become more difficult to to. Last time > (moving 2.2 -> 2.3, I think) I had to put in a workaround: > > stats_writer_socket_path > > It prevented /usr/local/libexec/dovecot/imap attempting to > connect to a central stats service. > > As of an upgrade today (2.3.2.1_1 -> 2.3.4_3 on FreeBSD) it looks like > that 'fix' stopped working, and I get: > > imap(mark,)Error: net_connect_unix() failed: Permission denied > > It goes to stderr, which breaks Alpine. > > "()" is actually the filename. It seems that the empty string is no longer > an indication to disable it. Here it is with the default configuration: > > imap(mark,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied > > I do also have a dovecot running as a system daemon, and, interestingly, > disable this and it's 'fixed'; no attempt to connect. However, disabling > the service is not an option (needed for smartphone) > > The best I've come up with so far is when using preauth to hack it to send > stderr to /dev/null. And yes, probably Alpine is at fault for interpreting > stderr content (separate issue) > > * Is there a way to cleanly disable reporting to the stats service? > Previously, running as preauth was all very clean. > > * Just wanted to highlight that IMAP preauth is really useful. Even > though it might not be mainstream, it seems healthy to be able to easily > install dovecot as an unprivilidged user in a "unixy" way. > > I'm on FreeBSD 11.2, with dovecot from ports. dovecot.conf below. >Can't see anything in the Dovecot 2.3.4 code that would give this problem, setting stats_writer_socket_path will overwrite the default value and dovecot does not attempt to open a socket in that case. Using your configuration (though not FreeBSD) I don't get the net_connect_unix error whether I use a blank setting or leave the default. In the case of leaving the default I do get an additional process (dovecot/stats). No errors on connecting to the imap service or by running preauth (with the dovecot daemon already running). The net_connect_unix() error with a zero length socket name is inexplicable to me, unless it's got a non printing character in it or there is something different happening on FreeBSD. One suggestion is to run with the default setting, but look at resolving the permission problem for the default socket creation at /var/run/dovecot/stats-writer rather than working round it. John
On 06/01/2019 02:26, John Fawcett wrote:> On 05/01/2019 15:49, Mark Hills wrote: >> I use IMAP preauth; I connect with Alpine over SSH which is very useful. >> >> The last few upgrades this has become more difficult to to. Last time >> (moving 2.2 -> 2.3, I think) I had to put in a workaround: >> >> stats_writer_socket_path >> >> It prevented /usr/local/libexec/dovecot/imap attempting to >> connect to a central stats service. >> >> As of an upgrade today (2.3.2.1_1 -> 2.3.4_3 on FreeBSD) it looks like >> that 'fix' stopped working, and I get: >> >> imap(mark,)Error: net_connect_unix() failed: Permission denied >> >> It goes to stderr, which breaks Alpine. >> >> "()" is actually the filename. It seems that the empty string is no longer >> an indication to disable it. Here it is with the default configuration: >> >> imap(mark,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied >> >> I do also have a dovecot running as a system daemon, and, interestingly, >> disable this and it's 'fixed'; no attempt to connect. However, disabling >> the service is not an option (needed for smartphone) >> >> The best I've come up with so far is when using preauth to hack it to send >> stderr to /dev/null. And yes, probably Alpine is at fault for interpreting >> stderr content (separate issue) >> >> * Is there a way to cleanly disable reporting to the stats service? >> Previously, running as preauth was all very clean. >> >> * Just wanted to highlight that IMAP preauth is really useful. Even >> though it might not be mainstream, it seems healthy to be able to easily >> install dovecot as an unprivilidged user in a "unixy" way. >> >> I'm on FreeBSD 11.2, with dovecot from ports. dovecot.conf below. >> > Can't see anything in the Dovecot 2.3.4 code that would give this > problem, setting > > stats_writer_socket_path > > will overwrite the default value and dovecot does not attempt to open a socket in that case. > > Using your configuration (though not FreeBSD) I don't get the net_connect_unix error whether I use a blank setting or leave the default. In the case of leaving the default I do get an additional process (dovecot/stats). No errors on connecting to the imap service or by running preauth (with the dovecot daemon already running). > > The net_connect_unix() error with a zero length socket name is inexplicable to me, unless it's got a non printing character in it or there is something different happening on FreeBSD. > > One suggestion is to run with the default setting, but look at resolving the permission problem for the default socket creation at > /var/run/dovecot/stats-writer rather than working round it. > > John >Just following up, I don't get the error when I run preauth as root with -u parameter. I do get something similar when I run as the user (this wil the socket path set to blank) Centos 7: Error: net_connect_unix() failed: Connection refused FreeBSD 11.2: Error: net_connect_unix() failed: No such file or directory So it's close. If I get time I'll see if I can track it down. John