Displaying 18 results from an estimated 18 matches for "nonewprivileges".
2018 Apr 04
2
issue with sieve forwarding after upgrade to 0.5.1
On 2018-04-04 01:54, B. Reino wrote:
> The new systemd service file has NoNewPrivileges set to true. You need
> to override that to false and then it should work again.
It seems that the NoNewPrivileges option messes with several things.
PAM authentication stopped working as well besides the fact that
CAP_AUDIT_WRITE is also missing in CapabilityBoundingSet.
I've opened a pul...
2018 Apr 05
3
Re: Can’t authenticate any users after upgrade.
...https://github.com/dovecot/core/pull/71
>
> Or, if it's any easier:
>
> 1) Stop dovecot
> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached
> file
I'd recommend to just override the necessary options by creating
/etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the
following content:
-<<--
[Service]
NoNewPrivileges=false
-->>-
This way the fix survives any updates and you don't have to mess with
package-provided files.
> 3) systemctl daemon-reload
> 4) systemctl start dovecot
2018 Jan 07
2
Updated Dovecot 2.3.0 now getting 2 strange log errors
...nhole 0.4.21 and can confirm
>> the reported problem does not exist with "permission denied" and
>> sendmail getting hung up/timing out.
> The issue is that sendmail/maildrop/postdrop uses setgid to change to
> the maildrop group (`stat $(which postdrop)`) and the
> NoNewPrivileges=true setting in the service file explicitly disables
> this (look in man systemd.exec). This setting appears to be new in 2.3[1].
>
> What is somewhat infuriating is that this behaviour change is not
> mentioned in the release notes/upgrade notes and the commit that
> introduces the...
2018 Apr 03
5
issue with sieve forwarding after upgrade to 0.5.1
Hello,
After I upgraded dovecot 2.2.35 to 2.3.1 and pigeonhole 0.4.23 to 0.5.1, when I use sieve to forward a message to another address using "redirect :copy" I get this:
(host server1.myserver.com[private/dovecot-lmtp] said: 451 4.2.0 <chris at mydomain.com> Execution of Sieve filters was aborted due to
2018 Apr 04
0
issue with sieve forwarding after upgrade to 0.5.1
...riginal message --------From: "Helmut K. C. Tessarek" <tessarek at evermeet.cx> Date: 04/04/2018 09:44 (GMT+02:00) To: dovecot at dovecot.org Subject: Re: issue with sieve forwarding after upgrade to 0.5.1
On 2018-04-04 01:54, B. Reino wrote:
> The new systemd service file has NoNewPrivileges set to true. You need
> to override that to false and then it should work again.
It seems that the NoNewPrivileges option messes with several things.
PAM authentication stopped working as well besides the fact that
CAP_AUDIT_WRITE is also missing in CapabilityBoundingSet.
I've opened a pul...
2018 Jan 03
2
Updated Dovecot 2.3.0 now getting 2 strange log errors
On 2018-01-02 17:21, tony wrote:
> On 2018-01-02 16:37, tony wrote:
>> On 2018-01-01 17:26, Peter wrote:
>>> On 02/01/18 14:07, Stephan Bosch wrote:
>>>>> I can see 21:21:38 is when the below errors showed up with the
>>>>> above
>>>>> 21:21:38 timestamps:
>>>>>
>>>>> Dec 29 21:21:38
>>>>>
2018 Jan 06
0
Updated Dovecot 2.3.0 now getting 2 strange log errors
...to 2.2.33.2 and pigeonhole 0.4.21 and can confirm
> the reported problem does not exist with "permission denied" and
> sendmail getting hung up/timing out.
The issue is that sendmail/maildrop/postdrop uses setgid to change to
the maildrop group (`stat $(which postdrop)`) and the
NoNewPrivileges=true setting in the service file explicitly disables
this (look in man systemd.exec). This setting appears to be new in 2.3[1].
What is somewhat infuriating is that this behaviour change is not
mentioned in the release notes/upgrade notes and the commit that
introduces the change changes multiple...
2018 Apr 06
0
Re: Can’t authenticate any users after upgrade.
...core/pull/71
>>
>> Or, if it's any easier:
>>
>> 1) Stop dovecot
>> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached file
>
> I'd recommend to just override the necessary options by creating /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following content:
>
> -<<--
> [Service]
> NoNewPrivileges=false
> -->>-
>
> This way the fix survives any updates and you don't have to mess with package-provided files.
>
>> 3) systemctl daemon-reload
>> 4) systemct...
2018 Apr 05
4
Can’t authenticate any users after upgrade.
I'm in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won't let any client login to get their email.
PAM audit_log_acct_message() failed: Operation not permitted
imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
# 2.3.1 (8e2f634):
2018 Apr 04
0
issue with sieve forwarding after upgrade to 0.5.1
Hello,
The new systemd service file has NoNewPrivileges set to true. You need to override that to false and then it should work again.
(if you need help with that ask again.. I'm on the train now so I can't write much comfortably..)
Cheers.
On April 3, 2018 10:25:22 PM GMT+02:00, Christos Chatzaras <chris at cretaforce.gr> wrote:
>He...
2018 Apr 05
0
Re: Can’t authenticate any users after upgrade.
.../usr/sbin/dovecot -F
PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
PrivateDevices=true
# disable this if you want to use apparmor plugin
#NoNewPrivileges=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE
# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'
# If you have trouble with `Too many open fil...
2018 Apr 05
0
issue with sieve forwarding after upgrade to 0.5.1
...ther users to send e-mails from system accounts. Only allow users to send e-mails from virtual accounts and after smtp authentication. Username filter is used for bogofilter and needs access to sendmail)
And in dovecot.conf:
submission_host = 138.201.248.xxx
The same workaround may work for NoNewPrivileges too, as the authorized_submit_users setting in postfix has a similar result.
2018 Apr 05
1
Re: Can’t authenticate any users after upgrade.
On 05.04.2018 07:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>> session=<sessionid>
> Please look at my pull request at:
2018 Apr 04
2
issue with sieve forwarding after upgrade to 0.5.1
Thank you for your reply. I use FreeBSD so no changes on the OS before and after the dovecot/pigeonhole updates.
> On 4 Apr 2018, at 08:54, B. Reino <reinob at bbmk.org> wrote:
>
> Hello,
>
> The new systemd service file has NoNewPrivileges set to true. You need to override that to false and then it should work again.
>
> (if you need help with that ask again.. I'm on the train now so I can't write much comfortably..)
>
> Cheers.
>
> On April 3, 2018 10:25:22 PM GMT+02:00, Christos Chatzaras <chris at c...
2018 Apr 17
2
Postfix sendmail cannot be called from Sieve redirect
Sending (in my case: forwarding) messages from Sieve via sendmail does not
work with version 2.3.1.
I have narrowed it down to this simple test case:
# dovecot -n
# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# OS: Linux 4.4.0-119-generic x86_64 Ubuntu 16.04.4 LTS
# Hostname: tuxi.topfen.net
first_valid_gid = 200
first_valid_uid = 200
mail_location = mbox:~/mail
passdb {
args =
2019 Nov 02
0
Sieve redirect does not collect the sendmail child process correctly (Dovecot 2.3.4.1, Pigeonhole 0.5.4)
...It
apparently happens because qmail masks the SIGCHLD signal while Dovecot
doesn't unmask it before waiting for children.
Regards,
Stephan.
>
> A Google search led me to:
>
> https://bugs.archlinux.org/task/56933
>
> which blames systemd service changes:
>
> NoNewPrivileges=true
>
> , however I'm not running dovecot via systemd but use DJB's daemontools for
> service supervision.
>
> The page above suggested to change from:
>
> sendmail_path = /usr/sbin/sendmail
>
> to
>
> submission_host = localhost
>
> in "c...
2019 Nov 02
2
Sieve redirect does not collect the sendmail child process correctly (Dovecot 2.3.4.1, Pigeonhole 0.5.4)
...ed log at Nov 01 22:55:50.
error: msgid=<4221584.AlbrL4BjWX at home>: failed to redirect message to <krustev at krustev.net>: Failed to execute sendmail (temporary failure).
A Google search led me to:
https://bugs.archlinux.org/task/56933
which blames systemd service changes:
NoNewPrivileges=true
, however I'm not running dovecot via systemd but use DJB's daemontools for
service supervision.
The page above suggested to change from:
sendmail_path = /usr/sbin/sendmail
to
submission_host = localhost
in "conf.d/15-lda.conf", which worked fine.
But since I don...
2018 Jan 03
4
Bug in dovecot 2.3 virtual plugin
Hi there!
I compiled dovecot 2.3 from git. Because there is already a bug in
virtual-plugin, and I hoped it would get fixed... but it doesn't. So this
is the error message from the log
J?n 03 16:27:08 aldebaran dovecot[26460]:
indexer-worker(jakob)<26476><qQ6g1+BhIJvAqAAO:sjYhMTH2TFpsZwAAk1Mx3g>:
Panic: file unichar.c: line 160 (uni_ucs4_to_utf8_c): assertion
failed: