search for: nonewprivileges

On 2018-04-04 01:54, B. Reino wrote: > The new systemd service file has NoNewPrivileges set to true. You need > to override that to false and then it should work again. It seems that the NoNewPrivileges option messes with several things. PAM authentication stopped working as well besides the fact that CAP_AUDIT_WRITE is also missing in CapabilityBoundingSet. I've opened a pul...

...https://github.com/dovecot/core/pull/71 > > Or, if it's any easier: > > 1) Stop dovecot > 2) Replace /usr/lib/systemd/system/dovecot.service with the attached > file I'd recommend to just override the necessary options by creating /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following content: -<<-- [Service] NoNewPrivileges=false -->>- This way the fix survives any updates and you don't have to mess with package-provided files. > 3) systemctl daemon-reload > 4) systemctl start dovecot

...nhole 0.4.21 and can confirm >> the reported problem does not exist with "permission denied" and >> sendmail getting hung up/timing out. > The issue is that sendmail/maildrop/postdrop uses setgid to change to > the maildrop group (`stat $(which postdrop)`) and the > NoNewPrivileges=true setting in the service file explicitly disables > this (look in man systemd.exec). This settings appears to be new in 2.3[1]. > > What is somewhat infuriating is that this behaviour change is not > mentioned in the release notes/upgrade notes and the commit that > introduces the...

Hello, After I upgrade dovecot 2.2.35 to 2.3.1 and pigeonhole 0.4.23 to 0.5.1 when I use sieve to forward a message to other address using "redirect :copy" I get this: (host server1.myserver.com <http://server1.myserver.com/>[private/dovecot-lmtp] said: 451 4.2.0 <chris at mydomain.com <mailto:chris at mydomain.com>> Execution of Sieve filters was aborted due to

...riginal message --------From: "Helmut K. C. Tessarek" <tessarek at evermeet.cx> Date: 04/04/2018 09:44 (GMT+02:00) To: dovecot at dovecot.org Subject: Re: issue with sieve forwarding after upgrade to 0.5.1 On 2018-04-04 01:54, B. Reino wrote: > The new systemd service file has NoNewPrivileges set to true. You need > to override that to false and then it should work again. It seems that the NoNewPrivileges option messes with several things. PAM authentication stopped working as well besides the fact that CAP_AUDIT_WRITE is also missing in CapabilityBoundingSet. I've opened a pul...

On 2018-01-02 17:21, tony wrote: > On 2018-01-02 16:37, tony wrote: >> On 2018-01-01 17:26, Peter wrote: >>> On 02/01/18 14:07, Stephan Bosch wrote: >>>>> I can see 21:21:38 is when the below errors showed up with the >>>>> above >>>>> 21:21:38 timestamps: >>>>> >>>>> Dec 29 21:21:38 >>>>>

...to 2.2.33.2 and pigeonhole 0.4.21 and can confirm > the reported problem does not exist with "permission denied" and > sendmail getting hung up/timing out. The issue is that sendmail/maildrop/postdrop uses setgid to change to the maildrop group (`stat $(which postdrop)`) and the NoNewPrivileges=true setting in the service file explicitly disables this (look in man systemd.exec). This settings appears to be new in 2.3[1]. What is somewhat infuriating is that this behaviour change is not mentioned in the release notes/upgrade notes and the commit that introduces the change changes multiple...

...core/pull/71 >> >> Or, if it's any easier: >> >> 1) Stop dovecot >> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached file > > I'd recommend to just override the necessary options by creating /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following content: > > -<<-- > [Service] > NoNewPrivileges=false > -->>- > > This way the fix survives any updates and you don't have to mess with package-provided files. > >> 3) systemctl daemon-reload >> 4) systemct...

I?m in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won?t let any client login to get their email. PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid> # 2.3.1 (8e2f634):

Hello, The new systemd service file has NoNewPrivileges set to true. You need to override that to false and then it should work again. (if you need help with that ask again.. I'm on the train now so I can't write much comfortably..) Cheers. On April 3, 2018 10:25:22 PM GMT+02:00, Christos Chatzaras <chris at cretaforce.gr> wrote: >He...

.../usr/sbin/dovecot -F PIDFile=/var/run/dovecot/master.pid ExecReload=/usr/bin/doveadm reload ExecStop=/usr/bin/doveadm stop PrivateTmp=true NonBlocking=yes # this will make /usr /boot /etc read only for dovecot ProtectSystem=full PrivateDevices=true # disable this if you want to use apparmor plugin #NoNewPrivileges=true CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE # You can add environment variables with e.g.: #Environment='CORE_OUTOFMEM=1' # If you have trouble with `Too many open fil...

...ther users to send e-mails from system accounts. Only allow users to send e-mails from virtual accounts and after smtp authentication. Username filter is used for bogofilter and needs access to sendmail) And in dovecot.conf: submission_host = 138.201.248.xxx The same workaround maybe works for NoNewPrivileges too as the authorized_submit_users setting in postfix has similar result. -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180405/39b6b0ae/attachment.html>

On 05.04.2018 07:33, Helmut K. C. Tessarek wrote: > On 2018-04-04 23:10, Kevin Cummings wrote: >> PAM audit_log_acct_message() failed: Operation not permitted >> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): >> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, >> session=<sessionid> > Please look at my pull request at:

Thank you for your reply. I use FreeBSD so no changes on the OS before and after the dovecot/pigeonhole updates. > On 4 Apr 2018, at 08:54, B. Reino <reinob at bbmk.org> wrote: > > Hello, > > The new systemd service file has NoNewPrivileges set to true. You need to override that to false and then it should work again. > > (if you need help with that ask again.. I'm on the train now so I can't write much comfortably..) > > Cheers. > > On April 3, 2018 10:25:22 PM GMT+02:00, Christos Chatzaras <chris at c...

Sending (in my case: forwarding) messages from Sieve via sendmail does not work with version 2.3.1. I have narrowed it down to this simple test case: # dovecot -n # 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf # OS: Linux 4.4.0-119-generic x86_64 Ubuntu 16.04.4 LTS # Hostname: tuxi.topfen.net first_valid_gid = 200 first_valid_uid = 200 mail_location = mbox:~/mail passdb { args =

...It apparently happens because qmail masks the SIGCHLD signal while Dovecot doesn't unmask it before waiting for children. Regards, Stephan. > > A google search lead me to: > > https://bugs.archlinux.org/task/56933 > > which blames systemd service changes: > > NoNewPrivileges=true > > , however I'm not running dovecot via systemd but use DJB's daemontools for > service supervision . > > The page above suggested to change from: > > sendmail_path = /usr/sbin/sendmail > > to > > submission_host = localhost > > in "c...

...ed log at Nov 01 22:55:50. error: msgid=<4221584.AlbrL4BjWX at home>: failed to redirect message to <krustev at krustev.net>: Failed to execute sendmail (temporary failure). A google search lead me to: https://bugs.archlinux.org/task/56933 which blames systemd service changes: NoNewPrivileges=true , however I'm not running dovecot via systemd but use DJB's daemontools for service supervision . The page above suggested to change from: sendmail_path = /usr/sbin/sendmail to submission_host = localhost in "conf.d/15-lda.conf", which worked fine. But since I don...

Hi there! I compiled dovecot 2.3 from git. Because there is already a bug in virtual-plugin, and i hoped, it get fixed... but it doesn't. So this is the error-message from the log J?n 03 16:27:08 aldebaran dovecot[26460]: indexer-worker(jakob)<26476><qQ6g1+BhIJvAqAAO:sjYhMTH2TFpsZwAAk1Mx3g>: Panic: file unichar.c: line 160 (uni_ucs4_to_utf8_c): assertion failed: