dovecot-lda and fetchmail - Operation not permitted (This binary should probably...

H

honk

Hello,

I'm trying to set up fetchmail 6.3.20 to deliver mails via dovecoat-lda into maildirs handled by dovecot. It works when I invoke fetchmail manually as root. In daemon-mode I get the following error:

Code: 
Sep 25 03:44:39 mailsrv dovecot: lda(foo@test.com): Fatal: setgid(2000(vmail) from
 userdb lookup) failed with euid=124(fetchmail), gid=124(fetchmail), egid=124(fetchmail):
 Operation not permitted (This binary should probably be called with process group set to
 2000(vmail) instead of 124(fetchmail))

vmail is the user under which the maildir's are stored. Currently I only have one virtual IMAP-user. I have a combined passdb and userdb file where the uid/gid for this IMAP-user is configured to vmail.

Code: 
# cat /usr/local/etc/dovecot/dovecot.passwd
[email]foo@test.com[/email]:{SSHA512}verysecrethash=:2000:2000::::userdb_mail=maildir:/data/maildir/foo


Code: 
# egrep "fetchmail|vmail" /etc/passwd 
fetchmail:*:124:124:Fetchmail mail-retrieval daemon:/nonexistent:/usr/sbin/nologin
vmail:*:2000:2000:Virtual user for all dovecot maildirs:/data/maildir:/usr/sbin/nologin

Code: 
# egrep "fetchmail|vmail" /etc/group 
fetchmail:*:124:
vmail:*:2000:


Dovecot configuration:
Code: 
dovecot -n
# 2.0.14: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.2-RELEASE-p2 amd64  
auth_failure_delay = 5 secs
first_valid_uid = 100
listen = 172.16.4.2
passdb {
  args = /usr/local/etc/dovecot/dovecot.passwd
  driver = passwd-file
}
protocols = imap
service auth {
  unix_listener auth-userdb {
    group = fetchmail
    mode = 0666
    user = fetchmail
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_cert = </usr/local/etc/dovecot/dovecot.cert
ssl_key = </usr/local/etc/dovecot/dovecot.cert.key
userdb {
  args = /usr/local/etc/dovecot/dovecot.passwd
  driver = passwd-file
}

Unfortunately I can't figure/google out whats wrong here. I tried different combinations in defining the socket auth-userdb (ownership, permissions) without success.

I tried to run fetchmail as user vmail (by setting fetchmail_user="vmail" in rc.conf) but with this fetchmail only produces an pam error:

Code: 
Sep 25 03:11:21 mailsrv su: pam_acct_mgmt: authentication error

Any help appreciated!
Thanks a lot in advance!
 
Andy, thanks for your reply! I was aware of this part of dovecot's documentation you mentioned. But as it starts with "...If you're using more than one UID for users..." I thought it doesn't fit to my setup. Anyway, as I better understand the problem now, I tend to say that you were absolutely correct. :)

I found out, that my (one and only) user (vmail) which is allowed to access the maildir's was locked out. This led to the PAM error and prevented the startup of fetchmail (as user vmail) in daemon-mode from rc-scripts. With a different user (let's say fetchmail) dovecot-lda complains about the missing permissions...

# grep vmail /etc/master.passwd
Code: 
vmail:*LOCKED**:2000:2000::0:0:Virtual user for all dovecot maildirs:/data/maildir:/usr/sbin/nologin

Now I can run fetchmail without root permission, will go to bed and think about the security implications about this setup. A security bug in fetchmail could now at least read and delete all my mail and has access to the fetchmail.rc where all my passwords for the remote mail accounts are stored... And fetchmail has rw-permissions to the auth-userdb socket of dovecot, where I currently don't understand how bad this could be :\
 
If you only have two users, one for fetchmail and one for your mail data, then going the setuid route might be a pretty reasonable approach. Set the group for dovecot-lda to vmail, set permission to 4750. If vmail user is the only member of the vmail group I don't think this is a terrible security risk,

ta Andy.

PS no sorry, actually you'd want to set the group to fetchmail, as its the fetchmail user executing dovecot-lda.
 
You must log in or register to reply here.
Back
Top