David Benfell | 1 Mar 2012 01:54

need simpler directions on user authentication

Hi all,

My situation is this: I have postfix running on a Linode under Arch
Linux. A recent upgrade to dovecot broke the configuration. Now I get
"Couldn't drop privileges: User is missing UID (see mail_uid setting)."

I do not want virtual users. I do not particularly want SQL or LDAP. I
do have multiple domains. I do use Maildir. I already have SSL
certificates for the server which I did manage to get dovecot to quit
complaining about.

The documentation is driving me nuts. It keeps telling me about stuff I
think I don't need. And I can't tell what I actually *do* need. All I
want is for system users, including myself, to be able to get their mail.

How do I do this?

Thank you!
David Benfell
dbenfell <at> gmail.com
David Benfell | 1 Mar 2012 02:40

need simpler instructions for user authentication

Hi all,

My situation is this: I have postfix running on a Linode under Arch Linux.
A recent upgrade to dovecot broke the configuration. Now I get
"Couldn't drop privileges: User is missing UID (see mail_uid setting)."

I do not want virtual users. I do not particularly want SQL or LDAP. I
do have multiple domains. I do use Maildir. I already have SSL
certificates for the server which I did manage to get dovecot to quit
complaining about.

The documentation is driving me nuts. It keeps telling me about stuff I
think I don't need. And I can't tell what I actually *do* need. All I
want is for system users, including myself, to be able to get their mail.

How do I do this?

Thank you!
David Benfell
dbenfell <at> gmail.com
Stan Hoeppner | 1 Mar 2012 03:15

Re: Multiple locations, 2 servers - planning questions...

On 2/27/2012 10:54 AM, Charles Marcus wrote:

> These two locations will be connected via a private Gb ethernet
> connection, and each location will have its own internet connection (I
> think - still waiting on some numbers to present to the owner to see
> what he wants to do in that regard, but that will be my recommendation),
> so bandwidth for replication won't be an issue.

Say you're a boutique mail services provider or some such.  In your own
datacenter you have a Dovecot server w/64 processors, 512GB RAM, and 4
dual port 8Gb fiber channel cards.  It's connected via 8 redundant fiber
channel links to 4 SAN array units, each housing 120 x15k SAS drives,
480 drives total, ~140,000 random IOPs.  This gear eats 36U of a 40U
rack, and about $400,000 USD out of your wallet.  In the remaining 4U at
the top of the rack you have a router, with two GbE links connected to
the server, and an OC-12 SONET fiber link (~$15k-20k USD/month) to a
national ISP backbone.  Not many years ago OC-12s comprised the backbone
links of the net.  OC-48s handle that today.  Today OC-12s are most
often used to link midsized ISPs to national ISPs, act as the internal
backbone of midsized ISPs, and link large ISPs' remote facilities to the
backbone.

Q:  How many concurrent IMAP clients could you serve with this setup
    before hitting a bottleneck at any point in the architecture?  What
    is the first bottleneck you'd run into?

The correct answer to this question, and the subsequent discussion that
will surely take place, may open your eyes a bit, and prompt you to
rethink some of your assumptions that went into the architectural
decisions you've presented here.

David Renstrom | 1 Mar 2012 03:53

Permission problems

Hi,

I've set up a Postfix and Dovecot (only IMAP) combination using MySQL and
Postfixadmin on Fedora. Almost everything works correctly now. The only
thing bugging me right now is that I always have to change the access
privileges of the directories in /var/run/dovecot/ manually to 777 to make
it work. As you understand, I'm not particularly happy about this as it
doesn't feel secure at all. And I also have to do this every time I reboot
since Dovecot resets the old access privileges (600).

As you see I've got a vmail user who belongs to the mail group. Almost all
directories under /var/run/dovecot belong to user root and group root. They
all have the permissions rw--------.

Below is some output from the log file dovecot.log:

Mar 01 03:31:17 auth: Fatal: net_connect_unix(auth-worker) in directory
/run/dovecot failed: Permission denied (euid=101(vmail) egid=12(mail)
missing +r perm: /run/dovecot/auth-worker, dir owned by 0:97 mode=0755)
Mar 01 03:31:17 master: Error: service(auth): command startup failed,
throttling
Mar 01 03:31:46 imap-login: Info: Disconnected (auth failed, 1 attempts):
method=PLAIN, rip=94.254.99.6, lip=91.123.204.174

What is wrong here and how can I correct it?

Thanks in advance!
/David R.

Stan Hoeppner | 1 Mar 2012 05:16

Re: Permission problems

On 2/29/2012 8:53 PM, David Renstrom wrote:
> Hi,
> 
> I've set up a Postfix and Dovecot (only IMAP) combination using MySQL and
> Postfixadmin on Fedora. Almost everything works correctly now. The only
> thing bugging me right now is that I always have to change the access
> privileges of the directories in /var/run/dovecot/ manually to 777 to make
> it work. As you understand, I'm not particularly happy about this as it
> doesn't feel secure at all. And I also have to do this every time I reboot
> since Dovecot resets the old access privileges (600).

> As you see I've got a vmail user who belongs to the mail group. Almost all
> directories under /var/run/dovecot belong to user root and group root. They
> all have the permissions rw--------.

Is this a Fedora Dovecot RPM, or did you use source?  Do you have
selinux/apparmor enabled?  Do you like shellfish?

-- 
Stan

Timo Sirainen | 1 Mar 2012 05:30

Re: need simpler instructions for user authentication

On 1.3.2012, at 3.40, David Benfell wrote:

> My situation is this: I have postfix running on a Linode under Arch Linux.
> A recent upgrade to dovecot broke the configuration. Now I get
> "Couldn't drop privileges: User is missing UID (see mail_uid setting)."

You're missing userdb.

> The documentation is driving me nuts. It keeps telling me about stuff I
> think I don't need. And I can't tell what I actually *do* need. All I
> want is for system users, including myself, to be able to get their mail.
> 
> How do I do this?

You didn't say what Dovecot version, and dovecot -n output would have been useful, but here's my guess: Add
to dovecot.conf:

userdb {
  driver = passwd
}
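A minimal dovecot.conf for the setup David describes (system users, Maildir, no virtual users), as an added example that expands on Timo's userdb suggestion; it is not from Timo's reply or from the Dovecot project. The first_valid_uid value, the PAM passdb, the ~/Maildir location and the TLS settings are assumptions about a typical Linux host, not something the thread states:

```conf
# Minimal Dovecot 2.x configuration for system (passwd) users with Maildir.
# Added example, not from the thread. Assumes PAM handles passwords, mail
# lives in ~/Maildir, and the certificate paths are set elsewhere.

# Never act as system accounts below this UID (value is an assumption).
first_valid_uid = 1000

# Where each user's mail lives; ~ is the home directory from userdb.
mail_location = maildir:~/Maildir

# Password check: PAM, i.e. the system password database.
passdb {
  driver = pam
}

# UID/GID/home lookup from the system passwd database. This is what the
# "User is missing UID" error is asking for.
userdb {
  driver = passwd
}

# Only accept plaintext (PLAIN/LOGIN) authentication inside TLS.
disable_plaintext_auth = yes
ssl = required
```

After editing, `dovecot -n` prints the effective configuration and is the output Timo asks for whenever something still fails; the first_valid_uid line is what keeps daemon accounts from ever being resolved as mail users.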

Timo Sirainen | 1 Mar 2012 05:34

Re: Permission problems

On 1.3.2012, at 4.53, David Renstrom wrote:

> As you see I've got a vmail user who belongs to the mail group. Almost all
> directories under /var/run/dovecot belong to user root and group root. They
> all have the permissions rw--------.

That's how they should be mostly.

> Below is some output from the log file dovecot.log:
> 
> Mar 01 03:31:17 auth: Fatal: net_connect_unix(auth-worker) in directory
> /run/dovecot failed: Permission denied (euid=101(vmail) egid=12(mail)
> missing +r perm: /run/dovecot/auth-worker, dir owned by 0:97 mode=0755)

Why is your auth process running as vmail? Show your dovecot -n output

David Benfell | 1 Mar 2012 06:53

SOLVED - Re: need simpler instructions for user authentication

On Thu, Mar 01, 2012 at 06:30:19AM +0200, Timo Sirainen wrote:
> 
> You didn't say what Dovecot version, and dovecot -n output would have been useful, but here's my guess: Add
> to dovecot.conf:

Sorry. The Arch Linux package is dovecot-2.1.1-3.
> 
> userdb {
>   driver = passwd
> }

It *looks* like this worked. Thank you *very* much!

David Benfell
benfell <at> parts-unknown.org
Jacek Osiecki | 1 Mar 2012 09:21

Concurrent dovecot instances on same spool?

Hi all,

While reading the "Multiple locations, 2 servers - planning questions..." 
thread, it just hit me that I was planning to do something that seems to 
be a bit hazardous...

I am setting up a high-availability server set, which consists of two (or 
more) servers with common disk space, all set behind redundant hardware 
load balancers. At first, there will be two servers and disk space will be 
kept on an NFS server or on both servers using a DRBD+OCFS2 filesystem (which
creates a kind of networked RAID1 storage space). This will be done mostly 
to keep the WWW service available in case one of the servers fails.

However, if we have everything redundant, why not have the same with SMTP 
and POP3/IMAP? But - won't anything fail if two (or more) dovecots are 
accessing the same disk space, both for IMAP/POP3 and LDA/LMTP?

If it is possible, that would be a good solution for the mentioned thread.
If not - where are possible dangers, and are there any plans to make it 
possible in the future?

Greetings,
-- 
Jacek Osiecki joshua <at> ceti.pl GG:3828944
I don't want something I need. I want something I want.

Joseph Tam | 1 Mar 2012 09:44

doveadm -A stops processing at first uid<first_valid_uid


I would like to run various doveadm commands that involve all (mail) users like

 	doveadm expunge -A mailbox Trash savedbefore 30d

but any doveadm command that uses "-A" to iterate through all users will
stop processing at the first account with UID<first_valid_uid.

 	doveadm(sysdaemon): Error: user sysdaemon: Couldn't drop
 		privileges: Mail access for users with GID 5551 not permitted
 		(see first_valid_gid in config file, gid from userdb lookup).
 	doveadm(sysdaemon): Error: User init failed
 	doveadm: Error: Failed to iterate through some users

However, these accounts are system accounts (locked password, no shell)
and are in userdb to provide UID<->name mapping for utilities like ls,
chown, etc.

There are various workarounds like iterating manually, or setting
first_valid_uid to zero, or even reordering users to put all system
accounts at the end, but is there a better way to do this?

Joseph Tam <jtam.home <at> gmail.com>