Re: [exim] New install EXIM + Dovecot - auth permission erro…

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] New install EXIM + Dovecot - auth permission error
Hi,

I may be totally wrong, but…

Gary Stainburn via Exim-users <exim-users@???> (Mi 01 Feb 2023 14:02:06 CET):
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1


Sure about $auth1? Isn't it $auth2 in case of the PLAIN driver?

> 2023-02-01 12:50:11 dovecot_login authenticator failed for hub.********
> ([10.1.1.103]) [**.**.**.**]: 435 Unable to authenticate at present: unable
> to connect to UNIX socket (/var/run/dovecot/auth-client): Permission denied


Yes, Exim connects to the socket as the Exim runtime user, but the
permissions on the socket are way too tight.

I think, either set the socket to 666, or make it 660 and assign it to a
group Exim belongs to (though I'm not sure if Exim "joins" its
supplementary groups (aka initgroups(3)) for auth purposes).

I'm not sure about the security impact of widening the permissions on
this socket. In theory it can be used to do mass-checking of auth
credentials.

The permissions and ownership of the socket can be set in the dovecot
config file.

--
Heiko
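
A read-only check for the two options weighed in this message (666, or 660 plus a group), added here as an example and not part of the original post. It reports through which permission class an account would reach the socket, and whether access depends on a supplementary group, which only works if the connecting process has loaded its supplementary groups. It assumes Linux with GNU `stat`; the account name `exim` in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Linux + GNU stat assumed.
# connect(2) on a UNIX socket needs write permission on the socket file, so
# only the write bit of the class that applies to the caller matters.
# Usage (account name is an assumption):
#   sh sockcheck.sh exim /var/run/dovecot/auth-client

# Prints: owner | primary-group | supplementary-group | other | denied
sock_access() {
    user=$1
    info=$(stat -c '%a %U %G' "$2") || return 2
    set -- $info
    perms=$(( 0$1 )) owner=$2 group=$3   # mode string read as octal

    # The kernel checks exactly one class: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        class=owner bit=0200
    elif [ "$(id -gn "$user" 2>/dev/null)" = "$group" ]; then
        class=primary-group bit=0020
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$group"; then
        # Works only if the daemon loads supplementary groups (initgroups(3)).
        class=supplementary-group bit=0020
    else
        class=other bit=0002
    fi

    if [ $(( perms & $bit )) -ne 0 ]; then echo "$class"; else echo denied; fi
}

# Succeeds if every local account can connect (the 666 case): any local
# process could then submit credentials to the auth service for checking.
world_connectable() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 0002 )) -ne 0 ]
}

if [ "$#" -eq 2 ]; then
    echo "access for $1: $(sock_access "$1" "$2")"
    if world_connectable "$2"; then
        echo "WARNING: $2 is open to all local users"
    fi
fi
```

A result of `supplementary-group` is the case where the doubt raised above matters; `owner` or `primary-group` do not depend on it.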