# dovecot-lda and fetchmail - Operation not permitted (This binary should probably...



## honk (Sep 25, 2011)

Hello,

I'm trying to set up fetchmail 6.3.20 to deliver mails via dovecot-lda into maildirs handled by dovecot. It works when I invoke fetchmail manually as root. In daemon-mode I get the following error:


```
Sep 25 03:44:39 mailsrv dovecot: lda(foo@test.com): Fatal: setgid(2000(vmail) from
 userdb lookup) failed with euid=124(fetchmail), gid=124(fetchmail), egid=124(fetchmail):
 Operation not permitted (This binary should probably be called with process group set to
 2000(vmail) instead of 124(fetchmail))
```

vmail is the user under which the maildirs are stored. Currently I only have one virtual IMAP-user. I have a combined passdb and userdb file where the uid/gid for this IMAP-user is configured to vmail.


```
# cat /usr/local/etc/dovecot/dovecot.passwd
foo@test.com:{SSHA512}verysecrethash=:2000:2000::::userdb_mail=maildir:/data/maildir/foo
```



```
# egrep "fetchmail|vmail" /etc/passwd 
fetchmail:*:124:124:Fetchmail mail-retrieval daemon:/nonexistent:/usr/sbin/nologin
vmail:*:2000:2000:Virtual user for all dovecot maildirs:/data/maildir:/usr/sbin/nologin
```


```
# egrep "fetchmail|vmail" /etc/group 
fetchmail:*:124:
vmail:*:2000:
```


Dovecot configuration:

```
dovecot -n
# 2.0.14: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.2-RELEASE-p2 amd64  
auth_failure_delay = 5 secs
first_valid_uid = 100
listen = 172.16.4.2
passdb {
  args = /usr/local/etc/dovecot/dovecot.passwd
  driver = passwd-file
}
protocols = imap
service auth {
  unix_listener auth-userdb {
    group = fetchmail
    mode = 0666
    user = fetchmail
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_cert = </usr/local/etc/dovecot/dovecot.cert
ssl_key = </usr/local/etc/dovecot/dovecot.cert.key
userdb {
  args = /usr/local/etc/dovecot/dovecot.passwd
  driver = passwd-file
}
```

Unfortunately I can't figure/google out what's wrong here. I tried different combinations in defining the socket auth-userdb (ownership, permissions) without success.

I tried to run fetchmail as user vmail (by setting fetchmail_user="vmail" in rc.conf) but with this fetchmail only produces a PAM error:


```
Sep 25 03:11:21 mailsrv su: pam_acct_mgmt: authentication error
```

Any help appreciated!
Thanks a lot in advance!


----------



## AndyUKG (Sep 26, 2011)

Hi,


I think the "Multiple UIDs" section of the wiki probably applies to you:

http://wiki2.dovecot.org/LDA

Simply because you are running fetchmail as a non-root account and then wanting it to su to another user (vmail) to deliver the mail.

ta Andy.


----------



## honk (Sep 27, 2011)

Andy, thanks for your reply! I was aware of this part of dovecot's documentation you mentioned. But as it starts with "_...If you're using more than one UID for users..._" I thought it doesn't fit my setup. Anyway, as I better understand the problem now, I tend to say that you were absolutely correct.

I found out that my (one and only) user (vmail) which is allowed to access the maildirs was locked out. This led to the PAM error and prevented the startup of fetchmail (as user vmail) in daemon-mode from rc-scripts. With a different user (let's say fetchmail) dovecot-lda complains about the missing permissions...

```
# grep vmail /etc/master.passwd
vmail:*LOCKED**:2000:2000::0:0:Virtual user for all dovecot maildirs:/data/maildir:/usr/sbin/nologin
```

Now I can run fetchmail without root permission, will go to bed and think about the security implications of this setup. A security bug in fetchmail could now at least read and delete all my mail and has access to the fetchmail.rc where all my passwords for the remote mail accounts are stored... And fetchmail has rw-permissions to the auth-userdb socket of dovecot, where I currently don't understand how bad this could be :\


----------



## AndyUKG (Sep 27, 2011)

If you only have two users, one for fetchmail and one for your mail data, then going the setuid route might be a pretty reasonable approach. Set the group for dovecot-lda to vmail, set permission to 4750. If the vmail user is the only member of the vmail group I don't think this is a terrible security risk.

ta Andy.

PS no sorry, actually you'd want to set the group to fetchmail, as it's the fetchmail user executing dovecot-lda.
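An added example to go with the setuid approach suggested above; this is not code from the thread, from Dovecot or from fetchmail. It audits the three things a defender would want to verify before trusting such a setup: that the delivery binary carries exactly mode 4750 (rwsr-x---, so only members of the executing group can run it), that the owning group has no unexpected members, and that the auth-userdb listener in `dovecot -n` output is not world-accessible (the first post's config sets it to 0666, which any local account can use). The temporary files, the group-file lines and the config excerpt are constructed for the demo; the audited paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the projects it discusses.
# Audits a setuid dovecot-lda setup: binary mode, group membership, socket mode.
# All inputs below are constructed; real paths (/usr/local/libexec/dovecot/dovecot-lda,
# /etc/group, a saved `dovecot -n`) would be passed in their place.

# perm_string FILE -> the 10-character permission column of `ls -ld`, e.g. -rwsr-x---
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# check_lda_perms FILE -> 0 if FILE is exactly rwsr-x--- (octal 4750), else 1
check_lda_perms() {
    [ "$(perm_string "$1")" = "-rwsr-x---" ]
}

# group_members GROUPFILE GROUP -> the member list field of GROUP (may be empty)
group_members() {
    awk -F: -v g="$2" '$1 == g { print $NF }' "$1"
}

# check_group_members GROUPFILE GROUP EXPECTED -> 0 if the members are exactly EXPECTED
check_group_members() {
    [ "$(group_members "$1" "$2")" = "$3" ]
}

# listener_mode CONFIGFILE NAME -> the `mode = NNNN` value inside `unix_listener NAME { }`
listener_mode() {
    awk -v name="$2" '
        $1 == "unix_listener" && $2 == name { inside = 1; next }
        inside && $1 == "}"                 { inside = 0 }
        inside && $1 == "mode"              { print $3 }
    ' "$1"
}

# check_listener_private CONFIGFILE NAME -> 0 if the "other" bits are clear (mode ends in 0)
check_listener_private() {
    mode=$(listener_mode "$1" "$2")
    case "$mode" in
        *0) return 0 ;;   # e.g. 0600 or 0660: only user/group can reach the socket
        *)  return 1 ;;   # not set, or other-bits set such as 0666
    esac
}

# run_demo -> runs all three checks on constructed inputs; non-zero if anything needs attention
run_demo() {
    bin=$(mktemp); grp=$(mktemp); cfg=$(mktemp)
    chmod 4750 "$bin"
    # constructed group file: fetchmail and vmail have no extra members, wheel does
    printf 'fetchmail:*:124:\nvmail:*:2000:\nwheel:*:0:root,admin\n' > "$grp"
    # constructed excerpt mirroring the auth-userdb listener from the first post
    printf 'service auth {\n  unix_listener auth-userdb {\n    group = fetchmail\n    mode = 0666\n    user = fetchmail\n  }\n}\n' > "$cfg"

    status=0
    if check_lda_perms "$bin"; then
        echo "ok: binary mode is 4750 ($(perm_string "$bin"))"
    else
        echo "FAIL: binary mode is $(perm_string "$bin"), expected -rwsr-x---"; status=1
    fi
    if check_group_members "$grp" fetchmail ""; then
        echo "ok: group fetchmail has no extra members"
    else
        echo "FAIL: group fetchmail has members: $(group_members "$grp" fetchmail)"; status=1
    fi
    if check_listener_private "$cfg" auth-userdb; then
        echo "ok: auth-userdb listener is not world-accessible"
    else
        echo "REVIEW: auth-userdb mode $(listener_mode "$cfg" auth-userdb) lets every local user query the userdb"; status=1
    fi
    rm -f "$bin" "$grp" "$cfg"
    return $status
}

# With the thread's 0666 listener the demo deliberately ends with one REVIEW line.
run_demo || echo "demo: at least one check needs attention"
```

Run it with `sh audit_lda.sh`; to audit a live host, call `check_lda_perms`, `check_group_members` and `check_listener_private` with the real binary, `/etc/group` and a file holding `dovecot -n` output. The checks compare against the exact mode and member list rather than "at least this strict", because a setuid binary that is a little more permissive than intended is precisely the mistake that turns the fetchmail account into a path to the mail store.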


----------

