From bf588d19a4296c5b1f3af9f438a0cf77f8fb1561 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 27 Nov 2022 10:49:31 +0100
Subject: [PATCH 1/2] Fix RECIPIENT_DELIMITER
---
 core/dovecot/conf/dovecot.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf
index 7a987582..29fbb9a2 100644
--- a/core/dovecot/conf/dovecot.conf
+++ b/core/dovecot/conf/dovecot.conf
@@ -116,9 +116,9 @@ service imap-login {
 ###############
 # Delivery
 ###############
+recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 protocol lmtp {
   mail_plugins = $mail_plugins sieve
-  recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 }
 
 service lmtp {
From 5da2ab8fd1494f19315522c3b739b328f0c32613 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 27 Nov 2022 10:59:18 +0100
Subject: [PATCH 2/2] drop privs
---
 core/dovecot/conf/dovecot.conf | 9 ++++-----
 core/dovecot/start.py | 8 ++++++--
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf
index 29fbb9a2..d9b85172 100644
--- a/core/dovecot/conf/dovecot.conf
+++ b/core/dovecot/conf/dovecot.conf
@@ -7,6 +7,10 @@ postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }}
 hostname = {{ HOSTNAMES.split(",")[0] }}
 submission_host = {{ FRONT_ADDRESS }}
 
+default_internal_user = dovecot
+default_login_user = mail
+default_internal_group = dovecot
+
 ###############
 # Mailboxes
 ###############
@@ -80,18 +84,13 @@ userdb {
 }
 
 service auth {
-  user = dovecot
   unix_listener auth-userdb {
   }
 }
 
 service auth-worker {
   unix_listener auth-worker {
-    user = dovecot
-    group = mail
-    mode = 0660
   }
-  user = mail
 }
 
 ###############
diff --git a/core/dovecot/start.py b/core/dovecot/start.py
index a8c85ebf..cfa477bc 100755
--- a/core/dovecot/start.py
+++ b/core/dovecot/start.py
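Review bot: `default_login_user = mail` in the new block makes Dovecot's network-facing login processes (imap-login, pop3-login and the other *-login services) run as the same account that owns the mailboxes, so a compromise of a login process would give access to `/mail`, which `start.py` chowns to mail:mail in the second file of this patch. Dovecot documents this setting as the account for the untrusted login processes and ships `dovenull`, an account with no access to anything, as its default; unless the image lacks that account, `default_login_user = dovenull` preserves the login/mailbox separation that the upstream default provides. If running the login processes as `mail` is deliberate, a comment above the line stating why would keep the next reader from "fixing" it back.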
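Review bot: Dropping `user = mail` from `service auth-worker` together with the `user`/`group`/`mode` lines of its `unix_listener auth-worker` changes two things the commit message does not mention: the worker now runs as `default_internal_user` (dovecot, per the new block at the top of this file) instead of mail, and the listener falls back to Dovecot's default owner and mode instead of dovecot:mail 0660. That is the tighter choice provided nothing on the worker's path relied on the mail group — the podop socket served by `start_podop`, which still runs as mail, is the candidate to check before merging. A one-line comment in the block, e.g. `# runs as default_internal_user (dovecot); listener keeps Dovecot defaults`, would record the intended identities now that they are no longer spelled out per service.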
@@ -5,6 +5,7 @@ import glob
 import multiprocessing
 import logging as log
 import sys
+from pwd import getpwnam
 
 from podop import run_server
 from socrate import system, conf
@@ -12,7 +13,9 @@ from socrate import system, conf
 log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
 
 def start_podop():
-    os.setuid(8)
+    id_mail = getpwnam('mail')
+    os.setgid(id_mail.pw_gid)
+    os.setuid(id_mail.pw_uid)
     url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/dovecot/ยง"
     run_server(0, "dovecot", "/tmp/podop.socket", [
         ("quota", "url", url ),
@@ -35,7 +38,8 @@ for script_file in glob.glob("/conf/*.script"):
     os.chmod(out_file, 0o555)
 
 # Run Podop, then postfix
-multiprocessing.Process(target=start_podop).start()
 os.system("chown mail:mail /mail")
 os.system("chown -R mail:mail /var/lib/dovecot /conf")
+
+multiprocessing.Process(target=start_podop).start()
 os.execv("/usr/sbin/dovecot", ["dovecot", "-c", "/etc/dovecot/dovecot.conf", "-F"])
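Review bot: The privilege drop in `start_podop` sets the primary group and then the uid but leaves the supplementary groups inherited from the root parent that `multiprocessing.Process` forked it from, so the child keeps whatever group memberships root had. Add `os.initgroups('mail', id_mail.pw_gid)` (or `os.setgroups([])`) between the `getpwnam` lookup and `os.setgid`, so the sequence is groups, gid, uid — each step still holding the privilege the next one needs. Looking the account up by name fixes the hard-coded uid 8, and the `KeyError` it raises when no `mail` account exists is acceptable here, since the worker cannot run safely without one. The body of `start_podop` continues past the end of the hunk.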
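Review bot: Moving `multiprocessing.Process(target=start_podop).start()` below the two `chown` calls leaves the comment `# Run Podop, then postfix` above lines that do neither, and it names postfix although the next line execs dovecot. Move the comment down to the line it describes and correct it, e.g. `# Fix ownership first, then run Podop (as mail) and exec dovecot`. The reason for the reordering is not stated in the hunk — presumably `start_podop`, which now drops to mail:mail, needs `/var/lib/dovecot` or `/conf` owned by mail before it starts — and once confirmed it belongs in that comment too.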