Bug 82316 - courier-authlib-0.53 needs to set proper permissions
Summary: courier-authlib-0.53 needs to set proper permissions
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Scott Taylor (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-17 00:26 UTC by Adam Theo
Modified: 2021-12-19 17:10 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---

Description Adam Theo 2005-02-17 00:26:11 UTC
I recently upgraded to 'Courier-IMAP' v4 from v3, and after solving the already known problems about manually migrating 'authdaemond' to 'courier-authlib', I ran into another problem when trying to get my old postfix to work with the new authdaemond socket (I have my postfix's SASL2 use authdaemond instead of saslauthd).

Outbound mail was being rejected by Postfix because of authentication failure. The error given in the postfix logs: "cannot connect to Courier authdaemond: Permission denied". I figured out that the new socket created by courier-authlib can't be accessed by Postfix because a higher-up directory has permissions preventing access by users not in the 'mail' group. This directory was '/var/lib/courier/authdaemon'.

I worked around this problem by 'chmod 755' this directory, but I imagine a better solution would be for the courier-authlib ebuild to warn the users that they need to add any services using authdaemond to the 'mail' group.

Reproducible: Always
Steps to Reproduce:
1. emerge & configure courier-authlib
2. configure postfix/sasl2 to use authdaemond instead of saslauthd

Actual Results:
Outbound mail was being rejected by Postfix because of authentication failure. The error given in the postfix logs: "cannot connect to Courier authdaemond: Permission denied"
Comment 1 Scott Taylor (RETIRED) gentoo-dev 2005-02-17 17:20:52 UTC
This directory absolutely must not be world-readable as that permits the world to query the list of users on the system and in the databases, as well as their passwords, which is a very, VERY bad thing. Yes we should see about getting the mailservers like postfix to all be in a matching group. You've opted for a big information disclosure vulnerability to any local user on your system with that set of permissions though.
Comment 2 Jory A. Pratt 2005-06-04 21:06:05 UTC
I personally would like to know what user authdaemon is being run as and what postfix is being run as .. the most common problem I have seen is two different users running the service instead of the same user for both.
Comment 3 Tuan Van (RETIRED) gentoo-dev 2005-06-04 23:08:08 UTC
(In reply to comment #0)

> I worked around this problem by 'chmod 755' this directory, 
As comment #1 stated, it's a bad thing.

> they need to add any services using authdaemond to the 'mail' group.
Agree. `gpasswd -a postfix mail` should work for postfix. Similar for other services. And no, we are not going to change postfix to run smtpd as "mail" instead of "postfix". You just have to add postfix to the mail group yourself. We'll change the cyrus-sasl ebuild to warn the users if USE=authdaemon. It's up to Scott to add the warning to courier-authlib or WONTFIX.
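The permission check this thread is arguing about, modelled as an added example (this is not code from the bug, from courier-authlib or from Postfix). It assumes the socket directory is owned by mail:mail with mode 0750, which the bug report does not state, and shows why `gpasswd -a postfix mail` clears the "Permission denied" error while `chmod 755` clears it only by opening the directory to every local user, the disclosure comment #1 warns about.

```python
import stat
from dataclasses import dataclass

# Constructed scenario: owner, group and mode are assumptions, not values from the bug.
AUTHDAEMON_DIR = "/var/lib/courier/authdaemon"


@dataclass(frozen=True)
class DirInfo:
    path: str
    mode: int        # permission bits only, e.g. 0o750
    owner: str
    group: str


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # primary plus supplementary groups


def can_traverse(d: DirInfo, u: User):
    """Mirror the Unix directory-traversal (execute bit) check for a non-root user.
    Only one class of bits applies: owner if the user owns it, else group if the
    user is in the directory's group, else other. Returns (allowed, class)."""
    if u.name == d.owner:
        return bool(d.mode & stat.S_IXUSR), "owner"
    if d.group in u.groups:
        return bool(d.mode & stat.S_IXGRP), "group"
    return bool(d.mode & stat.S_IXOTH), "other"


def world_exposed(d: DirInfo) -> bool:
    """True when any local user can enter the directory and reach the socket."""
    return bool(d.mode & stat.S_IXOTH)


def assess(d: DirInfo, u: User) -> str:
    """Classify the outcome for a service user trying to reach the authdaemon socket."""
    ok, via = can_traverse(d, u)
    if not ok:
        return f"denied: add {u.name} to group '{d.group}' (gpasswd -a {u.name} {d.group})"
    if via == "other":
        return f"allowed via other bits: {d.path} mode {d.mode:o} is world-traversable"
    return f"allowed via {via} bits"


# The three states from the bug: as shipped, after chmod 755, after gpasswd.
shipped = DirInfo(AUTHDAEMON_DIR, 0o750, "mail", "mail")
chmod_755 = DirInfo(AUTHDAEMON_DIR, 0o755, "mail", "mail")
postfix = User("postfix", frozenset({"postfix"}))
postfix_in_mail = User("postfix", frozenset({"postfix", "mail"}))
```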
Comment 4 Henti Smith 2005-07-13 00:34:20 UTC
Ummm ... where can I find information on "the already known problems about manually migrating 'authdaemond' to 'courier-authlib'" ?

I was forced to update qmail to relay-ctrl which broke courier etc etc. 

help *beg* 
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2005-07-17 11:18:53 UTC
Mass re-assign, seems like mail-mta/courier needs a maintainer. 
Comment 6 Marek Kwasceki 2005-08-01 10:42:46 UTC
(In reply to comment #4)
> Ummm ... where can I find information on "the already known problems about
> manually migrating 'authdaemond' to 'courier-authlib'" ? 
> 
> I was forced to update qmail to relay-ctrl which broke courier etc etc. 
> 
> help *beg* 

maybe #98745?
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2005-08-24 11:03:01 UTC
*** Bug 103602 has been marked as a duplicate of this bug. ***
Comment 8 Wicher Minnaard 2005-08-24 14:33:22 UTC
Why is bug 103602 a duplicate? It's not clear to me. Could be me, but I guess the pidof bug results from an initscript error, while bug 82316 is about permissions (and postfix, and sasl2).
Comment 9 Jakub Moc (RETIRED) gentoo-dev 2006-02-18 10:46:34 UTC
There's no bug here, the permissions are correct. See comment #1 and comment #3. cyrus-sasl now warns about this, closing.
Comment 10 Chris Mayo 2021-12-19 17:10:47 UTC
*** Bug 829411 has been marked as a duplicate of this bug. ***