I have replaced Postfix LDA with maildrop. The maildroprc script I am using also creates the mailbox folders if they do not exist.
In my /etc/postfix/master.cf I have defined the maildrop service
```
maildrop  unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:daemon argv=/usr/bin/maildrop -w 90 -d ${user}@${nexthop}
  ${extension} ${recipient} ${user} ${nexthop}
```
When this script creates a folder for an account, the folder and files inside of it belong to the group "daemon" and Courier IMAP does not want to read the content of the folder because it expects username:group to be vmail:vmail.
If I change the service definition for maildrop in master.cf to be "vmail:vmail" I get an error from maildrop
ERR: authdaemon: s_connect() failed: Permission denied Invalid user specified.
and the mail cannot be delivered. I guess this is due to maildrop needing access to /var/run/courier/authdaemon, which is owned by the group "daemon". But I really do not understand why maildrop would need access to the authdaemon folder.
The part of the maildrop script that creates the folder:
```
# Backtick commands are executed by maildrop; their exit status lands in $RETURNCODE
`test -e $HOME_DIR/$HOST/$USER`
#log "Testing for $HOME_DIR/$HOST subdirectory: result=$RETURNCODE"
# Only continue if directory does NOT exist
if ($RETURNCODE != 0)
{
    log "MailDir $HOME_DIR/$HOST/$USER does NOT exist"
    # Create the per-host parent directory first if it is missing
    `test -e $HOME_DIR/$HOST`
    if ( $RETURNCODE != 0 )
    {
        log "Creating $HOME_DIR/$HOST"
        `mkdir $HOME_DIR/$HOST`
        `chmod -R 0700 $HOME_DIR/$HOST`
    }
    # Create the user's Maildir (cur/, new/, tmp/)
    `maildirmake $HOME_DIR/$HOST/$USER`
}
```
I have even tried adding chown vmail:vmail $HOME_DIR/$HOST/$USER
to the script to be run after creating the maildir but the folder still belongs to the group "daemon".
EDIT:
I am using the maildrop 2.0.4 package from the Debian Lenny (5.0) repository and, judging by the package information, it is compiled against courier authlib:
```
Version: 2.0.4-3
Replaces: courier-base (<= 0.58.0-1)
Depends: courier-authlib, exim4 | mail-transport-agent, libc6 (>= 2.7-1), libgcc1 (>= 1:4.1.1-21), libgdbm3, libpcre3 (>= 7.4), libstdc++6 (>= 4.2.1-4)
```
Best Answer
This is what I have found:
I changed the group ownership on the /var/run/courier/authdaemon folder from "daemon" to "vmail" and everything works fine now. I have restarted the courier-authdaemon and I can still log in to my IMAP account (I guess this library is also used when Courier is looking up user accounts and passwords).
Is there a security implication of doing this that I should be aware of?
I guess not. User vmail does not have a local account on the box, and someone in the vmail group would be able to access all the emails on the box. Protecting the passwords doesn't seem like that big of a deal if my system has already been compromised like that :)
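An added audit script (not part of the question or the answer) that checks the two things this thread turns on: whether every entry under a Maildir tree is owned by the user and group Courier IMAP expects (vmail:vmail), and whether the group the delivery agent runs as can enter the authdaemon socket directory. The mail root path and the vmail names are assumptions taken from the thread; pass your own.

```sh
#!/bin/sh
# Added example, not from the thread. Reports Maildir entries whose owner:group
# differs from what Courier expects, and checks group access to the authdaemon
# socket directory (/var/run/courier/authdaemon in the thread).

# owner_group PATH -> prints "user:group" of PATH (ls -ld is POSIX; GNU stat is not)
owner_group() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# find_mismatched_owners DIR USER GROUP
# Prints every entry under DIR not owned by USER:GROUP; returns 1 if any, else 0.
find_mismatched_owners() {
    want="$2:$3"
    list=$(find "$1" -print | while IFS= read -r f; do
        have=$(owner_group "$f")
        [ "$have" = "$want" ] || printf 'MISMATCH %s is %s, expected %s\n' "$f" "$have" "$want"
    done)
    [ -z "$list" ] && return 0
    printf '%s\n' "$list"
    return 1
}

# authdaemon_dir_accessible DIR GROUP
# Returns 0 when DIR is group-owned by GROUP and has the group search (x) bit,
# i.e. a process running with that gid can reach the socket inside; else 1.
authdaemon_dir_accessible() {
    line=$(ls -ld "$1") || return 1
    grp=$(printf '%s\n' "$line" | awk '{ print $4 }')
    gx=$(printf '%s\n' "$line" | cut -c7)      # 7th char of drwxr-x--- is group x
    [ "$grp" = "$2" ] || return 1
    case "$gx" in x|s) return 0 ;; *) return 1 ;; esac
}

# Stand-alone use: audit.sh MAILROOT AUTHDIR [USER GROUP]  (defaults: vmail vmail)
if [ $# -ge 2 ]; then
    find_mismatched_owners "$1" "${3:-vmail}" "${4:-vmail}"; rc=$?
    if authdaemon_dir_accessible "$2" "${4:-vmail}"; then
        echo "OK: $2 is reachable by group ${4:-vmail}"
    else
        echo "WARN: $2 is not reachable by group ${4:-vmail}; maildrop -d will fail to connect"
        rc=1
    fi
    exit $rc
fi
```

Run it as root so that ls can read every Maildir entry; a non-empty MISMATCH list is exactly the state the question describes after delivery as vmail:daemon.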