Docker-mailserver: Couldn't drop privileges: User is missing UID (see mail_uid setting)

Created on 16 May 2018 · 10 Comments · Source: tomav/docker-mailserver

After binding the mailserver with OpenLDAP, users are not able to identify using their username + password.

May 16 17:53:00 mail dovecot: pop3([email protected]): Error: Couldn't drop privileges: User is missing UID (see mail_uid setting)

docker-compose.yml:

mail:
    image: tvial/docker-mailserver:latest
    hostname: mail
    domainname: ${SMTP_DOMAIN}
    ports:
      - "$PORT_SMTP:25"
      - "8143:143"
      - "8110:110"
      - "8587:587"
      - "8993:993"
      - "8995:995"

    environment:
    - HOSTNAME=mail
    - DOMAINNAME=${SMTP_DOMAIN}
    - ENABLE_POP3=1
    - ENABLE_LDAP=1
    - LDAP_SERVER_HOST=172.20.0.20
    - LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
    - LDAP_BIND_DN=${LDAP_BIND_DN}
    - LDAP_BIND_PW=${LDAP_ADMIN_PASSWORD}
    - LDAP_QUERY_FILTER_USER="(&(mail=%s))"
    - LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s))"
    - LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s))"
    - SASLAUTHD_LDAP_FILTER="(&(uid=%U)(objectClass=posixAccount))"
    - DOVECOT_PASS_FILTER="(&(objectClass=posixAccount)(mail=%u))"
    - DOVECOT_USER_FILTER="(&(objectClass=posixAccount)(mail=%u))"
    - POSTMASTER_ADDRESS="postmaster@${SMTP_DOMAIN}.org"

    cap_add:
    - NET_ADMIN
    - SYS_PTRACE
    restart: always

When looking at the logs of OpenLDAP, the request is correctly processed, a user is returned, but the mailserver seems to handle this response incorrectly.

I also don't see where I could fix this, since I couldn't find the file mail_uid nor any settings related to this.

Any fix or help for that?
Thanks 👍!

Labels: frozen due to age, ldap related, postfix / dovecot related

All 10 comments

I'm experiencing the same issue, any known fixes?

You need an LDAP server with the postfix-book schema.
If you need a docker you can use this one: https://hub.docker.com/r/jsmitsnl/docker-openldap-postfix-book/

Okay, so this led to a completely different error. Now that the schema is updated, mailserver is complaining that it encounters Permission Denied.

May 16 22:29:30 mail postfix/smtpd[1439]: disconnect from unknown[172.31.231.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8,
May 16 22:33:56 mail postfix/smtpd[1743]: disconnect from unknown[172.31.231.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8,
May 16 22:36:27 mail postfix/smtpd[1820]: disconnect from unknown[172.31.231.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8,
May 16 22:26:52 mail dovecot: pop3([email protected]): Namespace '': mkdir(/var/mail/newproject.org) failed: Permission denied top=0/0, retr=0/0, del=0/0, size=0,
May 16 22:26:52 mail dovecot: pop3([email protected]): Error: Namespace '': mkdir(/var/mail/newproject.org) failed: Permission denied,
May 16 22:26:52 mail postfix/smtpd[1439]: NOQUEUE: reject: RCPT from unknown[172.31.231.5]: 451 4.3.0 <[email protected]>: Temporary lookup failure; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[172.31.231.5]>,
May 16 22:26:52 mail postfix/smtpd[1439]: disconnect from unknown[172.31.231.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8

Is there something I'm missing? Should I have given any additional permissions?

The mail dir should have the permission 5000:5000. That is the virtual user id.
Now the permission of /var/mail is not correct.
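A quick way to verify the ownership point made above, as an added example that is not from the docker-mailserver project or from anyone in this thread: the first function lists every path under the mail root that is not owned by the virtual mail user (assumed here to be uid 5000 / gid 5000, as the comment states), and the second applies the chown. The mail root /var/mail comes from the mkdir error in the logs; the container name in the usage comment is an assumption, since compose derives it from the project name.

```shell
#!/bin/sh
# Added example, not part of docker-mailserver. Checks that a maildir tree is
# owned by the virtual mail user (assumed 5000:5000) so Dovecot, running as that
# user after dropping privileges, can create per-domain and per-user directories.

# check_maildir_owner DIR [UID] [GID]
# Prints every path under DIR (DIR itself included) not owned by UID:GID.
# Returns 0 when everything matches, 1 when something is mis-owned, 2 on bad input.
check_maildir_owner() {
    dir=$1
    uid=${2:-5000}
    gid=${3:-5000}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # -user/-group accept numeric ids on both GNU and BSD find
    bad=$(find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_maildir_owner DIR [UID] [GID]
# Re-owns the whole tree to UID:GID (needs root inside the container).
fix_maildir_owner() {
    dir=$1
    uid=${2:-5000}
    gid=${3:-5000}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    chown -R "$uid:$gid" "$dir"
}

# Usage (container name "mail" is assumed; compose may prefix it):
#   docker cp check-maildir.sh mail:/tmp/
#   docker exec mail sh -c '. /tmp/check-maildir.sh; check_maildir_owner /var/mail || fix_maildir_owner /var/mail'
```

Run the check again after a container restart: the thread notes the image resets the tree to 5000:5000 on start, so anything Dovecot created under a different uid/gid mapping will show up here.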

Thank you very much for your patience.

Now my client successfully connects to the server via POP3 or IMAP but not with SMTP.

May 17 08:32:53 mail postfix/trivial-rewrite[1819]: warning: dict_ldap_open: /etc/postfix/ldap-domains.cf: Fixed query_filter  is probably useless,
May 17 08:32:53 mail postfix/trivial-rewrite[1819]: warning: dict_ldap_lookup: Search error -7: Bad search filter ,
May 17 08:32:53 mail postfix/trivial-rewrite[1819]: warning: virtual_alias_domains: ldap:/etc/postfix/ldap-aliases.cf: table lookup problem,
May 17 08:32:53 mail postfix/trivial-rewrite[1819]: warning: virtual_alias_domains lookup failure,
May 17 08:32:53 mail postfix/smtpd[1815]: NOQUEUE: reject: RCPT from unknown[172.31.231.5]: 451 4.3.0 <[email protected]>: Temporary lookup failure; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[172.31.231.5]>

I have used the filters in the README

- LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))"
- LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))"
- LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s)(mailEnabled=TRUE))"
- DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%u))"
- DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%u))"

If you are not using the postaccount LDIF you will have to set the Dovecot user attributes (DOVECOT_USER_ATTRS).

If you set it so that it is using the uid and gid of the LDAP user, it will try to downgrade the user permissions of the folder. This will work until you restart the container and it resets the permissions to 5000:5000.

Quick fix is:
DOVECOT_USER_ATTRS=homeDirectory=home,=uid=5000,=gid=5000

This issue was closed due to one or more of the following reasons:

  1. Age
  2. Contributor inactivity
  3. The issue seems to be resolved

If you think this happened by accident, or feel like this issue was not actually resolved, please feel free to re-open it. If there is an issue you could resolve in the meantime, please open a PR based on the current master branch so we can review it.

I had this same issue when using LDAP. Setting mailUidNumber and mailGidNumber to 5000 fixed it for me.


dn: uid=jsmith,ou=people,dc=clayrisser,dc=com
cn: John
mail: [email protected]
mailEnabled: TRUE
mailGidNumber: 5000
mailUidNumber: 5000
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: PostfixBookMailAccount
objectClass: top
sn: Smith
uid: jsmith
userPassword: {CRYPT}<SOME_HASH>
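The LDIF above and the DOVECOT_USER_ATTRS comment earlier in the thread are two ways of giving Dovecot a uid/gid for the virtual user; the following is an added example (mine, not from docker-mailserver or from anyone in this thread) that checks an LDIF file before it is loaded into OpenLDAP. It assumes, as the comment above implies, that the image maps mailUidNumber and mailGidNumber to Dovecot's uid and gid, and that the virtual mail user is 5000:5000. Entries whose values are base64-encoded (`attr:: ...`) are not decoded. The sample LDIF in `sample_ldif` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of docker-mailserver. Preflight for LDIF files:
# every PostfixBookMailAccount entry must carry mailUidNumber/mailGidNumber
# equal to the virtual mail user (assumed 5000:5000) and mailEnabled: TRUE,
# otherwise Dovecot reports "User is missing UID" or a mkdir Permission denied.

# unfold_ldif FILE: join LDIF continuation lines (a line starting with one space
# continues the previous attribute value) so each attribute is on one line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }' "$1"
}

# ldif_check_uidgid FILE [UID] [GID]
# Prints "dn: reason; ..." for each mail-account entry that fails; returns 1 if
# any entry failed, 0 if all are fine. Non-mail entries are ignored.
ldif_check_uidgid() {
    file=$1
    want_uid=${2:-5000}
    want_gid=${3:-5000}
    unfold_ldif "$file" | awk -v want_uid="$want_uid" -v want_gid="$want_gid" '
        function reset() { dn = ""; uid = ""; gid = ""; enabled = ""; is_mail = 0 }
        function flush(   why) {
            if (dn == "" || !is_mail) { reset(); return }
            why = ""
            if (uid == "")            why = why "missing mailUidNumber; "
            else if (uid != want_uid) why = why "mailUidNumber " uid " != " want_uid "; "
            if (gid == "")            why = why "missing mailGidNumber; "
            else if (gid != want_gid) why = why "mailGidNumber " gid " != " want_gid "; "
            if (enabled != "TRUE")    why = why "mailEnabled is not TRUE; "
            if (why != "") { print dn ": " why; bad++ }
            reset()
        }
        BEGIN { reset(); bad = 0 }
        /^#/ { next }                       # LDIF comment
        /^$/ { flush(); next }              # blank line ends an entry
        {
            i = index($0, ":"); if (i == 0) next
            key = tolower(substr($0, 1, i - 1))      # attribute names are case-insensitive
            val = substr($0, i + 1)
            sub(/^:? */, "", val)                   # strip ": " or ":: " (base64 left undecoded)
            if (key == "dn") dn = val
            else if (key == "objectclass" && tolower(val) == "postfixbookmailaccount") is_mail = 1
            else if (key == "mailuidnumber") uid = val
            else if (key == "mailgidnumber") gid = val
            else if (key == "mailenabled") enabled = toupper(val)
        }
        END { flush(); exit (bad > 0) }
    '
}

# sample_ldif: constructed input for the demo; one good entry (modelled on the
# entry in the thread, with a folded dn) and one that lacks mailUidNumber.
sample_ldif() {
    cat <<'EOF'
dn: uid=jsmith,ou=people,
 dc=example,dc=com
cn: John
mail: jsmith@example.com
mailEnabled: TRUE
mailGidNumber: 5000
mailUidNumber: 5000
objectClass: inetOrgPerson
objectClass: PostfixBookMailAccount
sn: Smith
uid: jsmith

dn: uid=bob,ou=people,dc=example,dc=com
mail: bob@example.com
mailEnabled: TRUE
mailGidNumber: 5000
objectClass: PostfixBookMailAccount
uid: bob
EOF
}

# Usage:  sample_ldif > /tmp/users.ldif; ldif_check_uidgid /tmp/users.ldif || echo "fix before ldapadd"
```

Run this against the LDIF before `ldapadd`, or export the existing directory with `ldapsearch -LLL` and pipe it through `ldif_check_uidgid -` (awk reads stdin for `-`) to find accounts that would fail the privilege drop.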