Dovecot submission failing after latest patches install

This was working just fine until the latest patches were installed. Now I get the following error:

Aug 12 20:32:26 phoenix dovecot[69835]: submission-login: Error: Aug 12 20:32:26 service(submission-login): Fatal: execv(/usr/lib/dovecot/submission-login) failed: Permission denied
Aug 12 20:32:26 phoenix dovecot[69832]: master: Error: service(submission-login): command startup failed, throttling for 2.000 secs
Aug 12 20:32:26 phoenix dovecot[69835]: submission-login: Fatal: master: service(submission-login): child 69878 returned error 84 (exec() failed)

Has anybody come across this? Any known way to fix this?

Thanks.

Fixed, it was the apparmor virus… After removing and rebooting all is back to normal.

You really, REALLY should not remove apparmor on an internet facing server especially if it’s acting as an open SMTP/IMAP server.

Instead you should have looked at the apparmor profiles and fixed the issue. Although that should have already been taken care of by the developer/packager.

I would really, REALLY never expose a Linux server to the Internet, not with apparmor, not with a hardened Linux firewall, or any other security distribution packages or third parties. Never! All my systems are behind a Sophos UTM firewall, with SMTP/POP/IMAP proxies, anti-spam/virus filters, and an IPS. I do not need to go crazy in configuring each single server with these kinds of cheap solutions when I can do it one-time on a high end firewall. :wink:

I have given up on Apparmor a long time ago (practically from the beginning). If openSuSE cannot be bothered to ensure updates don’t break the configurations, why should I?

Running Linux today without Apparmor or SELinux is inadvisable… They are the standard “security by policy” ways to secure your system’s internal security and not running one or the other leaves your system very, very vulnerable to malware. Other security measures like patching and firewalls contribute to “security in depth” and like good security by policy are essential to keeping your system in good shape.

Security by policy is typically different and protects against different threats than the firewalls you describe; it protects primarily from threats from within instead of from other machines. You never know when malware might install by mistake and not always by attack; it can also happen by software coding mistakes, a corner scenario not seen before, a strange combination of circumstances, etc. Security by policy then would be your last and best defense against many unpredictable scenarios, so it is essential to a well running machine.

If you have any specific Apparmor problems, it’s not difficult to place your system in complain mode temporarily to identify the problem and then either fix the problem or modify the profile the error violates.

Looks like openSUSE documentation has greatly expanded its Apparmor info… Which is good but don’t let the large amount of information obscure how easy it should be to do what’s necessary for your system.

Keep in mind that if your dovecot setup isn’t handcrafted and is built using openSUSE packages, there’s a reasonable chance you’re simply missing a profile appropriate for your setup.

If you prefer SELinux instead (I feel doubtful when securing a Server Application, but whatever may be your choice) you also have the option to disable Apparmor but enable SELinux instead. That should be an acceptable option but probably used more often to satisfy government requirements than a voluntary choice.

If you run into obstacles either setting up or troubleshooting properly, go ahead and post for others to evaluate.
And, if you are tasked specifically with the security of your machines, I really wouldn’t advise leaving Apparmor disabled, if a problem happens that would easily be identified in a post mortem.

TSU
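
As an added example (not code from any poster in this thread), the sketch below shows how the AppArmor audit records behind an `execv ... Permission denied` failure can be picked out and grouped, covering both enforce-mode `DENIED` records and the `ALLOWED` records that complain mode logs. The sample log is constructed: the profile name `dovecot`, the audit serial numbers and the second PID are assumptions, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample in the kernel audit format AppArmor logs in; the profile
# name "dovecot", audit serials and second PID are assumptions, not thread data.
SAMPLE_LOG = """\
Aug 12 20:32:26 phoenix kernel: audit: type=1400 audit(1691865146.101:211): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/lib/dovecot/submission-login" pid=69878 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 12 20:32:26 phoenix dovecot[69832]: master: Error: service(submission-login): command startup failed, throttling for 2.000 secs
Aug 12 20:32:28 phoenix kernel: audit: type=1400 audit(1691865148.310:212): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/lib/dovecot/submission-login" pid=69901 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 12 20:40:02 phoenix kernel: audit: type=1400 audit(1691865602.007:230): apparmor="ALLOWED" operation="exec" profile="dovecot" name="/usr/lib/dovecot/submission-login" pid=70112 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

# key=value pairs, where the value is either "quoted" or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def apparmor_events(text):
    """Return one dict of key=value fields per AppArmor audit record."""
    events = []
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        # DENIED = blocked in enforce mode; ALLOWED = logged only (complain mode)
        if fields.get("apparmor") in ("DENIED", "ALLOWED"):
            events.append(fields)
    return events


def summarize(events):
    """Count events per (verdict, profile, operation, path, denied_mask)."""
    return Counter(
        (e["apparmor"], e.get("profile", "?"), e.get("operation", "?"),
         e.get("name", "?"), e.get("denied_mask", "?"))
        for e in events
    )


if __name__ == "__main__":
    for key, count in summarize(apparmor_events(SAMPLE_LOG)).items():
        verdict, profile, op, path, mask = key
        print(f"{count}x {verdict} profile={profile} op={op} mask={mask} path={path}")
```

A summary like this names the profile and the exact path and permission it lacks, which is what the profile needs to be amended for before it goes back to enforce mode. The `aa-complain`, `aa-logprof` and `aa-enforce` tools work from the same audit records.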