Dovecot LMTP tries to access a directory of a different user than the one it actually changed to.

Ernest Deak ernest.deak at somi.sk
Fri Jul 3 12:12:40 UTC 2015


Hello, I encountered a problem when trying to send an email to multiple 
recipients.


=== LOG ===

... cut ...
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: none: root=, index=, 
control=, inbox=
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106): Connect from local
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: Loading modules from 
directory: /usr/lib64/dovecot
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: Module loaded: 
/usr/lib64/dovecot/lib90_sieve_plugin.so
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: auth input: han.solo 
system_groups_user=han.solo uid=805 gid=800 home=/home/han.solo
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: auth input: tester 
system_groups_user=tester uid=802 gid=800 home=/home/tester
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: auth input: vader 
system_groups_user=vader uid=804 gid=800 home=/home/vader
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug: Effective 
uid=805, gid=800, home=/home/han.solo
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug: fs: 
root=/home/han.solo/mail, index=, control=, inbox=/var/mail/han.solo
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: user's script path 
/home/han.solo/.dovecot.sieve doesn't exist (using global script path in 
stead)
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: user has no valid personal script
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: no scripts to execute: reverting to 
default delivery.
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): 
70NxN1FlllUqXgAA0vrzwA: msgid=<55966551.IfKOMu/T0WTB9M5x%vader at 
dhcp90.#####>: saved mail to INBOX
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug: Effective 
uid=802, gid=800, home=/home/tester
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug: fs: 
root=/home/tester/mail, index=, control=, inbox=/var/mail/tester
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: user's script path 
/home/tester/.dovecot.sieve doesn't exist (using global script path in 
stead)
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: user has no valid personal script
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: no scripts to execute: reverting to 
default delivery.
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Error: 
stat(/home/han.solo/mail/.imap/INBOX/dovecot.index.log) failed: 
Permission denied (euid=802(tester) egid=800(kerber) missing +x perm: 
/home/han.solo, euid is not dir owner)
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Error: 
open(/home/han.solo/mail/.imap/INBOX/dovecot.index) failed: Permission 
denied (euid=802(tester) egid=800(kerber) missing +x perm: 
/home/han.solo, euid is not dir owner)
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): 
70NxN1FlllUqXgAA0vrzwA: msgid=<55966551.IfKOMu/T0WTB9M5x%vader at 
dhcp90.#####>: save failed to INBOX: BUG: Unknown internal error
Jul  3 12:34:57 dhcp90 sendmail[24121]: t63AYvn5024116: to=<tester at 
dhcp90.#####>, ctladdr=<vader at dhcp90.#####> (804/800), 
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=91062, 
relay=localhost, dsn=4.2.0, stat=Deferred: 451 4.2.0 <tester> BUG: 
Unknown internal error
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug: Effective 
uid=804, gid=800, home=/home/vader
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug: fs: 
root=/home/vader/mail, index=, control=, inbox=/var/mail/vader
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: user's script path 
/home/vader/.dovecot.sieve doesn't exist (using global script path in stead)
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: user has no valid personal script
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug: 
70NxN1FlllUqXgAA0vrzwA: sieve: no scripts to execute: reverting to 
default delivery.
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Error: 
stat(/home/han.solo/mail/.imap/INBOX/dovecot.index.log) failed: 
Permission denied (euid=804(vader) egid=800(kerber) missing +x perm: 
/home/han.solo, euid is not dir owner)
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Error: 
open(/home/han.solo/mail/.imap/INBOX/dovecot.index) failed: Permission 
denied (euid=804(vader) egid=800(kerber) missing +x perm: 
/home/han.solo, euid is not dir owner)
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): 
70NxN1FlllUqXgAA0vrzwA: msgid=<55966551.IfKOMu/T0WTB9M5x%vader at 
dhcp90.#####>: save failed to INBOX: BUG: Unknown internal error
Jul  3 12:34:57 dhcp90 sendmail[24121]: t63AYvn5024116: to=<vader at 
dhcp90.#####>, ctladdr=<vader at dhcp90.#####> (804/800), 
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=91062, 
relay=localhost, dsn=4.2.0, stat=Deferred: 451 4.2.0 <vader> BUG: 
Unknown internal error
Jul  3 12:34:57 dhcp90 sendmail[24121]: t63AYvn5024116: to=<han.solo at 
dhcp90.#####>, ctladdr=<vader at dhcp90.#####> (804/800), 
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=91062, 
relay=localhost, dsn=2.0.0, stat=Sent
Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106): Disconnect from local: 
Client quit
===========



The setup is as follows:
All users have /bin/false instead of a shell.
Each user has a unique UID but they all have 1 GID (800)
My MTA is sendmail
I am using dovecot-lmtp for local delivery
Mailbox format is mbox
Configured managesieve plugin to listen on 4190. (not sure if this is 
even related but it might)

The problem I see is that lmtp(user1) tries to access the home directory 
/home/user2 and I cannot figure out the reason why.
This only happens when sending mails to multiple recipients.
I see that lmtp complains that it doesn't have execute permissions. 
But I don't want to place execute permissions for others on the entire 
/home/* dir structure.
Also, 700 are the default creation permissions. So new users would have 
to be chmod'ed manually. (unless there is a setting in dovecot)

I used "mailx" to send a test email to multiple recipients
`echo "test message" | mailx -s "subject" -r vader at dhcp90.##### 
han.solo at dhcp90.##### vader at dhcp90.##### tester at dhcp90.#####`
The only one who actually receives the message is han.solo at 
dhcp90.##### and

The same happens with aliases in /etc/aliases.
`echo "group test" | mailx -s "subject" -r vader at dhcp90.##### 
grouplist at dhcp90.#####`
"grouplist" is defined in /etc/aliases and contains the same users as in 
the log

Any help with this is greatly appreciated.

Here is my dovecot configuration:

=== `dovecot -n` ===
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-504.12.2.el6.x86_64 x86_64 CentOS release 6.6 (Final)
auth_debug = yes
auth_mechanisms = plain login
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
mail_debug = yes
mail_full_filesystem_access = yes
mail_gid = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date
mbox_write_locks = fcntl
passdb {
   driver = pam
}
plugin {
   sieve = ~/.dovecot.sieve
   sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
service lmtp {
   client_limit = 1
   executable = /usr/libexec/dovecot/lmtp -L
   inet_listener lmtp {
     address = 127.0.0.1 ::1
     port = 24
   }
   process_min_avail = 1
}
service managesieve-login {
   inet_listener sieve {
     port = 4190
   }
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
   driver = passwd
}
protocol lmtp {
   mail_plugins = " sieve"
   postmaster_address = postmaster
}
===============
`rpm -qa | grep dovecot`
dovecot-pigeonhole-2.0.9-8.el6_6.4.x86_64
dovecot-2.0.9-8.el6_6.4.x86_64

Thanks in advance.
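
A way to flag this pattern when reviewing Dovecot logs, as an added example (not part of the original post and not Dovecot code): it maps each recipient to the home directory reported in the `auth input` lines, then reports permission errors where an LMTP session touched a path under another recipient's home. The sample lines are the post's log lines re-joined onto single lines, plus one constructed own-home error as a negative case; the function and variable names are assumptions of this example.

```python
import re
from collections import defaultdict

# "auth input" lines give each recipient's home; Error lines carry the session user.
AUTH_RE = re.compile(
    r"lmtp\((?P<pid>\d+)\): Debug: auth input: (?P<user>\S+) .*\bhome=(?P<home>\S+)")
ERR_RE = re.compile(
    r"lmtp\((?P<pid>\d+), (?P<user>[^)]+)\): Error: (?P<call>\w+)"
    r"\((?P<path>/[^)]*)\) failed: Permission denied")

def find_cross_user_access(lines):
    """Return (session_user, syscall, path, home_owner) for each permission
    error on a path that lies under another recipient's home directory."""
    homes = defaultdict(dict)  # pid -> {user: home}, scoped per LMTP process
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            homes[m["pid"]][m["user"]] = m["home"].rstrip("/")
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        for owner, home in homes[m["pid"]].items():
            # Compare with a trailing slash so /home/han does not match /home/han.solo.
            if owner != m["user"] and (m["path"] + "/").startswith(home + "/"):
                findings.append((m["user"], m["call"], m["path"], owner))
    return findings

P = "Jul  3 12:34:57 dhcp90 dovecot: lmtp(24106"  # common prefix of the sample lines
SAMPLE_LOG = [
    P + "): Debug: auth input: han.solo system_groups_user=han.solo uid=805 gid=800 home=/home/han.solo",
    P + "): Debug: auth input: tester system_groups_user=tester uid=802 gid=800 home=/home/tester",
    P + "): Debug: auth input: vader system_groups_user=vader uid=804 gid=800 home=/home/vader",
    P + ", tester): Error: stat(/home/han.solo/mail/.imap/INBOX/dovecot.index.log) failed: Permission denied (euid=802(tester) egid=800(kerber) missing +x perm: /home/han.solo, euid is not dir owner)",
    P + ", tester): Error: open(/home/han.solo/mail/.imap/INBOX/dovecot.index) failed: Permission denied (euid=802(tester) egid=800(kerber) missing +x perm: /home/han.solo, euid is not dir owner)",
    P + ", vader): Error: stat(/home/han.solo/mail/.imap/INBOX/dovecot.index.log) failed: Permission denied (euid=804(vader) egid=800(kerber) missing +x perm: /home/han.solo, euid is not dir owner)",
    # Constructed negative case (not in the post): an error inside the user's own home.
    P + ", vader): Error: open(/home/vader/mail/.imap/INBOX/dovecot.index) failed: Permission denied (euid=804(vader) egid=800(kerber))",
]

if __name__ == "__main__":
    for user, call, path, owner in find_cross_user_access(SAMPLE_LOG):
        print(f"lmtp session {user}: {call}() on {path} (home of {owner})")
```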

