[Dovecot] deliver is ignoring mail_access_groups
Peter
dovecot at peter-b.org
Sun Nov 15 14:59:38 EET 2009
Ubuntu 8.04LTS
Dovecot 1.2.6
Postfix 2.5.1
I'm using dovecot imap/deliver in an environment where I don't want users
with shell access to reach their mail folders (partly to do with IMAP ACLs
requiring open group permissions and partly to do with not wanting users to
mess their mail folders / sieve configs up).
I specifically don't want to switch to a "single dovecot user" style
installation.
Current config:
mail_location = maildir:/home/mail/%d/%n/Maildir
mail_privileged_group = mail
mail_access_groups = maildir
drwxrws--- 3 nobody maildir 21 2009-11-15 10:52 /home/mail
drwxrws--- 4 nobody adomain.com 30 2009-11-15 12:12 /home/mail/adomain.com/
drwxrws--- 3 auser adomain.com 20 2009-11-15 10:52 /home/mail/adomain.com/auser
drwxrws--- 3 auser adomain.com 20 2009-11-15 10:52 /home/mail/adomain.com/auser/Maildir
And so on...
As expected, IMAP and Managesieve work perfectly, but deliver fails:
Nov 15 12:48:26 s15364807 dovecot: deliver(auser at adomain.com): sieve: stat(/home/mail/adomain.com/auser/.dovecot.sieve) failed: Permission denied (using global script path in stead)
Nov 15 12:28:06 s15364807 dovecot: deliver(auser at adomain.com): stat(/home/mail/adomain.com/auser/Maildir) failed: Permission denied
Nov 15 12:28:06 s15364807 dovecot: deliver(auser at adomain.com): stat(/home/mail/adomain.com/auser/Maildir/tmp) failed: Permission denied (euid=1002(auser) egid=1001(adomain.com) missing +x perm: /home/mail)
Nov 15 12:28:06 s15364807 dovecot: deliver(auser at adomain.com): msgid=<20091115122806.79A0F80034F at servername.com>: save failed to INBOX: Internal error occurred. Refer to server log for more information. [2009-11-15 12:28:06]
Opening the permissions on /home/mail (6771) allows deliver to succeed,
suggesting that mail_access_groups is being ignored by deliver.
As a work-around I can set /home/mail to 6771, but this is not ideal as
anyone somehow guessing the directory structure could access mail of another
user in the same group regardless of IMAP ACL settings. Yes, I can severely
obfuscate it but it's not secure.
I've spent about half a day trying to figure this out. I'm assuming at this
point that either I'm missing something obvious or something else is wrong.
Any ideas?
Peter.
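An added example, not part of the original post: a small model of the POSIX directory-search check behind the "missing +x perm: /home/mail" log line, run over the directory listing quoted above. It assumes / and /home are traversable and ignores root and POSIX ACLs; the second user "buser" and the helper names are hypothetical.

```python
import os
import stat

# Constructed from the listing in the post (drwxrws--- is mode 2770).
# Each entry: (path, mode, owner, group); names stand in for numeric ids.
TREE = [
    ("/home/mail", 0o2770, "nobody", "maildir"),
    ("/home/mail/adomain.com", 0o2770, "nobody", "adomain.com"),
    ("/home/mail/adomain.com/auser", 0o2770, "auser", "adomain.com"),
    ("/home/mail/adomain.com/auser/Maildir", 0o2770, "auser", "adomain.com"),
]

def can_search(mode, owner, group, euid, groups):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if euid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def first_blocked(tree, euid, groups):
    """Return the first directory the process cannot traverse, or None."""
    for path, mode, owner, group in tree:
        if not can_search(mode, owner, group, euid, groups):
            return path
    return None

def with_mode(tree, path, mode):
    """Copy of tree with one directory's mode changed."""
    return [(p, mode if p == path else m, o, g) for p, m, o, g in tree]

def tree_from_path(path):
    """Same structure from a real filesystem (numeric ids; run with enough rights)."""
    parts, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        parts.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if cur == os.path.dirname(cur):
            return parts[::-1]
        cur = os.path.dirname(cur)

if __name__ == "__main__":
    # Identity from the log line: euid=auser, egid=adomain.com, no extra groups.
    print(first_blocked(TREE, "auser", {"adomain.com"}))
    # Same process with the maildir supplementary group present.
    print(first_blocked(TREE, "auser", {"adomain.com", "maildir"}))
    # The 6771 work-around as seen by another member of the domain group.
    opened = with_mode(TREE, "/home/mail", 0o6771)
    print(first_blocked(opened, "buser", {"adomain.com"}))
```

A result of None means every directory down to the Maildir is traversable for that identity; the third case shows the exposure of the 6771 work-around that the post describes.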