[Dovecot] Dovecot Postfix Quota Policy Service
Daniel Luttermann
daniel at dlutt.de
Sat May 4 16:06:11 EEST 2013
On 2013-05-04, Robert Schetterer wrote:
> On 03.05.2013 23:34, Daniel Luttermann wrote:
>> I am currently using Postfix 2.10.0 and Dovecot 2.2.1.
>>
>> The Dovecot quota configuration looks like the one described by
>> sys4:
>>
>> service quota-status {
>> executable = quota-status -p postfix
>> unix_listener /var/spool/postfix/private/quota-status {
>> group = postfix
>> mode = 0660
>> user = postfix
>> }
>> client_limit = 1
>> }
>>
>> By now I have tried quite a few options and permissions,
>> but unfortunately the error stays the same.
>>
>> Does anyone perhaps have another tip?
>>
>> Thanks in advance.
> better not in German here....
Sorry - I wanted to ask on the German Dovecot mailing list but sent
this mail to the English list.
> you should only use Dovecot 2.2.1
> the quota code in 2.1 is "not entirely complete"
> the setup looks ok at first glance
Currently I'm using Dovecot 2.2.1 and Postfix 2.10.0.
> have you already tested it, as an alternative, exactly as described in
> http://sys4.de/de/blog/2013/04/05/dovecot-quota-mit-postfix-abfragen/
> above all, not forgetting
> quota_grace = 10%%
> quota_status_success = DUNNO
> quota_status_nouser = DUNNO
> quota_status_overquota = "552 5.2.2 Mailbox is full / Mailbox ist voll"
> etc.?
yes, I've tried this (see doveconf/postconf below).
> alternatively, try mode = 0666
> to me it looks like a permission problem, which could
> differ depending on the setup; user / group postfix must
> exist, etc.
When I use
service config {
unix_listener config {
group =
mode = 0666
user =
}
}
then the error "permission denied" doesn't occur anymore but the error
warning: access table unix:private/quota-status entry has empty value
is the same. The verbose logging shows this:
=====
May 4 14:01:52 mail dovecot: quota-status(daniel at dlutt.de): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
May 4 14:01:52 mail dovecot: quota-status(daniel at dlutt.de): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=no location=mdbox:%h/sdbox
May 4 14:01:52 mail dovecot: quota-status(daniel at dlutt.de): Debug: shared: root=/usr/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
May 4 14:01:52 mail dovecot: quota-status(daniel at dlutt.de): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls:cache_secs=300
May 4 14:01:52 mail dovecot: quota-status(daniel at dlutt.de): Debug: acl: acl username = daniel at dlutt.de
May 4 14:01:52 mail dovecot: quota-status(daniel at dlutt.de): Debug: acl: owner = 0
May 4 14:01:52 mail dovecot: quota-status(daniel at dlutt.de): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
May 4 14:01:52 mail postfix/smtpd[26993]: private/quota-status: wanted attribute: action
May 4 14:01:52 mail postfix/smtpd[26993]: input attribute name: action
May 4 14:01:52 mail postfix/smtpd[26993]: input attribute value: (end)
May 4 14:01:52 mail postfix/smtpd[26993]: private/quota-status: wanted attribute: (list terminator)
May 4 14:01:52 mail postfix/smtpd[26993]: input attribute name: (end)
May 4 14:01:52 mail postfix/smtpd[26993]: check_table_result: unix:private/quota-status policy query
May 4 14:01:52 mail postfix/smtpd[26993]: warning: access table unix:private/quota-status entry has empty value
May 4 14:01:52 mail postfix/smtpd[26993]: generic_checks: name=check_policy_service status=1
May 4 14:01:52 mail postfix/smtpd[26993]: >>> END Recipient address RESTRICTIONS <<<
May 4 14:01:52 mail postfix/smtpd[26993]: >>> CHECKING RECIPIENT MAPS <<<
May 4 14:01:52 mail postfix/smtpd[26993]: ctable_locate: move existing entry key daniel at dlutt.de
....
....
May 4 14:01:53 mail dovecot: lmtp(27012): Debug: auth input: daniel at dlutt.de home=/home/vmail/dlutt.de/daniel uid=5000 gid=5000 quota_rule=*:bytes=900000000
May 4 14:01:53 mail dovecot: lmtp(27012): Debug: Added userdb setting: plugin/quota_rule=*:bytes=900000000
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Effective uid=5000, gid=5000, home=/home/vmail/dlutt.de/daniel
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Quota root: name=User quota backend=dict args=:proxy::quota
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Quota rule: root=User quota mailbox=* bytes=900000000 messages=0
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Quota rule: root=User quota mailbox=Trash bytes=+104857600 messages=0
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Quota warning: bytes=855000000 (95%) messages=0 reverse=no command=quota-warning 95 daniel at dlutt.de
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Quota warning: bytes=720000000 (80%) messages=0 reverse=no command=quota-warning 80 daniel at dlutt.de
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Quota grace: root=User quota bytes=90000000 (10%)
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: dict quota: user=daniel at dlutt.de, uri=proxy::quota, noenforcing=0
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: fs: root=/home/vmail/dlutt.de/daniel/mdbox, index=, indexpvt=, control=, inbox=, alt=
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls:cache_secs=300
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: acl: acl username = daniel at dlutt.de
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: acl: owner = 1
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=no location=mdbox:%h/sdbox
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: shared: root=/usr/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls:cache_secs=300
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: acl: acl username = daniel at dlutt.de
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: acl: owner = 0
May 4 14:01:53 mail dovecot: lmtp(27012, daniel at dlutt.de): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
=====
When I use the Dovecot default for the service "config" which is
root:root, then I get this error (permission denied):
May 4 14:46:51 mail postfix/postscreen[29225]: CONNECT from [2607:f8b0:4001:c02::229]:41474 to [2a00:1828:2000:206::2]:25
May 4 14:46:57 mail postfix/postscreen[29225]: PASS NEW [2607:f8b0:4001:c02::229]:41474
May 4 14:46:57 mail postfix/smtpd[29240]: connect from mail-ia0-x229.google.com[2607:f8b0:4001:c02::229]
May 4 14:46:58 mail postfix/smtpd[29240]: NOQUEUE: reject: RCPT from mail-ia0-x229.google.com[2607:f8b0:4001:c02::229]: 450 4.7.1 <daniel at dlutt.de>: Recipient address rejected: Internal error occurred. Refer to server log for more information.; from=<free4cd at googlemail.com> to=<daniel at dlutt.de> proto=ESMTP helo=<mail-ia0-x229.google.com>
May 4 14:46:58 mail dovecot: quota-status(daniel at dlutt.de): Error: user daniel at dlutt.de: Error reading configuration: net_connect_unix(/usr/var/run/dovecot/config) failed: Permission denied
May 4 14:46:58 mail postfix/smtpd[29240]: disconnect from mail-ia0-x229.google.com[2607:f8b0:4001:c02::229]
My Dovecot and Postfix config:
doveconf -n
===========
# 2.2.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.7
dict {
acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
expire = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
hostname = mail.dlutt.de
listen = 217.11.53.7
mail_debug = yes
mail_location = mdbox:~/mdbox
mail_plugins = acl quota expire
mail_privileged_group = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
list = children
location = mdbox:%%h/sdbox
prefix = shared/%%u/
separator = /
subscriptions = no
type = shared
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
subscriptions = yes
type = private
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
acl = vfile:/etc/dovecot/global-acls:cache_secs=300
acl_shared_dict = proxy::acl
expire = Trash
expire2 = Junk
expire_dict = proxy::expire
mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size
quota = dict:User quota::proxy::quota
quota_grace = 10%%
quota_rule = *:storage=1G
quota_rule2 = Trash:storage=+100M
quota_status_nouser = DUNNO
quota_status_overquota = 552 5.2.2 Recipient mailbox is is full
quota_status_success = DUNNO
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=80%% quota-warning 80 %u
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
postmaster_address = postmaster at dlutt.de
protocols = imap lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
}
service dict {
unix_listener dict {
group = vmail
mode = 0600
user = vmail
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
address = 127.0.0.1
port = 4190
}
}
service quota-status {
client_limit = 1
executable = quota-status -p postfix
unix_listener /var/spool/postfix/private/quota-status {
group = postfix
mode = 0660
user = postfix
}
}
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
unix_listener quota-warning {
group = vmail
mode = 0660
user = vmail
}
user = vmail
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.key
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
protocol lmtp {
mail_plugins = acl quota expire sieve
}
protocol imap {
mail_plugins = acl quota expire imap_acl imap_quota
}
postconf -n
===========
address_verify_map = memcache:/etc/postfix/verify-memcache.cf
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 1d
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = dlutt.de
myhostname = mail.dlutt.de
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_cache_map = memcache:/etc/postfix/memcache-postscreen.cf
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org, ix.dnsbl.manitu.net
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps proxy:btree:/var/lib/postfix/postscreen_cache_map proxy:btree:/var/lib/postfix/verify_cache_map
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map proxy:btree:/var/lib/postfix/postscreen_cache_map proxy:btree:/var/lib/postfix/verify_cache_map
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_bind_address = 217.11.53.6
smtp_bind_address6 = 2a00:1828:2000:206::2
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport_maps
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
master.cf
=========
217.11.53.6:25 pass - - n - - smtpd
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_recipient_domain,reject_unknown_sender_domain,permit_mynetworks,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unverified_recipient,check_policy_service,unix:private/quota-status
-o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
-o content_filter=klms_postfix-afterqueue:127.0.0.1:10025
-o receive_override_options=no_address_mappings
[2a00:1828:2000:206::2]:25 pass - - n - - smtpd
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_recipient_domain,reject_unknown_sender_domain,permit_mynetworks,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unverified_recipient,check_policy_service,unix:private/quota-status
-o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
-o content_filter=klms_postfix-afterqueue:127.0.0.1:10025
-o receive_override_options=no_address_mappings
--
Daniel
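
The smtpd trace above shows the policy reply's `action` attribute arriving with no value. The following client for the Postfix policy delegation protocol is an added example, not code from this thread or from the Dovecot or Postfix projects, and it makes that reply visible without going through smtpd. The attribute set, the function names and the canned replies fed to `demo` are assumptions constructed for the illustration.

```python
import socket

def build_request(recipient, size=0):
    # Policy delegation request: name=value lines, terminated by an empty line.
    attrs = [("request", "smtpd_access_policy"), ("protocol_state", "RCPT"),
             ("protocol_name", "ESMTP"), ("recipient", recipient),
             ("size", str(size))]
    return "".join(f"{k}={v}\n" for k, v in attrs).encode() + b"\n"

def parse_action(raw):
    # "" means the attribute is present but empty; None means it is missing.
    for line in raw.decode(errors="replace").split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        if name == "action":
            return value.strip()
    return None

def classify(action):
    # "empty-action" is the case smtpd logs as "entry has empty value".
    if not action:
        return "empty-action" if action == "" else "no-action-attribute"
    word = action.split()[0]
    if len(word) == 3 and word.isdigit() and word[0] in "45":
        return "reject" if word[0] == "5" else "defer"
    return "pass" if word.upper() in ("DUNNO", "OK") else "other"

def query(sock, recipient, size=0):
    sock.sendall(build_request(recipient, size))
    buf = b""
    # The reply ends at the first empty line (or when the peer closes).
    while not (buf.startswith(b"\n") or b"\n\n" in buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return classify(parse_action(buf))

def query_socket(path, recipient, size=0):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(path)
        return query(s, recipient, size)

def demo(reply):
    # Constructed offline stand-in: a canned reply queued on a socketpair.
    client, server = socket.socketpair()
    with client, server:
        server.sendall(reply)
        return query(client, "user@example.test", 1024)
```

On the mail host, `query_socket("/var/spool/postfix/private/quota-status", "<recipient>")`, run as a user the listener's owner, group and mode admit, performs the same check against the live service.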