Maildir: ACLs/Unix perms and unable to see content of specific mailbox

Christian Kivalo ml+dovecot at valo.at
Sat Sep 19 17:22:50 UTC 2015


Hi,

On 2015-09-19 16:17, Olaf Marzocchi wrote:
> Dear Dovecot users, hello.
> I will merge two issues I have into a single email because they may be 
> related.
> 
> I have used dovecot on an OmniOS server since 2014 (currently OmniOS
> r151014) with the following configuration (it shows 2.2.18 because I
> recently updated dovecot, skipping only the PostgreSQL plugin):
> 
> # 2.2.18: /etc/dovecot/dovecot.conf
> # OS: SunOS 5.11 i86pc  zfs
> mail_location = maildir:/tank/home/%u/Maildir
> mail_privileged_group = mail
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> protocols = imap
> ssl = required
> ssl_cert = </etc/dovecot/certs/dovecot.pem
> ssl_key = </etc/dovecot/private/dovecot.pem
> userdb {
>   driver = passwd
> }
> 
> You can see that I set the Maildir folder inside the shared home
> folders of my server (it is only one user, anyway).
> It always worked perfectly, but one-two months ago I changed the
> permissions of my whole home folder, recursively, to add proper ACLs.
> I needed them because the clients started using illumos kernel SMB
> (relying on ACLs) instead of Netatalk/AFP (relying on Unix perms
> only).
> I didn't realise I applied the ACLs also to the Maildir folder.
> 
> Dovecot worked fine for several weeks; I noticed the issue only
> yesterday, when a mailbox (see below) appeared completely empty in
> Thunderbird even though the "cur" subfolder on the server still
> contains all the mails.
> 
> Dovecot was throwing some errors like:
> 
> dovecot: [ID 583609 mail.error] imap(olaf): Error: rename(/tank/home/olaf/Maildir/.&A6k- Mailing Lists.Log/dovecot.index.cache) failed: Permission denied (euid=501(olaf) egid=501(olaf) UNIX perms appear ok (ACL/MAC wrong?))
> dovecot: [ID 583609 mail.error] imap(olaf): Error: rename(/tank/home/olaf/Maildir/.&A6k- Mailing Lists.Log/dovecot.index.tmp, /tank/home/olaf/Maildir/.&A6k- Mailing Lists.Log/dovecot.index) failed: Permission denied
> dovecot: [ID 583609 mail.error] imap(olaf): Error: unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: Permission denied
> dovecot: [ID 583609 mail.error] imap(olaf): Error: rename(/tank/home/olaf/Maildir/subscriptions.lock, /tank/home/olaf/Maildir/subscriptions) failed: Permission denied
> 
> I will post here the current permissions of the folder containing
> Maildir, of the Maildir itself, of its contents, and of the folder
> that appears empty when browsed with a client (Thunderbird).
> 
> /tank/home/olaf $ ls -lV ..
> drwx------+ 16 olaf     olaf          17 Sep 19 01:52 olaf
>               user:olaf:rwxpdDaARWcCos:fd-----:allow
>        group:2147483648:rwxpdDaARWcCos:fd-----:allow
>               everyone@:rwxpdDaARWcCos:fd-----:deny
> 
> /tank/home/olaf $ ls -lV
> drwxrwx--- 348 olaf     olaf         359 Sep 19 01:51 Maildir
>                  owner@:rwxp--aARWcCos:-------:allow
>                  group@:rwxp--a-R-c--s:-------:allow
>               everyone@:------a-R-c--s:-------:allow
> 
> /tank/home/olaf $ ls -lV Maildir/
> drwxrwx---   2 olaf     olaf           2 Jan 30  2014 cur
>                  owner@:rwxp--aARWcCos:-------:allow
>                  group@:rwxp--a-R-c--s:-------:allow
>               everyone@:------a-R-c--s:-------:allow
> -rwxrwx---   1 olaf     olaf          21 Jan 30  2014 dovecot-keywords
>                  owner@:rwxp--aARWcCos:-------:allow
>                  group@:rwxp--a-R-c--s:-------:allow
>               everyone@:------a-R-c--s:-------:allow
> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES EXCEPT...)
> -rwxrwx---   1 olaf     olaf       13735 Jan 24  2015 subscriptions
>                  owner@:rwxp--aARWcCos:-------:allow
>                  group@:rwxp--a-R-c--s:-------:allow
>               everyone@:------a-R-c--s:-------:allow
> -rw-rw----   1 olaf     olaf       13709 Sep 19 01:51 subscriptions.lock
>                  owner@:rw-p--aARWcCos:-------:allow
>                  group@:rw-p--a-R-c--s:-------:allow
>               everyone@:------a-R-c--s:-------:allow
> 
> The folder that appears empty:
> 
> /tank/home/olaf $ ls -lV Maildir/.Generiche/
> total 513
> drwxrwx---   2 olaf     olaf         949 Sep 18 01:42 cur
>                  owner@:rwxp--aARWcCos:-------:allow
>                  group@:rwxp--a-R-c--s:-------:allow
>               everyone@:------a-R-c--s:-------:allow
> -rwxrwx---   1 olaf     olaf          46 May 18  2014 dovecot-keywords
>                  owner@:rwxp--aARWcCos:-------:allow
>                  group@:rwxp--a-R-c--s:-------:allow
>               everyone@:------a-R-c--s:-------:allow
> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES)
> 
> 
> I really hope you will have the time to help me because I already
> applied the permissions recursively and I removed the ACLs, almost as
> it was before my mistake.
> I specified "almost" because originally (I checked the backups) the
> Maildir folder had an ACL that gave access permissions also to the
> group "mail":
> 
> drwxrwx---+349 olaf     olaf         359 Feb 16  2014 Maildir
>              group:mail:rwxpdDaARWcCos:fd-----:allow
>                  owner@:rwxpdDaARWcCos:fd----I:allow
>                  group@:rwxpdDaARWcCos:fd----I:allow
>               everyone@:rwxpdDaARWcCos:fd----I:deny
> 
> Yesterday I didn't replicate it because from the documentation I
> understood it was not necessary.

From my view the permissions seem to be set correctly; I have to admit
it's been a while since I moved to virtual users, so I may be wrong
here...

The log output also seems to support that permissions are correct.

Have you tried adding the group:mail:.... ACLs back?

Have you set mail_debug=yes or other more verbose logging settings?
http://wiki2.dovecot.org/Logging



> My questions, in short:
> - what are the permissions I need to give to the Maildir folder? I
> understood from the documentation it's 700, with my user/group (the
> one of the user accessing the mail). What about ACLs? And what about
> group "mail"?
> - the (only!) subfolder which appears empty in Thunderbird: could it
> depend on the permissions? Maybe because of them the index was not
> updated and UIDs don't match. If after applying the correct permissions
> I still cannot see its contents, is there a way to recover the mails?
> The files are all still there.
> 
> Sorry for the long email, but after several tries yesterday I
> exhausted my ideas.
> 
> Regards,
> Olaf

Regards,
Christian
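Added example for the thread above (not code from the mail, from Dovecot or from illumos): a small Python script that decodes the compact NFSv4 ACE strings `ls -V` prints on illumos/ZFS and evaluates them the way NFSv4 ACLs are evaluated, ACE by ACE, where the first matching ACE that mentions a permission bit decides that bit. The permission field is positional, `rwxpdDaARWcCos` standing for read_data, write_data, execute, append_data, delete, delete_child, read_attributes, write_attributes, read_xattr, write_xattr, read_acl, write_acl, write_owner and synchronize, so the `rwxp--aARWcCos` in the current listing versus `rwxpdDaARWcCos` in the backup differs exactly in the delete and delete_child bits, which rename() over an existing file and unlink() exercise. The script reports, for the bits Dovecot needs on a Maildir directory, whether each is allowed, denied or left unspecified. The sample `ls -V` text is constructed from the listings quoted in the mail (the backup ACL is given the name `Maildir.bak` so both fit in one listing), and the subject dicts describing who runs the imap process and which groups it belongs to are assumptions.

```python
"""Decode illumos/ZFS NFSv4 ACLs as printed by `ls -V` and evaluate them for a
subject, per bit, first matching ACE wins.  Added example for the thread; not
code from the mail, Dovecot or illumos.  SAMPLE_LS_V is constructed from the
mail's listings; the subject dicts are assumptions made for the demo."""
import re

# Compact permission letters, positional, in the order `ls -V`/`chmod A=` use.
PERM_NAME = dict(zip("rwxpdDaARWcCos", [
    "read_data", "write_data", "execute", "append_data", "delete",
    "delete_child", "read_attributes", "write_attributes", "read_xattr",
    "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize"]))
# Inheritance and audit flags, also positional.
FLAG_NAME = dict(zip("fdinFSI", [
    "file_inherit", "dir_inherit", "inherit_only", "no_propagate",
    "successful_access", "failed_access", "inherited"]))

ACE_RE = re.compile(
    r"^\s*(?P<who>owner@|group@|everyone@|user:[^:]+|group:[^:]+)"
    r":(?P<perms>[rwxpdDaARWcCos-]{14}):(?P<flags>[fdinFSI-]{7})"
    r":(?P<type>allow|deny)\s*$")

def parse_ace(line):
    """Return {'who','perms','flags','type'} for one compact ACE line, else None."""
    m = ACE_RE.match(line)
    if not m:
        return None
    return {"who": m.group("who"),
            "perms": {PERM_NAME[c] for c in m.group("perms") if c != "-"},
            "flags": {FLAG_NAME[c] for c in m.group("flags") if c != "-"},
            "type": m.group("type")}

def parse_ls_v(text):
    """Group `ls -lV` output into {name: [ace, ...]}: a mode line starts an
    entry, the indented lines after it are its ACEs.  The name is taken as
    the last field, fine for the mail's names, wrong for names with spaces."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        ace = parse_ace(line)
        if ace is None:
            current = line.split()[-1]
            entries[current] = []
        elif current is not None:
            entries[current].append(ace)
    return entries

def ace_applies(ace, subject):
    """NFSv4 principal matching; owner@/group@ are relative to the object."""
    who = ace["who"]
    if who == "everyone@":
        return True
    if who == "owner@":
        return subject["user"] == subject["file_owner"]
    if who == "group@":
        return subject["file_group"] in subject["groups"]
    kind, name = who.split(":", 1)
    return name == subject["user"] if kind == "user" else name in subject["groups"]

def effective_perms(aces, subject):
    """Per-bit first-match evaluation.  inherit_only ACEs are skipped: they only
    shape the ACLs of new children and never grant access to the object."""
    decision = {}
    for ace in aces:
        if "inherit_only" in ace["flags"] or not ace_applies(ace, subject):
            continue
        for perm in ace["perms"]:
            decision.setdefault(perm, ace["type"])
    return {p: decision.get(p, "unspecified") for p in PERM_NAME.values()}

# Bits Dovecot exercises on a Maildir directory: list it, look names up, create
# and rename files in it, create subdirectories, and remove or rename over
# existing files (delete_child on the directory, or delete on the file itself).
DOVECOT_DIR_NEEDS = ("read_data", "write_data", "execute", "append_data",
                     "delete_child")

def dovecot_dir_report(aces, subject):
    """{perm: 'allow'|'deny'|'unspecified'} for the bits Dovecot needs."""
    eff = effective_perms(aces, subject)
    return {p: eff[p] for p in DOVECOT_DIR_NEEDS}

# Constructed from the mail: the current Maildir ACL and the backup ACL Olaf
# quoted, the latter renamed Maildir.bak so both fit in one listing.
SAMPLE_LS_V = """\
drwxrwx--- 348 olaf     olaf         359 Sep 19 01:51 Maildir
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
drwxrwx---+349 olaf     olaf         359 Feb 16  2014 Maildir.bak
             group:mail:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxpdDaARWcCos:fd----I:allow
                 group@:rwxpdDaARWcCos:fd----I:allow
              everyone@:rwxpdDaARWcCos:fd----I:deny
"""
# Assumed subject: the imap process runs as olaf, whose only group is olaf.
OLAF = {"user": "olaf", "groups": {"olaf"}, "file_owner": "olaf", "file_group": "olaf"}

if __name__ == "__main__":
    for name, aces in parse_ls_v(SAMPLE_LS_V).items():
        print(name, dovecot_dir_report(aces, OLAF))
```

Run as is, the `Maildir` entry reports `delete_child: unspecified` while `Maildir.bak` reports `allow` for every bit. Ordering matters: the trailing `everyone@ ... deny` in the backup ACL never reaches olaf because `owner@` matches first, but a subject that is neither the owner, in the owning group nor in `mail` gets every bit denied by that same ACE. An unspecified bit is a weaker signal than an explicit deny (ZFS falls back to the directory's write_data and execute bits when neither delete nor delete_child is mentioned), so when Dovecot reports "UNIX perms appear ok (ACL/MAC wrong?)", look for denies first and then for bits that the backup ACL had and the current one lacks. Putting an ACL back on illumos is done with chmod's `A=` syntax in the same compact form, for example `chmod A=group:mail:rwxpdDaARWcCos:fd:allow,owner@:rwxpdDaARWcCos:fd:allow Maildir` (illumos chmod(1) ACL syntax; the script above only reads ACLs, it does not change them).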

