Maildir: ACLs/Unix perms: unlink(...) failed: Permission denied
Olaf Marzocchi
lists at marzocchi.net
Sun Sep 27 22:05:39 UTC 2015
Hi,
I tried again with some other options.
After finding
http://www.dovecot.org/list/dovecot/2013-November/093793.html
I deleted every ACL from the directory Maildir and I also assigned the
group "mail" to it, recursively:
OmniOS-Xeon:/tank/home/olaf/Maildir/.Generiche $ ls -lV
total 903
drwxrwxrwx 2 olaf mail 2 Sep 27 23:47 cur
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:rwxp--a-R-c--s:-------:allow
(and so on)
I tried also
mail_full_filesystem_access = yes
hoping that it would solve the issue, but nothing. Even with
mail_debug = yes
the log does not give any info besides
dovecot: [ID 583609 mail.error] imap(olaf): Error:
unlink(/tank/home/olaf/Maildir/.Generiche/dovecot-uidlist.tmp) failed:
Permission denied
(it shows also "rename" instead of "unlink")
With this additional info, has anyone any idea about the cause of the
problem?
My doveconf -n:
# 2.2.18: /etc/dovecot/dovecot.conf
# OS: SunOS 5.11 i86pc zfs
mail_debug = yes
mail_full_filesystem_access = yes
mail_location = maildir:/tank/home/%u/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = </etc/dovecot/certs/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
Any help will be appreciated.
Regards,
Olaf Marzocchi
On 19/09/2015 19:22, Christian Kivalo wrote:
> Hi,
>
> On 2015-09-19 16:17, Olaf Marzocchi wrote:
>> Dear Dovecot users, hello.
>> I will merge two issues I have into a single email because they may be
>> related.
>>
>> I used dovecot on an OmniOS server since 2014 (currently OmniOS
>> r151014) with the following configuration (it shows 2.2.18 because I
>> recently updated dovecot, skipping only the PostgreSQL plugin):
>>
>> # 2.2.18: /etc/dovecot/dovecot.conf
>> # OS: SunOS 5.11 i86pc zfs
>> mail_location = maildir:/tank/home/%u/Maildir
>> mail_privileged_group = mail
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>> }
>> passdb {
>>   driver = pam
>> }
>> protocols = imap
>> ssl = required
>> ssl_cert = </etc/dovecot/certs/dovecot.pem
>> ssl_key = </etc/dovecot/private/dovecot.pem
>> userdb {
>>   driver = passwd
>> }
>>
>> You can see that I set the Maildir folder inside the shared home
>> folders of my server (it is only one user, anyway).
>> It always worked perfectly, but one-two months ago I changed the
>> permissions of my whole home folder, recursively, to add proper ACLs.
>> I needed them because the clients started using illumos kernel SMB
>> (relying on ACLs) instead of Netatalk/AFP (relying on Unix perms
>> only).
>> I didn't realise I applied the ACLs also to the Maildir folder.
>>
>> Dovecot worked for several weeks fine, I noticed the issue only
>> yesterday when a mailbox (see below) appeared in Thunderbird
>> completely empty even if the "cur" subfolder on the server still
>> contains all the mails.
>>
>> Dovecot was throwing some errors like:
>>
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index.cache) failed: Permission denied
>> (euid=501(olaf) egid=501(olaf) UNIX perms appear ok (ACL/MAC wrong?))
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index.tmp, /tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index) failed: Permission denied
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: Permission
>> denied
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/subscriptions.lock,
>> /tank/home/olaf/Maildir/subscriptions) failed: Permission denied
>>
>> I will post here the current permissions of the folder containing
>> Maildir, of the Maildir itself, of its contents, and of the folder
>> that appears empty when browsed with a client (Thunderbird).
>>
>> /tank/home/olaf $ ls -lV ..
>> drwx------+ 16 olaf olaf 17 Sep 19 01:52 olaf
>> user:olaf:rwxpdDaARWcCos:fd-----:allow
>> group:2147483648:rwxpdDaARWcCos:fd-----:allow
>> everyone@:rwxpdDaARWcCos:fd-----:deny
>>
>> /tank/home/olaf $ ls -lV
>> drwxrwx--- 348 olaf olaf 359 Sep 19 01:51 Maildir
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>>
>> /tank/home/olaf $ ls -lV Maildir/
>> drwxrwx--- 2 olaf olaf 2 Jan 30 2014 cur
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> -rwxrwx--- 1 olaf olaf 21 Jan 30 2014 dovecot-keywords
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES EXCEPT...)
>> -rwxrwx--- 1 olaf olaf 13735 Jan 24 2015 subscriptions
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> -rw-rw---- 1 olaf olaf 13709 Sep 19 01:51 subscriptions.lock
>> owner@:rw-p--aARWcCos:-------:allow
>> group@:rw-p--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>>
>> The folder that appears empty:
>>
>> /tank/home/olaf $ ls -lV Maildir/.Generiche/
>> total 513
>> drwxrwx--- 2 olaf olaf 949 Sep 18 01:42 cur
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> -rwxrwx--- 1 olaf olaf 46 May 18 2014 dovecot-keywords
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES)
>>
>>
>> I really hope you will have the time to help me because I already
>> applied the permissions recursively and I removed the ACLs, almost as
>> it was before my mistake.
>> I specified "almost" because originally (I checked the backups) the
>> Maildir folder had an ACL that gave access permissions also to the
>> group "mail":
>>
>> drwxrwx---+349 olaf olaf 359 Feb 16 2014 Maildir
>> group:mail:rwxpdDaARWcCos:fd-----:allow
>> owner@:rwxpdDaARWcCos:fd----I:allow
>> group@:rwxpdDaARWcCos:fd----I:allow
>> everyone@:rwxpdDaARWcCos:fd----I:deny
>>
>> Yesterday I haven't replicated it because from the documentation I
>> understood it was not necessary.
>
> From my view the permissions seem to be set correctly, I have to admit,
> it's been a while since I moved to virtual users so I may be wrong here...
>
> The log output also seems to support that permissions are correct.
>
> Have you tried adding the group:mail:.... ACLs back?
>
> Have you set mail_debug=yes or other more verbose logging settings?
> http://wiki2.dovecot.org/Logging
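Added example, not part of the original thread: a small Python parser for the compact NFSv4 ACL entries that `ls -lV` prints on illumos/ZFS, applied to two Maildir listings quoted above (the one from the backup and the one after the change) to list which permissions differ. The function names are hypothetical, and the comparison only reads `allow` entries; it does not evaluate deny entries or entry order the way the filesystem does.

```python
# Added example: decode compact NFSv4 ACL entries as printed by `ls -V` on illumos/ZFS.
PERM_LETTERS = "rwxpdDaARWcCos"
PERM_NAMES = ["read_data", "write_data", "execute", "append_data", "delete",
              "delete_child", "read_attributes", "write_attributes", "read_xattr",
              "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize"]
FLAG_LETTERS = "fdinSFI"
FLAG_NAMES = ["file_inherit", "dir_inherit", "inherit_only", "no_propagate",
              "successful_access", "failed_access", "inherited"]
# ACL entries copied from the Maildir listings quoted in this thread.
BACKUP_MAILDIR = """
group:mail:rwxpdDaARWcCos:fd-----:allow
owner@:rwxpdDaARWcCos:fd----I:allow
group@:rwxpdDaARWcCos:fd----I:allow
everyone@:rwxpdDaARWcCos:fd----I:deny
"""
CURRENT_MAILDIR = """
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
"""

def decode(field, letters, names):
    """Map a fixed-width field such as 'rwxp--aARWcCos' to a set of names."""
    if len(field) != len(letters):
        raise ValueError(f"expected {len(letters)} characters, got {field!r}")
    bad = [c for c, l in zip(field, letters) if c not in (l, "-")]
    if bad:
        raise ValueError(f"unexpected character(s) {bad} in {field!r}")
    return {n for c, n in zip(field, names) if c != "-"}

def parse_ace(line):
    """Parse one entry; 'user:NAME:' and 'group:NAME:' carry an extra field."""
    parts = line.strip().split(":")
    if len(parts) not in (4, 5) or parts[-1] not in ("allow", "deny"):
        raise ValueError(f"not a compact ACL entry: {line!r}")
    return {"who": ":".join(parts[:-3]), "type": parts[-1],
            "perms": decode(parts[-3], PERM_LETTERS, PERM_NAMES),
            "flags": decode(parts[-2], FLAG_LETTERS, FLAG_NAMES)}

def allow_bits(acl_text, who):
    """Union of permissions in 'allow' entries for `who` (no deny/order logic)."""
    aces = [parse_ace(l) for l in acl_text.strip().splitlines()]
    return set().union(*(a["perms"] for a in aces
                         if a["who"] == who and a["type"] == "allow"))

def dropped(who):
    """Permissions the backup ACL allowed for `who` that the current one does not."""
    return sorted(allow_bits(BACKUP_MAILDIR, who) - allow_bits(CURRENT_MAILDIR, who))

print({who: dropped(who) for who in ("owner@", "group@")})
```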