/var/run/dovecot permission issues
Matt Simpson
dclist at list.jmatt.net
Thu Aug 17 16:19:20 EEST 2017
I have an issue that surfaced when I tried to start using the new metrics service, but it looks like it may be a more generic issue.
When I enabled stats and started dovecot, I got the following error in the log:
Error: stats: open(/var/run/dovecot/stats-mail) failed: Permission denied
/var/run/dovecot/stats-mail did not exist. /var/run/dovecot/ existed and was owned by root, which apparently was preventing dovecot from creating stats-mail. On advice from another list subscriber, I changed the ownership of /var/run/dovecot to the dovecot user. This didn’t help.
Apparently /var/run/dovecot is deleted by dovecot when it shuts down and recreated, with root ownership, when it restarts. stats-mail is then created, also with root ownership. Is there something I need to change to prevent dovecot from creating this directory owned by root? I was unaware of any problems before trying to enable stats, but the ownership of files in that directory is a mixed bag:
$ ls -l /var/run/dovecot
total 20
srw------- 1 root wheel 0 Aug 17 09:05 anvil
srw------- 1 root wheel 0 Aug 17 09:05 anvil-auth-penalty
srw------- 1 dovecot wheel 0 Aug 17 09:05 auth-client
srw------- 1 dovecot wheel 0 Aug 17 09:05 auth-login
srw-rw---- 1 alias qnofiles 0 Aug 17 09:05 auth-master
-rw------- 1 root wheel 32 Aug 17 09:05 auth-token-secret.dat
srw-rw-rw- 1 dovecot wheel 0 Aug 17 09:05 auth-userdb
srw------- 1 dovecot wheel 0 Aug 17 09:05 auth-worker
srw------- 1 root wheel 0 Aug 17 09:05 config
srw------- 1 root wheel 0 Aug 17 09:05 dict
srw------- 1 root wheel 0 Aug 17 09:05 dict-async
srw------- 1 root wheel 0 Aug 17 09:05 director-admin
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 dns-client
srw------- 1 root wheel 0 Aug 17 09:05 doveadm-server
lrwx------ 1 root wheel 35 Aug 17 09:05 dovecot.conf -> /usr/local/etc/dovecot/dovecot.conf
drwxr-xr-x 2 root wheel 512 Aug 17 09:05 empty
srw------- 1 root wheel 0 Aug 17 09:05 imap-hibernate
srw------- 1 root wheel 0 Aug 17 09:05 imap-master
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 imap-urlauth
srw------- 1 dovecot wheel 0 Aug 17 09:05 imap-urlauth-worker
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 indexer
srw------- 1 dovecot wheel 0 Aug 17 09:05 indexer-worker
srw------- 1 root wheel 0 Aug 17 09:05 ipc
srw------- 1 root wheel 0 Aug 17 09:05 log-errors
drwxr-x--- 2 root dovenull 512 Aug 17 09:05 login
srw------- 1 root wheel 0 Aug 17 09:05 master
-rw------- 1 root wheel 6 Aug 17 09:05 master.pid
srw------- 1 root wheel 0 Aug 17 09:05 replication-notify
prw------- 1 root wheel 0 Aug 17 09:05 replication-notify-fifo
srw------- 1 dovecot wheel 0 Aug 17 09:05 replicator
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 ssl-params
srw------- 1 root wheel 0 Aug 17 09:05 stats
prw------- 1 root wheel 0 Aug 17 09:05 stats-mail
prw------- 1 root wheel 0 Aug 17 09:05 stats-user
drwxr-x--- 2 root dovenull 512 Aug 17 09:05 token-login
$ doveconf -n
# Output of `doveconf -n`, which prints only the settings that differ from
# Dovecot's built-in defaults; anything not listed here is at its default.
# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: FreeBSD 11.0-RELEASE-p9 amd64
# auth_stats and the " stats" mail plugin below turn on statistics collection,
# the feature whose stats-mail FIFO produced the "Permission denied" error.
auth_stats = yes
auth_verbose = yes
default_vsz_limit = 128 M
lock_method = flock
mail_location = maildir:~/Maildir
mail_plugins = " stats"
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vnd.dovecot.pipe vnd.dovecot.execute
namespace inbox {
inbox = yes
location =
prefix =
}
# Passwords are checked through PAM; "imap" is the PAM service name used.
passdb {
args = imap
driver = pam
}
plugin {
recipient_delimiter = -
sieve = file:~/sieve;active=~/.dovecot.sieve
# vnd.dovecot.pipe / vnd.dovecot.execute let users' Sieve scripts start
# external programs, limited to the two *_bin_dir directories named here.
# NOTE(review): those directories and their contents should be writable by
# the administrator only; ownership is not visible in this post.
sieve_execute_bin_dir = /usr/local/lib/dovecot/sieve-pipe
sieve_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve-pipe
sieve_pipe_exec_timeout = 10s
sieve_plugins = sieve_extprograms
stats_refresh = 30s
}
protocols = imap
# The auth-master listener settings match the "alias qnofiles srw-rw----"
# socket in the directory listing; the auth service itself runs as root.
service auth {
unix_listener auth-master {
group = qnofiles
mode = 0660
user = alias
}
user = root
}
service imap-login {
process_min_avail = 3
vsz_limit = 94 M
}
ssl_cert = </usr/local/etc/letsencrypt/live/dummy.redhorse.me/fullchain.pem
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_dh_parameters_length = 2048
# doveconf redacts the private key unless -P is given; keep it redacted in
# any output that is posted publicly.
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
# Only SSLv2 and SSLv3 are excluded; every TLS version the linked SSL library
# offers stays enabled. NOTE(review): consider excluding older TLS versions
# as well if the client base allows it.
ssl_protocols = !SSLv2 !SSLv3
# Statistics are exported to a Carbon server at the address below.
stats_carbon_name = RedHorseMail
stats_carbon_server = [2a04:3542:1000:910:acc1:5bff:fe5e:8c2]
syslog_facility = local0
# Users come from the system passwd database.
# NOTE(review): mail processes then presumably run under each user's own UID,
# not as root or dovecot — confirm.
userdb {
driver = passwd
}
verbose_proctitle = yes
protocol lda {
mail_plugins = " stats sieve"
}
# NOTE(review): no `service stats { fifo_listener stats-mail { ... } }` block
# appears in this output, so the FIFO keeps its default owner and mode (the
# directory listing shows root, prw-------). A process that is not root cannot
# open it, which would explain the logged error. Setting user/group/mode on
# that listener, as narrowly as the mail processes' UIDs allow, looks like the
# intended fix rather than changing ownership of /var/run/dovecot — confirm
# against the Dovecot 2.2 statistics documentation.