bug report: lmtp fails on root-squashed NFS filesystem

Anne Bennett anne at encs.concordia.ca
Wed Nov 17 00:13:15 UTC 2021


Hi, all.

I'm trying to set up Postfix with dovecot LMTP delivery
on a host where the user files (/var/spool/mail as well as
home directories) are on NFS filesystems, which are exported
root-squashed to the mail server.  I definitely don't want to
give the mail server root permissions on the user files.

LMTP delivery fails with this logged message (e.g.):

  Nov 16 17:51:36 lust dovecot: lmtp(anne)<16830><mkkzEPg1lGG+QQAAs/mAJw>: msgid=<202111162229.1AGMTfAO024765 at vindemiatrix.encs.concordia.ca>: save failed to INBOX: Read-only mbox

I found this posting where someone else had a similar problem
and traced it in some detail back in 2019:

  https://dovecot.org/list/dovecot/2019-February/114611.html

but apparently no one answered the fellow.

In order to check that this is indeed the same problem,
I temporarily changed the INBOX definition to make it write
into /var/tmp/ (on a local filesystem), and delivery worked.

I then temporarily changed the INBOX definition to make it
write into an NFS filesystem with root NOT squashed, and again
it worked (after I chmodded the directory to 1777 to allow
any user to create a file).

I believe that the person who wrote the above posting is
correct: at some point, file access is (incorrectly) checked
as root instead of as the target user.

This is a bit of a showstopper for me.  Any plans to address this?

I attach the output of "dovecot -n", fwiw, but I don't think
that this is a configuration problem...


Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca                                    +1 514 848-2424 x2285
# 2.3.16 (7e2e900c1a): /local/pkg/dovecot-2.3.16/root/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 ()
# OS: Linux 3.10.0-1160.45.1.el7.x86_64 x86_64 Scientific Linux release 7.9 (Nitrogen) 
# Hostname: lust.encs.concordia.ca
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /local/data/dovecot/this_host.d/imap.keytab
auth_mechanisms = plain login gssapi
auth_username_format = %Ln
auth_verbose = yes
default_login_user = nul-dove
first_valid_uid = 200
listen = *
lmtp_hdr_delivery_address = original
login_access_sockets = tcpwrap
mail_attachment_fs = posix
mail_fsync = always
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%1u/%u:INDEX=/local/data/dovecot/indexes/mail/%1u/%u
mail_plugin_dir = /local/lib/dovecot
mail_server_admin = mailto:servicedesk at encs.concordia.ca
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mmap_disable = yes
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /local/pkg/dovecot-CURRENT/root/etc/dovecot/encs.d/ldap.EXTRA
  driver = ldap
}
plugin {
  mail_log_events = mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
}
protocols = imap submission lmtp
service imap-postlogin {
  executable = script-login /local/bin/imap-wrapper
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
  process_limit = 8192
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
ssl_cert = </etc/pki/tls/certs/mail.encs.pem
ssl_key = # hidden, use -P to show it
submission_relay_host = smtp.encs.concordia.ca
submission_relay_trusted = yes
userdb {
  driver = prefetch
}
userdb {
  args = /local/pkg/dovecot-CURRENT/root/etc/dovecot/encs.d/ldap.EXTRA
  driver = ldap
}
verbose_proctitle = yes
protocol imap {
  mail_plugins = " mail_log notify"
}