-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 3 Jun 2014, Bruce wrote:
Jun 3 11:38:51 brio dovecot: Dovecot postlogin.sh running as hamish@XXXXX (/mnt/spool/keepers/h/XXXXX/hamish) userid = 7053 (7053) - uidlist = 26624 Jun 3 11:38:51 brio dovecot: Dovecot for hamish@XXXXX finished, uidlist now = 26624
who is user 26624? Is the uid valid at all? If it is invalid, are there other files owned by this uid? Maybe only one of your NFS server has this uid in its /etc/passwd? Is user "hamish" shared to another user somehow, either via symlinks, ACLs, ...?
The stat also says the change happened at 11:18:33, and there is nothing in
Well, it's the last inode change time. It does not neccessarily mean that the ownership was changed then.
the logs for that time which is abnormal (a whole bunch of other logins from other customers but nothing from those two users and no errors)
What about cron jobs, message delivery, backups, ... anything that possibly can alter that file. I don't think, it's a Dovecot issue, unless the uid 26624 is valid and hamish is shared with that user.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBU416XHz1H7kL/d9rAQL5HwgAlsI9PkWvcVJVQOj4P2SMsDBRoUGmt+Wy mvpnbRYWoApn4RdDHhm6UNE61OuqxFeZclKBzX7Qx6liK/4Hrq2dafsGHmFh7fSx o8qlEmOhUXwvoZ7sWtvepOPnxYJr8oTULlMoxoZHD2EUHWyG4D24QSU07Knnbasi wqXXS19Yuv6anBjfDMg7MsXYBw+M9yCxJd7h+IcapYC18DV3uSsEwyXC77QM+vjS tEvyqwRG04XM0tUBGwApkoUMmQxGggmaFSdSQTBjegfk5IwjwxbIpXIjmOP0GURA bkPHHGxuM2uMpDb7QBx5mUA8yZdFj5RzgAlkBuRFa2QVENBhE3qeVQ== =br8I -----END PGP SIGNATURE-----