Hi,
I try to migrate an old fashioned mailsystem to Debian 9.7 / dovecot 2.2.7. I "have" to cope with mbox for now. I try to get rid of Sun OS 5.9 sendmail before mbox to mdbox migration (I'm fine if you laugh loudly ^^). Intended setup : 2 VM with exim (smtp in, smtp out roughly), 3 VM with dovecot (mbox, maildir, testbed), 1 VM with IMAP proxy and LMTP proxy.
doveconf -n is at end of this mail. My test case is :
root@wagram:~# swaks --to tstifi04 --server imap --protocol lmtp --header-X-Spam-Status yes root@wagram:~# (imap VM LMTP proxies to telegraphe5 VM in this test)
mbox folders are in users homedir, no generic "vmail" unix account. Real posixAccounts in LDAP, NFS root_squashed.
sieve "fileinto "Junk" call goes wrong :
Feb 6 17:56:03 telegraphe5 dovecot: lmtp(tstifi04): Error: PytSHqIRW1x2dgAA+Fldtw: sieve: msgid=unspecified: failed to store into mailbox 'Junk': Read-only mboxstraced : https://pastebin.com/A53hDYnS
I may miss some configuration options... but I get stuck. I get
to IRC and it seems that there is no simple things to circumvent.
I tried to read some code path too.
https://wiki.dovecot.org/LMTP states :
lmtp run as root, drop temporarily privileges. The point, IHMO, is lmtp calls sieve code paths, that call some mbox saving function, that calls libc/syscall access(). And this explicitly not consider effective uid/gid.Security
Unfortunately LMTP process currently needs to run as root, and only temporarily drop privileges to users. Otherwise it couldn't handle mail deliveries to more than a single user with different UID. If you're using only a single global UID/GID, you can improve security by running lmtp processes as that user:
service lmtp { user = vmail }
From strace (more in pastebin) :
[pid 30326] geteuid() = 0
[pid 30326] setresuid(-1, 20609, -1) = 0
[pid 30326] geteuid() = 20609
[pid 30326] access("/home/tstifi04/mail-imap/Junk", R_OK|W_OK) = -1 EACCES (Permission denied)
From man access
The check is done using the calling process's real UID and GID, rather than the effective IDs as is done when actuallyI think that the process has effectively sufficient permissions to write into the root_squashed file, and infortunately access() check another thing.
attempting an operation (e.g., open(2)) on the file. Similarly, for the root user, the check uses the set of permitted
capabilities rather than the set of effective capabilities; and for non-root users, the check uses an empty set of capa-
bilities.
In dovecot sources, src/lib/eacces-error.c is aware of those "problems" with access(), but I think that mbox and maybe other storage backends don't use this for main codepath (like save a mail), but "only" for smart log messages in some cases.
I may gone wrong while seeking about it. Do you see a configuration that can use root squashed mboxes and LMTP ?
Should test_access() variant could be used as access()
replacement ?
There is eaccess() and euidaccess() too but may be not portable
enough (_GNU_SOURCE only).
Regards,
Ludovic
telegraphe5:/dev/shm# mount | grep tstifi04 cifs1:/homeeleves/tstifi/tstifi04 on /home/tstifi04 type nfs (rw,nosuid,nodev,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.29,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.29) telegraphe5:/dev/shm# dovecot -n # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (fed8554) # OS: Linux 4.9.0-8-amd64 x86_64 Debian 9.7 auth_debug = yes auth_verbose = yes default_client_limit = 10240 default_process_limit = 2048 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes mail_debug = yes mail_fsync = always mail_location = mbox:~/mail-imap:INBOX=/var/mail/mailbox/%u:INDEX=/var/dovecot-indexes/%u mail_nfs_storage = yes mail_plugins = quota managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext mbox_write_locks = fcntl mmap_disable = yes namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size quota = count:Quota mail global quota_rule = *:storage=100M quota_rule2 = Trash:storage=+100M quota_vsizes = yes quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u sieve = file:/var/mail/mailconf/%1u/%u/sieve;active=/var/mail/mailconf/%1u/%u/.dovecot.sieve sieve_after = /var/mail/mailconf/global/sieve/after.d/ sieve_before = /var/mail/mailconf/global/sieve/before.d/ sieve_global = /var/mail/mailconf/global/sieve sieve_vacation_dont_check_recipient = yes } protocols = " imap lmtp sieve sieve" service anvil { unix_listener anvil-auth-penalty { mode = 00 } } service imap-login { inet_listener imap { port = 0 } } service lmtp { inet_listener lmtp { port = 24 } } service managesieve { process_limit = 16 } service quota-warning { executable = script /usr/local/bin/quota-warning.sh unix_listener quota-warning { mode = 0666 } user = root } ssl = required ssl_cert = </etc/ssl/local_certs/telegraphe5_cert.pem ssl_key = # hidden, use -P to show it syslog_facility = local0 userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } verbose_proctitle = yes protocol lmtp { mail_plugins = quota sieve } protocol imap { mail_max_userip_connections = 20 mail_plugins = quota imap_quota } telegraphe5:/dev/shm# grep -vE '^(#|$)' /etc/dovecot/dovecot-ldap.conf.ext uris = ldaps://ldap-test.mines-albi.fr tls_require_cert = hard auth_bind = yes base = ou=People,dc=enstimac,dc=fr user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,\ dcMailQuota=quota_rule=*:bytes=%{ldap:dcMailQuota}M user_filter = (&(objectClass=posixAccount)(|(uid=%n)(mail=%n@mines-albi.fr))) iterate_attrs = uid=user iterate_filter = (objectClass=posixAccount) telegraphe5:/dev/shm# ls -l /var/mail/mailconf/global/sieve/before.d/ total 0 telegraphe5:/dev/shm# ls -al /var/mail/mailconf/t/tstifi04/ total 44 drwx------ 3 tstifi04 ifie2012 4096 févr. 5 10:46 . drwxrwxrwt 169 root root 16384 janv. 5 18:48 .. lrwxrwxrwx 1 tstifi04 ifie2012 25 janv. 31 17:50 .dovecot.sieve -> sieve/rainloop.user.sieve -rw------- 1 tstifi04 ifie2012 1520 févr. 5 13:22 .dovecot.sieve.log -rw------- 1 tstifi04 ifie2012 10336 févr. 5 10:46 .dovecot.sieve.log.0 -rw------- 1 tstifi04 ifie2012 172 janv. 31 17:56 .dovecot.svbin drwx------ 3 tstifi04 ifie2012 4096 janv. 31 17:50 sieve telegraphe5:/dev/shm# ls -al /var/mail/mailconf/t/tstifi04/sieve/rainloop.user.sieve -rw------- 1 tstifi04 ifie2012 102 janv. 31 17:50 /var/mail/mailconf/t/tstifi04/sieve/rainloop.user.sieve telegraphe5:/dev/shm# cat /var/mail/mailconf/t/tstifi04/sieve/rainloop.user.sieve # This is RainLoop Webmail sieve script. # Please don't change anything here. # RAINLOOP:SIEVE telegraphe5:/dev/shm# telegraphe5:/dev/shm# cat /var/mail/mailconf/global/sieve/after.d/spam-into-junk.sieve require ["fileinto"]; if header :is "X-Spam-Status" "Yes" { fileinto "Junk"; stop; }