Ubuntu 8.04LTS
Dovecot 1.2.6
Postfix 2.5.1
I'm using dovecot imap/deliver in an environment where I don't want users with shell access to reach their mail folders (partly to do with IMAP ACLs requiring open group permissions and partly to do with not wanting users to mess their mail folders / sieve configs up).
I specifically don't want to switch to a "single dovecot user" style installation.
Current config:
mail_location = maildir:/home/mail/%d/%n/Maildir
mail_privileged_group = mail
mail_access_groups = maildir
drwxrws--- 3 nobody maildir 21 2009-11-15 10:52 /home/mail
drwxrws--- 4 nobody adomain.com 30 2009-11-15 12:12 /home/mail/adomain.com/
drwxrws--- 3 auser adomain.com 20 2009-11-15 10:52 /home/mail/adomain.com/auser
drwxrws--- 3 auser adomain.com 20 2009-11-15 10:52 /home/mail/adomain.com/auser/Maildir
And so on...
As expected, IMAP and Managesieve work perfectly, but deliver fails:
Nov 15 12:48:26 s15364807 dovecot: deliver(auser@adomain.com): sieve: stat(/home/mail/adomain.com/auser/.dovecot.sieve) failed: Permission denied (using global script path in stead)
Nov 15 12:28:06 s15364807 dovecot: deliver(auser@adomain.com): stat(/home/mail/adomain.com/auser/Maildir) failed: Permission denied
Nov 15 12:28:06 s15364807 dovecot: deliver(auser@adomain.com): stat(/home/mail/adomain.com/auser/Maildir/tmp) failed: Permission denied (euid=1002(auser) egid=1001(adomain.com) missing +x perm: /home/mail)
Nov 15 12:28:06 s15364807 dovecot: deliver(auser@adomain.com): msgid=20091115122806.79A0F80034F@servername.com: save failed to INBOX: Internal error occurred. Refer to server log for more information. [2009-11-15 12:28:06]
Opening the permissions on /home/mail (6771) allows deliver to succeed, suggesting that mail_access_groups is being ignored by deliver.
As a work-around I can set /home/mail to 6771, but this is not ideal as anyone somehow guessing the directory structure could access mail of another user in the same group regardless of IMAP ACL settings. Yes, I can severely obfuscate it, but it's not secure.
I've spent about half a day trying to figure this out; I'm assuming at this point that either I'm missing something obvious or something else is wrong. Any ideas?
Peter.
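The failure in the log above is the ordinary Unix path-search check: stat() needs +x on every ancestor of the target, and deliver is running as euid 1002 / egid 1001 without the supplementary "maildir" group that would grant it group access to /home/mail. The script below is an added example (it is not from the post, nor Dovecot or Postfix code) that models that check against the directory listing in the post. The modes, owners and groups come from the listing, the uid/gid of auser and adomain.com come from the log line; the numeric ids for nobody, mail and maildir and the second user "bob" are constructed assumptions. It reproduces the blocking directory the log reports, shows that adding the maildir group to deliver's supplementary groups is enough, and shows why the 6771 work-around lets another user in the same domain group traverse into auser's Maildir.

```python
"""Simulate the kernel permission check that dovecot deliver hits when it
traverses /home/mail as the recipient user.

Added example, not code from the original post or from Dovecot/Postfix.
Modes, owners and groups come from the directory listing in the post; the
uid/gid for auser and adomain.com come from the log line (euid=1002,
egid=1001). Every other id, and the second user 'bob', is a constructed
assumption.
"""
from __future__ import annotations

import stat
from dataclasses import dataclass

UIDS = {"nobody": 65534, "auser": 1002, "bob": 1004}      # bob: constructed
GIDS = {"mail": 8, "maildir": 1003, "adomain.com": 1001}  # maildir id: assumed


@dataclass(frozen=True)
class DirEntry:
    owner: str
    group: str
    mode: int  # permission bits including setgid, e.g. 0o2770 for drwxrws---


# The tree from the post's listing: "drwxrws---" is mode 2770.
TREE = {
    "/home/mail": DirEntry("nobody", "maildir", 0o2770),
    "/home/mail/adomain.com": DirEntry("nobody", "adomain.com", 0o2770),
    "/home/mail/adomain.com/auser": DirEntry("auser", "adomain.com", 0o2770),
    "/home/mail/adomain.com/auser/Maildir": DirEntry("auser", "adomain.com", 0o2770),
}
MAILDIR_TMP = "/home/mail/adomain.com/auser/Maildir/tmp"


def has_perm(entry: DirEntry, bit: int, uid: int, gids: set[int]) -> bool:
    """Owner/group/other check as the kernel applies it to a non-root process.
    `bit` is given in its 'other' position (stat.S_IXOTH etc.) and shifted to
    the owner or group triplet that applies; only one triplet is consulted."""
    if uid == UIDS[entry.owner]:
        return bool(entry.mode & (bit << 6))
    if GIDS[entry.group] in gids:
        return bool(entry.mode & (bit << 3))
    return bool(entry.mode & bit)


def can_stat(tree: dict[str, DirEntry], path: str, uid: int, gids: set[int]) -> tuple[bool, str]:
    """stat(path) needs search (+x) on every ancestor directory; the final
    component needs no permission of its own. Returns (ok, blocking_dir)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:i])
        entry = tree.get(ancestor)
        if entry is None:
            continue  # /home is not in the listing; assume it is world-searchable
        if not has_perm(entry, stat.S_IXOTH, uid, gids):
            return False, ancestor
    return True, ""


def deliver_as_recipient(mail_access_groups: tuple[str, ...] = ()) -> tuple[bool, str]:
    """deliver running with the log's euid/egid. mail_access_groups models the
    supplementary groups Dovecot adds for IMAP; the post's log shows deliver
    did not get them, which is the () case."""
    gids = {GIDS["adomain.com"]} | {GIDS[g] for g in mail_access_groups}
    return can_stat(TREE, MAILDIR_TMP, UIDS["auser"], gids)


def other_user_reaches_auser_maildir(workaround: bool) -> tuple[bool, str]:
    """Can bob (same domain group, not in 'maildir') stat auser's Maildir/tmp?
    workaround=True applies the post's 6771 on /home/mail."""
    tree = dict(TREE)
    if workaround:
        tree["/home/mail"] = DirEntry("nobody", "maildir", 0o6771)
    return can_stat(tree, MAILDIR_TMP, UIDS["bob"], {GIDS["adomain.com"]})


if __name__ == "__main__":
    print("deliver, no access groups  :", deliver_as_recipient())
    print("deliver, +maildir group    :", deliver_as_recipient(("maildir",)))
    print("bob with 2770 on /home/mail:", other_user_reaches_auser_maildir(False))
    print("bob with 6771 on /home/mail:", other_user_reaches_auser_maildir(True))
```

The first call stops at /home/mail, exactly the directory the log names in "missing +x perm: /home/mail"; adding the maildir group clears the path because group search on /home/mail is the only bit auser lacks. The last call is the cost of the work-around: with o+x on /home/mail, any member of the domain group who knows the path can reach another user's Maildir, which is the exposure the post describes. A fix that keeps 2770 must therefore get deliver the supplementary group (or make it run with an identity that already holds it) rather than widen "other" permissions.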