There are a number of issues that can appear to be ACL issues when in fact its something else.

As other's have mentioned, AppArmor profiles and SELinux contexts can be checked and are the most common. There are ACL permissions as well if you enabled ACL (they are not enabled by default on Ubuntu server).
I've occasionally (rarely) seen some weird interactions with sockets between MDA and MTA if the permissions on the directory were not set correctly.

Additionally, if a mount permission mask is being used, that can occasionally cause similar issues as well, as is often the case with using an NTFS backing filesystem for maildir that's been mounted with unix perms.
There can also be some edge-cases with permissions in Ubuntu's flavored snap containers as well as docker containers and custom sieves.

Its difficult to say with any accuracy what is causing your issue with the information provided.

Have you increased the verbosity of the logging?

If all of the normal culprits do not stand out, maybe some others will have an idea.

As a final fallback you can always set a breakpoint and use a reverse debugger. Its not going to be performant but it will at least narrow down where the issue is coming from, and what the intermediate states were that led to the error so you can save/replicate them moving forward for resolution. Non-determinism can creep into code in a lot of different ways.

Best Regards,
N


On Tue, Aug 23, 2022 at 4:53 AM Austin Witmer <austin96@emypeople.net> wrote:
Here is the output of dovecot -n

austin@mail:~$ doveconf -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-46-generic x86_64 Ubuntu 22.04.1 LTS 
# Hostname: mail
auth_mechanisms = plain login
listen = *
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/scripts;active=/mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve
  sieve_before = /var/lib/dovecot/sieve/
  sieve_global_dir = /var/lib/dovecot/sieve/
  sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log
}
protocols = imap lmtp pop3 imap lmtp sieve pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol lmtp {
  hostname = mail.mydomain.com
  mail_plugins = " sieve"
  postmaster_address = postmaster@mydomain.com
}
protocol lda {
  mail_plugins = " sieve"
}


Austin Witmer


On Aug 20, 2022, at 12:09 PM, Austin Witmer <austin96@emypeople.net> wrote:

And no, I don’t think I am using ACL’s.

getfacl austin /mnt/volume1/mailserver/plain/maildir/
getfacl: austin: No such file or directory
getfacl: Removing leading '/' from absolute path names
# file: mnt/volume1/mailserver/plain/maildir/
# owner: austin
# group: austin
user::rwx
group::rwx
other::r--

Austin Witmer

On Aug 20, 2022, at 11:15 AM, spi <spi@nurfuerspam.de> wrote:


Am 20.08.22 um 16:52 schrieb Austin Witmer:
Hello all!

Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since
then I am periodically getting some dovecot errors like the below in
my mail log. As far as I can tell, my unix perms are just fine. What
is ACL/MAC?

Aug 20 14:41:58 mail dovecot:
imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX:
stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
<http://domain.com/user/dovecot.index.log>) failed: Permission denied
(euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC
wrong?))

And here is the listing showing the permissions for that file.

*austin@mail*:*~*$ ls -la
/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
<http://domain.com/user/dovecot.index.log>
-rwxrwxr-- 1 austin austin 15796 Aug 20 14:41
*/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
<http://domain.com/user/dovecot.index.log>*

What in the world is causing these errors, and what can I do about them?

Thanks in advance!

Austin Witmer


Do you use any ACLs? Is this just a block device mounted or do you use
any network file sharing like nfs?

ACLs you can check by 'getfacl foo'.

--
Cheers
spi