Appears to be an SELinux issue. I checked it out with audit2allow and discovered several items that needed tweaking. Here is the result of my te file:
# cat DovecotDelivery.te
module DovecotDelivery 1.0;

require {
        type sysadm_passwd_t;
        type postfix_spool_t;
        type user_home_dir_t;
        type dovecot_auth_t;
        type user_home_t;
        type var_spool_t;
        type dovecot_t;
        type mysqld_etc_t;
        type dovecot_var_run_t;
        type mysqld_port_t;
        type system_mail_t;
        class process setcap;
        class tcp_socket name_connect;
        class dir { search setattr };
        class file { rename execute read lock write getattr unlink };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t mysqld_etc_t:file { read getattr };
allow dovecot_auth_t mysqld_port_t:tcp_socket name_connect;

#============= dovecot_t ==============
allow dovecot_t dovecot_var_run_t:dir setattr;
allow dovecot_t self:process setcap;
allow dovecot_t user_home_dir_t:file { rename write getattr read lock unlink };

#============= sysadm_passwd_t ==============
allow sysadm_passwd_t postfix_spool_t:dir search;
allow sysadm_passwd_t var_spool_t:dir search;

#============= system_mail_t ==============
allow system_mail_t user_home_t:file execute;
Some of that is left over from a previous attempt to get this working. It all seems to be fine once I load that module.
-Geoff
From: Timo Sirainen [tss@iki.fi]
Sent: Wednesday, December 23, 2009 1:26 PM
To: Geoff Sweet
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] Permissions errors while reading messages via IMAP
On Wed, 2009-12-23 at 13:13 -0800, Geoff Sweet wrote:
and as you can see, the files in the delivery location have the correct permissions for being delivered by user "vmail":

# ls -la
total 64
-rw------- 1 vmail vmail 572 Dec 23 11:51 dovecot.index.log
What about this:
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)
Is that file also owned by vmail:vmail? The error message shows that the vmail user doesn't have read access to the file. If that file is also owned by vmail, I have only two ideas:
a) You have multiple vmail users. See that ls -ln shows the uids to be actually 5000 and not something else.
b) SELinux or something similar is preventing the access to the files.
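Timo's two checks, written out as an added diagnostic that is not part of the thread: it parses the Dovecot denial line quoted above, then compares the euid/egid in it against numeric file ownership and mode bits (what `ls -ln` shows). If the discretionary bits already grant the access, the remaining suspect is a mandatory layer such as SELinux, which is what Geoff's audit2allow run confirmed.

```python
import os
import re
import stat

# Constructed copy of the Dovecot error line quoted in the thread.
LOG_LINE = (
    "Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): "
    "open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) failed: "
    "Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: "
    "/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)"
)

# Matches the "(euid=N(name) egid=N(name) missing +X perm: path)" tail Dovecot appends.
PATTERN = re.compile(
    r"failed: Permission denied \(euid=(?P<euid>\d+)\([^)]*\) "
    r"egid=(?P<egid>\d+)\([^)]*\) "
    r"missing \+(?P<perm>[rwx]) perm: (?P<path>\S+)\)"
)

def parse_denial(line):
    """Return the numeric euid/egid, the missing permission and the path, or None."""
    m = PATTERN.search(line)
    if not m:
        return None
    return {"euid": int(m["euid"]), "egid": int(m["egid"]),
            "perm": m["perm"], "path": m["path"]}

def classify(denial, owner_uid, owner_gid, mode):
    """Check (a): does the numeric owner match the euid, and do the DAC mode bits grant
    the missing permission?  If they do not, the denial is explained by ordinary
    permissions ('dac').  If they do, check (b) applies: a MAC layer such as SELinux
    is the remaining explanation ('mac')."""
    bit = {"r": 4, "w": 2, "x": 1}[denial["perm"]]
    if owner_uid == denial["euid"]:
        granted = (mode >> 6) & bit          # owner class
    elif owner_gid == denial["egid"]:
        granted = (mode >> 3) & bit          # group class
    else:
        granted = mode & bit                 # other class
    return "mac" if granted else "dac"

def check_file(denial):
    """Same check against a real file on the server (the path from the log line)."""
    st = os.stat(denial["path"])
    return classify(denial, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
```

A result of "mac" means the next place to look is the audit log's AVC records, the same input Geoff fed to audit2allow. A generated module is only as tight as the denials it was built from, so rules such as `allow system_mail_t user_home_t:file execute` deserve a second look before loading.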