I was able to replicate your problem with 2.1.16 rev 0fa68f3a8f6c (from Stephan's auto-built packages).
I have the following configuration in 10-master.conf, and no special configuration for the service in 90-quota.conf.
| service quota-status {
|   executable = quota-status -p postfix
|   inet_listener {
|     port = 12340
|   }
|   client_limit = 1
|   user = root
| }
When I first query the quota-status service, I get the correct response:
| $ printf "recipient=test@example.org\nsize=1234\n\n" | nc 127.0.0.1 12340
| action=OK
|
But on every subsequent try, I always receive a response like this:
| $ printf "recipient=test@example.org\nsize=1234\n\n" | nc 127.0.0.1 12340
| action=DEFER_IF_PERMIT Internal error occurred. Refer to server log for more information.
|
Where the server log only says
| May 7 11:59:45 minna dovecot: quota-status(test@example.org): Error: user test@example.org: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied
Looking at the quota-status process, I notice it is not running as root, but rather as $mail_uid. It seems the service drops / changes its privileges at some point, which would explain the permission error on subsequent requests.
Setting service_count=1 for the service is not a viable workaround, as Postfix sends all policy requests for one SMTP session via one TCP connection.
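
An added example, not part of the original post and not Dovecot or Postfix code: a small policy client that repeats the request from the post either over one TCP connection (the way Postfix is described above as using the service) or over one connection per request (the way the nc test does), and reports which requests were deferred. The function names are hypothetical; host, port and recipient are the values used in the post.

```python
import socket

def build_request(recipient, size):
    """One policy request: name=value lines terminated by an empty line."""
    return f"recipient={recipient}\nsize={size}\n\n".encode()

def read_response(reader):
    """Read one reply up to its empty line and return the action value.

    Returns None if the peer closed the connection before finishing a reply."""
    action = None
    for raw in reader:
        line = raw.decode(errors="replace").rstrip("\r\n")
        if line == "":
            return action
        name, _, value = line.partition("=")
        if name == "action":
            action = value
    return None

def probe(host, port, recipient, size, count=3, reuse=True, timeout=5.0):
    """Send `count` requests and return the list of action values.

    reuse=True  -> all requests on one TCP connection
    reuse=False -> a new connection for every request"""
    actions = []
    if reuse:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                sock.makefile("rb") as reader:
            for _ in range(count):
                sock.sendall(build_request(recipient, size))
                actions.append(read_response(reader))
    else:
        for _ in range(count):
            actions += probe(host, port, recipient, size, 1, True, timeout)
    return actions

def failed_requests(actions):
    """1-based numbers of the requests that were deferred or got no reply."""
    return [i for i, a in enumerate(actions, 1)
            if a is None or a.startswith("DEFER_IF_PERMIT")]

if __name__ == "__main__":
    # Values from the post; adjust to the listener being checked.
    for reuse in (True, False):
        result = probe("127.0.0.1", 12340, "test@example.org", 1234, reuse=reuse)
        label = "one connection" if reuse else "separate connections"
        print(label, result, "failed:", failed_requests(result))
```

Run it against the listener after restarting the service, so that the first request in each run is also the first one the quota-status process handles.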