[Dovecot] Sieve file permission problem
Hi folks,
I am using dovecot 2.1.7 with the ManageSieve plugin which works great. Recently I set up Afterlogic webmail on my server (the community version) and it has a nice UI to manage the sieve settings. It uses port 2000 to communicate with dovecot via the ManageSieve plugin. Also, dovecot uses Maildirs to store the messages.
The problem is that the permissions on the files that store the sieve rules are too strict. I am talking about the "sieve" directory and the .dovecot.sieve file. The sieve folder has a chmod 700 and the .dovecot.sieve is chmod 600. Both are owned by vmail:mail.
If I delete these two items, then the rules can be saved via the web interface. Then these files are created but for some reason the ManageSieve plugin can't modify them.
Here is the output of dovecot -n: http://pastebin.com/4eqyBKCA
Can you help me out on this?
Thanks a lot! Zoltan
Please provide permission details of the affected directories and files and possibly error messages from dovecot logfile.
Regards Daniel
Thanks for the answer, I'm not sure what you mean by the additional permission details. Here is a quick example:
/var/mail/domainname.hu/zolcsi
    chmod: 700, owner: vmail:mail
After I set the initial sieve filters, the following file and directory get created:
/var/mail/domainname.hu/zolcsi/sieve (directory)
    chmod: 700, owner: vmail:mail
/var/mail/domainname.hu/zolcsi/.dovecot.sieve (symlink to the sieve/sieve.sieve file)
    chmod: 600, owner: vmail:mail
After these two are created then the webmail can't modify them unless I delete the files manually.
I looked in the mail.log and mail.err files, but couldn't find anything related to this. Perhaps if I set the log level to a higher value?
Or is it possible to connect via telnet to port 2000 and issue some commands to see the actual answers of the ManageSieve server?
Best regards, Zoltan
On Thu, 20 Jun 2013, Zoltan Lippai wrote:
> Thanks for the answer, I'm not sure what you mean by the additional permission details. Here is a quick example:
> /var/mail/domainname.hu/zolcsi
>     chmod: 700, owner: vmail:mail
> After I set the initial sieve filters, the following file and directory get created:
> /var/mail/domainname.hu/zolcsi/sieve (directory)
>     chmod: 700, owner: vmail:mail
> /var/mail/domainname.hu/zolcsi/.dovecot.sieve (symlink to the sieve/sieve.sieve file)
>     chmod: 600, owner: vmail:mail
> After these two are created then the webmail can't modify them unless I delete the files manually.
> Or is it possible to connect via telnet to port 2000 and issue some commands to see the actual answers of the ManageSieve server?
Er, below you've written that "It uses port 2000 to communicate with dovecot via the ManageSieve plugin." Now you write "webmail can't modify them" ... So it seems that the webmail is not using port 2000??
If the UI is using the ManageSieve port, all should work fine, once the files are deleted and only Pigeonhole (Dovecot Sieve & ManageSieve) accesses the files directly.
To test via telnet:
    $ perl -e 'use MIME::Base64; print encode_base64(join("\0", @ARGV)), "\n" ' account account 'pwd'
    $ gnutls-cli -p 2000 --starttls localhost
    STARTTLS
    ^D
    Authenticate "PLAIN" "<<output from perl>>"
    CAPABILITY
    HAVESPACE "myscript" 999999
    Putscript "foo" {31+}
    #comment
    InvalidSieveCommand

    Putscript "mysievescript" {110+}
    require ["fileinto", "envelope"];
    if envelope :contains "to" "tmartin+sent" {
      fileinto "INBOX.sent";
    }

    Getscript "mysievescript"
    Deletescript "mysievescript"
    setactive "mysievescript"
gnutls allows you to use STARTTLS; the number in PutScript's {#+} specifies the number of bytes following the putscript line, that makes up the script, which must be encoded as UTF8.
If you know Perl, check out http://search.cpan.org/~ska/Net-ManageSieve-0.12/lib/Net/ManageSieve.pm;
or maybe http://search.cpan.org/~mdom/App-Siesh-0.21/bin/siesh "interactive sieve shell"
Steffen Kaiser
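The two values that are easy to get wrong in the manual session above are the SASL PLAIN token and the byte count in PutScript's literal. The following is an added example, not part of the original post: the function names, the `UMLAUT` script and the credentials are constructed for illustration, and it assumes the script is sent with CRLF line endings (which is what makes the "foo" script 31 bytes).

```python
import base64


def plain_token(authzid, authcid, password):
    """SASL PLAIN response: authzid NUL authcid NUL password, base64-encoded."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def to_wire(script):
    """Normalise line endings to CRLF and encode the script as UTF-8."""
    lines = script.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join(lines).encode("utf-8")


def putscript(name, script):
    """Frame PUTSCRIPT with a non-synchronising literal: {<byte count>+}."""
    if any(c in name for c in '"\\\r\n'):
        raise ValueError("script name would need escaping")
    body = to_wire(script)
    head = 'PUTSCRIPT "%s" {%d+}\r\n' % (name, len(body))
    return head.encode("utf-8") + body + b"\r\n"


# The deliberately invalid script from the session above: 31 bytes with CRLF.
BROKEN = "#comment\nInvalidSieveCommand\n"
# Constructed script with a non-ASCII folder name: byte count != character count.
UMLAUT = 'require ["fileinto"];\nfileinto "Größe";\n'

if __name__ == "__main__":
    # Constructed credentials, same placeholders as the perl one-liner.
    print('AUTHENTICATE "PLAIN" "%s"' % plain_token("account", "account", "pwd"))
    for name, script in (("foo", BROKEN), ("umlaut", UMLAUT)):
        wire = to_wire(script)
        print(putscript(name, script).decode("utf-8"), end="")
        print("# %d characters, %d bytes" % (len(wire.decode("utf-8")), len(wire)))
```

A server that receives a literal count smaller or larger than the bytes actually sent will misparse the following command, so a client that counts characters instead of bytes fails only on scripts containing non-ASCII text.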
> Er, below you've written that "It uses port 2000 to communicate with dovecot via the ManageSieve plugin." Now you write "webmail can't modify them" ... So it seems that the webmail is not using port 2000??
Sorry, I meant that it can't modify the rules via ManageSieve. I'm pretty sure that the webmail is using the ManageSieve server and not modifying the files directly, because I only had to set the host and port for the Sieve server. I tried to modify the sieve scripts by telnetting into the ManageSieve server and it succeeded, so at this point I'm really not sure what might be wrong here. I will try to debug the communication between the webmail and the sieve server, I believe that holds the key to the solution.
Finally I have found out what is causing the problem, it is a known issue with ManageSieve: http://dovecot.org/pipermail/dovecot/2012-September/085585.html
Unfortunately the Ubuntu repository has the buggy version, I just filed a bug report to upgrade it. Hopefully they will do that, otherwise I might have to install dovecot from source.
On 20.06.2013 at 10:16, Zoltan Lippai wrote:
> Thanks for the answer, I'm not sure what you mean by the additional permission details. Here is a quick example:
> /var/mail/domainname.hu/zolcsi
>     chmod: 700, owner: vmail:mail
> After I set the initial sieve filters, the following file and directory get created:
> /var/mail/domainname.hu/zolcsi/sieve (directory)
>     chmod: 700, owner: vmail:mail
> /var/mail/domainname.hu/zolcsi/.dovecot.sieve (symlink to the sieve/sieve.sieve file)
>     chmod: 600, owner: vmail:mail
> After these two are created then the webmail can't modify them unless I delete the files manually.
> I looked in the mail.log and mail.err files, but couldn't find anything related to this. Perhaps if I set the log level to a higher value?
> Or is it possible to connect via telnet to port 2000 and issue some commands to see the actual answers of the ManageSieve server?
> Best regards, Zoltan
Try if you can modify your sieve script when connecting with Thunderbird Sieve Extension to your MANAGESIEVE port 4190 or 2000.
Can Afterlogic webmail be configured to use MANAGESIEVE protocol or does it write directly to the filesystem from the webserver user (which might be different from vmail, e.g. apache)?
Regards Daniel
Dipl.-Inf. Daniel Parthey
System Engineer
Metaways Infosystems GmbH
Pickhuben 2, D-20457 Hamburg
E-Mail: d.parthey@metaways.de
Web: http://www.metaways.de
Tel: +49 (0)40 317031-537 Fax: +49 (0)40 317031-937
Metaways Infosystems GmbH - Registered office: D-22967 Tremsbüttel
Commercial register: Amtsgericht Lübeck HRB 4508 AH
Management: Hermann Thaele, Lüder-H.Thaele
On 6/20/2013 4:16 AM, Zoltan Lippai wrote:
> Thanks for the answer, I'm not sure what you mean by the additional permission details.
If you have SELinux in Enforcing mode, you should also look at using "ls -lZ" to get the file context.
You can also use "sealert -a /var/log/audit/audit.log" to see whether dovecot or anything else is throwing AVC exceptions that need to be addressed.
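To collect the permission details asked for earlier in the thread in one pass, the following added example (not code from any of the posters or from Dovecot; the function names and the sample layout are constructed here) reports mode and numeric owner for the mail home, the sieve directory and the active script, and flags anything looser than the 700/600 layout described above. It resolves .dovecot.sieve first, because access is checked against the symlink's target, not against the link itself.

```python
import os
import stat


def describe(path):
    """lstat-based facts for one path: octal mode and numeric owner."""
    st = os.lstat(path)
    return {"path": path, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}


def audit_sieve_home(home):
    """Report mode/owner of the mail home, sieve/ and the active script,
    and list anything that is group/other-accessible or differently owned."""
    home = os.path.realpath(home)
    link = os.path.join(home, ".dovecot.sieve")
    paths, findings = [home, os.path.join(home, "sieve")], []
    if os.path.islink(link):
        target = os.path.realpath(link)
        if os.path.commonpath([target, home]) != home:
            findings.append(f"{link}: resolves outside the mail home: {target}")
        elif not os.path.exists(target):
            findings.append(f"{link}: dangling symlink to {target}")
        else:
            paths.append(target)
    elif os.path.exists(link):
        paths.append(link)
    facts = [describe(p) for p in paths if os.path.lexists(p)]
    for f in facts:
        if f["mode"] & 0o077:
            findings.append(f"{f['path']}: mode {f['mode']:o} is open to group/other")
        if (f["uid"], f["gid"]) != (facts[0]["uid"], facts[0]["gid"]):
            findings.append(f"{f['path']}: owner differs from the mail home")
    return facts, findings


def make_sample_home(root):
    """Constructed layout matching the thread: 700 dirs, 600 script, symlink."""
    home = os.path.join(root, "zolcsi")
    os.makedirs(os.path.join(home, "sieve"))
    script = os.path.join(home, "sieve", "sieve.sieve")
    with open(script, "w") as fh:
        fh.write("# constructed sample\n")
    os.symlink(os.path.join("sieve", "sieve.sieve"), os.path.join(home, ".dovecot.sieve"))
    for path, mode in ((home, 0o700), (os.path.join(home, "sieve"), 0o700), (script, 0o600)):
        os.chmod(path, mode)
    return home
```

On a real server, call `audit_sieve_home()` on the user's mail home as the mail user (vmail in this thread) or as root; any other account cannot stat inside a 700 directory.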