[Dovecot] Where did the message end up?
Hi all!
Just migrated our UW-IMAP installation to Dovecot and so far so good.
Had small teething problems though which left me with one question.
The scenario was that I have a set of public folders that are only needed by the main company group (gid = company). Then there are some external users as well, not directly in the company group.
I set up the public mailbox with permissions 660, owner me and group "company". That is, the externals didn't have access to the mail folder.
At this point all looked fine, but later there was an email to an external person and this was passed on to deliver by procmail. Procmail log says all was OK, but there is an entry about the public folder not accessible in the Dovecot log. The email is nowhere to be found.
My question:
Where is the delivered email?
Best Dag
On 21.2.2012, at 14.56, Dag Nygren wrote:
Just migrated our UW-IMAP installation to Dovecot and so far so good.
Had small teething problems though which left me with one question.
The scenario was that I have a set of public folders that are only needed by the main company group (gid = company). Then there are some external users as well, not directly in the company group.
So this is in a public namespace?
I set up the public mailbox with permissions 660, owner me and group "company". That is, the externals didn't have access to the mail folder.
At this point all looked fine, but later there was an email to an external person and this was passed on to deliver by procmail. Procmail log says all was OK, but there is an entry about the public folder not accessible in the Dovecot log. The email is nowhere to be found.
Exact error message would be helpful. Was the error from deliver, or imap/pop3? If it was from deliver, it probably returned temporary failure.
Where is the delivered email?
Have you checked what happens if deliver tempfails (e.g. make procmail call tempfail.sh script that just exits with 75), does procmail also correctly tempfail and tell MTA to retry the delivery later?
On Wednesday 22 February 2012 01:32:56, Timo Sirainen wrote:
On 21.2.2012, at 14.56, Dag Nygren wrote:
Just migrated our UW-IMAP installation to Dovecot and so far so good.
Had small teething problems though which left me with one question.
The scenario was that I have a set of public folders that are only needed by the main company group (gid = company). Then there are some external users as well, not directly in the company group.
So this is in a public namespace?
Yep, it was. The definition:
namespace {
  type = public
  separator = /
  prefix = MailingLists/
  location = mdbox:/usr/local/var/mail/MailingLists
  inbox = no
  subscriptions = no # v1.1+
}
I set up the public mailbox with permissions 660, owner me and group "company". That is, the externals didn't have access to the mail folder.
At this point all looked fine, but later there was an email to an external person and this was passed on to deliver by procmail. Procmail log says all was OK, but there is an entry about the public folder not accessible in the Dovecot log. The email is nowhere to be found.
Exact error message would be helpful. Was the error from deliver, or imap/pop3? If it was from deliver, it probably returned temporary failure.
The log parts with final names and groups changed..
Deliver error:
Feb 21 10:02:24 dag dovecot: lda(extuser): Error: user extuser: Initialization failed: Namespace 'MailingLists/': stat(/usr/local/var/mail/MailingLists/mailboxes) failed: Permission denied (euid=2002(extuser) egid=2002(extgroup) missing +x perm: /usr/local/var/mail/MailingLists, euid is not dir owner)
Feb 21 10:02:24 dag dovecot: lda(extuser): Fatal: Invalid user settings. Refer to server log for more information.
Procmail log:
From mailing-1341698764359@mailpv.net Tue Feb 21 10:02:24 2012
 Subject: =?CP1250?Q?P=E4=E4si=E4issuunnitelmat?=
  Folder: deliver -d extuser -m inbox 56979
Where is the delivered email?
Have you checked what happens if deliver tempfails (e.g. make procmail call tempfail.sh script that just exits with 75), does procmail also correctly tempfail and tell MTA to retry the delivery later?
No, haven't done that yet. And I don't think it will pass on the failure code. Procmail settings are all from the HOWTO:s though.
The .forward file looks like this:
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #extuser"
And the applicable rule in .procmailrc:
:0 w
{
:0
| $DELIVERYAGENT -d $LOGNAME -m inbox
}
Have to point out that this case wasn't important, but I wouldn't like the system to lose an important mail later.
On 22.2.2012, at 9.34, Dag Nygren wrote:
Feb 21 10:02:24 dag dovecot: lda(extuser): Error: user extuser: Initialization failed: Namespace 'MailingLists/': stat(/usr/local/var/mail/MailingLists/mailboxes) failed: Permission denied (euid=2002(extuser) egid=2002(extgroup) missing +x perm: /usr/local/var/mail/MailingLists, euid is not dir owner)
Feb 21 10:02:24 dag dovecot: lda(extuser): Fatal: Invalid user settings. Refer to server log for more information.
Right, the mail wasn't delivered, LDA simply exited with tempfail. Actually v2.1.0 is the first release where you can easily configure Dovecot to simply skip the namespace when it doesn't have permission to access it:
+ Added ignore_on_failure setting for namespaces. If namespace
initialization fails with this enabled (e.g. permission denied),
the namespace is silently skipped for the user.
Where is the delivered email?
Have you checked what happens if deliver tempfails (e.g. make procmail call tempfail.sh script that just exits with 75), does procmail also correctly tempfail and tell MTA to retry the delivery later?
No, haven't done that yet. And I don't think it will pass on the failure code. Procmail settings are all from the HOWTO:s though.
The .forward file looks like this:
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #extuser"
And the applicable rule in .procmailrc:
:0 w
{
:0
| $DELIVERYAGENT -d $LOGNAME -m inbox
}
Have to point out that this case wasn't important, but I wouldn't like the system to lose an important mail later.
You should definitely make sure that procmail won't lose any mails if Dovecot LDA returns tempfailure, since they do sometimes happen. You could also get rid of procmail completely by moving to sieve.
On 22.2.2012, at 9.34, Dag Nygren wrote:
Feb 21 10:02:24 dag dovecot: lda(extuser): Error: user extuser: Initialization failed: Namespace 'MailingLists/': stat(/usr/local/var/mail/MailingLists/mailboxes) failed: Permission denied (euid=2002(extuser) egid=2002(extgroup) missing +x perm: /usr/local/var/mail/MailingLists, euid is not dir owner)
Feb 21 10:02:24 dag dovecot: lda(extuser): Fatal: Invalid user settings. Refer to server log for more information.
Right, the mail wasn't delivered, LDA simply exited with tempfail. Actually v2.1.0 is the first release where you can easily configure Dovecot to simply skip the namespace when it doesn't have permission to access it:
+ Added ignore_on_failure setting for namespaces. If namespace initialization fails with this enabled (e.g. permission denied), the namespace is silently skipped for the user.
Ok. Many thanks for answering this. I am using FC14 and dovecot 2.0.4 at the moment so I don't have that option yet. It would be nice BTW if dovecot added the exit status it used in the log if it fails?
Where is the delivered email?
Have you checked what happens if deliver tempfails (e.g. make procmail call tempfail.sh script that just exits with 75), does procmail also correctly tempfail and tell MTA to retry the delivery later?
No, haven't done that yet. And I don't think it will pass on the failure code. Procmail settings are all from the HOWTO:s though.
The .forward file looks like this:
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #extuser"
And the applicable rule in .procmailrc: :0 w
{
:0 : | $DELIVERYAGENT -d $LOGNAME -m inbox
}
Have to point out that this case wasn't important, but I wouldn't like the system to lose an important mail later.
You should definitely make sure that procmail won't lose any mails if Dovecot LDA returns tempfailure, since they do sometimes happen. You could also get rid of procmail completely by moving to sieve.
Will check the path out. Any way of forcing dovecot to return tempfail for the tests? Preferably only for one user :-)
Not familiar with sieve yet, but will for sure look into it.
Thanks again Dag
On 22.2.2012, at 10.03, Dag Nygren wrote:
It would be nice BTW if dovecot added the exit status it used in the log if it fails?
This wouldn't be very useful normally. If you see "Fatal" prefixed error from dovecot-lda, it's nearly always tempfail (75). If it crashes, the error is different, but then it wouldn't be able to log the error anyway.
Will check the path out. Any way of forcing dovecot to return tempfail for the tests? Preferably only for one user :-)
Run a script instead, something like:
#!/bin/sh
# Exit with tempfail (75) for the test user; hand everyone else to the real LDA.
if [ "$USER" = "foo" ]; then
  exit 75
else
  exec .../dovecot-lda "$@"
fi
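Added example, not part of the thread: a wrapper along the lines of the test script above that also writes the delivery agent's exit status to the log, the detail Dag asked for, and hands the status back unchanged so the caller can report a tempfail to the MTA. The names lda_wrapper, TEMPFAIL_USER, status_of and the two stub agents, as well as the log wording, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper that procmail would pipe to
# instead of calling the delivery agent directly.
# Assumption: TEMPFAIL_USER and the log wording are this example's own.
EX_TEMPFAIL=75   # sysexits.h: temporary failure, the MTA keeps the mail queued

# lda_wrapper USER CMD [ARGS...]
# Runs CMD with the message on stdin, logs the exit status to stderr and
# returns it unchanged so the caller can pass it back to the MTA.
lda_wrapper() {
    user=$1
    shift
    if [ -n "${TEMPFAIL_USER:-}" ] && [ "$user" = "$TEMPFAIL_USER" ]; then
        echo "lda-wrapper: user=$user forced tempfail status=$EX_TEMPFAIL" >&2
        return "$EX_TEMPFAIL"
    fi
    "$@"
    status=$?
    case $status in
        0)              result="delivered" ;;
        "$EX_TEMPFAIL") result="tempfail, MTA must retry" ;;
        *)              result="failed" ;;
    esac
    echo "lda-wrapper: user=$user status=$status ($result)" >&2
    return "$status"
}

# Constructed stand-ins for the delivery agent, used only for checking.
fake_lda_ok()   { cat > "$1"; }                   # stores the message, exits 0
fake_lda_fail() { cat > /dev/null; return 75; }   # reads the message, tempfails

# status_of USER CMD [ARGS...]: feed a constructed message through
# lda_wrapper and print the exit status the caller would see.
status_of() {
    rc=0
    printf 'Subject: test\n\nbody\n' | lda_wrapper "$@" 2>/dev/null || rc=$?
    echo "$rc"
}

# Demo: the caller sees the agent's tempfail, so the mail stays queued.
echo "failing agent -> status $(status_of extuser fake_lda_fail)"
```

In a real setup the stub would be replaced by the dovecot-lda command line, and stderr ends up wherever the caller (for example procmail's LOGFILE) sends it.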
participants (2): Dag Nygren, Timo Sirainen