• Timo Sirainen <tss@iki.fi> 2015.09.08 12:20:

How does the PublicMailboxAdmins group get set? Looks to me like the problem is that it's not getting set to doveadm. Here's an easy way to check if that's the problem or something else: http://hg.dovecot.org/dovecot-2.2/rev/500e8dd7a389

If that doesn't help: Show your full doveconf -n, set auth_debug=yes and mail_debug=yes and show the debug logs for IMAP login and doveadm. There's a difference somewhere in there.

$ doveadm mailbox create -u tlx@leuxner.net Public/Archive/Mailing-Lists/Dovecot/2015 doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied

Both debug levels raised, it doesn't log about the problem when using doveadm. I guess the patch is not enough:

Sep 8 13:19:07 nihlus dovecot: auth: Debug: master in: USER#0111#011tlx@leuxner.net#011service=doveadm Sep 8 13:19:07 nihlus dovecot: auth: Debug: passwd-file(tlx@leuxner.net): userdb cache miss Sep 8 13:19:07 nihlus dovecot: auth: Debug: passwd-file /var/vmail/auth.d/leuxner.net/passwd: Read 1 users in 0 secs Sep 8 13:19:07 nihlus dovecot: auth: Debug: passwd-file(tlx@leuxner.net): lookup: user=tlx@leuxner.net file=/var/vmail/auth.d/leuxner.net/passwd Sep 8 13:19:07 nihlus dovecot: auth: Debug: userdb out: USER#0111#011tlx@leuxner.net#011uid=5000#011gid=5000#011home=/var/vmail/domains/leuxner.net/tlx#011quota_rule=*:storage=5G#011acl_groups=PublicMailboxAdmins

With IMAP it is more talkative:

3 create "Public/Archive/Mailing-Lists/Dovecot/2015"

Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Added userdb setting: plugin/acl_groups=PublicMailboxAdmins Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Added userdb setting: plugin/quota_rule=*:storage=5G Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Effective uid=5000, gid=5000, home=/var/vmail/domains/leuxner.net/tlx Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Quota root: name=user backend=dict args=:file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Quota rule: root=user mailbox=* bytes=5368709120 messages=0 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Quota rule: root=user mailbox=Trash bytes=+536870912 (10%) messages=0 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Quota grace: root=user bytes=536870912 (10%) Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: dict quota: user=tlx@leuxner.net, uri=file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota, noenforcing=0 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox, index=, indexpvt=, control=, inbox=, alt= Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: owner = 1 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox /public Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt= Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: owner = 0 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt= Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: owner = 1 Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl Sep 8 13:07:13 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/domains/leuxner.net/tlx/mdbox/mailboxes/dovecot-acl not found Sep 8 13:07:13 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace : Using permissions from /var/vmail/domains/leuxner.net/tlx/mdbox: mode=0700 gid=default Sep 8 13:07:13 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=default

Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace Public/: /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015 doesn't exist yet, using default permissions Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/dbox-Mails/dovecot-acl not found Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*' Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found

2.2.18 (500e8dd7a389): /etc/dovecot/dovecot.conf

Pigeonhole version 0.4.8

OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.2

auth_cache_size = 16 k auth_debug = yes auth_verbose = yes deliver_log_format = msgid=%m, time=%{delivery_time}ms, status=%$ hostname = host.domain.tld imap_hibernate_timeout = 1 mins imap_id_log = * imap_logout_format = in=%i out=%o hdr=%{fetch_hdr_count} body=%{fetch_body_count} del=%{deleted} exp=%{expunged} trash=%{trashed} mail_debug = yes mail_location = mdbox:~/mdbox mail_plugins = acl quota stats zlib virtual mailbox_list_index = yes namespace { list = yes location = mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public prefix = Public/ separator = / subscriptions = no type = public } namespace { location = virtual:~/mdbox/virtual prefix = Virtual/ separator = / } namespace inbox { hidden = no inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = separator = / type = private } passdb { args = username_format=%u /var/vmail/auth.d/%d/passwd driver = passwd-file } plugin { acl = vfile:/var/vmail/conf.d/%d/global-acl:cache_secs=300 mail_log_events = expunge mailbox_delete quota = dict:user::file:%h/mdbox/dovecot-quota quota_grace = 10%% quota_rule = *:storage=1GB quota_rule2 = Trash:storage=+10%% quota_status_nouser = DUNNO quota_status_success = DUNNO sieve = file:~/sieve;active=~/.dovecot.sieve sieve_global_dir = /var/vmail/conf.d/%d/sieve stats_refresh = 30s stats_track_cmds = yes zlib_save = gz zlib_save_level = 6 } protocols = " imap lmtp" quota_full_tempfail = yes service auth-worker { unix_listener auth-worker { user = doveauth } user = doveauth } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } user = doveauth } service imap-hibernate { unix_listener imap-hibernate { user = vmail } } service imap-login { inet_listener imap { address = 1.2.3.4 port = 143 reuse_port = yes } inet_listener imaps { port = 0 } process_min_avail = 8 } service imap { unix_listener imap-master { user = dovecot } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0660 user = postfix } } service quota-status { client_limit = 1 executable = quota-status -p postfix unix_listener /var/spool/postfix/private/quota-status { group = postfix mode = 0660 user = postfix } } service stats { fifo_listener stats-mail { mode = 0600 user = vmail } } ssl_ca = </etc/ssl/certs/Comodo_RSA_Domain_Validation_SHA-2_Intermediates_CA_Bundle.crt ssl_cert = </etc/ssl/certs/host_domain_tld.crt ssl_dh_parameters_length = 2048 ssl_key = </etc/ssl/private/host_domain_tld.key ssl_protocols = !SSLv2 !SSLv3 syslog_facility = local1 userdb { args = username_format=%u /var/vmail/auth.d/%d/passwd driver = passwd-file } verbose_proctitle = yes protocol lmtp { mail_plugins = acl quota stats zlib virtual sieve } protocol imap { mail_max_userip_connections = 20 mail_plugins = acl quota stats zlib virtual mail_log notify imap_acl imap_quota imap_stats }

• Timo Sirainen <tss@iki.fi> 2015.09.08 14:28:

...

Both debug levels raised, it doesn't log about the problem when using doveadm. I guess the patch is not enough:

With doveadm you need to give -D parameter for it to log debug output.

Comparing this to the previous imap log it does seem to ignore the global ACL pattern:

$ doveadm -D mailbox create -u tlx@leuxner.net Public/Archive/Mailing-Lists/Dovecot/2015 Debug: Loading modules from directory: /usr/lib/dovecot/modules Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so Debug: Module loaded: /usr/lib/dovecot/modules/lib20_virtual_plugin.so Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so Debug: Module loaded: /usr/lib/dovecot/modules/lib90_stats_plugin.so Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message) Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_sieve_plugin.so Debug: Skipping module doveadm_fts_lucene_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_lucene_plugin.so: undefined symbol: lucene_index_iter_deinit (this is usually intentional, so just ignore this message) Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_backend_rescan (this is usually intentional, so just ignore this message) doveadm(tlx@leuxner.net): Debug: auth input: tlx@leuxner.net quota_rule=*:storage=5G acl_groups=PublicMailboxAdmins uid=5000 gid=5000 home=/var/vmail/domains/leuxner.net/tlx doveadm(tlx@leuxner.net): Debug: Added userdb setting: plugin/acl_groups=PublicMailboxAdmins doveadm(tlx@leuxner.net): Debug: Added userdb setting: plugin/quota_rule=*:storage=5G doveadm(tlx@leuxner.net): Debug: Effective uid=5000, gid=5000, home=/var/vmail/domains/leuxner.net/tlx doveadm(tlx@leuxner.net): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled doveadm(tlx@leuxner.net): Debug: Quota root: name=user backend=dict args=:file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota doveadm(tlx@leuxner.net): Debug: Quota rule: root=user mailbox=* bytes=5368709120 messages=0 doveadm(tlx@leuxner.net): Debug: Quota rule: root=user mailbox=Trash bytes=+536870912 (10%) messages=0 doveadm(tlx@leuxner.net): Debug: Quota grace: root=user bytes=536870912 (10%) doveadm(tlx@leuxner.net): Debug: dict quota: user=tlx@leuxner.net, uri=file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota, noenforcing=0 doveadm(tlx@leuxner.net): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox, index=, indexpvt=, control=, inbox=, alt= doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300 doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net doveadm(tlx@leuxner.net): Debug: acl: owner = 1 doveadm(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl doveadm(tlx@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt= doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300 doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net doveadm(tlx@leuxner.net): Debug: acl: owner = 0 doveadm(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl doveadm(tlx@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt= doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300 doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net doveadm(tlx@leuxner.net): Debug: acl: owner = 1 doveadm(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/dovecot-acl not found doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied