lazy_expunge mangles dovecot-acl-list
Hi,
I think I found a bug in Dovecot 2.1.17 and 2.2.13.
In our setup, sometimes ACLs stop working because "dovecot-acl-list" is replaced by an empty file. We found that lazy_expunge is connected to this.
To reproduce, create ACLs for "user1" in a folder. Put a mail in that folder and expunge it, so that the folder will be created in the "expunged" namespace.
For instance,
# cat user1/mail/mailboxes/folder/dbox-Mails/dovecot-acl user=user2 keilrwts
# cat user1/mail/dovecot-acl-list 1350914868 folder
# doveadm -f flow fetch -u "user1" 'guid' mailbox _EXPUNGED.\*
# ls -l user1/mail/dovecot-acl-list -rw------- 1 vmail vmail 0 2014-06-12 11:40 user1/mail/dovecot-acl-list
You see that we have used doveadm to list the expunged namespace, which has emptied the "dovecot-acl-list" file.
Cheers, Christoph
# 2.2.13: /usr/local/dovecot/etc/dovecot/dovecot.conf # OS: Linux 2.6.32-57-server x86_64 Ubuntu 10.04.4 LTS disable_plaintext_auth = no mail_gid = vmail mail_location = mdbox:~/mail mail_plugins = acl mail_uid = vmail namespace { inbox = no list = children location = mdbox:%%h/mail prefix = INBOX.shared.%%u. separator = . subscriptions = no type = shared } namespace default { inbox = yes location = prefix = INBOX. separator = . type = private } namespace expunged { hidden = yes list = no location = mdbox:~/mail:MAILBOXDIR=expunged:SUBSCRIPTIONS=expunged-subscriptions prefix = _EXPUNGED. separator = . subscriptions = yes } passdb { args = scheme=CRYPT username_format=%u /usr/local/dovecot/etc/dovecot/users driver = passwd-file } plugin { acl = vfile acl_shared_dict = file:/mail/shared-mailboxes lazy_expunge = _EXPUNGED. } protocols = imap pop3 service auth { unix_listener auth-userdb { group = vmail mode = 0660 } } ssl_cert = </etc/ssl/certs/dovecot.pem ssl_key = </etc/ssl/private/dovecot.pem userdb { args = /usr/local/dovecot/etc/dovecot/users driver = passwd-file } protocol imap { imap_client_workarounds = tb-extra-mailbox-sep mail_max_userip_connections = 20 mail_plugins = acl imap_acl acl }
-- Christoph Bußenius Rechnerbetriebsgruppe Informatik und Mathematik Technische Universität München
Am Donnerstag, 12. Juni 2014, 11:53:26 schrieb Christoph Bußenius:
Hi,
I think I found a bug in Dovecot 2.1.17 and 2.2.13.
In our setup, sometimes ACLs stop working because "dovecot-acl-list" is replaced by an empty file. We found that lazy_expunge is connected to this.
To reproduce, create ACLs for "user1" in a folder. Put a mail in that folder and expunge it, so that the folder will be created in the "expunged" namespace.
For instance,
# cat user1/mail/mailboxes/folder/dbox-Mails/dovecot-acl user=user2 keilrwts
# cat user1/mail/dovecot-acl-list 1350914868 folder
# doveadm -f user1w fetch -u "user1" 'guid' mailbox _EXPUNGED.\*
# ls -l user1/mail/dovecot-acl-list -rw------- 1 vmail vmail 0 2014-06-12 11:40 user1/mail/dovecot-acl-list
You see that we have used doveadm to list the expunged namespace, which has emptied the "dovecot-acl-list" file.
Hi,
tried it with dovecot-ee-2.1.17.7-1.el6 and can confirm exactly the behaviour!
Interestingly a doveadm acl debug recreates dovecot-acl-list: doveadm acl debug -u user2 user/user1/Folder ... doveadm(user2): Info: User user2 has rights: ... doveadm(user2): Error: Mailbox not found from dovecot-acl-list, rebuilding doveadm(user2): Info: User user1 found from ACL shared dict doveadm(user2): Info: Retrying after rebuilds: ...
A question because you mention 2.2.13, is acl + lazy_expunge working for you with 2.2.13???
2.2.13 fails for me completely with unknown namespace .EXPUNGED as soon as a user shares a folder. (as long as nothing is shared everything is file) Reproducible with: doveadm acl set -u user1 Folder user=user2 rights... 2.1.17: doveadm acl debug -u user2 user/user1/Folder everything is fine. 2.2.13: unknown namespace .EXPUNGED, user2 cannot login anymore.
Unfortunately I never got any feedback to this issue and therefore stick with 2.1.17 :-(
Florian
Cheers, Christoph
# 2.2.13: /usr/local/dovecot/etc/dovecot/dovecot.conf # OS: Linux 2.6.32-57-server x86_64 Ubuntu 10.04.4 LTS disable_plaintext_auth = no mail_gid = vmail mail_location = mdbox:~/mail mail_plugins = acl mail_uid = vmail namespace { inbox = no list = children location = mdbox:%%h/mail prefix = INBOX.shared.%%u. separator = . subscriptions = no type = shared } namespace default { inbox = yes location = prefix = INBOX. separator = . type = private } namespace expunged { hidden = yes list = no location = mdbox:~/mail:MAILBOXDIR=expunged:SUBSCRIPTIONS=expunged-subscriptions prefix = _EXPUNGED. separator = . subscriptions = yes } passdb { args = scheme=CRYPT username_format=%u /usr/local/dovecot/etc/dovecot/users driver = passwd-file } plugin { acl = vfile acl_shared_dict = file:/mail/shared-mailboxes lazy_expunge = _EXPUNGED. } protocols = imap pop3 service auth { unix_listener auth-userdb { group = vmail mode = 0660 } } ssl_cert = </etc/ssl/certs/dovecot.pem ssl_key = </etc/ssl/private/dovecot.pem userdb { args = /usr/local/dovecot/etc/dovecot/users driver = passwd-file } protocol imap { imap_client_workarounds = tb-extra-mailbox-sep mail_max_userip_connections = 20 mail_plugins = acl imap_acl acl }
Florian Tischler System Administrator *Johann Radon Institute for Computational and Applied Mathematics (RICAM) http://www.ricam.oeaw.ac.at/ florian.tischler@oeaw.ac.at *Industrial Mathematics Institute http://www.indmath.uni-linz.ac.at/ tischler@indmath.uni-linz.ac.at http://www.ricam.oeaw.ac.at/people/page.cgi?firstn=Florian;lastn=Tischler GPG-Key: http://www.ricam.oeaw.ac.at/gpg/florian_tischler.asc tel: +43 732 2468 5250 fax: +43 732 2468 5212
On 06/12/2014 03:06 PM, Florian Tischler wrote:
Am Donnerstag, 12. Juni 2014, 11:53:26 schrieb Christoph Bußenius: Interestingly a doveadm acl debug recreates dovecot-acl-list: doveadm acl debug -u user2 user/user1/Folder
A quick fix is to just delete all empty "dovecot-acl-list" files in a cron job. They will get recreated as soon as they are needed.
A question because you mention 2.2.13, is acl + lazy_expunge working for you with 2.2.13???
Actually we are not using 2.2 on our main mail servers. Before I reported this bug, I reproduced it with the current 2.1 and 2.2 dovecots, but I did not do much testing in these setups.
2.2.13 fails for me completely with unknown namespace .EXPUNGED as soon as a user shares a folder. (as long as nothing is shared everything is file) Reproducible with: doveadm acl set -u user1 Folder user=user2 rights... 2.1.17: doveadm acl debug -u user2 user/user1/Folder everything is fine. 2.2.13: unknown namespace .EXPUNGED, user2 cannot login anymore.
I just checked. I get the same error. As soon as user2 issues the "LIST" imap command, the imap connection is dropped and the log shows
dovecot: imap(user2): Fatal: lazy_expunge: Unknown namespace: '_EXPUNGED.'
Thanks for the warning.. At some point we would like to upgrade to 2.2 too, but we are going to need ACLs and lazy_expunge.
protocol imap { imap_client_workarounds = tb-extra-mailbox-sep mail_max_userip_connections = 20 mail_plugins = acl imap_acl acl }
Btw, to reproduce your bug, I had to add "lazy_expunge" to the imap section.
Cheers, Christoph
-- Christoph Bußenius Rechnerbetriebsgruppe Informatik und Mathematik Technische Universität München
participants (2)
-
Christoph Bußenius
-
Florian Tischler