Dovecot sync stopped working since 2.3.18-r1 when .maildir has 700 permissions
Hello,
Since upgrading to dovecot 2.3.18-r1 my sync setup using replicator plugin stopped working. It seems there is a problem accessing a .maildir with 700 permissions, only accessible by the owner. Everything worked fine prior to this version and I made no configuration changes.
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.19 (4eae2f79) # OS: Linux 5.10.74-gentoo x86_64 Gentoo Base System release 2.8 # Hostname: www.example.com auth_mechanisms = plain login auth_username_format = %Ln doveadm_password = # hidden, use -P to show it hostname = www.example.xom listen = * login_greeting = Dovecot ready. mail_location = maildir:~/.maildir mail_plugins = notify replication managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify vnd.dovecot.pipe namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = * driver = pam } plugin { mail_replica = tcps:www.example.com:8000 sieve = file:~/sieve;active=~/.dovecot.sieve sieve_extensions = +notify +imapflags +vnd.dovecot.pipe sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe sieve_plugins = sieve_extprograms } postmaster_address = postmaster@example.com protocols = imap lmtp sieve service aggregator { fifo_listener replication-notify-fifo { mode = 0666 } unix_listener replication-notify { mode = 0666 } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } } service doveadm { inet_listener { port = 8000 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0600 } } ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_client_ca_dir = /etc/ssl/certs ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it userdb { driver = passwd } protocol lmtp { mail_plugins = notify replication sieve postmaster_address = postmaster@example.com } protocol lda { mail_plugins = notify replication sieve } local_name mail.example.com { ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_key = # hidden, use -P to show it } local_name example.com { ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_key = # hidden, use -P to show it }
-- roughgrain.com - Mastering Mentoring +447780565902
Hello,
Please accept my apologies for not giving all the details in the original bug report. After further testing, I need to add that it is not the permissions of .mailder that cause doveadm to fail. It fails because the .maildir is a FUSE mount with access to all other users, including potentially untrusted root, restricted. This configuration worked fine until 2.3.18-r1. Has the context under which doveadm runs changed? Is there a way to make it run as the user?
roughgrain.com - Mastering Mentoring +447780565902
On 17/07/2022 11:20, Martin Kuchta wrote:
Hello,
Since upgrading to dovecot 2.3.18-r1 my sync setup using replicator plugin stopped working. It seems there is a problem accessing a .maildir with 700 permissions, only accessible by the owner. Everything worked fine prior to this version and I made no configuration changes.
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.19 (4eae2f79) # OS: Linux 5.10.74-gentoo x86_64 Gentoo Base System release 2.8 # Hostname: www.example.com auth_mechanisms = plain login auth_username_format = %Ln doveadm_password = # hidden, use -P to show it hostname = www.example.xom listen = * login_greeting = Dovecot ready. mail_location = maildir:~/.maildir mail_plugins = notify replication managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify vnd.dovecot.pipe namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = * driver = pam } plugin { mail_replica = tcps:www.example.com:8000 sieve = file:~/sieve;active=~/.dovecot.sieve sieve_extensions = +notify +imapflags +vnd.dovecot.pipe sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe sieve_plugins = sieve_extprograms } postmaster_address = postmaster@example.com protocols = imap lmtp sieve service aggregator { fifo_listener replication-notify-fifo { mode = 0666 } unix_listener replication-notify { mode = 0666 } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } } service doveadm { inet_listener { port = 8000 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0600 } } ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_client_ca_dir = /etc/ssl/certs ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it userdb { driver = passwd } protocol lmtp { mail_plugins = notify replication sieve postmaster_address = postmaster@example.com } protocol lda { mail_plugins = notify replication sieve } local_name mail.example.com { ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_key = # hidden, use -P to show it } local_name example.com { ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_key = # hidden, use -P to show it }
-- roughgrain.com - Mastering Mentoring +447780565902
participants (1)
-
Martin Kuchta