On 2022-12-28 00:27, Aki Tuomi wrote:

The log service runs by default as root, not as dovecot.

Then I do not understand why there is a permissions problem at all. It is root!

If data01 is a NFS mount, then root may become squashed.

Not an NFS mount. It is local.

If you want to run log as dovecot, you can do so with

service log { user = dovecot }

Permission is still denied. Where do I find information about "status=80/n/a"?

I did not include all two of the syslog entries in the previous message: 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file /data01/var/log/dovecot.log: Permission denied 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main process exited, code=exited, status=80/n/a

-- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

On Thursday, December 29, 2022 10:17:08 PM AKST Aki Tuomi wrote:

...

On 30/12/2022 05:25 EET James Moe <moe.james@sma-inc.us> wrote: Permission is still denied. Where do I find information about "status=80/n/a"?

I did not include all two of the syslog entries in the previous message: 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file /data01/var/log/dovecot.log: Permission denied 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main process exited, code=exited, status=80/n/a

Maybe you have selinux or apparmor involved? On rhel based systems, selinux logs into /var/log/audit/audit.log, dmesg -T is another good thing to check.

Status=80 I assume is the exit code dovecot threw when it couldn't open the log file. Whatever "int main()" is programmed to return.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:

Dovecot fails to start with the error: Can't open log file /data01/var/log/dovecot.log: Permission denied That error message is typical of a simple unix permission issue, nothing to do with selinux etc.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:

Permissions: drwxrwxr-x 1 root users 104 Feb 25 2018 /data01/ drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/ drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/ drwxrwxr-x 1 dovecot users 22 Dec 27 15:47 /data01/var/log/dovecot/

"dovecot" is a member of "users".

What "permission" am I missing?

If the process isn't running with an effective group id of "users", then it cannot access that directory simply by virtue of being a member of that group. The main program has to call setegid() with the proper group id before attempting to access those files.

On Tuesday, December 27, 2022 10:27:31 PM AKST Aki Tuomi wrote:

If you want to run log as dovecot, you can do so with

service log { user = dovecot }

Maybe try something like this:

service log { user = dovecot group = users }

Otherwise you might not have the process running with the right effective group id to access the log file location by unix group permissions.

https://justina.abeja.colmena.biz/

On 30 December 2022 22:25:09 CET, James Moe <moe.james@sma-inc.us> wrote:

On 2022-12-27 16:19, James Moe wrote:

...

I changed logging to use a path rather than syslog. Doing so makes it easier to work with fail2ban. Dovecot fails to start with the error: Can't open log file /data01/var/log/dovecot.log: Permission denied

Yes, it was apparmor. It has been enabled for a couple of months. Dovecot is the first app that I've added that has a apparmor profile. After adding the necessary entry to the profile, logging proceeded as expected.

In </etc/apparmor.d/usr.sbin.dovecot> I added: owner /data01/var/log/dovecot/* a,

Hi,

When an application is denied access by AppArmor, you can see the logs in syslog.

Anyway, if that helps, have s look here:

https://github.com/progmaticltd/homebox/tree/main/roles/dovecot/templates/ap...

André.