Re: [Dovecot] started with dovecot sieve
Rolf wrote:
Doesn't lda(rolf) mean it is being executed under user "rolf", not root or dovecot?
How exactly do you invoke lda from your /etc/postfix/master.cf?
You might also try to use LMTP via TCP to deliver mails from postfix to dovecot to work around any permission problems.
I have installed dovecot and dovecot-sieve by Debian's aptitude
You don't seem to be the only one with these problems, see Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626130
Well, the master process often runs as root, but child processes like lda may be configured to run as an unprivileged user, or even as the user which owns the mailbox.
root@rolf14:/var/mail# more /etc/group | grep mail: mail:x:8:amavis,dovecot,clamav,postfix
User "rolf" is not a member of group "mail", but I don't think he needs to be, otherwise he would be able to read the mails of all users on the system and this would be a security risk.
The lda should rather switch to the owner of the respective INBOX, e.g. /var/mail/rolf. Log message "lda(rolf)" looks like this happens.
To summarize, I think LMTP will be the easiest way to fix the permission problems. Otherwise you would need to figure out how to prevent dovecot lda from switching to the additional group "mail", since unprivileged user "rolf" is not allowed to do that.
Regards, Daniel
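Daniel's two claims about group "mail" (that rolf does not need it to write his own INBOX, and that membership would let him read every user's INBOX) follow directly from the mode bits. The following is an added example, not from the thread: it evaluates the classic Unix owner/group/other rule over a constructed mbox layout that mirrors what is described (/var/mail/<user> owned by <user>:mail with mode 0660, group "mail" holding only the services quoted from /etc/group). The principal "rolf_in_mail" is the what-if of adding rolf to group "mail"; it goes beyond the thread by computing the whole access matrix.

```python
"""Unix mode-bit access evaluation for the mbox layout discussed in the thread.

Added example, not from the thread. Entries and principals are constructed to
mirror the described Debian layout: /var/mail/<user> is <user>:mail 0660, and
group "mail" holds service accounts (dovecot, postfix, ...) but no human users.
"""
from typing import NamedTuple


class Entry(NamedTuple):
    path: str
    mode: int      # permission bits only, e.g. 0o660
    owner: str
    group: str


class Principal(NamedTuple):
    user: str
    groups: frozenset  # every group the process holds (primary + supplementary)


# Constructed sample mboxes, Debian-style ownership and mode.
MBOXES = [
    Entry("/var/mail/rolf", 0o660, "rolf", "mail"),
    Entry("/var/mail/alice", 0o660, "alice", "mail"),
]

# Constructed principals: "rolf" as in the thread (private group only),
# "rolf_in_mail" is the what-if of adding him to group "mail", and
# "dovecot" is a member of "mail" as in the quoted /etc/group line.
PRINCIPALS = {
    "rolf": Principal("rolf", frozenset({"rolf"})),
    "rolf_in_mail": Principal("rolf", frozenset({"rolf", "mail"})),
    "dovecot": Principal("dovecot", frozenset({"dovecot", "mail"})),
}


def unix_access(entry, who, want):
    """Return True if `who` may perform `want` ("r", "w" or "rw") on `entry`.

    Exactly one triplet applies: owner bits if the uid matches, else group
    bits if any held group matches, else other bits. Root is not modelled.
    """
    if who.user == entry.owner:
        shift = 6
    elif entry.group in who.groups:
        shift = 3
    else:
        shift = 0
    bits = (entry.mode >> shift) & 0o7
    need = (0o4 if "r" in want else 0) | (0o2 if "w" in want else 0)
    return bits & need == need


def access_matrix():
    """Map (principal name, path) -> the subset of "rw" that is permitted."""
    matrix = {}
    for name, who in PRINCIPALS.items():
        for entry in MBOXES:
            matrix[(name, entry.path)] = "".join(
                op for op in "rw" if unix_access(entry, who, op))
    return matrix


if __name__ == "__main__":
    for (name, path), allowed in sorted(access_matrix().items()):
        print(f"{name:13} {path:17} {allowed or '-'}")
```

The owner triplet alone gives rolf read/write on /var/mail/rolf, so the lda running as rolf does not need group "mail" for the file itself; the group triplet of 0660 gives a member of "mail" read and write on every user's mbox, which is why that group is reserved for the mail services.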
On 2012-06-26 22:10, Daniel Parthey wrote:
if I switch procmail back on the input gets delivered and I can see them using roundcube as a client for dovecot.
You might also try to use LMTP via TCP to deliver mails from postfix to dovecot to work around any permission problems.
LMTP would be new to me and I fear just other hard-to-understand configuration topics. What I did as a workaround is to have a last rule in each .dovecot.sieve: fileinto "rest". It works and this way the INBOX is no longer needed.
I do not understand how they have solved the problem. Changing 0660 to 0600 for the /var/mail/user mboxes (with user:mail for user:group) does not seem to be a logical solution - I have not tried that.
Rolf wrote:
LMTP would be new to me and I fear just other hard-to-understand configuration topics.
LMTP (Lightweight Message Transfer Protocol) is really simple, similar to SMTP, but immediately returns a status code which tells whether the delivery has been successful or not.
I encourage you to read this HOWTO: http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
Dovecot listens and accepts mails on the LMTP service port, postfix delivers mails directly into this LMTP service port.
Since it is an additional service, you should be able to try it first, without interfering with your deliver functionality.
Here you can read what the LMTP communication looks like: http://de.wikipedia.org/wiki/LMTP
Regards, Daniel
On 2012-06-27 20:47, Daniel Parthey wrote:
That is - if I introduce LMTP - postfix will talk to dovecot by a different protocol. Correct? Will dovecot change its behavior? As I am not an SMTP insider (never did SMTP using telnet) I hardly understand what this change could do to my problem. Wouldn't dovecot LDA "deliver" still try to change the INBOX and will have access problems that I do not understand?
Do you have a link for me, explaining what "deliver" does with a mail that is not subject to any of the "fileinto" of a sieve filter? What user accounts are involved in that function? Why does it not work with the Debian default that a user is not a member of the group "mail" that is assigned to their INBOX? (If this is part of the problem, which I do not know for sure yet.)
Rolf wrote:
Delivery via lda: SMTP -> postfix:25 -> EXEC -> lda executed by postfix -> filesystem -> dovecot imap
Delivery via lmtp: SMTP -> postfix:25 -> TCP -> dovecot:24 -> filesystem -> dovecot imap
The difference is that postfix communicates with dovecot's lmtp port 24 and the actual delivery to the filesystem will be done by dovecot itself. Therefore you only need to ensure read/write access for dovecot to the mail filesystem.
That is - if I introduce LMTP - postfix will talk to dovecot by a different protocol. Correct?
Yes, postfix will talk LMTP to dovecot, either via a UNIX socket in the filesystem, or via local TCP network communication to a TCP socket in dovecot.
Will dovecot change its behavior?
No. The imap/pop3 service of dovecot will work as usual.
The delivery is a bit different: before being delivered to the filesystem, the message will pass through the LMTP service with quota enforcement and sieve filtering, depending on which mail modules you have enabled in dovecot.
As I am not an SMTP insider (never did SMTP using telnet) I hardly understand what this change could do to my problem.
By using LMTP via TCP, you will avoid permission problems where postfix cannot access sockets/files/mails from dovecot, since postfix will communicate via network with dovecot and dovecot will handle the delivery itself.
Wouldn't dovecot LDA "deliver" still try to change the INBOX and will have access problems that I do not understand?
Delivery will be done by the dovecot lmtp service (http://wiki2.dovecot.org/Services#lmtp); it will not be executed by postfix.
Do you have a link for me, explaining what "deliver" does with a mail that is not subject to any of the "fileinto" of a sieve filter?
I assume it writes the message to INBOX (e.g. /var/mail/rolf), which is often at a different location and possibly has other permissions than your mailboxes in your home directory where SIEVE sorts your mail into.
What user accounts are involved in that function?
Currently, dovecot lda/deliver is executed by postfix, which I see as a possible reason for the permission problems.
After switching to LMTP via TCP, only dovecot should be involved with delivery, and it drops privileges to the mailbox owner after the userdb lookup, according to http://wiki2.dovecot.org/Services#lmtp
Regards, Daniel
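Daniel's description of LMTP (a simple SMTP-like dialogue that returns a status code for each delivery) and the delivery path "postfix -> TCP -> dovecot:24" can be seen end to end in a small dialogue. The following is an added example, not code from the thread, Dovecot or Postfix: a toy LMTP (RFC 2033) server in Dovecot's role, with a constructed "userdb" and per-user quota, and a client in Postfix's role that runs one transaction over loopback and collects the per-recipient status codes. Hostnames, addresses and quota values are constructed; the server's reply texts are modelled on the style of Dovecot's, not copied from it.

```python
# Toy LMTP (RFC 2033) exchange: server in Dovecot's role, client in Postfix's. Added
# example, not code from the thread, Dovecot or Postfix; userdb, quota, hosts constructed.
import socket
import threading

KNOWN_USERS = {"rolf@example.invalid": 100, "full@example.invalid": 0}  # addr -> quota (messages)
MAILSTORE = {}  # addr -> delivered messages; stands in for the mail filesystem


def _send(conn, line):
    conn.sendall((line + "\r\n").encode())


def _read_reply(rfile):
    """Read one possibly multi-line reply; return (code, [text of each line])."""
    texts = []
    while True:
        line = rfile.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("peer closed connection")
        texts.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), texts


def handle_session(conn):
    """Server side: one LMTP session; after DATA, one reply per recipient in RCPT order."""
    rfile = conn.makefile("rb")
    _send(conn, "220 lmtp.example.invalid LMTP ready")
    rcpts = []
    while True:
        verb, _, arg = rfile.readline().decode(errors="replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("LHLO", "MAIL"):  # no per-command state needed in this toy
            _send(conn, "250 lmtp.example.invalid OK")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>").lower()
            if addr in KNOWN_USERS:  # userdb lookup succeeded
                rcpts.append(addr)
                _send(conn, "250 2.1.5 OK")
            else:
                _send(conn, "550 5.1.1 <%s> User doesn't exist" % addr)
        elif verb == "DATA":
            _send(conn, "354 End data with <CR><LF>.<CR><LF>")
            body = []
            while True:
                line = rfile.readline().decode(errors="replace")
                if not line or line.rstrip("\r\n") == ".":
                    break
                body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            for addr in rcpts:  # LMTP: exactly one status per accepted recipient
                box = MAILSTORE.setdefault(addr, [])
                if len(box) >= KNOWN_USERS[addr]:
                    _send(conn, "552 5.2.2 <%s> Quota exceeded" % addr)
                else:
                    box.append("".join(body))
                    _send(conn, "250 2.0.0 <%s> Saved" % addr)
        else:  # QUIT (or EOF): end the session
            if verb == "QUIT":
                _send(conn, "221 2.0.0 Bye")
            return


def lmtp_deliver(host, port, sender, recipients, message):
    """Client side (Postfix's role): one transaction; return {recipient: (code, text)}."""
    result, accepted = {}, []
    with socket.create_connection((host, port)) as conn:
        rfile = conn.makefile("rb")
        _read_reply(rfile)  # 220 greeting
        for cmd in ("LHLO mta.example.invalid", "MAIL FROM:<%s>" % sender):
            _send(conn, cmd)
            _read_reply(rfile)
        for rcpt in recipients:
            _send(conn, "RCPT TO:<%s>" % rcpt)
            code, text = _read_reply(rfile)
            if 200 <= code < 300:
                accepted.append(rcpt)
            else:
                result[rcpt] = (code, text[0])  # rejected at RCPT time
        if accepted:
            _send(conn, "DATA")
            _read_reply(rfile)  # 354
            for line in message.splitlines():
                _send(conn, "." + line if line.startswith(".") else line)  # dot-stuffing
            _send(conn, ".")
            for rcpt in accepted:  # one status per accepted recipient, in RCPT order
                code, text = _read_reply(rfile)
                result[rcpt] = (code, text[0])
        _send(conn, "QUIT")
        _read_reply(rfile)
    return result


def run_demo():
    """Serve one session on an ephemeral loopback port and deliver to three recipients."""
    MAILSTORE.clear()
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        with srv, srv.accept()[0] as conn:
            handle_session(conn)
    threading.Thread(target=serve, daemon=True).start()
    rcpts = ["rolf@example.invalid", "nobody@example.invalid", "full@example.invalid"]
    result = lmtp_deliver("127.0.0.1", srv.getsockname()[1], "sender@example.invalid",
                          rcpts, "Subject: test\r\n\r\n.leading dot needs stuffing\r\n")
    return result, {k: list(v) for k, v in MAILSTORE.items()}
```

Calling `run_demo()` yields 250 for rolf, 550 for the unknown user (refused at RCPT time, before any data is sent) and 552 for the over-quota user (refused after DATA, while rolf's copy is still saved), which is the per-recipient feedback an exec'ed LDA cannot give Postfix. In the real deployment the server role is Dovecot's lmtp service and the client role is Postfix's lmtp transport; the thread's HOWTO link covers that configuration.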