Hi Stephan,

Normally, Dovecot permission errors are more helpful than that. So, this error message in itself is a bit of a bug:

I'm glad to h've been able to help with this beta-test ;-)

About the cause of this error: keep in mind that the whole directory path needs read/execute permission, not only the leaf directory.

Have checked. They are...

You could try a command other than LISTSCRIPTS in your manual debugging efforts. That should take a different code path that provides a more detailed error.

I tried:

PUTSCRIPT "hutsefluts" {6+} keep;

Gives the same result:

Feb 10 15:43:26 p150 dovecot[2042]: managesieve(rogier): Error: sieve: file storage: save: open(/home/rogier/sieve/tmp/hutsefluts_1486737806.M728733P6414.p150.sieve) failed: Permission denied

I have put a script named "std.sieve" in the sieve directory manually. Then the GETSCRIPT command gives some more information:

Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Debug: sieve: file script: Opened script std' from /home/rogier/sieve/std.sieve' Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Error: sieve: file script: Failed to open sieve script: open(/home/rogier/sieve/std.sieve) failed: Permission denied (euid=1000(rogier) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))

So the UNIX permissions seem not to be the problem. The mentioning of ACL made me look into the audit.log. There I found this:

type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/std.sieve" pid=6414 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 success=no exit=-13 a0=55e8920917d8 a1=0 a2=7fff73b41a14 a3=65766569732f7265 items=0 ppid=1861 pid=6414 auid=429 4967295 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="managesieve" exe="/usr/lib/dovecot/managesieve" key=(null) type=UNKNOWN[1327] msg=audit(1486738207.203:354): proctitle="dovecot/managesieve"

Looks like AppArmor says NO... Does the apparmor profile for managesieve account for this or any other script store location? Or is the user expected to tweak apparmor profiles in such cases? Then I have to figure out how...

Regards, Rogier

Op 2/11/2017 om 3:24 PM schreef dovelist:

OK, I've figured it out:

In the dovecot profile for apparmor the sieve directory is not confgured. I solved it this way:

To configure only one directory in the apparmor profile, I placed the active-script link inside the .sieve directory. Keeping the scripts separate in a store subdirectory, like this: In /etc/dovecot/conf.d/90-sieve.conf :

sieve = file:~/.sieve/store;active=~/.sieve/active.sieve

Then dovecot is granted access by adding the .sieve directory in the apparmor profile. The dovecot file in the tunables directory seems to be a neat way to that: In /etc/apparmor.d/tunables/dovecot :

@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ /var/spool/mail/ @{HOME}/.sieve/

Ofcourse the .sieve directory is not really a MAILSTORE. But this way, the configuration stays close to the defaults. I didn't find something like DOVECOT_SIEVESTORE, which would be more appropriate.

After restart of apparmor and dovecot, it works!

@Stephan: thanks for the advice - it did help to pinpoint the problem!

I have no experience with AppArmor. I assume these profile configuration files are created by the packagers for your distribution. You could talk to them to get this fixed in general.

Regards,

Stephan.

On 01/11/2018 11:49 AM, Aki Tuomi wrote:

On 11.01.2018 11:45, CP wrote:

...

Hello list,

I'm trying to setup sieve on a Debian 9 install with virtual users. Perhaps I'm getting old, but I can't figure out why managesieve is not working for virtual users. I have about 20 v users on this machine and only one has also a real unix account. The sieve rules work for this single unix account  but not for any other account. I have read tried various HOWTO's found on the net like this :

https://forum.vestacp.com/viewtopic.php?t=11363

but nothing is working for my case, so something is wrong in my setup and I hope you guys might shed some light . The setup is rather simple it's 20 v users with one public folder , I have tried both dovecot lda and lmtp .

doveconf -n  included

Thanks in advance for any help Hi!

Can you enable mail_debug=yes in dovecot config and see what Sieve says for those rules. Also can you provide sieve rules. The sieve rules in your config file are per-user rules, managesieved does not actually do sieve processing, but provides ability to manage sieve rules remotely.

Aki

I have already done it but I can't really tell what I 'm supposed to see in the log

this is a line for a message without matching rule :

Jan 09 23:07:48 lda(xxxx@xxxxxx.xxx): Info: sieve: msgid=849d7f91-fdd3-4c07-8039-9e00acfefd2e_2961dc3c-f238-4f72-ad8e-02b1c779e6b5@SYSTEM5.de.local: stored mail into mailbox 'INBOX'

and this with a working rule:

Jan 10 01:00:04 lda(xxxx@xxxxxx.xxx): Info: sieve: msgid=20180109230004.1BC1344773@xxx.xxxxx.xxx: stored mail into mailbox 'INBOX/Postfix'

both are with lda delivery

and with lmtp :

Jan 11 01:00:04 lmtp(xxxx@xxxxxx.xxx): Info: QVkQD/SaVloKFQAAyyBr5g: sieve: msgid=20180110230003.D577A42C77@xxx.xxxxxx.xxx: stored mail into mailbox 'INBOX/Postfix' Jan 11 01:00:04 lmtp(5386): Info: Disconnect from local: Successful quit

The rule is pretty simple actually :

require ["fileinto"]; # rule:[Bad] if header :is "subject" "Bad Filename Detected" { fileinto "INBOX/BAD"; stop; } # rule:[postfix] if allof (header :is "subject" "Postfix Dailly logcheck") { fileinto "INBOX/Postfix"; stop; }

And this is a sample rule from a v user that doesn't work :

require ["fileinto"]; # rule:[1] if  header :is "from" "xxx@xxxxxxx.com" { fileinto "INBOX/9 - 1"; }

The thing is I expected more verbosity from sieve  . is there some option to to turn more verbose messages on ?

On 01/11/2018 12:18 PM, Aki Tuomi wrote:

On 11.01.2018 12:09, CP wrote:

...

On 01/11/2018 11:49 AM, Aki Tuomi wrote:

...

On 11.01.2018 11:45, CP wrote:

...

Hello list,

I'm trying to setup sieve on a Debian 9 install with virtual users. Perhaps I'm getting old, but I can't figure out why managesieve is not working for virtual users. I have about 20 v users on this machine and only one has also a real unix account. The sieve rules work for this single unix account  but not for any other account. I have read tried various HOWTO's found on the net like this :

https://forum.vestacp.com/viewtopic.php?t=11363

but nothing is working for my case, so something is wrong in my setup and I hope you guys might shed some light . The setup is rather simple it's 20 v users with one public folder , I have tried both dovecot lda and lmtp .

doveconf -n  included

Thanks in advance for any help Hi!

Can you enable mail_debug=yes in dovecot config and see what Sieve says for those rules. Also can you provide sieve rules. The sieve rules in your config file are per-user rules, managesieved does not actually do sieve processing, but provides ability to manage sieve rules remotely.

Aki I have already done it but I can't really tell what I 'm supposed to see in the log

this is a line for a message without matching rule :

Jan 09 23:07:48 lda(xxxx@xxxxxx.xxx): Info: sieve: msgid=849d7f91-fdd3-4c07-8039-9e00acfefd2e_2961dc3c-f238-4f72-ad8e-02b1c779e6b5@SYSTEM5.de.local: stored mail into mailbox 'INBOX'

and this with a working rule:

Jan 10 01:00:04 lda(xxxx@xxxxxx.xxx): Info: sieve: msgid=20180109230004.1BC1344773@xxx.xxxxx.xxx: stored mail into mailbox 'INBOX/Postfix'

both are with lda delivery

and with lmtp :

Jan 11 01:00:04 lmtp(xxxx@xxxxxx.xxx): Info: QVkQD/SaVloKFQAAyyBr5g: sieve: msgid=20180110230003.D577A42C77@xxx.xxxxxx.xxx: stored mail into mailbox 'INBOX/Postfix' Jan 11 01:00:04 lmtp(5386): Info: Disconnect from local: Successful quit

The rule is pretty simple actually :

require ["fileinto"]; # rule:[Bad] if header :is "subject" "Bad Filename Detected" { fileinto "INBOX/BAD"; stop; } # rule:[postfix] if allof (header :is "subject" "Postfix Dailly logcheck") { fileinto "INBOX/Postfix"; stop; }

And this is a sample rule from a v user that doesn't work :

require ["fileinto"]; # rule:[1] if  header :is "from" "xxx@xxxxxxx.com" { fileinto "INBOX/9 - 1"; }

The thing is I expected more verbosity from sieve  . is there some option to to turn more verbose messages on ?

I cannot see any Debug prefix messages there.

Do you have syslog configured to log debug messages somewhere else? or do you need to set debug_log_path if you are not using syslog?

Aki

The only thing I tampered with logging is this :

log_path = /var/log/dovecot.log

I wanted to have dovecot messages separeted from mail.log

Anyway I have setup now those two below options re-enabled mail_debug

info_log_path = /var/log/dovecotsieve.log debug_log_path = /var/log/dovecot-sieve-errors.log

George

On 11.01.2018 13:56, CP wrote:

On 01/11/2018 12:18 PM, Aki Tuomi wrote:

...

On 11.01.2018 12:09, CP wrote:

...

On 01/11/2018 11:49 AM, Aki Tuomi wrote:

...

On 11.01.2018 11:45, CP wrote:

...

Hello list,

I'm trying to setup sieve on a Debian 9 install with virtual users. Perhaps I'm getting old, but I can't figure out why managesieve is not working for virtual users. I have about 20 v users on this machine and only one has also a real unix account. The sieve rules work for this single unix account  but not for any other account. I have read tried various HOWTO's found on the net like this :

https://forum.vestacp.com/viewtopic.php?t=11363

but nothing is working for my case, so something is wrong in my setup and I hope you guys might shed some light . The setup is rather simple it's 20 v users with one public folder , I have tried both dovecot lda and lmtp .

doveconf -n  included

Thanks in advance for any help Hi!

Can you enable mail_debug=yes in dovecot config and see what Sieve says for those rules. Also can you provide sieve rules. The sieve rules in your config file are per-user rules, managesieved does not actually do sieve processing, but provides ability to manage sieve rules remotely.

Aki I have already done it but I can't really tell what I 'm supposed to see in the log

this is a line for a message without matching rule :

Jan 09 23:07:48 lda(xxxx@xxxxxx.xxx): Info: sieve: msgid=849d7f91-fdd3-4c07-8039-9e00acfefd2e_2961dc3c-f238-4f72-ad8e-02b1c779e6b5@SYSTEM5.de.local:

stored mail into mailbox 'INBOX'

and this with a working rule:

Jan 10 01:00:04 lda(xxxx@xxxxxx.xxx): Info: sieve: msgid=20180109230004.1BC1344773@xxx.xxxxx.xxx: stored mail into mailbox 'INBOX/Postfix'

both are with lda delivery

and with lmtp :

Jan 11 01:00:04 lmtp(xxxx@xxxxxx.xxx): Info: QVkQD/SaVloKFQAAyyBr5g: sieve: msgid=20180110230003.D577A42C77@xxx.xxxxxx.xxx: stored mail into mailbox 'INBOX/Postfix' Jan 11 01:00:04 lmtp(5386): Info: Disconnect from local: Successful quit

The rule is pretty simple actually :

require ["fileinto"]; # rule:[Bad] if header :is "subject" "Bad Filename Detected" { fileinto "INBOX/BAD"; stop; } # rule:[postfix] if allof (header :is "subject" "Postfix Dailly logcheck") { fileinto "INBOX/Postfix"; stop; }

And this is a sample rule from a v user that doesn't work :

require ["fileinto"]; # rule:[1] if  header :is "from" "xxx@xxxxxxx.com" { fileinto "INBOX/9 - 1"; }

The thing is I expected more verbosity from sieve  . is there some option to to turn more verbose messages on ?

I cannot see any Debug prefix messages there.

Do you have syslog configured to log debug messages somewhere else? or do you need to set debug_log_path if you are not using syslog?

Aki

This is a fresh log , if you can make something out of it,  it seems that it loads the script alright and then I guess there is something wrong with the rule itself ?

Jan 11 12:43:42 lmtp(user@company.com): Debug: sieve: Pigeonhole version 0.4.16 (fed8554) initializing Jan 11 12:43:42 lmtp(user@company.com): Debug: sieve: include: sieve_global is not set; it is currently not possible to include :global' scripts. Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: file storage: Using active Sieve script path: /home/vmail/company/user/.dovecot.sieve Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: file storage: Using script storage path: /home/vmail/company/user/sieve Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: file storage: Relative path to sieve storage in active link: sieve/ Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: file storage: Using Sieve script path: /home/vmail/company/user/.dovecot.sieve Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: file script: Opened script roundcube' from /home/vmail/company/user/.dovecot.sieve' Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: Using the following location for user's Sieve script: /home/vmail/company/user/.dovecot.sieve Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: Opening script 1 of 1 from /home/vmail/company/user/.dovecot.sieve' Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: Loading script /home/vmail/company/user/.dovecot.sieve Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: Script binary /home/vmail/company/user/.dovecot.svbin successfully loaded Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: binary save: not saving binary /home/vmail/company/user/.dovecot.svbin, because it is already stored Jan 11 12:43:42 lmtp(user@company.com): Debug: SYrVAt4/V1rhUQAAyyBr5g:11: sieve: Executing script from `/home/vmail/company/user/.dovecot.svbin'

If I'm not asking too much is there a way to manually run the script on the virtual users mailbox in order to check the rules without waiting for a message to arrive ?

Thanks anyway ! George

Yes, use 'sieve-test'.

Aki

On 01/11/2018 01:32 PM, Steffen Kaiser wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On Thu, 11 Jan 2018, CP wrote:

...

I'm trying to setup sieve on a Debian 9 install with virtual users. Perhaps I'm getting old, but I can't figure out why managesieve is not working for virtual users. I have about 20 v users on this machine and only one has also a real unix account. The sieve rules work for this single unix account  but not for any other account.

Hmm, your conf contains just one passdb and one userbd:

mail_location = maildir:/home/vmail/%d/%n/Maildir

sieve = file:/home/vmail/%d/%n/sieve;active=/home/vmail/%d/%n/.dovecot.sieve

userdb { args = uid=vmail gid=vmail home=/home/vmail/%d/%n/Maildir driver = static }

So, how does the real user authentificate?

Sorry my bad , the real user does not login for mail ,  as I said to Aki probably the rule is not working as expected and on the contrast it works OK for the other v user.

Second, you've violated: https://wiki2.dovecot.org/VirtualUsers/Home?highlight=%28home%29|%28mail%29

make home and mail_location distinct. I guess, above should read: home=/home/vmail/%d/%n/

If I switch it now will it affect how the users are working now ? Will it produce trouble  if I leave it as is ?

You've wrote "managesieve" is not working. That means, sieve is working? So, has vmail write permission to : /home/vmail/%d/%n/sieve is it a directory? Does your users log into managesieve with domain, too?

Yes sieve is a dir , everything is  owned by vmail user, no permissions problem. Sieve is working for other user so I guess something is wrong with rules

Thank you guys for all the help

George