[Dovecot] Permissions errors while reading messages via IMAP
Greetings all, I have been trying to set up a new system using Postfix and Dovecot to manage email for a bunch of virtual domains. So far everything is great, and I am now at the point where I am trying to build a webmail interface for the system. I'm using RoundCube for now.
The tutorial I have been working from is here: http://workaround.org/articles/ispmail-etch/ Which seems to be a decent enough read.
At this point I can login without issue but I can't see any mail messages. When I login, dovecot throws errors like this:
Dec 23 12:08:49 mail1 dovecot: auth(default): client out: OK 1 user=geoff.sweet@test.com
Dec 23 12:08:49 mail1 dovecot: auth(default): master in: REQUEST 1 4312 1
Dec 23 12:08:49 mail1 dovecot: auth(default): master out: USER 1 geoff.sweet@test.com uid=5000 gid=5000 home=/home/vmail/test.com/geoff.sweet
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): Effective uid=5000, gid=5000, home=/home/vmail/test.com/geoff.sweet
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): maildir: data=/home/vmail/test.com/geoff.sweet/Maildir
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): maildir++: root=/home/vmail/test.com/geoff.sweet/Maildir, index=, control=, inbox=/home/vmail/test.com/geoff.sweet/Maildir
Dec 23 12:08:49 mail1 dovecot: imap-login: Login: user=geoff.sweet@test.com, method=PLAIN, rip=192.168.20.11, lip=192.168.20.12
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): Disconnected: Logged out bytes=39/431
Dec 23 12:08:49 mail1 dovecot: auth(default): new auth connection: pid=4315
Dec 23 12:08:49 mail1 dovecot: auth-worker(default): sql(geoff.sweet@test.com,192.168.20.11): query: SELECT email as user, password FROM view_mailboxes WHERE email='geoff.sweet@test.com';
Dec 23 12:08:49 mail1 dovecot: auth(default): client in: AUTH 1 PLAIN service=imap lip=192.168.20.12 rip=192.168.20.11 lport=143 rport=43878 resp=AGdlb2ZmLnN3ZWV0QHdob290aXMuY29tAGJvYjEyMzQ1
Dec 23 12:08:49 mail1 dovecot: auth(default): client out: OK 1 user=geoff.sweet@test.com
Dec 23 12:08:49 mail1 dovecot: auth(default): master in: REQUEST 2 4311 1
Dec 23 12:08:49 mail1 dovecot: auth(default): master out: USER 2 geoff.sweet@test.com uid=5000 gid=5000 home=/home/vmail/test.com/geoff.sweet
Dec 23 12:08:49 mail1 dovecot: imap-login: Login: user=geoff.sweet@test.com, method=PLAIN, rip=192.168.20.11, lip=192.168.20.12
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): Effective uid=5000, gid=5000, home=/home/vmail/test.com/geoff.sweet
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): maildir: data=/home/vmail/test.com/geoff.sweet/Maildir
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): maildir++: root=/home/vmail/test.com/geoff.sweet/Maildir, index=, control=, inbox=/home/vmail/test.com/geoff.sweet/Maildir
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): Namespace : Using permissions from /home/vmail/test.com/geoff.sweet/Maildir: mode=0700 gid=-1
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot-uidlist) failed: Permission denied
Dec 23 12:08:49 mail1 last message repeated 2 times
There is some permission issue that allows dovecot to deliver email to the /home/vmail location (I dislike this location and want to change it) via the dovecot LDA process, but then not be able to read it when accessed via IMAP. I'm very confused lol.
Dovecot version 1.2.9

dovecot -n:

# 1.2.9: /etc/dovecot.conf
# OS: Linux 2.6.18-164.6.1.el5 i686 CentOS release 5.4 (Final) ext3
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_greeting: Dovecot ready.
mail_location: maildir:/home/vmail/%d/%n/Maildir
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
lda:
  log_path: /home/vmail/dovecot-deliver.log
  auth_socket_path: /var/run/dovecot/auth-master
  postmaster_address: postmaster@test.com
  mail_plugins:
  global_script_path: /home/vmail/globalsieverc
auth default:
  mechanisms: plain login
  debug: yes
  debug_passwords: yes
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: static
    args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
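One thing in the posted log deserves attention before the permissions question: the "client in: AUTH 1 PLAIN ... resp=..." line. With debug_passwords: yes (visible in the dovecot -n output, the auth_debug_passwords setting in dovecot.conf) Dovecot writes the client's SASL PLAIN initial response into the log, and that response is nothing more than base64 over "authzid NUL authcid NUL password", so the mailbox password is sitting in syslog in trivially recoverable form. The script below is an added example, not code from this thread or from Dovecot: it scans auth-debug lines of the format shown above, reports which ones carry decodable PLAIN credentials, and writes a redacted copy of the log. The log lines and the alice@example.com / hunter2 credentials in it are constructed for the example and are not the ones from the thread.

```python
import base64
import re

# Constructed sample in the shape of the "client in: AUTH ... resp=" lines that
# Dovecot 1.x writes when auth_debug_passwords is on. The credentials are made
# up for this example (alice@example.com / hunter2), not taken from the thread.
SAMPLE_RESP = base64.b64encode(b"\0alice@example.com\0hunter2").decode()
SAMPLE_LOG = [
    "Dec 23 12:08:49 mail1 dovecot: auth(default): new auth connection: pid=4315",
    "Dec 23 12:08:49 mail1 dovecot: auth(default): client in: AUTH 1 PLAIN "
    "service=imap lip=192.168.20.12 rip=192.168.20.11 lport=143 rport=43878 "
    f"resp={SAMPLE_RESP}",
    "Dec 23 12:08:49 mail1 dovecot: auth(default): client out: OK 1 user=alice@example.com",
]

# Matches the mechanism name and the base64 initial response on an AUTH line.
RESP_RE = re.compile(
    r"\bclient in: AUTH \d+ (?P<mech>\S+) .*?\bresp=(?P<resp>[A-Za-z0-9+/=]+)"
)


def decode_plain(resp_b64):
    """Decode a SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd.
    Returns None when the blob does not have exactly those three fields."""
    raw = base64.b64decode(resp_b64)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


def scan_auth_log(lines):
    """Return (findings, redacted_lines).

    A finding is recorded for every AUTH line whose resp= field decodes to a
    PLAIN username/password pair; the redacted copy keeps every line but
    replaces the base64 blob, for any mechanism, with a placeholder."""
    findings = []
    redacted = []
    for n, line in enumerate(lines, 1):
        m = RESP_RE.search(line)
        if not m:
            redacted.append(line)
            continue
        creds = decode_plain(m.group("resp")) if m.group("mech") == "PLAIN" else None
        if creds:
            findings.append({"line": n, "user": creds["authcid"],
                             "password_len": len(creds["password"])})
        # Redact regardless of mechanism: LOGIN and other initial responses
        # are just as sensitive as PLAIN.
        redacted.append(line[:m.start("resp")] + "<redacted>" + line[m.end("resp"):])
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan_auth_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: PLAIN credentials for {f['user']} present in log "
              f"({f['password_len']}-character password)")
    print("\n".join(clean))
```

The redaction is for logs that have already been written; the fix for new ones is auth_debug_passwords = no in dovecot.conf once the authentication side is understood, and treating any syslog archive written while it was on as containing user passwords.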
On Wed, 2009-12-23 at 12:18 -0800, Geoff Sweet wrote:
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) .. There is some permission issue that allows dovecot to deliver email to the /home/vmail location (I dislike this location and want to change it) via the dovecot LDA process, but then not be able to read it when accessed via IMAP. I'm very confused lol.
Apparently you want the emails to be owned by vmail:vmail, but you're running deliver as something other than vmail and the resulting files won't be owned by vmail:vmail..
So you're calling deliver wrong from Postfix. Your master.cf probably has dovecot pipe, it should have user=vmail:vmail.
Delivery doesn't seem to be the issue. The issue appears to be reading the mail later on.
Here is my master.cf line for dovecot:

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
and as you can see, the files in the delivery location have the correct permissions for being delivered by user "vmail":

# ls -la
total 64
drwx------ 5 vmail vmail 4096 Dec 23 12:11 .
drwx------ 3 vmail vmail 4096 Dec 21 17:41 ..
drwx------ 2 vmail vmail 4096 Dec 21 17:41 cur
-rw------- 1 vmail vmail  224 Dec 22 00:01 dovecot.index
-rw------- 1 vmail vmail  572 Dec 23 11:51 dovecot.index.log
-rw------- 1 vmail vmail  472 Dec 23 11:51 dovecot-uidlist
drwx------ 2 vmail vmail 4096 Dec 23 11:51 new
drwx------ 2 vmail vmail 4096 Dec 23 11:51 tmp
The errors appear when I login via IMAP and try to read the messages.
-Geoff
From: Timo Sirainen [tss@iki.fi]
Sent: Wednesday, December 23, 2009 1:03 PM
To: Geoff Sweet
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] Permissions errors while reading messages via IMAP
On Wed, 2009-12-23 at 13:13 -0800, Geoff Sweet wrote:
and as you can see, the files in the delivery location have the correct permissions for being delivered by user "vmail":

# ls -la
total 64
-rw------- 1 vmail vmail 572 Dec 23 11:51 dovecot.index.log
What about this:
Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)
Is that file also owned by vmail:vmail? The error message shows that vmail user doesn't have read access to the file. If that file is also owned by vmail, I have only two ideas:
a) You have multiple vmail users. See that ls -ln shows the uids to be actually 5000 and not something else.
b) SELinux or something similar is preventing the access to the files.
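Timo's two hypotheses amount to a checklist: compare the numeric uid/gid from ls -ln and the mode bits against the euid/egid in Dovecot's error line, and if classic DAC would have allowed the open, look for a mandatory access control layer, which on CentOS 5 means an SELinux AVC denial in the audit log. The script below is an added example, not code from this thread or from Dovecot, that mechanises that triage on constructed sample input: a Dovecot error line in the format shown above, ls -ln output, and an AVC record of the kind ausearch -m avc prints. The file names, uids, pid and inode numbers in the sample are made up, and the third ls entry is deliberately owned by a different uid to exercise hypothesis (a).

```python
import re

# Constructed sample input modelled on what the thread shows: Dovecot's error
# line with euid/egid, numeric "ls -ln" output for the Maildir, and an SELinux
# AVC denial of the kind "ausearch -m avc" prints. None of these are the
# thread's literal lines; the dovecot.index entry is owned by uid 5001 on
# purpose, to model a second account that merely shares the name "vmail".
DOVECOT_ERR = (
    "Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet@test.com): "
    "open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) failed: "
    "Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: "
    "/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)"
)
LS_LN = """\
total 64
-rw------- 1 5000 5000 572 Dec 23 11:51 dovecot.index.log
-rw------- 1 5000 5000 472 Dec 23 11:51 dovecot-uidlist
-rw------- 1 5001 5001 224 Dec 22 00:01 dovecot.index
"""
AVC = ('type=AVC msg=audit(1261598929.123:456): avc:  denied  { read } for  '
       'pid=4312 comm="imap" name="dovecot.index.log" dev=dm-0 ino=12345 '
       'scontext=system_u:system_r:dovecot_t:s0 '
       'tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file')

ERR_RE = re.compile(
    r"open\((?P<path>[^)]+)\) failed: Permission denied "
    r"\(euid=(?P<euid>\d+)\(\w+\) egid=(?P<egid>\d+)\(\w+\) missing \+(?P<perm>[rwx]) perm"
)
# mode, link count, uid, gid, size, month, day, time-or-year, name
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})[.+@]?\s+\d+\s+(?P<uid>\d+)\s+(?P<gid>\d+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?name="(?P<name>[^"]+)".*?'
    r"scontext=\S*?:(?P<stype>\w+_t)\b\S*\s+tcontext=\S*?:(?P<ttype>\w+_t)\b\S*"
    r"\s+tclass=(?P<tclass>\w+)"
)
PERM_BITS = {"r": 4, "w": 2, "x": 1, "s": 1, "t": 1}


def parse_mode(mode_str):
    """'-rw-------' -> (6, 0, 0): owner, group and other permission triples."""
    bits = mode_str[1:10]
    return tuple(sum(PERM_BITS.get(ch, 0) for ch in bits[i:i + 3]) for i in (0, 3, 6))


def parse_dovecot_error(line):
    m = ERR_RE.search(line)
    if not m:
        return None
    return {"path": m.group("path"), "euid": int(m.group("euid")),
            "egid": int(m.group("egid")), "want": PERM_BITS[m.group("perm")]}


def parse_ls_ln(text):
    """Map file name -> {uid, gid, perms} from 'ls -ln' output. Numeric ids are
    used on purpose: 'ls -l' would print the name vmail for two different uids."""
    entries = {}
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            entries[m.group("name")] = {"uid": int(m.group("uid")), "gid": int(m.group("gid")),
                                        "perms": parse_mode(m.group("mode"))}
    return entries


def dac_allows(entry, euid, egid, want):
    """Classic Unix mode check in kernel order: owner class if the uid matches,
    else group class if the gid matches, else other. Supplementary groups and
    POSIX ACLs are not modelled; root is not special-cased because Dovecot has
    already dropped privileges to the mail uid when it opens the index."""
    owner, group, other = entry["perms"]
    if euid == entry["uid"]:
        cls = owner
    elif egid == entry["gid"]:
        cls = group
    else:
        cls = other
    return cls & want == want


def parse_avc(line):
    m = AVC_RE.search(line)
    return m and {"name": m.group("name"), "perms": m.group("perms").strip(),
                  "stype": m.group("stype"), "ttype": m.group("ttype"),
                  "tclass": m.group("tclass")}


def triage(dovecot_error, ls_ln_text, avc_lines=()):
    """Decide whether a Dovecot 'Permission denied' is explained by DAC (owner,
    group, mode bits) or must come from a MAC layer such as SELinux."""
    err = parse_dovecot_error(dovecot_error)
    if err is None:
        return {"verdict": "unparsed"}
    name = err["path"].rsplit("/", 1)[-1]
    entry = parse_ls_ln(ls_ln_text).get(name)
    if entry is None:
        return {"verdict": "file-not-listed", "file": name}
    if not dac_allows(entry, err["euid"], err["egid"], err["want"]):
        return {"verdict": "dac", "file": name, "uid": entry["uid"], "gid": entry["gid"],
                "perms": entry["perms"]}
    for avc in filter(None, map(parse_avc, avc_lines)):
        if avc["name"] == name:
            return {"verdict": "selinux", "file": name, "scontext": avc["stype"],
                    "tcontext": avc["ttype"], "denied": avc["perms"]}
    return {"verdict": "mac-suspected", "file": name}


if __name__ == "__main__":
    print(triage(DOVECOT_ERR, LS_LN, [AVC]))
    print(triage(DOVECOT_ERR.replace("dovecot.index.log", "dovecot.index"), LS_LN, [AVC]))
```

Feed it the same three things from a real box: the open() error from the Dovecot log, ls -ln (and ls -lZ, which shows the SELinux type on each file) run inside the Maildir, and ausearch -m avc -c imap. A "dac" verdict points at ownership or mode bits; a "selinux" verdict names the source and target types, which is exactly what you need to decide between relabelling the mail store and writing an allow rule with audit2allow. An allow rule that lets dovecot_t read and write every file of type user_home_dir_t, as the module later in this thread does, is considerably broader than giving /home/vmail a mail-specific label, so the type names from the AVC are worth reading before accepting what audit2allow generates.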
Appears to be an SELinux issue. I checked it out with audit2allow and discovered several items that needed tweaking. Here is the result of my te file:
# cat DovecotDelivery.te
module DovecotDelivery 1.0;
require {
	type sysadm_passwd_t;
	type postfix_spool_t;
	type user_home_dir_t;
	type dovecot_auth_t;
	type user_home_t;
	type var_spool_t;
	type dovecot_t;
	type mysqld_etc_t;
	type dovecot_var_run_t;
	type mysqld_port_t;
	type system_mail_t;
	class process setcap;
	class tcp_socket name_connect;
	class dir { search setattr };
	class file { rename execute read lock write getattr unlink };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t mysqld_etc_t:file { read getattr };
allow dovecot_auth_t mysqld_port_t:tcp_socket name_connect;

#============= dovecot_t ==============
allow dovecot_t dovecot_var_run_t:dir setattr;
allow dovecot_t self:process setcap;
allow dovecot_t user_home_dir_t:file { rename write getattr read lock unlink };

#============= sysadm_passwd_t ==============
allow sysadm_passwd_t postfix_spool_t:dir search;
allow sysadm_passwd_t var_spool_t:dir search;

#============= system_mail_t ==============
allow system_mail_t user_home_t:file execute;
Some of that is left over from a previous attempt to get this working. It all seems to be fine once I load that module.
-Geoff
From: Timo Sirainen [tss@iki.fi]
Sent: Wednesday, December 23, 2009 1:26 PM
To: Geoff Sweet
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] Permissions errors while reading messages via IMAP