Re: [Dovecot] Bizarre permissions problem
Bill Oliver writes:
There's *one* user I can't get it to work on without a workaround. The user is "newuser" and the uid is 1111 (actual name and number changed to protect the innocent). The error I get in my maillog is:
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
Now, it looks to me like dovecot is saying that the user newuser can't get to the /home/newuser/mail/.imap directory because it doesn't have permission. However, the user newuser has all the permissions it needs:
$ ls -la /home/newuser/mail
total 20
drwxrw----  3 newuser newuser 4096 Aug 29 15:01 .
drwxrw----  6 newuser newuser 4096 Aug 29 12:16 ..
drwxrwx---  2 newuser newuser 4096 Aug 29 16:05 .imap
-rw-rw----  1 newuser newuser  499 Aug 13 07:56 saved-messages
-rw-rw----  1 newuser newuser 1756 Aug 16 11:15 sent-mail
The output of doveconf -n would have been useful, especially as it relates to your mail_location value, but I can make a pretty good guess at what is happening.
Dovecot is trying to create indices with analogous permissions to your mailbox files. Your user's INBOX (/var/mail/newuser) has permission user:group:mode = 1111:12:0660 *but* newuser is not in group "mail" (GID 12), hence it cannot do the required chown operations.
(Notice the mode of .imap/: the group write is on so the chmod worked.)
Your INBOX ended up this way because some LDAs auto-create new INBOXes with these permissions (to allow access to other parts of the mail system that are set-gid "mail"). Options:
1) chmod g-rwx /var/mail/newuser
   - assumes you have no other parts of your mail system that need access to all user INBOXes by assuming group "mail".
   - dovecot is smart enough to figure out group membership is irrelevant if group access is nil.
2) chgrp newuser /var/mail/newuser
3) To avoid future problems: make sure new mailboxes are created with workable permissions.
There are also dovecot configs that loosen up some group access, but you'll have to investigate that yourself.
Joseph Tam tam@math.ubc.ca
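The diagnosis above, written out as a check: this is an added example, not code from the thread or from Dovecot. It assumes the behaviour the reply describes (Dovecot chown()s the new index directory to the INBOX's group, which only succeeds if the user is in that group or the group permission bits are off); the function names inbox_group_ok and diagnose are mine, and the numbers are the ones from the thread typed in by hand rather than read from a live system.

```shell
#!/bin/sh
# Added example: decide whether dovecot's "chown index dir to the INBOX group"
# step can succeed for a given INBOX group, INBOX mode and user group list.
#
# On a live box the inputs come from (GNU coreutils):
#   stat -c '%g %a' /var/mail/newuser     -> "12 660"
#   id -G newuser                         -> "1111"
# Here they are constructed from the values quoted in the thread.

# inbox_group_ok GID MODE GROUPS
#   GID    numeric group of the INBOX file
#   MODE   octal mode, e.g. 0660 or 660
#   GROUPS space-separated numeric groups of the user (as `id -G` prints)
# Returns 0 if the index chown() will succeed, 1 if it will hit EPERM.
inbox_group_ok() {
    gid=$1
    mode=$2
    groups=$3

    # Group permission digit is the second from the right of the octal mode.
    gperm=${mode%?}                 # drop the "other" digit
    gperm=${gperm#"${gperm%?}"}     # keep only the last remaining digit

    # No group access at all: which group owns the file does not matter.
    if [ "$gperm" = 0 ]; then
        return 0
    fi

    # Otherwise the user must be a member (primary or supplementary).
    case " $groups " in
        *" $gid "*) return 0 ;;
    esac
    return 1
}

# diagnose GID MODE GROUPS: one-line verdict plus the two fixes from the reply.
diagnose() {
    if inbox_group_ok "$1" "$2" "$3"; then
        echo "ok: index chown to gid $1 will succeed"
    else
        echo "EPERM: user is not in gid $1 but mode $2 grants group access"
        echo "  fix 1: chmod g-rwx <inbox>   (drop group access)"
        echo "  fix 2: chgrp <user> <inbox>  (use a group the user is in)"
    fi
}

# Thread values: INBOX is 1111:12 mode 0660, newuser's only group is 1111.
diagnose 12 0660 "1111"
# After option 1 (chmod g-rwx):
diagnose 12 0600 "1111"
# After option 2 (chgrp newuser):
diagnose 1111 0660 "1111"
```

The first call reproduces the EPERM from the log; the second and third show that either fix clears it. Adding newuser to group mail (gid 12) would also pass the check, but that widens what the user can read under /var/mail, which is why the reply does not list it as an option.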