Maildir: ACLs/Unix perms and unable to see content of specific mailbox
Dear Dovecot users, hello. I will merge two issues I have into a single email because they may be related.
I used dovecot on an OmniOS server since 2014 (currently OmniOS r151014) with the following configuration (it shows 2.2.18 because I recently updated dovecot, skipping only the PostgreSQL plugin):
# 2.2.18: /etc/dovecot/dovecot.conf
# OS: SunOS 5.11 i86pc zfs
mail_location = maildir:/tank/home/%u/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = </etc/dovecot/certs/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
You can see that I set the Maildir folder inside the shared home folders of my server (it is only one user, anyway). It always worked perfectly, but one or two months ago I changed the permissions of my whole home folder, recursively, to add proper ACLs. I needed them because the clients started using illumos kernel SMB (relying on ACLs) instead of Netatalk/AFP (relying on Unix perms only). I didn't realise I had also applied the ACLs to the Maildir folder.
Dovecot worked fine for several weeks; I noticed the issue only yesterday, when a mailbox (see below) appeared completely empty in Thunderbird even though the "cur" subfolder on the server still contains all the mails.
Dovecot was throwing some errors like:
dovecot: [ID 583609 mail.error] imap(olaf): Error: rename(/tank/home/olaf/Maildir/.&A6k- Mailing Lists.Log/dovecot.index.cache) failed: Permission denied (euid=501(olaf) egid=501(olaf) UNIX perms appear ok (ACL/MAC wrong?))
dovecot: [ID 583609 mail.error] imap(olaf): Error: rename(/tank/home/olaf/Maildir/.&A6k- Mailing Lists.Log/dovecot.index.tmp, /tank/home/olaf/Maildir/.&A6k- Mailing Lists.Log/dovecot.index) failed: Permission denied
dovecot: [ID 583609 mail.error] imap(olaf): Error: unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: Permission denied
dovecot: [ID 583609 mail.error] imap(olaf): Error: rename(/tank/home/olaf/Maildir/subscriptions.lock, /tank/home/olaf/Maildir/subscriptions) failed: Permission denied
I will post here the current permissions of the folder containing Maildir, of the Maildir itself, of its contents, and of the folder that appears empty when browsed with a client (Thunderbird).
/tank/home/olaf $ ls -lV ..
drwx------+ 16 olaf olaf 17 Sep 19 01:52 olaf
                 user:olaf:rwxpdDaARWcCos:fd-----:allow
                 group:2147483648:rwxpdDaARWcCos:fd-----:allow
                 everyone@:rwxpdDaARWcCos:fd-----:deny

/tank/home/olaf $ ls -lV
drwxrwx--- 348 olaf olaf 359 Sep 19 01:51 Maildir
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
                 everyone@:------a-R-c--s:-------:allow

/tank/home/olaf $ ls -lV Maildir/
drwxrwx--- 2 olaf olaf 2 Jan 30 2014 cur
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
                 everyone@:------a-R-c--s:-------:allow
-rwxrwx--- 1 olaf olaf 21 Jan 30 2014 dovecot-keywords
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
                 everyone@:------a-R-c--s:-------:allow
(ALL THE SAME PERMISSIONS FOR THE OTHER FILES EXCEPT...)
-rwxrwx--- 1 olaf olaf 13735 Jan 24 2015 subscriptions
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
                 everyone@:------a-R-c--s:-------:allow
-rw-rw---- 1 olaf olaf 13709 Sep 19 01:51 subscriptions.lock
                 owner@:rw-p--aARWcCos:-------:allow
                 group@:rw-p--a-R-c--s:-------:allow
                 everyone@:------a-R-c--s:-------:allow
The folder that appears empty:
/tank/home/olaf $ ls -lV Maildir/.Generiche/
total 513
drwxrwx--- 2 olaf olaf 949 Sep 18 01:42 cur
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
                 everyone@:------a-R-c--s:-------:allow
-rwxrwx--- 1 olaf olaf 46 May 18 2014 dovecot-keywords
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
                 everyone@:------a-R-c--s:-------:allow
(ALL THE SAME PERMISSIONS FOR THE OTHER FILES)
I really hope you will have the time to help me because I already applied the permissions recursively and I removed the ACLs, almost as it was before my mistake. I specified "almost" because originally (I checked the backups) the Maildir folder had an ACL that gave access permissions also to the group "mail":
drwxrwx---+349 olaf olaf 359 Feb 16 2014 Maildir
                 group:mail:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxpdDaARWcCos:fd----I:allow
                 group@:rwxpdDaARWcCos:fd----I:allow
                 everyone@:rwxpdDaARWcCos:fd----I:deny
Yesterday I didn't replicate it because, from the documentation, I understood it was not necessary.
My questions, in short:
- what are the permissions I need to give to the Maildir folder? I understood from the documentation it's 700, with my user/group (the one of the user accessing the mail). What about ACLs? And what about group "mail"?
- the (only!) subfolder which appears empty in Thunderbird: could it depend on the permissions? Maybe because of them the index was not updated and the UIDs don't match. If after applying the correct permissions I still cannot see its contents, is there a way to recover the mails? The files are all still there.
Sorry for the long email, but after several tries yesterday I exhausted my ideas.
Regards, Olaf
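The "UNIX perms appear ok (ACL/MAC wrong?)" wording in the log above comes from Dovecot comparing the mode bits of the file with the EACCES it actually got. As an added example (not code from the thread or from Dovecot), the POSIX shell script below does the same comparison per entry under a Maildir: it reads the owner bits from ls -ldn, then asks the kernel through test -w / test -x, so an entry that only an ACL blocks is reported as "acl-denied" rather than hiding behind a mode string that looks fine. It assumes it runs as the user that owns the Maildir (Dovecot's euid for that user); the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the thread. Walks a Maildir and reports entries
# where the owner bits from ls -ldn look sufficient but the kernel still denies
# access, which is the situation Dovecot logs as
# "UNIX perms appear ok (ACL/MAC wrong?)".
# Assumption: run as the user that owns the Maildir (Dovecot's euid for it).

# classify_entry PATH -> prints one of: ok | unix-denied | acl-denied | not-owner
classify_entry() {
    p=$1
    # Field 1 of ls -ldn is the mode string (e.g. drwxrwx---+), field 3 the
    # numeric owner uid; -n avoids depending on a passwd lookup.
    set -- $(ls -ldn "$p")
    mode=$1
    owner=$3
    if [ "$owner" != "$(id -u)" ]; then
        echo not-owner            # owner bits do not apply to us; skip
        return 0
    fi
    owner_w=$(printf '%s' "$mode" | cut -c3)
    owner_x=$(printf '%s' "$mode" | cut -c4)
    # Dovecot renames and unlinks inside mailbox directories, so a directory
    # needs w and x for the owner; a plain file only needs w on itself.
    case "$mode" in
        d*) need_x=1 ;;
        *)  need_x=0 ;;
    esac
    if [ "$owner_w" != w ] || { [ "$need_x" = 1 ] && [ "$owner_x" != x ]; }; then
        echo unix-denied          # the mode bits themselves deny: chmod fixes it
        return 0
    fi
    # Mode bits grant it; now ask the kernel (access(2)). On ZFS/illumos this
    # is where an ACL entry lacking w/x, or an explicit deny entry, shows up.
    if [ ! -w "$p" ] || { [ "$need_x" = 1 ] && [ ! -x "$p" ]; }; then
        echo acl-denied
        return 0
    fi
    echo ok
}

# scan_maildir DIR -> prints "<class> <path>" for every entry that is not ok
scan_maildir() {
    find "$1" -print | while IFS= read -r entry; do
        c=$(classify_entry "$entry")
        [ "$c" = ok ] || printf '%s %s\n' "$c" "$entry"
    done
}

# count_class DIR CLASS -> number of entries under DIR in that class
count_class() {
    n=$(scan_maildir "$1" | grep -c "^$2 " || true)
    echo "$n"
}

# Usage (placeholder path):  scan_maildir /tank/home/olaf/Maildir
```

Any "acl-denied" line is a file or directory whose ls -l mode is misleading; look at its ls -V output rather than its mode bits.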
Hi,
On 2015-09-19 16:17, Olaf Marzocchi wrote:
From my view the permissions seem to be set correctly; I have to admit, it's been a while since I moved to virtual users, so I may be wrong here...
The log output also seems to support that permissions are correct.
Have you tried adding the group:mail:.... ACLs back?
Have you set mail_debug=yes or other more verbose logging settings? http://wiki2.dovecot.org/Logging
Regards, Christian
I found that the ACLs I set were not automatically applied to the newly created files and dirs (missing :fd-----:), so I corrected them and I added group:mail.
$ chmod -R A=owner@:rwxpdDaARWcCos:fd-----:allow,
user:olaf:rwxpdDaARWcCos:fd-----:allow,
group@:rwxpdDaARWcCos:fd-----:allow,
group:olaf:rwxpdDaARWcCos:fd-----:allow,
group:mail:rwxpdDaARWcCos:fd-----:allow,
everyone@:------a-R-c--s:fd-----:allow Maildir
(I know I duplicated my username and group, but I wanted to be sure...)
drwxrwx---+348 olaf olaf 359 Sep 20 16:21 Maildir
                 owner@:rwxpdDaARWcCos:fd-----:allow
                 user:olaf:rwxpdDaARWcCos:fd-----:allow
                 group@:rwxpdDaARWcCos:fd-----:allow
                 group:olaf:rwxpdDaARWcCos:fd-----:allow
                 group:mail:rwxpdDaARWcCos:fd-----:allow
                 everyone@:------a-R-c--s:fd-----:allow
I verified that newly created files inside Maildir correctly retain these ACLs.
I still get the errors (I added "mail_debug=yes" and restarted):
[ID 583609 mail.error] imap(olaf): Error: rename(/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index.cache) failed: Permission denied (euid=501(olaf) egid=501(olaf) UNIX perms appear ok (ACL/MAC wrong?))
[ID 583609 mail.error] imap(olaf): Error: rename(/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index.tmp, /tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index) failed: Permission denied
No further details. I won't post the ls -lV again since the permissions of the specified file and folder are all exactly like the Maildir folder above.
Different errors after I tried to rename a mail folder:
Debug: Namespace : Using permissions from /tank/home/olaf/Maildir: mode=0770 gid=default
Error: unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: Permission denied
Error: file_dotlock_replace() failed with subscription file /tank/home/olaf/Maildir/subscriptions: Permission denied
Error: rename(/tank/home/olaf/Maildir/subscriptions.lock, /tank/home/olaf/Maildir/subscriptions) failed: Permission denied
At this point I don't know if it is an issue with my system, or some sort of incompatibility between dovecot and illumos or ZFS.
Except for folder renaming I can put mails in the IMAP folders and see them, but I fear for future problems caused by this issue.
In case there is someone able to read source code, this is the file where the ACL/MAC issue is generated: http://hg.dovecot.org/dovecot-2.2/file/4f4243794ba1/src/lib/eacces-error.c
Does anyone have a clue, given this additional information? I still don't.
Olaf
Hi, I tried again with some other options.
After finding http://www.dovecot.org/list/dovecot/2013-November/093793.html I deleted every ACL from the directory Maildir and I also assigned the group "mail" to it, recursively:
OmniOS-Xeon:/tank/home/olaf/Maildir/.Generiche $ ls -lV
total 903
drwxrwxrwx 2 olaf mail 2 Sep 27 23:47 cur
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
                 everyone@:rwxp--a-R-c--s:-------:allow
(and so on)
I also tried mail_full_filesystem_access = yes, hoping that it would solve the issue, but nothing. Even with mail_debug = yes the log does not give any info besides:
dovecot: [ID 583609 mail.error] imap(olaf): Error: unlink(/tank/home/olaf/Maildir/.Generiche/dovecot-uidlist.tmp) failed: Permission denied
(it shows also "rename" instead of "unlink")
With this additional information, has anyone any idea about the cause of the problem?
My doveconf -n:
# 2.2.18: /etc/dovecot/dovecot.conf
# OS: SunOS 5.11 i86pc zfs
mail_debug = yes
mail_full_filesystem_access = yes
mail_location = maildir:/tank/home/%u/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = </etc/dovecot/certs/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
Any help will be appreciated.
Regards, Olaf Marzocchi
I solved the issue I mentioned some days ago.
I checked in the logs the date the issue appeared, and I noticed it did not correspond to a dovecot update, so dovecot was not the culprit.
The date also did not correspond to an update of OmniOS, and in any case the previous OmniOS update contained only userland updates.
Since the issue appeared when I assigned ACLs for the first time to my home folder on the fileserver, to make it more compatible with SMB sharing, I decided the easiest way was to start a new ZFS dataset only for mail, splitting home folder and mail.
$ zfs create -o compression=on tank/mail
$ chgrp mail /tank/mail
$ mkdir /tank/mail/olaf
$ mv /tank/home/olaf/Maildir /tank/mail/olaf/
$ chown -R olaf:olaf /tank/mail/olaf
$ find Maildir -type d -exec chmod 700 {} \;
$ find Maildir -type f -exec chmod 600 {} \;
$ svcadm enable dovecot
This time I did not set the options -o aclinherit=passthrough-x -o aclmode=passthrough on the dataset, because dovecot does not need ACLs anyway. I'm not even sure those two options are what I actually need, but the server is running so I won't change them.
Anyway, the server is running fine now. I'm not sure why I cannot see any "Trash" folder in Thunderbird, while if I try to create one it fails with "Folder already existing", but I will find out.
I also wrote a summary of the issue and of the solution here, because other people had the same problem in the past (http://www.dovecot.org/list/dovecot/2013-November/093778.html) and there was no solution posted. http://www.marzocchi.net/Olafsen/Software/InstallationOfOmniOSAndBasicSetup
Cheers, Olaf