Permission denied UNIX perms appear ok (ACL/MAC wrong?))
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
austin@mail:~$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Is there any chance that high memory utilization could be responsible for some of these errors? I’ve noticed recently that my memory is running anywhere from 80-85%.
Austin Witmer
On Aug 20, 2022, at 8:52 AM, Austin Witmer <austin96@emypeople.net> wrote:
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com <mailto:user@domain.com>)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
austin@mail:~$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Le 20/08/2022 à 16:52, Austin Witmer a écrit :
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Did you check wether your linux distribution uses SeLINUX or Apparmor ? In that case you would have to check their policy to give dovecot access to this directory.
Try ls -laZ
Il giorno 20 ago 2022, alle ore 08:08, Erwan David <erwan@rail.eu.org> ha scritto:
Le 20/08/2022 à 16:52, Austin Witmer a écrit :
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Did you check wether your linux distribution uses SeLINUX or Apparmor ? In that case you would have to check their policy to give dovecot access to this directory.
Ok, here is the output of that command.
austin@mail:~$ ls -laZ /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.list.index.log -rwxrwxr-- 1 austin austin ? 6796 Aug 20 14:40 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.list.index.log
Does that tell you anything?
Austin Witmer
On Aug 20, 2022, at 9:56 AM, Remo Mattei <rm@rm.ht> wrote:
Try ls -laZ
Il giorno 20 ago 2022, alle ore 08:08, Erwan David <erwan@rail.eu.org> ha scritto:
Le 20/08/2022 à 16:52, Austin Witmer a écrit :
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Did you check wether your linux distribution uses SeLINUX or Apparmor ? In that case you would have to check their policy to give dovecot access to this directory.
See below.
On Aug 20, 2022, at 9:56 AM, Remo Mattei <rm@rm.ht> wrote:
Try ls -laZ
Il giorno 20 ago 2022, alle ore 08:08, Erwan David <erwan@rail.eu.org> ha scritto:
Le 20/08/2022 à 16:52, Austin Witmer a écrit :
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Did you check wether your linux distribution uses SeLINUX or Apparmor ? In that case you would have to check their policy to give dovecot access to this directory.
No, I’m not familiar with SeLinux or Apparmor. Tell me what I should do or check.
Thanks!
Austin Witmer
Le 20/08/2022 à 18:23, Austin Witmer a écrit :
See below.
On Aug 20, 2022, at 9:56 AM, Remo Mattei <rm@rm.ht> wrote:
Try ls -laZ
Il giorno 20 ago 2022, alle ore 08:08, Erwan David <erwan@rail.eu.org> ha scritto:
Le 20/08/2022 à 16:52, Austin Witmer a écrit :
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer Did you check wether your linux distribution uses SeLINUX or Apparmor ? In that case you would have to check their policy to give dovecot access to this directory.
No, I’m not familiar with SeLinux or Apparmor. Tell me what I should do or check.
Thanks!
Austin Witmer
I'm not sure. apparmor logs in kern.log
You can try a grep mailserver/plain/maildir/domain.com /var/log/*.log for a start
Thanks to all of your for your input!
I think I may have gotten this resolved. More time and testing will tell! More details later . . .
Austin Witmer
On Aug 20, 2022, at 9:06 AM, Erwan David <erwan@rail.eu.org> wrote:
Le 20/08/2022 à 16:52, Austin Witmer a écrit :
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Did you check wether your linux distribution uses SeLINUX or Apparmor ? In that case you would have to check their policy to give dovecot access to this directory.
It’s a mount partition you should check that probably it is nfs.
Good luck.
Il giorno 21 ago 2022, alle ore 07:43, Austin Witmer <austin96@emypeople.net> ha scritto:
Thanks to all of your for your input!
I think I may have gotten this resolved. More time and testing will tell! More details later . . .
Austin Witmer
On Aug 20, 2022, at 9:06 AM, Erwan David <erwan@rail.eu.org> wrote:
Le 20/08/2022 à 16:52, Austin Witmer a écrit : Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Did you check wether your linux distribution uses SeLINUX or Apparmor ? In that case you would have to check their policy to give dovecot access to this directory.
Hello all!
My strange permission errors in my log files seem to have disappeared. The only thing I can think of that I changed was mounting my encrypted folder without using sudo. Example “gocryptfs -allow_other cipher plain” instead of "sudo gocryptfs -allow_other cipher plain”.
Thanks to all of you for your help and suggestions!
Austin Witmer
On Aug 21, 2022, at 10:03 AM, Remo Mattei <rm@rm.ht> wrote:
It’s a mount partition you should check that probably it is nfs.
Good luck.
Il giorno 21 ago 2022, alle ore 07:43, Austin Witmer <austin96@emypeople.net> ha scritto:
Thanks to all of your for your input!
I think I may have gotten this resolved. More time and testing will tell! More details later . . .
Austin Witmer
On Aug 20, 2022, at 9:06 AM, Erwan David <erwan@rail.eu.org <mailto:erwan@rail.eu.org>> wrote:
Le 20/08/2022 à 16:52, Austin Witmer a écrit :
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com <mailto:user@domain.com>)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> <http://domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> <http://domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> <http://domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Did you check wether your linux distribution uses SeLINUX or Apparmor ? In that case you would have to check their policy to give dovecot access to this directory.
Am 20.08.22 um 16:52 schrieb Austin Witmer:
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
And no, I don’t think I am using ACL’s.
getfacl austin /mnt/volume1/mailserver/plain/maildir/ getfacl: austin: No such file or directory getfacl: Removing leading '/' from absolute path names # file: mnt/volume1/mailserver/plain/maildir/ # owner: austin # group: austin user::rwx group::rwx other::r--
Austin Witmer
On Aug 20, 2022, at 11:15 AM, spi <spi@nurfuerspam.de> wrote:
Am 20.08.22 um 16:52 schrieb Austin Witmer: Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
Here is the output of dovecot -n
austin@mail:~$ doveconf -n # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.16 (09c29328) # OS: Linux 5.15.0-46-generic x86_64 Ubuntu 22.04.1 LTS # Hostname: mail auth_mechanisms = plain login listen = * mail_location = mbox:~/mail:INBOX=/var/mail/%u mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { driver = pam } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { sieve = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/scripts;active=/mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve sieve_before = /var/lib/dovecot/sieve/ sieve_global_dir = /var/lib/dovecot/sieve/ sieve_global_path = /var/lib/dovecot/sieve/default.sieve sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log } protocols = imap lmtp pop3 imap lmtp sieve pop3 service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 } service_count = 1 } ssl = required ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes userdb { driver = passwd } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocol lmtp { hostname = mail.mydomain.com mail_plugins = " sieve" postmaster_address = postmaster@mydomain.com } protocol lda { mail_plugins = " sieve" }
Austin Witmer
On Aug 20, 2022, at 12:09 PM, Austin Witmer <austin96@emypeople.net> wrote:
And no, I don’t think I am using ACL’s.
getfacl austin /mnt/volume1/mailserver/plain/maildir/ getfacl: austin: No such file or directory getfacl: Removing leading '/' from absolute path names # file: mnt/volume1/mailserver/plain/maildir/ # owner: austin # group: austin user::rwx group::rwx other::r--
Austin Witmer
On Aug 20, 2022, at 11:15 AM, spi <spi@nurfuerspam.de> wrote:
Am 20.08.22 um 16:52 schrieb Austin Witmer: Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
There are a number of issues that can appear to be ACL issues when in fact its something else.
As other's have mentioned, AppArmor profiles and SELinux contexts can be checked and are the most common. There are ACL permissions as well if you enabled ACL (they are not enabled by default on Ubuntu server). I've occasionally (rarely) seen some weird interactions with sockets between MDA and MTA if the permissions on the directory were not set correctly.
Additionally, if a mount permission mask is being used, that can occasionally cause similar issues as well, as is often the case with using an NTFS backing filesystem for maildir that's been mounted with unix perms. There can also be some edge-cases with permissions in Ubuntu's flavored snap containers as well as docker containers and custom sieves.
Its difficult to say with any accuracy what is causing your issue with the information provided.
Have you increased the verbosity of the logging?
If all of the normal culprits do not stand out, maybe some others will have an idea.
As a final fallback you can always set a breakpoint and use a reverse debugger. Its not going to be performant but it will at least narrow down where the issue is coming from, and what the intermediate states were that led to the error so you can save/replicate them moving forward for resolution. Non-determinism can creep into code in a lot of different ways.
Best Regards, N
On Tue, Aug 23, 2022 at 4:53 AM Austin Witmer <austin96@emypeople.net> wrote:
Here is the output of dovecot -n
*austin@mail*:*~*$ doveconf -n # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.16 (09c29328) # OS: Linux 5.15.0-46-generic x86_64 Ubuntu 22.04.1 LTS # Hostname: mail auth_mechanisms = plain login listen = * mail_location = mbox:~/mail:INBOX=/var/mail/%u mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { driver = pam } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { sieve = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/scripts;active=/mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve sieve_before = /var/lib/dovecot/sieve/ sieve_global_dir = /var/lib/dovecot/sieve/ sieve_global_path = /var/lib/dovecot/sieve/default.sieve sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log } protocols = imap lmtp pop3 imap lmtp sieve pop3 service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 } service_count = 1 } ssl = required ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes userdb { driver = passwd } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocol lmtp { hostname = mail.mydomain.com mail_plugins = " sieve" postmaster_address = postmaster@mydomain.com } protocol lda { mail_plugins = " sieve" }
Austin Witmer
On Aug 20, 2022, at 12:09 PM, Austin Witmer <austin96@emypeople.net> wrote:
And no, I don’t think I am using ACL’s.
getfacl austin /mnt/volume1/mailserver/plain/maildir/ getfacl: austin: No such file or directory getfacl: Removing leading '/' from absolute path names # file: mnt/volume1/mailserver/plain/maildir/ # owner: austin # group: austin user::rwx group::rwx other::r--
Austin Witmer
On Aug 20, 2022, at 11:15 AM, spi <spi@nurfuerspam.de> wrote:
Am 20.08.22 um 16:52 schrieb Austin Witmer: Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/ domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
I’m am still getting the errors I mentioned previously. Maybe half a dozen of them per day . . .
So, the location of my mail storage (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted by gocryptfs. Do you think gocryptfs could be at fault here?
Austin Witmer
On Aug 24, 2022, at 12:10 PM, lorek <dundir@gmail.com> wrote:
There are a number of issues that can appear to be ACL issues when in fact its something else.
As other's have mentioned, AppArmor profiles and SELinux contexts can be checked and are the most common. There are ACL permissions as well if you enabled ACL (they are not enabled by default on Ubuntu server). I've occasionally (rarely) seen some weird interactions with sockets between MDA and MTA if the permissions on the directory were not set correctly.
Additionally, if a mount permission mask is being used, that can occasionally cause similar issues as well, as is often the case with using an NTFS backing filesystem for maildir that's been mounted with unix perms. There can also be some edge-cases with permissions in Ubuntu's flavored snap containers as well as docker containers and custom sieves.
Its difficult to say with any accuracy what is causing your issue with the information provided.
Have you increased the verbosity of the logging?
If all of the normal culprits do not stand out, maybe some others will have an idea.
As a final fallback you can always set a breakpoint and use a reverse debugger. Its not going to be performant but it will at least narrow down where the issue is coming from, and what the intermediate states were that led to the error so you can save/replicate them moving forward for resolution. Non-determinism can creep into code in a lot of different ways.
Best Regards, N
On Tue, Aug 23, 2022 at 4:53 AM Austin Witmer <austin96@emypeople.net <mailto:austin96@emypeople.net>> wrote: Here is the output of dovecot -n
austin@mail:~$ doveconf -n # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.16 (09c29328) # OS: Linux 5.15.0-46-generic x86_64 Ubuntu 22.04.1 LTS # Hostname: mail auth_mechanisms = plain login listen = * mail_location = mbox:~/mail:INBOX=/var/mail/%u mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { driver = pam } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { sieve = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/scripts;active=/mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve sieve_before = /var/lib/dovecot/sieve/ sieve_global_dir = /var/lib/dovecot/sieve/ sieve_global_path = /var/lib/dovecot/sieve/default.sieve sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log } protocols = imap lmtp pop3 imap lmtp sieve pop3 service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 } service_count = 1 } ssl = required ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem <http://mail.mydomain.com/fullchain.pem> ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes userdb { driver = passwd } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocol lmtp { hostname = mail.mydomain.com <http://mail.mydomain.com/> mail_plugins = " sieve" postmaster_address = postmaster@mydomain.com <mailto:postmaster@mydomain.com> } protocol lda { mail_plugins = " sieve" }
Austin Witmer
On Aug 20, 2022, at 12:09 PM, Austin Witmer <austin96@emypeople.net <mailto:austin96@emypeople.net>> wrote:
And no, I don’t think I am using ACL’s.
getfacl austin /mnt/volume1/mailserver/plain/maildir/ getfacl: austin: No such file or directory getfacl: Removing leading '/' from absolute path names # file: mnt/volume1/mailserver/plain/maildir/ # owner: austin # group: austin user::rwx group::rwx other::r--
Austin Witmer
On Aug 20, 2022, at 11:15 AM, spi <spi@nurfuerspam.de <mailto:spi@nurfuerspam.de>> wrote:
Am 20.08.22 um 16:52 schrieb Austin Witmer: Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com <mailto:user@domain.com>)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> <http://domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> <http://domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> <http://domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
Am 30.08.22 um 20:43 schrieb Austin Witmer:
I’m am still getting the errors I mentioned previously. Maybe half a dozen of them per day . . .
So, the location of my mail storage (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted by gocryptfs. Do you think gocryptfs could be at fault here?
Austin Witmer
Before and after mounting: What are the mount folder's user/group permissions? Who owns the mount folder (user/group)?
If you do a "stat /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>" as the user dovecot is running as (from your mail I see austin owns that file - is dovecot run as user austin?) - do you also get an error?
If you do get an error - could you create a small encrypted fs and mount it to another folder, create a file there and check again for "stat file"? Play with the permissions and user/group assignments. Still getting an error?
-- Cheers spi
See below . . .
On Aug 30, 2022, at 1:41 PM, spi <spi@nurfuerspam.de> wrote:
Am 30.08.22 um 20:43 schrieb Austin Witmer:
I’m am still getting the errors I mentioned previously. Maybe half a dozen of them per day . . .
So, the location of my mail storage (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted by gocryptfs. Do you think gocryptfs could be at fault here?
Austin Witmer
Before and after mounting: What are the mount folder's user/group permissions? Who owns the mount folder (user/group)?
The owner is austin and group is austin before and after mounting the folder. I would need to verify that the owner is still the same before the folder is mounted sometime while my server is offline.
If you do a "stat /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>" as the user dovecot is running as (from your mail I see austin owns that file - is dovecot run as user austin?) - do you also get an error?
I would think that dovecot is running as user austin, but I’m not sure how to verify that?
If you do get an error - could you create a small encrypted fs and mount it to another folder, create a file there and check again for "stat file"? Play with the permissions and user/group assignments. Still getting an error?
-- Cheers spi
So here is one of the last log lines from my mail.err file.
Aug 30 23:09:11 mail dovecot: lmtp(user@domain.com)<179137><WgoPM5eYDmPBuwIAZU03Dg>: Error: open(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist.lock) failed: Operation not permitted Aug 30 23:09:11 mail dovecot: lmtp(user@domain.com)<179137><WgoPM5eYDmPBuwIAZU03Dg>: Error: lmtp-server: conn unix:pid=179136,uid=112 [1]: rcpt user@domain.com: Mailbox INBOX: file_dotlock_create(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist) failed: Operation not permitted Aug 30 23:09:11 mail dovecot: lmtp(user@domain.com)<179137><WgoPM5eYDmPBuwIAZU03Dg>: Error: sieve: msgid=<d37ab115ceaf45b3b3ff87b90b4fb3ca@Exchange.ssmail.org>: failed to store into mailbox 'INBOX': Mailbox INBOX: file_dotlock_create(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist) failed: Operation not permitted Aug 30 23:09:11 mail dovecot: lmtp(user@domain.com)<179137><WgoPM5eYDmPBuwIAZU03Dg>: Error: sieve: Execution of script /var/lib/dovecot/sieve/default.sieve was aborted due to temporary failure
Here is the stat command one of the files that dovecot seem to not be able to access.
austin@mail:/mnt/volume1/mailserver$ stat /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist File: /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist Size: 60565 Blocks: 120 IO Block: 4096 regular file Device: 2bh/43d Inode: 146325 Links: 1 Access: (0660/-rw-rw----) Uid: ( 1000/ austin) Gid: ( 1000/ austin) Access: 2022-08-30 23:19:24.701469295 +0000 Modify: 2022-08-30 23:16:34.155318207 +0000 Change: 2022-08-30 23:16:34.163318308 +0000 Birth: -
Is the problem that the x perm is missing from both the user and group for this file? I have tried different times to recursively apply wrx permissions to all the folders and files but it seems like dovecot must create files that it later cannot access. Or maybe I am not understanding this correctly?
Why am I getting these errors only about 1% of the time and the rest of the time it works fine? This seems to be randomly happening to various users on my server.
Thanks again to all of you for your help!
Austin Witmer
"Austin" == Austin Witmer <austin96@emypeople.net> writes:
Austin> So, the location of my mail storage Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault Austin> here?
Is it automounted? I've seen issues where dovecot tries to access a file before the mount has finished, giving a pmerssions denied error.
Peter C
No, I am manually mounting it when I start my server. I then start dovecot.
Austin Witmer
On Aug 30, 2022, at 9:40 PM, peter@chubb.wattle.id.au wrote:
"Austin" == Austin Witmer <austin96@emypeople.net> writes:
Austin> So, the location of my mail storage Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault Austin> here?
Is it automounted? I've seen issues where dovecot tries to access a file before the mount has finished, giving a pmerssions denied error.
Peter C
If you are running gocryptfs with Dovecot, you need to ensure that Dovecot has access to the files even when you are not logged in. Perhaps gocryptfs is blocking access to processes not originating from your session?
Aki
On 31/08/2022 07:14 EEST Austin Witmer <austin96@emypeople.net> wrote:
No, I am manually mounting it when I start my server. I then start dovecot.
Austin Witmer
On Aug 30, 2022, at 9:40 PM, peter@chubb.wattle.id.au wrote:
> "Austin" == Austin Witmer <austin96@emypeople.net> writes:
Austin> So, the location of my mail storage Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault Austin> here?
Is it automounted? I've seen issues where dovecot tries to access a file before the mount has finished, giving a pmerssions denied error.
Peter C
My mail storage is located on a block storage volume connected to my droplet in digital ocean.
Austin Witmer
On Aug 20, 2022, at 11:15 AM, spi <spi@nurfuerspam.de> wrote:
Am 20.08.22 um 16:52 schrieb Austin Witmer: Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
*austin@mail*:*~*$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 */mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log <http://domain.com/user/dovecot.index.log>*
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
participants (7)
-
Aki Tuomi
-
Austin Witmer
-
Erwan David
-
lorek
-
peter@chubb.wattle.id.au
-
Remo Mattei
-
spi