Permission denied UNIX perms appear ok (ACL/MAC wrong?))
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
austin@mail:~$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
-rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Is there any chance that high memory utilization could be responsible for some of these errors? I’ve noticed recently that my memory is running anywhere from 80-85%.
Austin Witmer
Did you check whether your Linux distribution uses SELinux or AppArmor? In that case you would have to check their policy to give dovecot access to this directory.
Try ls -laZ
On 20 Aug 2022, at 08:08, Erwan David erwan@rail.eu.org wrote:
Did you check whether your Linux distribution uses SELinux or AppArmor? In that case you would have to check their policy to give dovecot access to this directory.
Ok, here is the output of that command.
austin@mail:~$ ls -laZ /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.list.index.log
-rwxrwxr-- 1 austin austin ? 6796 Aug 20 14:40 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.list.index.log
Does that tell you anything?
Austin Witmer
On Aug 20, 2022, at 9:56 AM, Remo Mattei rm@rm.ht wrote:
Try ls -laZ
See below.
On Aug 20, 2022, at 9:56 AM, Remo Mattei rm@rm.ht wrote:
Try ls -laZ
On 20 Aug 2022, at 08:08, Erwan David erwan@rail.eu.org wrote:
Did you check whether your Linux distribution uses SELinux or AppArmor? In that case you would have to check their policy to give dovecot access to this directory.
No, I’m not familiar with SELinux or AppArmor. Tell me what I should do or check.
Thanks!
Austin Witmer
On 20/08/2022 at 18:23, Austin Witmer wrote:
See below.
No, I’m not familiar with SELinux or AppArmor. Tell me what I should do or check.
Thanks!
Austin Witmer
I'm not sure. apparmor logs in kern.log
You can try a grep mailserver/plain/maildir/domain.com /var/log/*.log for a start
Thanks to all of you for your input!
I think I may have gotten this resolved. More time and testing will tell! More details later . . .
Austin Witmer
On Aug 20, 2022, at 9:06 AM, Erwan David erwan@rail.eu.org wrote:
Did you check whether your Linux distribution uses SELinux or AppArmor? In that case you would have to check their policy to give dovecot access to this directory.
It’s a mount partition you should check that probably it is nfs.
Good luck.
On 21 Aug 2022, at 07:43, Austin Witmer austin96@emypeople.net wrote:
Thanks to all of you for your input!
I think I may have gotten this resolved. More time and testing will tell! More details later . . .
Austin Witmer
Hello all!
My strange permission errors in my log files seem to have disappeared. The only thing I can think of that I changed was mounting my encrypted folder without using sudo. Example: "gocryptfs -allow_other cipher plain" instead of "sudo gocryptfs -allow_other cipher plain".
Thanks to all of you for your help and suggestions!
Austin Witmer
On Aug 21, 2022, at 10:03 AM, Remo Mattei rm@rm.ht wrote:
It’s a mount partition you should check that probably it is nfs.
Good luck.
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
And no, I don’t think I am using ACL’s.
getfacl austin /mnt/volume1/mailserver/plain/maildir/
getfacl: austin: No such file or directory
getfacl: Removing leading '/' from absolute path names
# file: mnt/volume1/mailserver/plain/maildir/
# owner: austin
# group: austin
user::rwx
group::rwx
other::r--
Austin Witmer
On Aug 20, 2022, at 11:15 AM, spi spi@nurfuerspam.de wrote:
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
Here is the output of dovecot -n
austin@mail:~$ doveconf -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-46-generic x86_64 Ubuntu 22.04.1 LTS
# Hostname: mail
auth_mechanisms = plain login
listen = *
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/scripts;active=/mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve
  sieve_before = /var/lib/dovecot/sieve/
  sieve_global_dir = /var/lib/dovecot/sieve/
  sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log
}
protocols = imap lmtp pop3 imap lmtp sieve pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
}
ssl = required
ssl_cert =
Austin Witmer
On Aug 20, 2022, at 12:09 PM, Austin Witmer austin96@emypeople.net wrote:
And no, I don’t think I am using ACL’s.
getfacl austin /mnt/volume1/mailserver/plain/maildir/
getfacl: austin: No such file or directory
getfacl: Removing leading '/' from absolute path names
# file: mnt/volume1/mailserver/plain/maildir/
# owner: austin
# group: austin
user::rwx
group::rwx
other::r--
Austin Witmer
There are a number of issues that can appear to be ACL issues when in fact it's something else.
As others have mentioned, AppArmor profiles and SELinux contexts can be checked and are the most common. There are ACL permissions as well if you enabled ACL (they are not enabled by default on Ubuntu server). I've occasionally (rarely) seen some weird interactions with sockets between MDA and MTA if the permissions on the directory were not set correctly.
Additionally, if a mount permission mask is being used, that can occasionally cause similar issues as well, as is often the case with using an NTFS backing filesystem for maildir that's been mounted with unix perms. There can also be some edge-cases with permissions in Ubuntu's flavored snap containers as well as docker containers and custom sieves.
It's difficult to say with any accuracy what is causing your issue with the information provided.
Have you increased the verbosity of the logging?
If all of the normal culprits do not stand out, maybe some others will have an idea.
As a final fallback you can always set a breakpoint and use a reverse debugger. It's not going to be performant but it will at least narrow down where the issue is coming from, and what the intermediate states were that led to the error so you can save/replicate them moving forward for resolution. Non-determinism can creep into code in a lot of different ways.
Best Regards, N
I’m still getting the errors I mentioned previously. Maybe half a dozen of them per day . . .
So, the location of my mail storage (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted by gocryptfs. Do you think gocryptfs could be at fault here?
Austin Witmer
On Aug 24, 2022, at 12:10 PM, lorek dundir@gmail.com wrote:
There are a number of issues that can appear to be ACL issues when in fact it's something else.
As others have mentioned, AppArmor profiles and SELinux contexts can be checked and are the most common. There are ACL permissions as well if you enabled ACL (they are not enabled by default on Ubuntu server). I've occasionally (rarely) seen some weird interactions with sockets between MDA and MTA if the permissions on the directory were not set correctly.
Additionally, if a mount permission mask is being used, that can occasionally cause similar issues as well, as is often the case with using an NTFS backing filesystem for maildir that's been mounted with unix perms. There can also be some edge-cases with permissions in Ubuntu's flavored snap containers as well as docker containers and custom sieves.
It's difficult to say with any accuracy what is causing your issue with the information provided.
Have you increased the verbosity of the logging?
If all of the normal culprits do not stand out, maybe some others will have an idea.
As a final fallback you can always set a breakpoint and use a reverse debugger. It's not going to be performant but it will at least narrow down where the issue is coming from, and what the intermediate states were that led to the error so you can save/replicate them moving forward for resolution. Non-determinism can creep into code in a lot of different ways.
Best Regards, N
On Tue, Aug 23, 2022 at 4:53 AM Austin Witmer austin96@emypeople.net wrote:
Here is the output of dovecot -n
austin@mail:~$ doveconf -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-46-generic x86_64 Ubuntu 22.04.1 LTS
# Hostname: mail
auth_mechanisms = plain login
listen = *
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/scripts;active=/mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve
  sieve_before = /var/lib/dovecot/sieve/
  sieve_global_dir = /var/lib/dovecot/sieve/
  sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log
}
protocols = imap lmtp pop3 imap lmtp sieve pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
}
ssl = required
ssl_cert = http://mail.mydomain.com/fullchain.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol lmtp {
  hostname = mail.mydomain.com
  mail_plugins = " sieve"
  postmaster_address = postmaster@mydomain.com
}
protocol lda {
  mail_plugins = " sieve"
}
On 30.08.22 at 20:43, Austin Witmer wrote:
I am still getting the errors I mentioned previously. Maybe half a dozen of them per day . . .
So, the location of my mail storage (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted by gocryptfs. Do you think gocryptfs could be at fault here?
Austin Witmer
Before and after mounting: What are the mount folder's user/group permissions? Who owns the mount folder (user/group)?
If you do a "stat /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log" as the user dovecot is running as (from your mail I see austin owns that file - is dovecot run as user austin?) - do you also get an error?
If you do get an error - could you create a small encrypted fs and mount it to another folder, create a file there and check again for "stat file"? Play with the permissions and user/group assignments. Still getting an error?
-- Cheers spi
See below . . .
On Aug 30, 2022, at 1:41 PM, spi spi@nurfuerspam.de wrote:
On 30.08.22 at 20:43, Austin Witmer wrote:
I am still getting the errors I mentioned previously. Maybe half a dozen of them per day . . .
So, the location of my mail storage (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted by gocryptfs. Do you think gocryptfs could be at fault here?
Austin Witmer
Before and after mounting: What are the mount folder's user/group permissions? Who owns the mount folder (user/group)?
The owner is austin and group is austin before and after mounting the folder. I would need to verify that the owner is still the same before the folder is mounted sometime while my server is offline.
If you do a "stat /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log" as the user dovecot is running as (from your mail I see austin owns that file - is dovecot run as user austin?) - do you also get an error?
I would think that dovecot is running as user austin, but I’m not sure how to verify that?
If you do get an error - could you create a small encrypted fs and mount it to another folder, create a file there and check again for "stat file"? Play with the permissions and user/group assignments. Still getting an error?
-- Cheers spi
So here is one of the last log lines from my mail.err file.
Aug 30 23:09:11 mail dovecot: lmtp(user@domain.com)<179137><WgoPM5eYDmPBuwIAZU03Dg>: Error: open(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist.lock) failed: Operation not permitted
Aug 30 23:09:11 mail dovecot: lmtp(user@domain.com)<179137><WgoPM5eYDmPBuwIAZU03Dg>: Error: lmtp-server: conn unix:pid=179136,uid=112 [1]: rcpt user@domain.com: Mailbox INBOX: file_dotlock_create(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist) failed: Operation not permitted
Aug 30 23:09:11 mail dovecot: lmtp(user@domain.com)<179137><WgoPM5eYDmPBuwIAZU03Dg>: Error: sieve: msgid=d37ab115ceaf45b3b3ff87b90b4fb3ca@Exchange.ssmail.org: failed to store into mailbox 'INBOX': Mailbox INBOX: file_dotlock_create(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist) failed: Operation not permitted
Aug 30 23:09:11 mail dovecot: lmtp(user@domain.com)<179137><WgoPM5eYDmPBuwIAZU03Dg>: Error: sieve: Execution of script /var/lib/dovecot/sieve/default.sieve was aborted due to temporary failure
Here is the stat command on one of the files that dovecot seems to not be able to access.
austin@mail:/mnt/volume1/mailserver$ stat /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist
  File: /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist
  Size: 60565 Blocks: 120 IO Block: 4096 regular file
Device: 2bh/43d Inode: 146325 Links: 1
Access: (0660/-rw-rw----) Uid: ( 1000/ austin) Gid: ( 1000/ austin)
Access: 2022-08-30 23:19:24.701469295 +0000
Modify: 2022-08-30 23:16:34.155318207 +0000
Change: 2022-08-30 23:16:34.163318308 +0000
 Birth: -
Is the problem that the x perm is missing from both the user and group for this file? I have tried different times to recursively apply wrx permissions to all the folders and files but it seems like dovecot must create files that it later cannot access. Or maybe I am not understanding this correctly?
Why am I getting these errors only about 1% of the time and the rest of the time it works fine? This seems to be randomly happening to various users on my server.
Thanks again to all of you for your help!
Austin Witmer
"Austin" == Austin Witmer austin96@emypeople.net writes:
Austin> So, the location of my mail storage
Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem
Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault
Austin> here?
Is it automounted? I've seen issues where dovecot tries to access a file before the mount has finished, giving a permissions denied error.
Peter C
No, I am manually mounting it when I start my server. I then start dovecot.
Austin Witmer
On Aug 30, 2022, at 9:40 PM, peter@chubb.wattle.id.au wrote:
"Austin" == Austin Witmer austin96@emypeople.net writes:
Austin> So, the location of my mail storage
Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem
Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault
Austin> here?
Is it automounted? I've seen issues where dovecot tries to access a file before the mount has finished, giving a permissions denied error.
Peter C
If you are running gocryptfs with Dovecot, you need to ensure that Dovecot has access to the files even when you are not logged in. Perhaps gocryptfs is blocking access to processes not originating from your session?
Aki
On 31/08/2022 07:14 EEST Austin Witmer austin96@emypeople.net wrote:
No, I am manually mounting it when I start my server. I then start dovecot.
Austin Witmer
On Aug 30, 2022, at 9:40 PM, peter@chubb.wattle.id.au wrote:
> "Austin" == Austin Witmer austin96@emypeople.net writes:
Austin> So, the location of my mail storage
Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem
Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault
Austin> here?
Is it automounted? I've seen issues where dovecot tries to access a file before the mount has finished, giving a permissions denied error.
Peter C
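Aki's question above, whether gocryptfs refuses processes other than the one that mounted it, can be checked from the mount table: a FUSE mount without allow_other admits only processes whose uid and gid equal the mount's user_id/group_id, whatever the mode bits say. The script below is an added example, not code from the thread; the sample mount lines and the "cipher" directory name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The mount table below is constructed;
# the ciphertext directory name "cipher" is hypothetical.
sample_mounts() {
    cat <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
/dev/sda /mnt/volume1 ext4 rw,noatime 0 0
/mnt/volume1/mailserver/cipher /mnt/volume1/mailserver/plain fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
}

# Print "mountpoint fstype options" for the longest mount point that contains
# path $1. $2 is a table in /proc/self/mounts format (that file by default).
mount_for() {
    awk -v p="$1" 'BEGIN { best = 0 }
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); hit = $2 " " $3 " " $4 }
        }
        END { if (hit != "") print hit }' "${2:-/proc/self/mounts}"
}

# fuse_verdict UID GID PATH [TABLE]: would a process whose real, effective and
# saved ids are all UID/GID pass the FUSE mount-owner check for PATH?
#   not-fuse  no owner check applies; look at mode bits, ACLs and MAC instead
#   allowed   allow_other is set, or the ids equal user_id= and group_id=
#   blocked   refused before mode bits are consulted (root too, by default)
fuse_verdict() {
    info=$(mount_for "$3" "$4")
    fstype=${info#* }; fstype=${fstype%% *}
    opts=",${info##* },"
    case "$fstype" in
        fuse|fuse.*|fuseblk) ;;
        *) echo not-fuse; return 0 ;;
    esac
    case "$opts" in *,allow_other,*) echo allowed; return 0 ;; esac
    # The kernel prints user_id= and group_id= adjacent, in this order.
    case "$opts" in
        *",user_id=$1,group_id=$2,"*) echo allowed ;;
        *) echo blocked ;;
    esac
}

# Demo on the constructed table, using the path from the log lines above.
f=/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist
t=$(mktemp) && sample_mounts > "$t"
for ids in "1000 1000" "1000 8" "0 0"; do
    echo "uid/gid $ids: $(fuse_verdict $ids "$f" "$t")"
done
rm -f "$t"
```

Omit the last argument to read the live /proc/self/mounts instead of the constructed table.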
My mail storage is located on a block storage volume connected to my droplet in DigitalOcean.
Austin Witmer
On Aug 20, 2022, at 11:15 AM, spi spi@nurfuerspam.de wrote:
On 20.08.22 at 16:52, Austin Witmer wrote:
Hello all!
Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I am periodically getting some dovecot errors like the below in my mail log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
Aug 20 14:41:58 mail dovecot: imap(user@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
And here is the listing showing the permissions for that file.
austin@mail:~$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
-rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
What in the world is causing these errors, and what can I do about them?
Thanks in advance!
Austin Witmer
Do you use any ACLs? Is this just a block device mounted or do you use any network file sharing like nfs?
ACLs you can check by 'getfacl foo'.
-- Cheers spi
participants (7)
- Aki Tuomi
- Austin Witmer
- Erwan David
- lorek
- peter@chubb.wattle.id.au
- Remo Mattei
- spi