(Please keep me CC'd, I'm not subscribed)

Hi folks,

I'm using dovecot 2.1.7 (from Debian stable) with sieve. I have default sieve script configured, which lives in /etc/dovecot/sieve. I use dovecot-lda running under the virtual-mail user, which does not have write access to the /etc/dovecot/sieve directory.

Now, when a mail gets delivered, I get the following message in my logs.

Jun 25 14:29:43 mail dovecot: lda(2001): Error: sieve: binary save: failed to create temporary file: open(/etc/dovecot/sieve/default.svbin.mail.local.18902.) failed: Permission denied (euid=2009(virtual-mail) egid=2009(virtual-mail) missing +w perm: /etc/dovecot/sieve, dir owned by 0:0 mode=0755) Jun 25 14:29:43 mail dovecot: lda(2001): Error: sieve: the lda sieve plugin does not have permission to save global sieve script binaries; global sieve scripts like /etc/dovecot/sieve/default need to be pre-compiled using the sievec tool

Due to the lack of permissions, this is of course expected. However, when I then try to precompile the script using sievec, that also fails:

# sievec /etc/dovecot/sieve/default sievec(root): Error: sieve: binary save: failed to create temporary file: open(/etc/dovecot/sieve/default.svbin.mail.local.18952.) failed: Permission denied (euid=2009(virtual-mail) egid=2009(virtual-mail) missing +w perm: /etc/dovecot/sieve, dir owned by 0:0 mode=0755)

So, apparently sievec drops privileges to the virtual-mail user. Why does this happen? It seems kind of counter-productive - I don't see a way to properly run sievec as root now? How is this supposed to work?

Now I wrote this, I realized that it might be related that I have specified mail_uid and mail_gid globally in my dovecot.conf file. Perhaps those are intended to only be put inside the protocol imap and protocol lda blocks? This would mean duplicating of this bit of configuration, which doesn't really sound nice.

Gr.

Matthijs

PS, here's my dovecot -n output:

# 2.1.7: /etc/dovecot/dovecot.conf # OS: Linux 3.10-1-amd64 x86_64 Debian 7.5 log_timestamp = "%Y-%m-%d %H:%M:%S " mail_access_groups = spamd-access mail_debug = yes mail_gid = virtual-mail mail_location = Maildir:~/Folders:INBOX=~/INBOX:LAYOUT=fs mail_uid = virtual-mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { antispam_backend = pipe antispam_pipe_program = /usr/bin/spamc antispam_pipe_program_args = --socket=/var/run/spamd.socket antispam_pipe_program_notspam_arg = --learntype=ham antispam_pipe_program_spam_arg = --learntype=spam antispam_spam = Spam antispam_trash_pattern_ignorecase = trash;Deleted *;Prullenbak;Verwijderde * sieve = ~/sieve sieve_dir = ~/sieve.d sieve_global_path = /etc/dovecot/sieve/default } protocols = imap sieve service auth { unix_listener auth-client { group = Debian-exim mode = 0600 user = Debian-exim } unix_listener auth-master { group = virtual-mail mode = 0600 user = virtual-mail } user = nobody } ssl_cert = <ssl/mail.tikatika.nl.crt-chain ssl_key = <ssl/mail.tikatika.nl.key userdb { args = home=/data/mail/%u allow_all_users=yes uid=virtual-mail gid=virtual-mail driver = static } protocol imap { mail_plugins = antispam } protocol lda { lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes mail_plugins = sieve postmaster_address = }