[Dovecot] 2.0.5: quota warning failing
From the log:
Oct 6 09:54:10 postamt dovecot: imap(hkunte): Error: quota: connect(/usr/local/scripts/quota-warning2) failed: Permission denied
From the config:
quota = maildir
quota_rule = INBOX.Trash:storage=+2048M
quota_warning = storage=99%% /usr/local/scripts/quota-warning2 99 %u
quota_warning2 = storage=95%% /usr/local/scripts/quota-warning2 95 %u
quota_warning3 = storage=90%% /usr/local/scripts/quota-warning2 90 %u
quota_warning4 = storage=85%% /usr/local/scripts/quota-warning2 85 %u
service quota-warning {
  executable = script /usr/local/scripts/quota-warning2
  # use some unprivileged user for executing the quota warnings
  user = vmail
  unix_listener quota-warning {
  }
}
But how exactly does this work? The user vmail cannot write to the users' mailboxes, so I'd have to run /usr/local/scripts/quota-warning2 as root, don't I?
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
Ralf Hildebrandt wrote on 06.10.2010:
> From the log:
>
> Oct 6 09:54:10 postamt dovecot: imap(hkunte): Error: quota: connect(/usr/local/scripts/quota-warning2) failed: Permission denied
>
> From the config:
>
> quota = maildir
> quota_rule = INBOX.Trash:storage=+2048M
> quota_warning = storage=99%% /usr/local/scripts/quota-warning2 99 %u
> quota_warning2 = storage=95%% /usr/local/scripts/quota-warning2 95 %u
> quota_warning3 = storage=90%% /usr/local/scripts/quota-warning2 90 %u
> quota_warning4 = storage=85%% /usr/local/scripts/quota-warning2 85 %u
>
> service quota-warning {
>   executable = script /usr/local/scripts/quota-warning2
>   # use some unprivileged user for executing the quota warnings
>   user = vmail
>   unix_listener quota-warning {
>   }
> }
>
> But how exactly does this work? The user vmail cannot write to the users' mailboxes, so I'd have to run /usr/local/scripts/quota-warning2 as root, don't I?
Personally I use this:
service quota-warning {
  executable = script /usr/bin/quota-warning.sh
  user = vmail
  unix_listener quota-warning {
    mode = 0660
    user = vmail
    group = vmail
  }
}
Same for some other sockets like "dict"...
-- Daniel
- Daniel Luttermann daniel@dlutt.de:
> Personally I use this:
>
> service quota-warning {
>   executable = script /usr/bin/quota-warning.sh
>   user = vmail
>   unix_listener quota-warning {
>     mode = 0660
>     user = vmail
>     group = vmail
>   }
> }
What is the meaning of the "unix_listener"? Can I run the script as user root, or will Dovecot deny this? Why do I need to specify the user twice?
-- Ralf Hildebrandt
On Wed, 2010-10-06 at 15:33 +0200, Ralf Hildebrandt wrote:
> service quota-warning {
>   executable = script /usr/bin/quota-warning.sh
>   user = vmail

The process is run as this user.

>   unix_listener quota-warning {
>     mode = 0660
>     user = vmail
>     group = vmail

These are the socket permissions, i.e. they specify which other processes can connect to it.

> Can I run the script as user root or will dovecot deny this?
Yeah, you can make the service user=root, but give only vmail user permission to it so only processes running as vmail can connect to it.
Do you use multiple UIDs for users? An alternative to running as root would be to use LMTP to deliver the "over quota" mail to user and use some trick to disable quota for this. Maybe something like:
protocol lmtp {
  local_ip 127.0.0.1 {
    plugin {
      quota = maildir:user:noenforcing
    }
  }
}
- Timo Sirainen tss@iki.fi:
> On Wed, 2010-10-06 at 15:33 +0200, Ralf Hildebrandt wrote:
> > service quota-warning {
> >   executable = script /usr/bin/quota-warning.sh
> >   user = vmail
>
> The process is run as this user.
>
> >   unix_listener quota-warning {
> >     mode = 0660
> >     user = vmail
> >     group = vmail
>
> These are the socket permissions, i.e. they specify which other processes can connect to it.
>
> > Can I run the script as user root or will dovecot deny this?
>
> Yeah, you can make the service user=root, but give only vmail user permission to it so only processes running as vmail can connect to it.

Good. The question is: which user will connect to the socket?

dovecot-lda will assume the UID of the user it's trying to deliver to. So any user must be able to connect to the socket?

> Do you use multiple UIDs for users?

Yes! Every user has his/her own UID.

> An alternative to running as root would be to use LMTP to deliver the "over quota" mail to user and use some trick to disable quota for this. Maybe something like:
>
> protocol lmtp {
>   local_ip 127.0.0.1 {
>     plugin {
>       quota = maildir:user:noenforcing
>     }
>   }
> }

Ugh.
-- Ralf Hildebrandt
On Wed, 2010-10-06 at 16:19 +0200, Ralf Hildebrandt wrote:
> > Yeah, you can make the service user=root, but give only vmail user permission to it so only processes running as vmail can connect to it.
>
> Good. The question is: which user will connect to the socket?
>
> dovecot-lda will assume the UID of the user it's trying to deliver to. So any user must be able to connect to the socket?

Yes. Although you could also play with groups, like make deliver always run with dovemail group enabled for the process (mail_access_groups=dovemail from deliver's side, but might be problematic from Postfix's side).

> > An alternative to running as root would be to use LMTP to deliver the "over quota" mail to user and use some trick to disable quota for this. Maybe something like:
> >
> > protocol lmtp {
> >   local_ip 127.0.0.1 {
> >     plugin {
> >       quota = maildir:user:noenforcing
> >     }
> >   }
> > }
>
> Ugh.
You're already using dovecot-lda to deliver the out-of-quota mails? How do you do this there then?
- Timo Sirainen tss@iki.fi:
> On Wed, 2010-10-06 at 16:19 +0200, Ralf Hildebrandt wrote:
> > > Yeah, you can make the service user=root, but give only vmail user permission to it so only processes running as vmail can connect to it.
> >
> > Good. The question is: which user will connect to the socket?
> >
> > dovecot-lda will assume the UID of the user it's trying to deliver to. So any user must be able to connect to the socket?
>
> Yes. Although you could also play with groups, like make deliver always run with dovemail group enabled for the process (mail_access_groups=dovemail from deliver's side, but might be problematic from Postfix's side).

In my setup I still have my users in /etc/passwd, thus everybody has their own ID.

> > > An alternative to running as root would be to use LMTP to deliver the "over quota" mail to user and use some trick to disable quota for this. Maybe something like:
> > >
> > > protocol lmtp {
> > >   local_ip 127.0.0.1 {
> > >     plugin {
> > >       quota = maildir:user:noenforcing
> > >     }
> > >   }
> > > }
> >
> > Ugh.
>
> You're already using dovecot-lda to deliver the out-of-quota mails?
No, I'm trying. I migrated from 1.2.4, where I used a script that delivered the "Over quota infomail" by writing into the Maildir DIRECTLY.
-- Ralf Hildebrandt
On Wed, 2010-10-06 at 15:29 +0100, Timo Sirainen wrote:
> > > protocol lmtp {
> > >   local_ip 127.0.0.1 {
> > >     plugin {
> > >       quota = maildir:user:noenforcing
> > >     }
> > >   }
> > > }
> >
> > Ugh.
>
> You're already using dovecot-lda to deliver the out-of-quota mails? How do you do this there then?
Oh, another simpler idea:
service lmtp-noquota {
  executable = lmtp -o plugin/quota=maildir:user:noenforcing
  unix_listener lmtp-noquota {
    mode = 0660
    group = ..
  }
}
- Timo Sirainen tss@iki.fi:
> On Wed, 2010-10-06 at 15:29 +0100, Timo Sirainen wrote:
> > > > protocol lmtp {
> > > >   local_ip 127.0.0.1 {
> > > >     plugin {
> > > >       quota = maildir:user:noenforcing
> > > >     }
> > > >   }
> > > > }
> > >
> > > Ugh.
> >
> > You're already using dovecot-lda to deliver the out-of-quota mails? How do you do this there then?
>
> Oh, another simpler idea:
>
> service lmtp-noquota {
>   executable = lmtp -o plugin/quota=maildir:user:noenforcing
>   unix_listener lmtp-noquota {
>     mode = 0660
>     group = ..
>   }
> }
Right now I have:
Oct 6 16:38:54 postamt dovecot: lda(ghinrich): save: box=INBOX, uid=993, msgid=20101006143814.GP19213@charite.de, size=11165930
Oct 6 16:38:54 postamt dovecot: lda(ghinrich): Error: quota: connect(/usr/local/scripts/quota-warning2) failed: Permission denied
Oct 6 16:38:56 postamt dovecot: lda(ghinrich): msgid=20101006143814.GP19213@charite.de: saved mail to INBOX

# groups ghinrich
ghinrich : users

But what is uid=993?

# grep :993: /etc/passwd

yields no result.

The socket:

srw-rw-rw- 1 vmail users 0 Okt 6 16:44 /usr/dovecot-2/var/run/dovecot/quota-warning

service quota-warning {
  executable = script /usr/local/scripts/quota-warning2
  user = root
  unix_listener quota-warning {
    mode = 0666
    user = vmail
    group = users
  }
}

The permissions are ok:

drwxr-xr-x  4 root root 4096 Okt 6 16:44 /usr/dovecot-2/var/run/dovecot
drwxr-xr-x  3 root root 4096 Okt 5 23:52 /usr/dovecot-2/var/run
drwxr-xr-x  4 root root 4096 Okt 5 23:52 /usr/dovecot-2/var
drwxr-xr-x 11 root root 4096 Okt 5 23:52 /usr/dovecot-2
drwxr-xr-x 16 root root 4096 Okt 5 21:13 /usr
drwxr-xr-x 23 root root 4096 Sep 9 12:49 /
-- Ralf Hildebrandt
On Wed, 2010-10-06 at 16:48 +0200, Ralf Hildebrandt wrote:
> Right now I have:
>
> Oct 6 16:38:54 postamt dovecot: lda(ghinrich): save: box=INBOX, uid=993, msgid=20101006143814.GP19213@charite.de, size=11165930
> Oct 6 16:38:54 postamt dovecot: lda(ghinrich): Error: quota: connect(/usr/local/scripts/quota-warning2) failed: Permission denied
> Oct 6 16:38:56 postamt dovecot: lda(ghinrich): msgid=20101006143814.GP19213@charite.de: saved mail to INBOX
>
> # groups ghinrich
> ghinrich : users
>
> But what is uid=993?

Yeah, it's a bit confusing to have both IMAP and UNIX UIDs referred to as only UIDs. So the 993 above means the message's IMAP UID.

> The socket:
>
> srw-rw-rw- 1 vmail users 0 Okt 6 16:44 /usr/dovecot-2/var/run/dovecot/quota-warning
Note that above it's trying to connect to /usr/local/scripts/quota-warning2, which is a completely different directory. So your quota_warning setting shouldn't have the executable path, but only "quota-warning".
- Timo Sirainen tss@iki.fi:
> On Wed, 2010-10-06 at 16:48 +0200, Ralf Hildebrandt wrote:
> > Right now I have:
> >
> > Oct 6 16:38:54 postamt dovecot: lda(ghinrich): save: box=INBOX, uid=993, msgid=20101006143814.GP19213@charite.de, size=11165930
> > Oct 6 16:38:54 postamt dovecot: lda(ghinrich): Error: quota: connect(/usr/local/scripts/quota-warning2) failed: Permission denied
> > Oct 6 16:38:56 postamt dovecot: lda(ghinrich): msgid=20101006143814.GP19213@charite.de: saved mail to INBOX
> >
> > # groups ghinrich
> > ghinrich : users
> >
> > But what is uid=993?
>
> Yeah, it's a bit confusing to have both IMAP and UNIX UIDs referred to as only UIDs. So the 993 above means the message's IMAP UID.

I noticed, since the next delivery had 994 :)

> > The socket:
> >
> > srw-rw-rw- 1 vmail users 0 Okt 6 16:44 /usr/dovecot-2/var/run/dovecot/quota-warning
>
> Note that above it's trying to connect to /usr/local/scripts/quota-warning2, which is a completely different directory. So your quota_warning setting shouldn't have the executable path, but only "quota-warning".
FUUUUCK.
-- Ralf Hildebrandt
- Ralf Hildebrandt Ralf.Hildebrandt@charite.de:
> > Note that above it's trying to connect to /usr/local/scripts/quota-warning2, which is a completely different directory. So your quota_warning setting shouldn't have the executable path, but only "quota-warning".
>
> FUUUUCK.
Ok, better. Not working, but better:

Oct 6 17:06:24 postamt dovecot: quota-warning: Error: lda: Fatal: Unknown argument: plugin/quota=maildir:User quota:noenforcing
Oct 6 17:06:24 postamt quota-warning2(ghinrich): writing message failed
Oct 6 17:06:24 postamt dovecot: master: Error: service(quota-warning): child 18837 returned error 1

The actual dovecot-lda invocation is:

${BIN_CAT} << EOF | /usr/dovecot-2/libexec/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
some text
EOF

dovecot.conf says:

quota = maildir

so should I just use "plugin/quota=maildir:noenforcing"?

I also tried that and got:

Oct 6 17:11:26 postamt dovecot: quota-warning: Error: lda: Fatal: Unknown argument: plugin/quota=maildir:noenforcing
Oct 6 17:11:26 postamt quota-warning2(ghinrich): writing message failed
Oct 6 17:11:26 postamt dovecot: master: Error: service(quota-warning): child 23274 returned error 1
Bloody hell, am I acting stupid?
-- Ralf Hildebrandt
- Ralf Hildebrandt Ralf.Hildebrandt@charite.de:
> The actual dovecot-lda invocation is:
>
> ${BIN_CAT} << EOF | /usr/dovecot-2/libexec/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
> some text
> EOF
>
> dovecot.conf says:
>
> quota = maildir
>
> so should I just use "plugin/quota=maildir:noenforcing"?
>
> I also tried that and got:
>
> Oct 6 17:11:26 postamt dovecot: quota-warning: Error: lda: Fatal: Unknown argument: plugin/quota=maildir:noenforcing
> Oct 6 17:11:26 postamt quota-warning2(ghinrich): writing message failed
> Oct 6 17:11:26 postamt dovecot: master: Error: service(quota-warning): child 23274 returned error 1
>
> Bloody hell, am I acting stupid?

# /usr/dovecot-2/libexec/dovecot/dovecot-lda -?
/usr/dovecot-2/libexec/dovecot/dovecot-lda: invalid option -- '?'
Usage: dovecot-lda [-c <config file>] [-a <address>] [-d <username>] [-p <path>] [-f <envelope sender>] [-m <mailbox>] [-e] [-k]

"-o" is not being mentioned anywhere. WTF?
-- Ralf Hildebrandt
On Wed, 2010-10-06 at 17:14 +0200, Ralf Hildebrandt wrote:
> Oct 6 17:06:24 postamt dovecot: quota-warning: Error: lda: Fatal: Unknown argument: plugin/quota=maildir:User quota:noenforcing

This looks as if it's missing the -o parameter..

> The actual dovecot-lda invocation is:
>
> ${BIN_CAT} << EOF | /usr/dovecot-2/libexec/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
> some text
> EOF

Looks right. Works with me:

[tss@kurkku] ~/cvs/dovecot-2.0/src/lda% echo hello|./dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
[tss@kurkku] ~/cvs/dovecot-2.0/src/lda% echo $?
0

> dovecot.conf says:
>
> quota = maildir
>
> so should I just use "plugin/quota=maildir:noenforcing"?

plugin/quota=maildir::noenforcing

The second parameter between ':' is quota root name (default is empty).

> # /usr/dovecot-2/libexec/dovecot/dovecot-lda -?
> /usr/dovecot-2/libexec/dovecot/dovecot-lda: invalid option -- '?'
> Usage: dovecot-lda [-c <config file>] [-a <address>] [-d <username>] [-p <path>] [-f <envelope sender>] [-m <mailbox>] [-e] [-k]
>
> "-o" is not being mentioned anywhere. WTF?
Yeah, the parameters that work with all Dovecot binaries aren't shown in help currently..
- Timo Sirainen tss@iki.fi:
> On Wed, 2010-10-06 at 17:14 +0200, Ralf Hildebrandt wrote:
> > Oct 6 17:06:24 postamt dovecot: quota-warning: Error: lda: Fatal: Unknown argument: plugin/quota=maildir:User quota:noenforcing
>
> This looks as if it's missing the -o parameter..
>
> > The actual dovecot-lda invocation is:
> >
> > ${BIN_CAT} << EOF | /usr/dovecot-2/libexec/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
> > some text
> > EOF
>
> Looks right. Works with me:
>
> [tss@kurkku] ~/cvs/dovecot-2.0/src/lda% echo hello|./dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
> [tss@kurkku] ~/cvs/dovecot-2.0/src/lda% echo $?
> 0

It must be

/usr/dovecot-2/libexec/dovecot/dovecot-lda -d $MAIL_TO -o "plugin/quota=maildir:User quota:noenforcing"

since $USER was empty...
-- Ralf Hildebrandt
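What the thread converges on: the quota_warning setting names the service's socket ("quota-warning"), not the executable path; the service block's user is who the script runs as, while the unix_listener mode/group decides who may connect (with one UNIX UID per user, dovecot-lda connects as the recipient, which is why Ralf ended up with mode = 0666); and the script delivers the warning through dovecot-lda with -o "plugin/quota=maildir::noenforcing", where the empty middle field is the quota root name. The script below is an added example that ties those pieces together; it is not the script from this thread and not anything shipped by Dovecot. Assumptions not taken from the thread: the dovecot-lda path /usr/libexec/dovecot/dovecot-lda (overridable through the DOVECOT_LDA environment variable), the sender address postmaster@example.com, the script path used in the config comment, and the argument validation rules.

```shell
#!/bin/sh
# quota-warning.sh PERCENT USER
# Added example, not the thread's quota-warning2 script. Dovecot runs it
# through "service quota-warning { executable = script ... }" with the
# two arguments from the quota_warning line, e.g. "95 hkunte".
#
# Matching dovecot.conf fragment (socket name, not a path, in quota_warning;
# script path assumed; pick mode/group for whoever runs dovecot-lda: with a
# UNIX UID per user you need mode = 0666 or a shared group):
#   plugin {
#     quota = maildir
#     quota_warning = storage=95%% quota-warning 95 %u
#   }
#   service quota-warning {
#     executable = script /usr/local/scripts/quota-warning.sh
#     user = root
#     unix_listener quota-warning {
#       mode = 0660
#       group = vmail
#     }
#   }
set -eu

# Assumed install path; the thread's was /usr/dovecot-2/libexec/dovecot/dovecot-lda.
LDA="${DOVECOT_LDA:-/usr/libexec/dovecot/dovecot-lda}"
# Assumed sender address.
FROM_ADDR="${QUOTA_WARNING_FROM:-postmaster@example.com}"

# Accept only a plain integer percentage in 1..100.
valid_percent() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 100 ]
}

# Accept only a conservative username charset (assumed policy). %u comes
# from your own userdb, but this runs as the service user (root in the
# thread), so treat it as untrusted anyway.
valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        .*|-*) return 1 ;;
    esac
    return 0
}

# Build the warning message: headers, blank line, body.
build_message() {
    percent=$1 user=$2
    printf 'From: %s\nTo: %s\nSubject: Mailbox quota warning: %s%% full\n\n' \
        "$FROM_ADDR" "$user" "$percent"
    printf 'Your mailbox is now %s%% full.\nPlease delete some messages.\n' "$percent"
}

# Pipe the message into dovecot-lda as the recipient with quota checks off.
# "maildir::noenforcing" is backend:<empty quota root name>:flag; a named
# root (as in Ralf's "User quota") goes in the middle field instead.
deliver_warning() {
    percent=$1 user=$2
    valid_percent "$percent" || { echo "bad percent: $percent" >&2; return 64; }
    valid_user "$user"       || { echo "bad user: $user" >&2; return 64; }
    build_message "$percent" "$user" |
        "$LDA" -d "$user" -o "plugin/quota=maildir::noenforcing"
}

case $# in
    2) deliver_warning "$1" "$2" ;;
    0) : ;;   # no arguments: only define the functions (sourced/tested)
    *) echo "usage: $0 PERCENT USER" >&2; exit 64 ;;
esac
```

Invoked by Dovecot as quota-warning.sh 95 hkunte; with no arguments it only defines its functions. The checks on PERCENT and USER are defence in depth: the arguments arrive from Dovecot, not from a shell, but the script runs with whatever user the service block names, and refusing anything odd before it reaches a root-run command line costs nothing.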
participants (3):
- Daniel Luttermann
- Ralf Hildebrandt
- Timo Sirainen