migration from 2.3 to 2.4 : postfix can't deliver via lmtp
I am in the process of upgrading and rewriting my config.
I can access IMAP etc ... so my database access is working.
I have issues with LMTP: postfix can't deliver to dovecot.
The postfix-config wasn't touched at all.
the error:
Mar 27 11:46:37 co dovecot: auth(stefan@oops.co.at): Error: userdb: client doesn't have lookup permissions for this user: userdb reply doesn't contain uid (to bypass this check, set: service auth { unix_listener /run/dovecot/auth-userdb { mode=0777 } })
What I don't understand: I configure this:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service auth-worker {
  user = postfix
}
service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
protocol lmtp {
  mail_plugins = sieve
  postmaster_address = logs@xunil.at
}
And in postfix:
virtual_transport = lmtp:unix:private/dovecot-lmtp

virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
Where does "/run/dovecot/auth-userdb" come from?
I understand that according to my config /var/spool/postfix/private/auth should be used?
ls /var/spool/postfix/private/auth -l
srw-rw-rw- 1 postfix postfix 0 Mar 27 11:45 /var/spool/postfix/private/auth
ls /var/spool/postfix/private/dovecot-lmtp -l
srw-rw---- 1 postfix postfix 0 Mar 27 11:45 /var/spool/postfix/private/dovecot-lmtp
I'd appreciate any quick help here ... while googling and testing around ...
thanks!
On 27.03.26 at 11:54, Stefan G. Weichinger via dovecot wrote:
> I have issues with LMTP: postfix can't deliver to dovecot.
I think I have it, at least it works now.
I added this block from 2.3 ...
service auth {
  client_limit = 1200
  unix_listener auth-client {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0777
  }
  user = root
}
I assume the 0777 etc aren't ideal.
Suggestions welcome.
But my basic setup seems to work now!
(thanks to all devs for their work, even when it's sometimes hard to keep up ...)
On 27/03/2026 13:28 EET Stefan G. Weichinger via dovecot <dovecot@dovecot.org> wrote:
> I assume the 0777 etc aren't ideal.
> Suggestions welcome.
> But my basic setup seems to work now!
> (thanks to all devs for their work, even when it's sometimes hard to keep up ...)
0666 would be safer if it works.
Aki
On 27.03.26 at 12:34, Aki Tuomi wrote:
>> I assume the 0777 etc aren't ideal.
>> Suggestions welcome.
>> But my basic setup seems to work now!
> 0666 would be safer if it works.
it works, thanks. I might switch to 0660 again a bit later and see.
Right now things work as far as I see and test ...
I only see this line:
tail -f /var/log/mail.err
Mar 27 12:45:09 co dovecot: lmtp(1617792): Error: conn unix:/run/dovecot/anvil: net_connect_unix(/run/dovecot/anvil) failed: Permission denied
Mar 27 12:50:58 co dovecot: lmtp(1624214): Error: conn unix:/run/dovecot/anvil: net_connect_unix(/run/dovecot/anvil) failed: Permission denied
hmm ... I never configured that one in my old config.
Any hints? yes, I promise to google as well, sure
On 27.03.26 at 13:18, Stefan G. Weichinger via dovecot wrote:
> Any hints? yes, I promise to google as well, sure
It seems related to
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = vmail
}
Found a note to remove that "user = vmail" although then lmtp breaks completely.
On 27.03.26 at 13:30, Stefan G. Weichinger via dovecot wrote:
> Found a note to remove that "user = vmail" although then lmtp breaks completely.
Seems to have disappeared ... I still have "user = vmail" in there. ok with me ;-)
On 27/03/2026 14:18 EET Stefan G. Weichinger via dovecot <dovecot@dovecot.org> wrote:
> I only see this line:
> tail -f /var/log/mail.err
> Mar 27 12:45:09 co dovecot: lmtp(1617792): Error: conn unix:/run/dovecot/anvil: net_connect_unix(/run/dovecot/anvil) failed: Permission denied
> Mar 27 12:50:58 co dovecot: lmtp(1624214): Error: conn unix:/run/dovecot/anvil: net_connect_unix(/run/dovecot/anvil) failed: Permission denied
> hmm ... I never configured that one in my old config.
> Any hints? yes, I promise to google as well, sure
Try adding
service lmtp {
  extra_groups = $SET:default_internal_group
}
Aki
On 30.03.26 at 21:16, Aki Tuomi wrote:
> Try adding
> service lmtp {
>   extra_groups = $SET:default_internal_group
> }
Thank you, did so.
I still see these anvil-errors, though
doveconf -a | grep anvil
gives nothing
ls -l /run/dovecot/
total 88
srw------- 1 root root 0 Mar 31 11:40 anvil
pls advise
thanks
That's a weird permission, can you send doveconf -n?
Aki
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On 31.03.26 at 11:51, Aki Tuomi via dovecot wrote:
> That's a weird permission, can you send
> doveconf -n?
Sure:
2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.1-4 (0a86619f)
OS: Linux 6.12.74+deb13+1-amd64 x86_64 Debian 13.4
Hostname: ---
dovecot_config_version = 2.4.1
acl_driver = vfile
auth_allow_weak_schemes = yes
auth_cache_size = 4M
auth_mechanisms = plain login
auth_verbose = yes
dovecot_storage_version = 2.4.0
import_environment {
  CORE_ERROR = %{env:CORE_ERROR}
  CORE_OUTOFMEM = %{env:CORE_OUTOFMEM}
  LISTEN_FDS = %{env:LISTEN_FDS}
  LISTEN_PID = %{env:LISTEN_PID}
  MALLOC_MMAP_THRESHOLD_ = 131072
  NOTIFY_SOCKET = %{env:NOTIFY_SOCKET}
  PATH = %{env:PATH}
  TZ = :/etc/localtime
}
info_log_path = /var/log/dovecot.info
listen = * [::]
log_path = /var/log/dovecot.log
mail_driver = maildir
mail_home = /home/vmail/%{user | domain}/%{user}
mail_path = ~
mail_plugins {
  acl = yes
  quota = yes
}
protocols = imap sieve lmtp
quota_status_overquota = 552 5.2.2 Mailbox is full
quota_storage_grace = 30M
quota_storage_size = 10G
sieve_extensions {
  fileinto = yes
  reject = yes
  envelope = yes
  encoded-character = yes
  vacation = yes
  subaddress = yes
  comparator-i;ascii-numeric = yes
  relational = yes
  regex = yes
  imap4flags = yes
  copy = yes
  include = yes
  body = yes
  variables = yes
  enotify = yes
  environment = yes
  mailbox = yes
  date = yes
  index = yes
  ihave = yes
  duplicate = yes
  mime = yes
  foreverypart = yes
  extracttext = yes
  editheader = yes
  mboxmetadata = yes
  servermetadata = yes
  spamtest = yes
  spamtestplus = yes
  virustest = yes
}
sieve_global_extensions {
  vnd.dovecot.debug = yes
  vnd.dovecot.environment = yes
  vnd.dovecot.pipe = yes
}
sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_spamtest_score_max_value = 6
sieve_spamtest_status_header = X-Spamd-Result: .*? \[([[:digit:]]+\.[[:digit:]]+) / [[:digit:]]+\.[[:digit:]]+\];
sql_driver = mysql
ssl = required
verbose_proctitle = yes
namespace inbox {
  inbox = yes
  type = private
  mailbox Sent {
    auto = subscribe
    special_use = "\\Sent"
  }
  mailbox "Sent Messages" {
    special_use = "\\Sent"
  }
  mailbox Spam {
    auto = subscribe
    special_use = "\\Junk"
    sieve_script script-1 {
      cause = COPY
      driver = file
      path = /usr/lib/dovecot/sieve/report-spam.sieve
      type = before
    }
  }
  mailbox Trash {
    auto = subscribe
    special_use = "\\Trash"
  }
  mailbox Drafts {
    special_use = "\\Drafts"
  }
  mailbox * {
    sieve_script script-2 {
    }
  }
  imapsieve_from Spam {
    sieve_script script-2 {
      cause = COPY
      driver = file
      path = /usr/lib/dovecot/sieve/report-ham.sieve
      type = before
    }
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener quota-status-listener-1 {
    port = 12340
  }
}
protocol lda {
  mail_plugins = sieve
}
protocol lmtp {
  mail_plugins = sieve
  postmaster_address = logs@xunil.at
}
protocol imap {
  imap_idle_notify_interval = 29 mins
  mail_max_userip_connections = 50
  mail_plugins {
    imap_acl = yes
    imap_quota = yes
    imap_sieve = yes
  }
}
mysql /var/run/mysqld/mysqld.sock {
  dbname = postfix
  password = # hidden, use -P to show it
  user = postfix
}
passdb sql {
  default_password_scheme = MD5-CRYPT
  query = SELECT username as user, password, '/home/vmail/%{user | domain }/%{user}' as userdb_home, 'maildir:/home/vmail/%{user | domain }/%{user}' as userdb_mail, 1001 as userdb_uid, 1001 as userdb_gid FROM mailbox WHERE username = '%{user}' AND active = '1'
}
userdb prefetch {
}
userdb sql {
  iterate_query = SELECT userid AS username, domain FROM users
  query = SELECT username as user, password, '/home/vmail/%{user | domain }/%{user}' as userdb_home, 'maildir:/home/vmail/%{user | domain }/%{user}' as userdb_mail, 1001 as userdb_uid, 1001 as userdb_gid FROM mailbox WHERE username = '%{user}' AND active = '1'
}
service imap-login {
  process_min_avail = 8
  inet_listener imap {
    port = 0
    ssl = no
    listen =
  }
  inet_listener imaps {
    port = 993
    ssl = yes
    listen =
  }
}
service lmtp {
  extra_groups = $SET:default_internal_group
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap {
}
service auth {
  client_limit = 1200
  user = root
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-client {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0660
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
ssl_server {
  cert_file = /opt/dockerfiles/traefik/cert-dump/certs/some.crt
  dh_file = /etc/dovecot/dh.pem
  key_file = /opt/dockerfiles/traefik/cert-dump/private/some.key
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service managesieve {
}
protocol sieve {
  managesieve_notify_capability = mailto
  managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
}
quota "User quota" {
  driver = count
  storage_size = 10G
}
protocol !indexer-worker {
  mail_vsize_bg_after_count = 100
}
sieve_script personal {
  active_path = /home/vmail/%{user | domain}/%{user}/sieve/scripts/.dovecot.sieve
  driver = file
  path = /home/vmail/%{user | domain}/%{user}/sieve/scripts
}
sieve_script before-0 {
  driver = file
  path = /usr/lib/dovecot/sieve/global-spam.sieve
  type = before
}
I am open to any suggestions, this is a work in progress ;-)
thank you
On 31/03/2026 13:20 EEST Stefan G. Weichinger via dovecot <dovecot@dovecot.org> wrote:
> On 31.03.26 at 11:51, Aki Tuomi via dovecot wrote:
>> That's a weird permission, can you send
>> doveconf -n?
> Sure:
Did you touch the socket by hand? The default config is different.
$ doveconf -o dovecot_config_version=2.4.1 -d service/anvil
service anvil {
  ...
  unix_listener anvil {
    group = $SET:default_internal_group
    mode = 0660
  }
}
Can you compare the output on your system?
Just run doveconf service/anvil
Aki
On 31.03.26 at 12:34, Aki Tuomi wrote:
> Did you touch the socket by hand?
Can't tell for sure ...
> The default config is different.
> $ doveconf -o dovecot_config_version=2.4.1 -d service/anvil
> service anvil {
>   ...
>   unix_listener anvil {
>     group = $SET:default_internal_group
>     mode = 0660
>   }
> }
> Can you compare the output on your system?
> Just run
> doveconf service/anvil
doveconf service/anvil
service anvil {
  chroot =
  drop_priv_before_exec = no
  executable = anvil
  group =
  idle_kill_interval = infinite
  privileged_group =
  process_limit = 1
  process_min_avail = 1
  protocol =
  type = anvil
  user =
  unix_listener anvil {
    mode = 0600
  }
  unix_listener anvil-auth-penalty {
    mode = 0600
  }
}
On 31/03/2026 13:40 EEST Stefan G. Weichinger via dovecot <dovecot@dovecot.org> wrote:
> On 31.03.26 at 12:34, Aki Tuomi wrote:
>> Did you touch the socket by hand?
> Can't tell for sure ...
>> Can you compare the output on your system?
>> Just run
>> doveconf service/anvil
What's the source of this package?
Aki
On 31.03.26 at 12:41, Aki Tuomi via dovecot wrote:
>> Just run
>> doveconf service/anvil
> What's the source of this package?
You ask for the debian-package?
As far as I see we talk of the binary /usr/lib/dovecot/anvil, this is shown as part of dovecot-core.
And dovecot-core comes from:
apt-cache policy dovecot-core
dovecot-core:
  Installed: 1:2.4.1+dfsg1-6+deb13u3
  Candidate: 1:2.4.1+dfsg1-6+deb13u3
  Version table:
 *** 1:2.4.1+dfsg1-6+deb13u3 500
        500 http://ftp.at.debian.org/debian trixie/main amd64 Packages
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.4.1+dfsg1-6+deb13u1 500
        500 http://security.debian.org trixie-security/main amd64 Packages
OK?
On 31/03/2026 13:53 EEST Stefan G. Weichinger via dovecot <dovecot@dovecot.org> wrote:
> You ask for the debian-package?
> As far as I see we talk of the binary /usr/lib/dovecot/anvil, this is shown as part of dovecot-core.
Then it sounds like Debian is mucking with the defaults. You can resolve this by setting the default listener config that I sent you, and if you want, you can open an issue in the Debian bug tracker.
Aki
On 31.03.26 at 13:03, Aki Tuomi wrote:
> Then it sounds like Debian is mucking with the defaults. You can resolve this by setting the default listener config that I sent you, and if you want, you can open an issue in the Debian bug tracker.
So I'd set this in a separate conf-file in for example /etc/dovecot/conf.d/91-anvil.conf (?):
service anvil {
  chroot =
  drop_priv_before_exec = no
  executable = anvil
  group =
  idle_kill_interval = infinite
  privileged_group =
  process_limit = 1
  process_min_avail = 1
  protocol =
  type = anvil
  user =
  unix_listener anvil {
    group = $SET:default_internal_group
    mode = 0660
  }
  unix_listener anvil-auth-penalty {
    mode = 0600
  }
}
I quote the full block just to avoid any more mistakes.
Thank you!
(issue in Debian tracker .. dunno ;-))
On 31/03/2026 14:07 EEST Stefan G. Weichinger via dovecot <dovecot@dovecot.org> wrote:
> So I'd set this in a separate conf-file in for example /etc/dovecot/conf.d/91-anvil.conf (?):
I'd put just
service anvil {
  unix_listener anvil {
    group = $SET:default_internal_group
    mode = 0660
  }
}
Aki
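
Added example (not from the thread and not Dovecot project code): on Linux, connecting to a unix socket needs write permission on the socket file, so the listener modes discussed above decide who can reach each service. The code parses doveconf-style text and flags listeners any local user can connect to (0666, 0777) and listeners only the owner can reach (the 0600 anvil socket that lmtp, running as vmail, could not open). SAMPLE is constructed from settings quoted in the thread; parse_listeners and audit are hypothetical helper names.

```python
# SAMPLE is constructed from listener settings quoted in the thread (assumption:
# one setting per line, as doveconf prints them).
SAMPLE = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0777
  }
}
service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service anvil {
  unix_listener anvil {
    mode = 0600
  }
}
"""


def parse_listeners(text):
    """Return one (service, listener, settings) tuple per unix_listener block."""
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):                  # block header: "<kind> <name> {"
            kind, _, name = line[:-1].strip().partition(" ")
            block = (kind, name.strip(), {})
            if kind == "unix_listener":
                service = next((n for k, n, _ in reversed(stack) if k == "service"), "")
                found.append((service, block[1], block[2]))
            stack.append(block)
        elif line == "}" and stack:             # end of the innermost open block
            stack.pop()
        elif "=" in line and stack:             # setting inside the current block
            key, _, value = line.partition("=")
            stack[-1][2][key.strip()] = value.strip()
    return found


def audit(text):
    """Flag listeners open to every local user, or reachable by the owner only."""
    findings = []
    for service, listener, settings in parse_listeners(text):
        if "mode" not in settings:
            continue                            # no explicit mode shown: nothing to judge
        mode = int(settings["mode"], 8)
        if mode & 0o002:                        # "other" write bit: anyone can connect
            findings.append((service, listener, settings["mode"], "world-connectable"))
        elif not mode & 0o020:                  # no group write bit: owner only
            findings.append((service, listener, settings["mode"], "owner-only"))
    return findings
```

Feeding it the output of doveconf -n, or doveconf service/anvil as used in the thread, lists the listeners worth a second look before and after a change such as the 0660 anvil override.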
participants (2): Aki Tuomi, Stefan G. Weichinger