[Dovecot] Permission denied / missing +r perm
I have postfix configured to deliver mail to dovecot over lmtp into a mailbox that then is accessed over imap. The imap server is running as the user "mail". Whenever I run "postfix flush" I get in mail.log:
Jun 12 05:37:45 li212-205 dovecot: lmtp(21288): Connect from local
Jun 12 05:37:45 li212-205 spamd[18173]: prefork: child states: II
Jun 12 05:37:45 li212-205 dovecot: auth-worker(21289): mysql(127.0.0.1): Connected to database mailserver
Jun 12 05:37:45 li212-205 dovecot: lmtp(21288, drew@REDACTED): zXAqF2lBuFEoUwAA5SnFYQ: msgid=064C5BC7-357B-4366-9A80-5001DBA21F62@REDACTED: saved mail to INBOX
Jun 12 05:37:45 li212-205 postfix/lmtp[21287]: 57BDA1CC932: to=drew@REDACTED, relay=li212-205.members.linode.com[private/dovecot-lmtp], delay=0.06, delays=0.01/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 drew@REDACTED zXAqF2lBuFEoUwAA5SnFYQ Saved)
Jun 12 05:37:45 li212-205 dovecot: lmtp(21288): Disconnect from local: Client quit (in reset)
Jun 12 05:37:45 li212-205 postfix/qmgr[21244]: 57BDA1CC932: removed
Jun 12 05:37:45 li212-205 dovecot: imap(drew@REDACTED): Error: open(/decrypted-mail/awesomebox.sealedabstract.com/drew/cur/1371029865.M411903P21288.li212-205,S=2626,W=2673:2,) failed: Permission denied (euid=8(mail) egid=8(mail) missing +r perm: /decrypted-mail/awesomebox.sealedabstract.com/drew/cur/1371029865.M411903P21288.li212-205,S=2626,W=2673:2,, we're not in group 0(root))
Jun 12 05:37:45 li212-205 dovecot: imap(drew@REDACTED): Disconnected: Internal error occurred. Refer to server log for more information. [2013-06-12 05:37:45] in=349 out=1084
Indeed, the file in question is owned by root and would not be accessible to the mail user:
ls -la /decrypted-mail/awesomebox.sealedabstract.com/drew/cur/
total 24
drwxrw---- 2 mail mail 4096 Jun 12 05:37 .
drwxrw---- 7 mail mail 4096 Jun 12 05:37 ..
-rw-rw---- 1 mail mail 2616 Jun 12 05:26 1371029196.M462737P20302.li212-205,S=2616,W=2662:2,
-rw-rw---- 1 mail mail 2635 Jun 12 05:32 1371029564.M454251P20747.li212-205,S=2635,W=2682:2,
-rw-rw---- 1 root root 2626 Jun 12 05:37 1371029865.M411903P21288.li212-205,S=2626,W=2673:2,
So dutifully, I chown / chgrp to the mail user. But as soon as I receive a new mail, dovecot again creates files owned by root:root.
How do I convince it to create files as mail:mail ?
Diagnostic info:
$ dovecot --version
2.1.7
$ ps -aux | grep dovecot
root     20810 0.0 0.0 2892  984 ?     Ss 05:34 0:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
dovecot  20813 0.0 0.0 2620  940 ?     S  05:34 0:00 dovecot/anvil
root     20814 0.0 0.1 2752 1072 ?     S  05:34 0:00 dovecot/log
root     20818 0.0 0.2 4348 2524 ?     S  05:34 0:00 dovecot/config
dovenull 21046 0.0 0.2 5248 2500 ?     S  05:35 0:00 dovecot/imap-login
mail     21047 0.0 0.2 6392 2088 ?     S  05:35 0:00 dovecot/imap
dovenull 21056 0.0 0.2 5248 2500 ?     S  05:35 0:00 dovecot/imap-login
mail     21057 0.0 0.2 6752 2576 ?     S  05:35 0:00 dovecot/imap
dovenull 21292 0.0 0.2 5248 2500 ?     S  05:37 0:00 dovecot/imap-login
root     21293 0.0 0.1 4508 1044 ?     S  05:37 0:00 dovecot/ssl-params
mail     21294 0.0 0.2 6540 2624 ?     S  05:37 0:00 dovecot/imap
root     21400 0.0 0.0 4104  788 pts/0 S+ 05:51 0:00 grep dovecot
$ doveconf -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.8.4-linode50 i686 Debian 7.0 fuse.encfs
auth_mechanisms = plain login
first_valid_uid = 0
mail_location = maildir:/decrypted-mail/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = " imap lmtp"
service auth-worker {
  user = mail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = mail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0666
    user = postfix
  }
  user = mail
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}
ssl = required
ssl_cert =
FYI, the answer was in the filesystem. EncFS says
Secondly, the --public flag changes how encfs's node creation functions work - as they will try and set ownership of new nodes based on the caller identification.
It seems that this was the culprit.
On Jun 12, 2013, at 4:53 AM, Andrew Crawford drew@sealedabstract.com wrote:
participants (1)
-
Andrew Crawford
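Added example, not part of the original posts and not Dovecot or EncFS code: a small Python helper that parses the "Permission denied (euid=... missing +r perm: ...)" diagnosis Dovecot logs in this thread and replays the owner/group/other mode-bit check for the ownership shown by ls. The function names, the sample log line (host, user and path are constructed) and the simplified permission model (no ACLs, supplementary groups passed in by the caller) are assumptions of this example.

```python
import re
import stat

# Constructed sample modelled on the Dovecot error in the thread (host, user and path are made up).
SAMPLE = (
    "Jun 12 05:37:45 host dovecot: imap(user@example.org): Error: "
    "open(/decrypted-mail/example.org/user/cur/1371029865.M1P2.host,S=2626:2,) failed: "
    "Permission denied (euid=8(mail) egid=8(mail) missing +r perm: "
    "/decrypted-mail/example.org/user/cur/1371029865.M1P2.host,S=2626:2,, "
    "we're not in group 0(root))"
)

PERM_ERR = re.compile(
    r"Error: open\((?P<path>.+?)\) failed: Permission denied "
    r"\(euid=(?P<euid>\d+)\((?P<user>[^)]*)\) egid=(?P<egid>\d+)\((?P<group>[^)]*)\) "
    r"missing \+(?P<perm>[rwx]) perm: "
)

# Permission bits per access class; exactly one class is consulted per check.
BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}

def parse_perm_error(line):
    """Return path/euid/egid/perm from a Dovecot 'Permission denied' line, or None."""
    m = PERM_ERR.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["euid"], d["egid"] = int(d["euid"]), int(d["egid"])
    return d

def access_class(owner_uid, owner_gid, euid, gids):
    """Owner is checked first, then group, then other."""
    if euid == owner_uid:
        return "owner"
    return "group" if owner_gid in gids else "other"

def is_allowed(mode, owner_uid, owner_gid, euid, gids, perm="r"):
    """Plain mode-bit check (no ACLs; root's DAC override is not modelled)."""
    cls = access_class(owner_uid, owner_gid, euid, gids)
    return bool(stat.S_IMODE(mode) & BITS[cls][perm])

if __name__ == "__main__":
    err = parse_perm_error(SAMPLE)
    # Ownership as in the thread's ls output: root:root 0660, then mail:mail after chown.
    for uid, gid in ((0, 0), (8, 8)):
        ok = is_allowed(0o660, uid, gid, err["euid"], {err["egid"]}, err["perm"])
        print(f"owner {uid}:{gid} mode 0660 -> +{err['perm']} for euid {err['euid']}: {ok}")
```

Against a live system, the owner, group and mode would come from os.stat() on the parsed path rather than from literals.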