[Dovecot] Dovecot Postfix Quota Policy Service
Hello everyone,
Dovecot's policy service for querying user quotas has already been discussed, and there is a good guide for setting it up, but unfortunately I cannot get the policy server configured correctly.
The following errors are logged:
May 3 22:00:13 mail postfix/smtpd[17463]: warning: access table unix:private/quota-status entry has empty value
May 3 22:00:42 mail dovecot: quota-status(daniel@dlutt.de): Error: user daniel@dlutt.de: Error reading configuration: net_connect_unix(/usr/var/run/dovecot/config) failed: Permission denied
After a reload of the services, the first mail is still delivered, but the next incoming mail is then rejected. The complete log entries follow:
May 3 22:00:12 mail postfix/smtpd[17463]: connect from mail-ie0-x236.google.com[2607:f8b0:4001:c03::236]
May 3 22:00:13 mail postfix/smtpd[17463]: warning: access table unix:private/quota-status entry has empty value
May 3 22:00:13 mail postfix/smtpd[17463]: 0EB81172391A: client=mail-ie0-x236.google.com[2607:f8b0:4001:c03::236]
May 3 22:00:13 mail postfix/cleanup[17475]: 0EB81172391A: message-id=CAKrzS114MaJGND9BxYUiixMMtORmXJqTA3W13B=QAr0YW_nkUg@mail.gmail.com
May 3 22:00:13 mail postfix/qmgr[17429]: 0EB81172391A: from=sender@googlemail.com, size=5409, nrcpt=1 (queue active)
May 3 22:00:13 mail postfix/smtpd[17463]: disconnect from mail-ie0-x236.google.com[2607:f8b0:4001:c03::236]
May 3 22:00:13 mail klms-smtp_proxy: Message from sender@googlemail.com to daniel@dlutt.de passed
May 3 22:00:14 mail postfix/smtpd[17482]: connect from localhost[127.0.0.1]
May 3 22:00:14 mail postfix/smtpd[17482]: 00776172391C: client=localhost[127.0.0.1], orig_client=mail-ie0-x236.google.com[2607:f8b0:4001:c03::236]
May 3 22:00:14 mail postfix/cleanup[17475]: 00776172391C: message-id=CAKrzS114MaJGND9BxYUiixMMtORmXJqTA3W13B=QAr0YW_nkUg@mail.gmail.com
May 3 22:00:14 mail postfix/qmgr[17429]: 00776172391C: from=sender@googlemail.com, size=6195, nrcpt=1 (queue active)
May 3 22:00:14 mail postfix/smtpd[17482]: disconnect from localhost[127.0.0.1]
May 3 22:00:14 mail postfix/smtp[17476]: 0EB81172391A: to=daniel@dlutt.de, relay=127.0.0.1[127.0.0.1]:10025, delay=1.2, delays=0.54/0.02/0/0.65, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 00776172391C)
May 3 22:00:14 mail postfix/qmgr[17429]: 0EB81172391A: removed
May 3 22:00:14 mail dovecot: lmtp(17484): Connect from local
May 3 22:00:14 mail dovecot: lmtp(17484, daniel@dlutt.de): dEa8BE4XhFFMRAAAG4AjPw: sieve: msgid=CAKrzS114MaJGND9BxYUiixMMtORmXJqTA3W13B=QAr0YW_nkUg@mail.gmail.com: stored mail into mailbox 'INBOX'
May 3 22:00:14 mail dovecot: lmtp(17484): Disconnect from local: Successful quit
May 3 22:00:14 mail postfix/lmtp[17483]: 00776172391C: to=daniel@dlutt.de, relay=mail.dlutt.de[private/dovecot-lmtp], delay=0.11, delays=0.05/0.02/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 daniel@dlutt.de dEa8BE4XhFFMRAAAG4AjPw Saved)
May 3 22:00:14 mail postfix/qmgr[17429]: 00776172391C: removed
May 3 22:00:36 mail postfix/postscreen[17433]: CONNECT from [2607:f8b0:4001:c03::230]:43653 to [2a00:1828:2000:206::2]:25
May 3 22:00:42 mail postfix/postscreen[17433]: PASS NEW [2607:f8b0:4001:c03::230]:43653
May 3 22:00:42 mail postfix/smtpd[17463]: connect from mail-ie0-x230.google.com[2607:f8b0:4001:c03::230]
May 3 22:00:42 mail dovecot: quota-status(daniel@dlutt.de): Error: user daniel@dlutt.de: Error reading configuration: net_connect_unix(/usr/var/run/dovecot/config) failed: Permission denied
May 3 22:00:42 mail postfix/smtpd[17463]: NOQUEUE: reject: RCPT from mail-ie0-x230.google.com[2607:f8b0:4001:c03::230]: 450 4.7.1 daniel@dlutt.de: Recipient address rejected: Internal error occurred. Refer to server log for more information.; from=absender@googlemail.com to=daniel@dlutt.de proto=ESMTP helo=
The problem occurs with the unix_listener as well as with the inet_listener; both times Dovecot complains about access to the "config" service. I also tried setting the permissions for the "config" service to world-readable, but unfortunately that did not work either, although I do not know whether it necessarily has anything to do with the problem.
Unfortunately, debug logging does not give any more information about the error either.
Postfix 2.10.0 and Dovecot 2.2.1 are currently in use.
The Dovecot quota configuration looks as described at sys4:
service quota-status {
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
  client_limit = 1
}
By now I have tried quite a few options and permissions, but unfortunately the error stays the same.
Does anyone perhaps have another tip?
Thanks in advance.
-- Daniel
On 2013-05-03, Daniel Luttermann wrote:
Hello everyone,
Dovecot's policy service for querying user quotas has already been discussed, and there is a good guide for setting it up, but unfortunately I cannot get the policy server configured correctly.
sorry, this was a question for the German Dovecot mailing list.
-- Daniel
On 03.05.2013 23:34, Daniel Luttermann wrote:
Postfix 2.10.0 and Dovecot 2.2.1 are currently in use.
The Dovecot quota configuration looks as described at sys4:
service quota-status {
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
  client_limit = 1
}
By now I have tried quite a few options and permissions, but unfortunately the error stays the same.
Does anyone perhaps have another tip?
Thanks in advance.
better not in German here....
you should only use Dovecot 2.2.1, the quota code in 2.1 is "not entirely complete"; at first glance the setup looks OK
have you already tried it, as an alternative, exactly as described in http://sys4.de/de/blog/2013/04/05/dovecot-quota-mit-postfix-abfragen/ above all
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full / Mailbox ist voll"
etc. (don't forget these)
tested?
alternatively, try mode = 0666; to me it looks like a permission problem, which can differ depending on the setup; user / group postfix must exist, etc.
compared with
http://hg.dovecot.org/dovecot-2.1/file/0fa68f3a8f6c/doc/example-config/conf....
# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
#  mode = 0666
#}
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263 Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Chairman of the Supervisory Board: Florian Kirstein
On Sat, 2013-05-04 at 07:35 +0200, Robert Schetterer wrote:
you should only use Dovecot 2.2.1, the quota code in 2.1 is "not entirely complete"; at first glance the setup looks OK
The quota-grace I think was only bit not backported, is that right? Did Timo do or announce plan to do this, or not happening for 2.1 only 2.2?
On 04.05.2013 09:12, Noel Butler wrote:
The quota-grace I think was only bit not backported, is that right? Did Timo do or announce plan to do this, or not happening for 2.1 only 2.2?
at my last knowledge it wasn't backported and it will never be done, so with most setups, quota policy service in 2.1 is more or less useless in reality, cause lda or lmtp will do the bounce job, so mailboxes mostly may go never "over quota" but however Timo might have better answers
Best Regards MfG Robert Schetterer
On Sat, May 04, 2013 at 06:02:36PM +0200, Robert Schetterer wrote:
On 04.05.2013 09:12, Noel Butler wrote:
The quota-grace I think was only bit not backported, is that right? Did Timo do or announce plan to do this, or not happening for 2.1 only 2.2?
at my last knowledge it wasn't backported and it will never be done, so with most setups, quota policy service in 2.1 is more or less useless in reality, cause lda or lmtp will do the bounce job, so mailboxes mostly may go never "over quota"
I haven't actually tried it yet, so this is just from looking at the source code: The policy service will reject (most) messages that would put a mailbox over the quota limit in both 2.1 and 2.2, won't it? That still seems very useful, compared to bouncing it later.
On 04.05.2013 19:25, Ulrich Zehl wrote:
On Sat, May 04, 2013 at 06:02:36PM +0200, Robert Schetterer wrote:
On 04.05.2013 09:12, Noel Butler wrote:
The quota-grace I think was only bit not backported, is that right? Did Timo do or announce plan to do this, or not happening for 2.1 only 2.2?
at my last knowledge it wasn't backported and it will never be done, so with most setups, quota policy service in 2.1 is more or less useless in reality, cause lda or lmtp will do the bounce job, so mailboxes mostly may go never "over quota"
I haven't actually tried it yet, so this is just from looking at the source code: The policy service will reject (most) messages that would put a mailbox over the quota limit in both 2.1 and 2.2, won't it? That still seems very useful, compared to bouncing it later.
my understanding you need quota-grace to make sure mailbox get overquota for setup percent, if there is no quota-grace ( like in 2.1.x ), most mail will be bounced by normal lda/lmtp quota rules , so policy quota always will see some free space in the mailbox, unless the rare case that one ( last ) mail fits the mailbox quota in exact 100 percent
Best Regards MfG Robert Schetterer
On Sat, May 04, 2013 at 07:34:44PM +0200, Robert Schetterer wrote:
I haven't actually tried it yet, so this is just from looking at the source code: The policy service will reject (most) messages that would put a mailbox over the quota limit in both 2.1 and 2.2, won't it? That still seems very useful, compared to bouncing it later.
my understanding you need quota-grace to make sure mailbox get overquota for setup percent, if there is no quota-grace ( like in 2.1.x ), most mail will be bounced by normal lda/lmtp quota rules , so policy quota always will see some free space in the mailbox, unless the rare case that one ( last ) mail fits the mailbox quota in exact 100 percent
I just tested it, and now I can verify: As long as the size= attribute is present in the policy request, Dovecot will correctly reject messages that are too large to fit in whatever quota you have left.
On 2013-05-04, Robert Schetterer wrote:
On 03.05.2013 23:34, Daniel Luttermann wrote:
Postfix 2.10.0 and Dovecot 2.2.1 are currently in use.
The Dovecot quota configuration looks as described at sys4:
service quota-status {
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
  client_limit = 1
}
By now I have tried quite a few options and permissions, but unfortunately the error stays the same.
Does anyone perhaps have another tip?
Thanks in advance.
better not in German here....
sorry - I wanted to ask on the German Dovecot mailing list but sent this mail to the English list.
you should only use Dovecot 2.2.1, the quota code in 2.1 is "not entirely complete"; at first glance the setup looks OK
Currently I'm using Dovecot 2.2.1 and Postfix 2.10.0.
have you already tried it, as an alternative, exactly as described in http://sys4.de/de/blog/2013/04/05/dovecot-quota-mit-postfix-abfragen/ above all
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full / Mailbox ist voll"
etc. (don't forget these)
tested?
yes, I've tried this (see doveconf/postconf below).
alternatively, try mode = 0666; to me it looks like a permission problem, which can differ depending on the setup; user / group postfix must exist, etc.
When I use
service config {
  unix_listener config {
    group =
    mode = 0666
    user =
  }
}
then the error "permission denied" doesn't occur anymore but the error
warning: access table unix:private/quota-status entry has empty value
is the same. The verbose logging shows this:
=====
May 4 14:01:52 mail dovecot: quota-status(daniel@dlutt.de): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
May 4 14:01:52 mail dovecot: quota-status(daniel@dlutt.de): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=no location=mdbox:%h/sdbox
May 4 14:01:52 mail dovecot: quota-status(daniel@dlutt.de): Debug: shared: root=/usr/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
May 4 14:01:52 mail dovecot: quota-status(daniel@dlutt.de): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls:cache_secs=300
May 4 14:01:52 mail dovecot: quota-status(daniel@dlutt.de): Debug: acl: acl username = daniel@dlutt.de
May 4 14:01:52 mail dovecot: quota-status(daniel@dlutt.de): Debug: acl: owner = 0
May 4 14:01:52 mail dovecot: quota-status(daniel@dlutt.de): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
May 4 14:01:52 mail postfix/smtpd[26993]: private/quota-status: wanted attribute: action
May 4 14:01:52 mail postfix/smtpd[26993]: input attribute name: action
May 4 14:01:52 mail postfix/smtpd[26993]: input attribute value: (end)
May 4 14:01:52 mail postfix/smtpd[26993]: private/quota-status: wanted attribute: (list terminator)
May 4 14:01:52 mail postfix/smtpd[26993]: input attribute name: (end)
May 4 14:01:52 mail postfix/smtpd[26993]: check_table_result: unix:private/quota-status policy query
May 4 14:01:52 mail postfix/smtpd[26993]: warning: access table unix:private/quota-status entry has empty value
May 4 14:01:52 mail postfix/smtpd[26993]: generic_checks: name=check_policy_service status=1
May 4 14:01:52 mail postfix/smtpd[26993]: >>> END Recipient address RESTRICTIONS <<<
May 4 14:01:52 mail postfix/smtpd[26993]: >>> CHECKING RECIPIENT MAPS <<<
May 4 14:01:52 mail postfix/smtpd[26993]: ctable_locate: move existing entry key daniel@dlutt.de
....
....
May 4 14:01:53 mail dovecot: lmtp(27012): Debug: auth input: daniel@dlutt.de home=/home/vmail/dlutt.de/daniel uid=5000 gid=5000 quota_rule=*:bytes=900000000
May 4 14:01:53 mail dovecot: lmtp(27012): Debug: Added userdb setting: plugin/quota_rule=*:bytes=900000000
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Effective uid=5000, gid=5000, home=/home/vmail/dlutt.de/daniel
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Quota root: name=User quota backend=dict args=:proxy::quota
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Quota rule: root=User quota mailbox=* bytes=900000000 messages=0
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Quota rule: root=User quota mailbox=Trash bytes=+104857600 messages=0
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Quota warning: bytes=855000000 (95%) messages=0 reverse=no command=quota-warning 95 daniel@dlutt.de
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Quota warning: bytes=720000000 (80%) messages=0 reverse=no command=quota-warning 80 daniel@dlutt.de
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Quota grace: root=User quota bytes=90000000 (10%)
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: dict quota: user=daniel@dlutt.de, uri=proxy::quota, noenforcing=0
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: fs: root=/home/vmail/dlutt.de/daniel/mdbox, index=, indexpvt=, control=, inbox=, alt=
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls:cache_secs=300
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: acl: acl username = daniel@dlutt.de
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: acl: owner = 1
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=no location=mdbox:%h/sdbox
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: shared: root=/usr/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls:cache_secs=300
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: acl: acl username = daniel@dlutt.de
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: acl: owner = 0
May 4 14:01:53 mail dovecot: lmtp(27012, daniel@dlutt.de): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
When I use the Dovecot default for the service "config" which is root:root, then I get this error (permission denied):
May 4 14:46:51 mail postfix/postscreen[29225]: CONNECT from [2607:f8b0:4001:c02::229]:41474 to [2a00:1828:2000:206::2]:25
May 4 14:46:57 mail postfix/postscreen[29225]: PASS NEW [2607:f8b0:4001:c02::229]:41474
May 4 14:46:57 mail postfix/smtpd[29240]: connect from mail-ia0-x229.google.com[2607:f8b0:4001:c02::229]
May 4 14:46:58 mail postfix/smtpd[29240]: NOQUEUE: reject: RCPT from mail-ia0-x229.google.com[2607:f8b0:4001:c02::229]: 450 4.7.1 daniel@dlutt.de: Recipient address rejected: Internal error occurred. Refer to server log for more information.; from=free4cd@googlemail.com to=daniel@dlutt.de proto=ESMTP helo=
My Dovecot and Postfix config:
doveconf -n
# 2.2.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.7
dict {
  acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  expire = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
hostname = mail.dlutt.de
listen = 217.11.53.7
mail_debug = yes
mail_location = mdbox:~/mdbox
mail_plugins = acl quota expire
mail_privileged_group = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = mdbox:%%h/sdbox
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
  acl_shared_dict = proxy::acl
  expire = Trash
  expire2 = Junk
  expire_dict = proxy::expire
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = dict:User quota::proxy::quota
  quota_grace = 10%%
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Recipient mailbox is is full
  quota_status_success = DUNNO
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@dlutt.de
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1
    port = 4190
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
  user = vmail
}
ssl_cert =
postconf -n
address_verify_map = memcache:/etc/postfix/verify-memcache.cf
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 1d
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = dlutt.de
myhostname = mail.dlutt.de
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_cache_map = memcache:/etc/postfix/memcache-postscreen.cf
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org, ix.dnsbl.manitu.net
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps proxy:btree:/var/lib/postfix/postscreen_cache_map proxy:btree:/var/lib/postfix/verify_cache_map
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map proxy:btree:/var/lib/postfix/postscreen_cache_map proxy:btree:/var/lib/postfix/verify_cache_map
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_bind_address = 217.11.53.6
smtp_bind_address6 = 2a00:1828:2000:206::2
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport_maps
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
master.cf
217.11.53.6:25 pass - - n - - smtpd
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_recipient_domain,reject_unknown_sender_domain,permit_mynetworks,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unverified_recipient,check_policy_service,unix:private/quota-status
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
  -o content_filter=klms_postfix-afterqueue:127.0.0.1:10025
  -o receive_override_options=no_address_mappings
[2a00:1828:2000:206::2]:25 pass - - n - - smtpd
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_recipient_domain,reject_unknown_sender_domain,permit_mynetworks,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unverified_recipient,check_policy_service,unix:private/quota-status
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
  -o content_filter=klms_postfix-afterqueue:127.0.0.1:10025
  -o receive_override_options=no_address_mappings
-- Daniel
Daniel Luttermann daniel@dlutt.de wrote:
When I use
service config {
  unix_listener config {
    group =
    mode = 0666
    user =
  }
}
then the error "permission denied" doesn't occur anymore but the error
warning: access table unix:private/quota-status entry has empty value
I don't know if this is related to your problem but the error may be caused because of the double space between "entry" and "has". Timo has already recognized this.
Andreas
On 04.05.2013 15:06, Daniel Luttermann wrote:
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
}
try
service quota-status {
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0666
    user = postfix
  }
  client_limit = 1
}
Best Regards MfG Robert Schetterer
On 2013-05-04, Robert Schetterer wrote:
On 04.05.2013 15:06, Daniel Luttermann wrote:
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
}
try
service quota-status {
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0666
    user = postfix
  }
  client_limit = 1
}
OK, changed the permissions of the service as you suggested:
srw-rw-rw- 1 postfix postfix 0 May 4 20:53 /var/spool/postfix/private/quota-status
Log of the first incoming email:
May 4 20:54:13 mail postfix/postscreen[12627]: CONNECT from [193.99.144.71]:46355 to [217.11.53.6]:25
May 4 20:54:13 mail postfix/postscreen[12627]: PASS OLD [193.99.144.71]:46355
May 4 20:54:13 mail postfix/smtpd[12631]: connect from web.heise.de[193.99.144.71]
May 4 20:54:13 mail postfix/smtpd[12631]: warning: access table unix:private/quota-status entry has empty value
Mail gets delivered...
Second incoming email (mail.log)
May 4 20:55:16 mail postfix/postscreen[12627]: CONNECT from [193.99.144.71]:33634 to [217.11.53.6]:25
May 4 20:55:16 mail postfix/postscreen[12627]: PASS OLD [193.99.144.71]:33634
May 4 20:55:16 mail postfix/smtpd[12631]: connect from web.heise.de[193.99.144.71]
May 4 20:55:16 mail dovecot: quota-status(daniel@dlutt.de): Error: user daniel@dlutt.de: Error reading configuration: net_connect_unix(/usr/var/run/dovecot/config) failed: Permission denied
May 4 20:55:16 mail postfix/smtpd[12631]: NOQUEUE: reject: RCPT from web.heise.de[193.99.144.71]: 450 4.7.1 daniel@dlutt.de: Recipient address rejected: Internal error occurred. Refer to server log for more information.; from=www@heise.de to=daniel@dlutt.de proto=ESMTP helo=
mail.warn:
May 4 20:55:16 mail dovecot: quota-status(daniel@dlutt.de): Error: user daniel@dlutt.de: Error reading configuration: net_connect_unix(/usr/var/run/dovecot/config) failed: Permission denied
Permissions of the Dovecot config service:
srw------- 1 root root 0 May 4 20:53 /usr/var/run/dovecot/config
Maybe the problem has something to do with the double space as pointed out by Andreas?
"quota-status entry has empty value"
-- Daniel
On 04.05.2013 21:11, Daniel Luttermann wrote:
May 4 20:55:16 mail dovecot: quota-status(daniel@dlutt.de): Error: user daniel@dlutt.de: Error reading configuration: net_connect_unix(/usr/var/run/dovecot/config) failed: Permission denied
Permissions of the Dovecot config service:
srw------- 1 root root 0 May 4 20:53 /usr/var/run/dovecot/config
Maybe the problem has something to do with the double space as pointed out by Andreas?
"quota-status entry has empty value"
maybe, sorry I can't test it here yet, did you use latest code from http://hg.dovecot.org/dovecot-2.2/ seems like there was a patch http://hg.dovecot.org/dovecot-2.2/rev/aefdf65442cc
Best Regards MfG Robert Schetterer
On 2013-05-05, Robert Schetterer wrote:
On 04.05.2013 21:11, Daniel Luttermann wrote:
May 4 20:55:16 mail dovecot: quota-status(daniel@dlutt.de): Error: user daniel@dlutt.de: Error reading configuration: net_connect_unix(/usr/var/run/dovecot/config) failed: Permission denied
Permissions of the Dovecot config service:
srw------- 1 root root 0 May 4 20:53 /usr/var/run/dovecot/config
Maybe the problem has something to do with the double space as pointed out by Andreas?
"quota-status entry has empty value"
maybe, sorry I can't test it here yet, did you use latest code from http://hg.dovecot.org/dovecot-2.2/ seems like there was a patch http://hg.dovecot.org/dovecot-2.2/rev/aefdf65442cc
I've just compiled aefdf65442cc from source but the problem still exists, also the problem with the permissions of the Dovecot config service if I don't change the permission of the service.
-- Daniel
- Robert Schetterer rs@sys4.de:
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full / Mailbox ist voll"
The very last line "quota_status_overquota" doesn't work. No matter which kind of quoting I'm using ', "", or none at all, dovecot will always misbehave (it will accept ANY mail)
Ralf Hildebrandt r@sys4.de wrote:
- Robert Schetterer rs@sys4.de:
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full / Mailbox ist voll"
The very last line "quota_status_overquota" doesn't work. No matter which kind of quoting I'm using ', "", or none at all, dovecot will always misbehave (it will accept ANY mail)
It would be desirable this feature in dovecot would work so that email would be rejected at first instance and not be bounced after they were accepted by the MDA.
Nice Sunday!
Andreas
On 05.05.2013 12:58, Andreas Meyer wrote:
Ralf Hildebrandt r@sys4.de wrote:
- Robert Schetterer rs@sys4.de:
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full / Mailbox ist voll"
The very last line "quota_status_overquota" doesn't work. No matter which kind of quoting I'm using ', "", or none at all, dovecot will always misbehave (it will accept ANY mail)
It would be desirable this feature in dovecot would work so that email would be rejected at first instance and not be bounced after they were accepted by the MDA.
it should that work this way in 2.2.x quota_grace overrides lmtp/lda quota settings in percent to make sure mailbox in fact is really over quota but looks like have a bug in recent versions with quota_status_overquota
Nice Sunday!
Andreas
Best Regards MfG Robert Schetterer
On 05.05.2013 12:47, Ralf Hildebrandt wrote:
- Robert Schetterer rs@sys4.de:
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full / Mailbox ist voll"
The very last line "quota_status_overquota" doesn't work. No matter which kind of quoting I'm using ', "", or none at all, dovecot will always misbehave (it will accept ANY mail)
so it's a bug, thx Ralf
Best Regards MfG Robert Schetterer
I was able to replicate your problem with 2.1.16 rev 0fa68f3a8f6c (from Stephan's auto-built packages).
I have the following configuration in 10-master.conf, and no special configuration for the service in 90-quota.conf.
| service quota-status {
|   executable = quota-status -p postfix
|   inet_listener {
|     port = 12340
|   }
|   client_limit = 1
|   user = root
| }
When I first query the quota-status service, I get the correct response:
| $ printf "recipient=test@example.org\nsize=1234\n\n" | nc 127.0.0.1 12340
| action=OK
|
But on every subsequent try, I always receive a response like this:
| $ printf "recipient=test@example.org\nsize=1234\n\n" | nc 127.0.0.1 12340
| action=DEFER_IF_PERMIT Internal error occurred. Refer to server log for more information.
|
Where the server log only says
| May 7 11:59:45 minna dovecot: quota-status(test@example.org): Error: user test@example.org: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied
Looking at the quota-status process, I notice it is not running as root, but rather as $mail_uid. It seems the service drops / changes its privileges at some point, which would explain the permission error on subsequent requests.
Setting service_count=1 for the service is not a viable workaround, as Postfix sends all policy requests for one SMTP session via one TCP connection.
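The test from the last message, repeated the way Postfix does it (several policy requests over one connection, each `action=` reply inspected), as an added Python example that is not part of the original thread and is not Dovecot or Postfix code. The function names and the in-process stub server are constructed for illustration; the stub's canned replies mirror the responses quoted in the thread plus an empty action, the case in which the logs above show the "entry has empty value" warning.

```python
"""Send several policy-delegation requests over ONE connection and classify
each reply. All names and the stub server are constructed for this example."""
import socket
import threading


def build_request(attrs):
    """Serialize a request: name=value lines, terminated by an empty line."""
    lines = []
    for name, value in attrs.items():
        value = str(value)
        if "=" in name or "\n" in name or "\n" in value:
            raise ValueError(f"attribute {name!r} cannot be encoded")
        lines.append(f"{name}={value}\n")
    return "".join(lines).encode() + b"\n"


def read_reply(rfile):
    """Read one reply (lines up to the empty line) and return the action value."""
    action = None
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection mid-reply")
        text = line.rstrip(b"\r\n").decode("utf-8", "replace")
        if text == "":
            return action
        name, _, value = text.partition("=")
        if name == "action":
            action = value


def classify(action):
    """Map an action to 'pass', 'tempfail', 'reject' or 'empty'."""
    if action is None or not action.strip():
        return "empty"  # no usable verdict came back from the service
    verb = action.split(None, 1)[0].upper()
    if verb[:3].isdigit():  # numeric SMTP reply such as "552 5.2.2 ..."
        return {"4": "tempfail", "5": "reject"}.get(verb[0], "pass")
    if verb.startswith("DEFER"):
        return "tempfail"
    if verb == "REJECT":
        return "reject"
    return "pass"  # OK, DUNNO and similar


def probe(sock, recipient, size, count):
    """Send `count` requests over the same socket; return [(action, verdict)]."""
    results = []
    with sock.makefile("rb") as rfile:
        for _ in range(count):
            sock.sendall(build_request({"recipient": recipient, "size": size}))
            action = read_reply(rfile)
            results.append((action, classify(action)))
    return results


def stub_quota_status(conn, replies):
    """Constructed stand-in for the service: one canned reply per request."""
    with conn, conn.makefile("rb") as rfile:
        for reply in replies:
            while True:  # consume one request, up to its empty line
                line = rfile.readline()
                if line in (b"", b"\n"):
                    break
            if line == b"":  # client went away
                return
            conn.sendall(f"action={reply}\n\n".encode())


def demo():
    """Run probe() against the stub; the replies are constructed sample data."""
    replies = [
        "OK",
        "DEFER_IF_PERMIT Internal error occurred. "
        "Refer to server log for more information.",
        "",
    ]
    client, server = socket.socketpair()
    threading.Thread(target=stub_quota_status, args=(server, replies),
                     daemon=True).start()
    with client:
        return probe(client, "test@example.org", 1234, len(replies))


if __name__ == "__main__":
    for n, (action, verdict) in enumerate(demo(), 1):
        print(f"request {n}: {verdict:8} action={action!r}")
```

Against a live service, hand `probe()` a socket from `socket.create_connection(("127.0.0.1", 12340))` (the inet_listener port from the last message) instead of the stub's socket.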