[Dovecot] imap auto create mailbox: we're not in group 8(mail)
Dear List
Somehow I don't understand the intended workflow to have new mailboxes auto-created. On login of a new user with no mailbox, I get
2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)
The imap process runs as the user the login performed and thus it has only the privileges of that user. This is good and desired, when a mailbox already exists. I do not want to allow all users to write to /var/mail, only they should write to their dirs inside /var/mail.
Same story for LMTP, if no mailbox exists yet: 2014-01-09 13:01:47 lmtp(20416, tester): Error: user tester: Initialization failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)
How can I configure the auto-create mailbox feature so that it works, letting the LMTP and IMAP processes run as user %u and group mail and create the mailboxes in /var/mail (example user tester) with the following permissions:
/var/mail:
drwxrwx--x root   mail   3072 Dec 18 01:43 .
drwx------ tester tester 1024 Jan 09 12:53 tester
...or do I need a different approach?
Thank you for helping me.
Best regards, Adrian.
My setup:
- Exim delivers to LMTP socket as user %u, group mail
- maildir storage in /var/mail
doveconf -n:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.3 ext3
auth_cache_negative_ttl = 0
auth_cache_size = 5 M
auth_cache_ttl = 4 hours
auth_failure_delay = 3 secs
auth_mechanisms = plain login digest-md5 cram-md5 apop rpa
auth_username_format = %n
auth_verbose = yes
auth_worker_max_count = 128
first_valid_gid = 1000
first_valid_uid = 1000
last_valid_gid = 60000
last_valid_uid = 60000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_location = maildir:/var/mail/./%u/:INDEX=MEMORY
mail_prefetch_count = 1024
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave vacation-seconds
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  type = private
}
passdb {
  args = scheme=SHA512-CRYPT username_format=%u /etc/cram-md5.pwd
  driver = passwd-file
}
plugin {
  sieve = /var/mail/%u/sieve/.dovecot.sieve
  sieve_before = /var/mail/%u/sieve/vacation.sieve
  sieve_dir = /var/mail/%u/sieve
  sieve_extensions = +vacation +vacation-seconds
  sieve_max_actions = 1024
  sieve_vacation_default_period = 12d
  sieve_vacation_max_period = 0
  sieve_vacation_min_period = 1d
}
postmaster_address = postmaster@XXXX
protocols = " imap lmtp sieve pop3"
service auth-worker {
  user = $default_login_user
}
service auth {
  group = mail-security
  unix_listener auth-client {
    mode = 0660
    user = Debian-exim
  }
  unix_listener auth-userdb {
    mode = 0666
  }
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 5
}
service lmtp {
  process_min_avail = 10
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service pop3 {
  process_limit = 256
}
ssl_cert = </etc/ssl/XXXX
ssl_cipher_list = DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:+TLSv1:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!SSLv2:!3DES:!DSS
ssl_key = </etc/ssl/XXXX
ssl_parameters_regenerate = 128 hours
userdb {
  args = blocking=no
  driver = passwd
  override_fields = home=/var/mail/%u mail=maildir:/var/mail/%u
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}
protocol imap {
  mail_max_userip_connections = 64
}
protocol pop3 {
  mail_max_userip_connections = 32
  pop3_client_workarounds = oe-ns-eoh
  pop3_save_uidl = yes
}
On Thu, 9 Jan 2014, Adrian Zaugg wrote:
Somehow I don't understand the intended workflow to have new mailboxes auto-created. On login of a new user with no mailbox, I get
2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)
The error says it all.
- See:
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group =

# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =

- chmod 1777 /var/mail

- pre-create your user dirs
Steffen Kaiser
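The permission decision behind that error, and what each of the options above changes, as an added example (not Dovecot's code): a Python model of the POSIX check using the uid/gid/mode values from the log line. The option labels and the second user's uid 1017 are constructed for the illustration.

```python
"""Model of the POSIX check behind Dovecot's 'missing +w perm ... we're not in group 8(mail), dir owned by 0:8 mode=0771'.
Constructed for this thread, not Dovecot's own code; uid/gid values come from the log line."""
from dataclasses import dataclass
from stat import S_IWUSR, S_IWGRP, S_IWOTH, S_IXUSR, S_IXGRP, S_IXOTH, S_ISVTX
MAIL_GID = 8  # "group 8(mail)" in the error

@dataclass(frozen=True)
class Process:
    euid: int
    egid: int
    groups: frozenset = frozenset()  # supplementary groups, what mail_access_groups adds

@dataclass(frozen=True)
class Dir:
    uid: int
    gid: int
    mode: int  # permission bits incl. sticky bit, e.g. 0o1777

def _allowed(d, p, usr, grp, oth):
    """POSIX discretionary access: owner class, else group class, else other."""
    if p.euid == 0:
        return True
    if p.euid == d.uid:
        return bool(d.mode & usr)
    if p.egid == d.gid or d.gid in p.groups:
        return bool(d.mode & grp)
    return bool(d.mode & oth)

def can_mkdir_in(d, p):
    """mkdir(/var/mail/<user>) needs write and search (+w, +x) on /var/mail itself."""
    return _allowed(d, p, S_IWUSR, S_IWGRP, S_IWOTH) and _allowed(d, p, S_IXUSR, S_IXGRP, S_IXOTH)

def can_unlink_in(d, p, entry_uid):
    """Why the reply says 1777 rather than 0777: with the sticky bit set only root,
    the directory owner or the entry's owner may remove an entry."""
    return can_mkdir_in(d, p) and (not (d.mode & S_ISVTX) or p.euid in (0, d.uid, entry_uid))

tester = Process(euid=1016, egid=1016)           # the imap/lmtp process after login, as logged
var_mail = Dir(uid=0, gid=MAIL_GID, mode=0o771)  # "dir owned by 0:8 mode=0771"

def scenarios():
    """The logged situation and the remedies from the reply (pre-created dirs need no mkdir)."""
    return {
        "as logged": can_mkdir_in(var_mail, tester),
        "mail_privileged_group=mail": can_mkdir_in(var_mail, Process(1016, MAIL_GID)),  # egid switched briefly
        "mail_access_groups=mail": can_mkdir_in(var_mail, Process(1016, 1016, frozenset({MAIL_GID}))),
        "chmod 1777": can_mkdir_in(Dir(0, MAIL_GID, 0o1777), tester),
        "1777, remove another user's dir": can_unlink_in(Dir(0, MAIL_GID, 0o1777), tester, 1017),  # uid 1017 constructed
        "0777, remove another user's dir": can_unlink_in(Dir(0, MAIL_GID, 0o777), tester, 1017),
    }
```

The last two entries show what the sticky bit in 1777 buys over a plain world-writable directory, which is the property the mail_access_groups comment warns about losing through symlinks.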
Hi Steffen
On 09.01.14 13:36, Steffen Kaiser wrote:
The error says it all. Almost ...
If I understand you correctly, I can choose one of the three options you presented to me, right? If so, 3) I did until now. 2) no way. To 1): I now set mail_privileged_group = mail
drwxrwx--x 94 root mail 3072 Dec 18 01:43 /var/mail
But I still get the same error. The LMTP and IMAP processes still run under group %u when they try to create the mailbox. What's wrong?
Thank you for your help!
Best regards, Adrian.