[Dovecot] Permission denied creating inbox file in /var/mail

Steve Ochani ochanis at ncc.edu
Fri Aug 1 00:42:11 EEST 2008


Hi,



On 31 Jul 2008 at 17:16, Tom Diehl wrote:

Date sent:      	Thu, 31 Jul 2008 17:16:24 -0400 (EDT)
From:           	Tom Diehl <tdiehl at rogueind.com>
Subject:        	Re: [Dovecot] Permission denied creating inbox file in /var/mail
To:             	Steve Ochani <Steve.Ochani at ncc.edu>
Copies to:      	dovecot at dovecot.org
Send reply to:  	Dovecot Mailing List <dovecot at dovecot.org>

> On Thu, 31 Jul 2008, Steve Ochani wrote:
> 
> > Hello all,
> >
> > I'm using dovecot version 1.07 on CentOS 5 (clone of RHEL 5).
> >
> > When there is no existing mbox file for a user in /var/mail I get
> the following error:
> >
> > ---------------
> > Jul 31 16:32:32 newnewton dovecot: imap-login: Login:
> user=<testm2>, method=PLAIN,
> > rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
> > Jul 31 16:32:32 newnewton dovecot: IMAP(testm2):
> open(/var/mail/testm2, O_CREAT)
> > failed: Permission denied
> > Jul 31 16:32:32 newnewton dovecot: IMAP(testm2): access() failed
> with mbox file
> > /var/mail/testm2: No such file or directory
> > Jul 31 16:32:32 newnewton dovecot: IMAP(testm2): stat() failed
> with mbox file
> > /var/mail/testm2: No such file or directory
> > Jul 31 16:32:32 newnewton dovecot: IMAP(testm2): Connection
> closed
> > ----------------
> >
> >
> > My permissions on /var/mail (which is a symlink to /var/spool/mail):
> >
> > drwxrwxr-x 2 root mail 4096 Jul 31 16:32 mail
> >
> > I have tried adding the mail group as mail_privileged_group, the
> output of dovecot -n :
> >
> > --------------------
> > # 1.0.7: /etc/dovecot.conf
> > login_dir: /var/run/dovecot/login
> > login_executable(default): /usr/libexec/dovecot/imap-login
> > login_executable(imap): /usr/libexec/dovecot/imap-login
> > login_executable(pop3): /usr/libexec/dovecot/pop3-login
> > mail_privileged_group: mail
> > mail_location: mbox:~/IMAPmail:INBOX=/var/mail/%u
> > mail_executable(default): /usr/libexec/dovecot/imap
> > mail_executable(imap): /usr/libexec/dovecot/imap
> > mail_executable(pop3): /usr/libexec/dovecot/pop3
> > mail_plugin_dir(default): /usr/lib/dovecot/imap
> > mail_plugin_dir(imap): /usr/lib/dovecot/imap
> > mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
> > auth default:
> >  passdb:
> >    driver: pam
> >  userdb:
> >    driver: passwd
> > --------------------
> >
> >
> > Here is the permission on /etc/dovecot.conf
> >
> > -rw-r--r-- 1 root root 42833 Jul 31 15:30 /etc/dovecot.conf
> >
> >
> > I've searched google and the mailing list archive and tried the
> couple of things commonly
> > suggested.
> >
> > As for a test I changed perms on /var/spool/mail to 777 and then
> dovecot made the inbox file.
> > The file ended up being owned by the user and the group owner was
> the group that the user
> > belongs to, not mail.
> >
> > When I create new users using useradd there is a 0 byte file
> created in /var/mail for the user
> > but I use scripts to create student accounts every semester (about
> 10,000) so I'm trying to
> > avoid having to add more things that the script will have to
> create.
> >
> > Any help is greatly appreciated.
> 
> I am not sure if this is the right answer or not but how about
> "chmod 1777 /var/spool/mail"? I do this so that procmail can write
> to the
> mail spool.

Setting the sticky bit works but I'm not sure if I will use this solution because it creates a bit of a security problem.

1. Any user can start writing files in the dir now.

2. user1 can create a file as user2 and put fake mail in it. I tested this and it works. I was also unable to delete the mail since the file is owned by user1. The file got fixed by sendmail when I sent mail to user2.


Thanks for your help.

I think dovecot should use the mail_privileged_group group to also be able to create files; this was mentioned a couple of times before in other posts.


-Steve O.
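An added audit helper, not part of Steve's message or of Dovecot itself, that checks a spool directory for the two conditions raised above: a world-writable (1777) directory, and mailbox files whose owner is not the user they are named after (the spoofed-inbox case). It assumes GNU stat on Linux; the directory path is passed in as an argument.

```shell
#!/bin/sh
# Added audit helper (not from the original thread). Reports a world-writable
# spool directory and spool files whose owner does not match the mailbox name.
# Assumes GNU stat (Linux).

# Print the octal mode of a path (e.g. 1777, 775).
mode_of() {
    stat -c '%a' "$1"
}

# Print the owning user name of a path.
owner_of() {
    stat -c '%U' "$1"
}

# Exit 0 if the path is world-writable (last octal digit has the w bit set).
is_world_writable() {
    case "$(mode_of "$1")" in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# List spool files whose owner differs from the file name, one per line as
# "name owner". This is the signature of user1 pre-creating /var/mail/user2
# in a 1777 spool. Prints nothing when every mailbox is owned by its user.
find_spoofed_mailboxes() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        owner=$(owner_of "$f")
        [ "$name" = "$owner" ] || printf '%s %s\n' "$name" "$owner"
    done
}

# Audit a spool directory; prints findings and returns 1 if anything is wrong.
audit_mail_spool() {
    dir=$1
    rc=0
    if is_world_writable "$dir"; then
        echo "WARN: $dir is world-writable (mode $(mode_of "$dir"))"
        rc=1
    fi
    spoofed=$(find_spoofed_mailboxes "$dir")
    if [ -n "$spoofed" ]; then
        echo "WARN: mailbox files not owned by their user:"
        echo "$spoofed"
        rc=1
    fi
    return $rc
}
```

Run it as `audit_mail_spool /var/spool/mail` from a root shell; a non-zero exit means at least one finding was printed.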
