[Dovecot] ChgrpNoPerm issue

Joseph Tam jtam.home at gmail.com
Tue Sep 11 02:03:46 EEST 2012


Robert JR <roundcube222 at alaadin.org> writes:

> The problem is /var/mail (Owner is
> useraccount and the group is mail), and here comes the problem:
> Dovecot
> keeps trying to chown the imap folder inside the homedirectory with
> user:mail account and since
> And this is the reason for the error that appears
> in my log file.

Dovecot is trying to keep the permission of your index caches consistent
with that of your mailbox it indexes.  The INBOX index cache is kept in
your user's mail directory (as per your default settings), although you
can change that location.

> The option mail_access_groups=mail solves the problem..
> but I read it is not secure..
> With my current configuration, users login
> with imap to read mail; can they use
> the mail_access_groups=mail
> and read other people's mail?

Yes, that's the security problem.

> Is my configuration
> a shared mailbox
> and could it be insecure..

Could not parse your question/comment.

> Why did I not have
> this issue with uw-imapd? And why does dovecot try to chown the .imap
> folder
> with the mail group?

uw-imapd was not as picky.  The extra consideration for group ownership
is so that shared access to mailbox files, and their associated index
caches, remains consistent.  For example, if you shared a mailbox among
your colleagues in group "staff" and the mailbox has group=staff,perm=g+rw,
then the index caches will inherit those permissions, and members of
group staff can access mailbox and indices alike.

[You later write ...]

> Sep 9 11:22:30 dovecot: pop3(r): Error:
> fchown(/home/r/.imap/INBOX/dovecot.index.log.newlock, -1, 12(mail))
> failed: Operation not permitted (egid=501(r), group based on
> /var/mail/r) 
> 
> I know that chmod 0600 /var/mail will solve the problem
> and I will no longer receive the above errors again

You also have to make sure that autocreated INBOXes (i.e. a brand
new account) do not start out with anything other than 0600.
You may have to use dovecot's LDA or twist your LDA's arm to create
mailboxes that way.

I guess you can also avoid these errors by using memory indices, but
you forego the advantages of persistent indices.

> But my question is
> that in case I did not set chmod /var/mail 0600, can I ignore such
> errors? Are these errors harmful? If these errors keep coming and I
> ignored them, would this cause mbx corruption .. please advise

No, you can't ignore these errors.  They will break IMAP access to
those mailboxes (as you will find out).

Joseph Tam <jtam.home at gmail.com>
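As an added illustration of the diagnosis in this thread (this is not code from Dovecot or from either poster), the script below parses the quoted fchown() error line, reproduces the rule Joseph describes (the index file must take the group of the mailbox it indexes, which an unprivileged process can only do if it is a member of that group), and audits a spool directory for mbox files whose mode is looser than 0600. The spool directory, file names and the supplementary-group lists are constructed for the demo; the only real input is the log line quoted above.

```python
"""Triage Dovecot fchown() index-permission errors and audit mbox spool modes.

Constructed example for this thread; not Dovecot's own code.
"""
import os
import re
import stat
import tempfile

# Pattern built from the single error line quoted in the thread (assumption:
# other fchown() errors from Dovecot follow the same layout).
_FCHOWN_RE = re.compile(
    r"fchown\((?P<path>[^,]+), -1, (?P<gid>\d+)\((?P<group>[^)]*)\)\) failed: "
    r"(?P<error>.+?) \(egid=(?P<egid>\d+)\((?P<euser>[^)]*)\), "
    r"group based on (?P<based_on>[^)]+)\)"
)

# The log line quoted in the thread, used as sample input.
SAMPLE_LINE = (
    "Sep 9 11:22:30 dovecot: pop3(r): Error: "
    "fchown(/home/r/.imap/INBOX/dovecot.index.log.newlock, -1, 12(mail)) "
    "failed: Operation not permitted (egid=501(r), group based on /var/mail/r)"
)


def parse_fchown_error(line):
    """Return the fields of a Dovecot fchown() error line, or None."""
    m = _FCHOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"] = int(d["gid"])
    d["egid"] = int(d["egid"])
    return d


def chown_would_fail(mailbox_path, egid, supplementary_gids):
    """Mirror the rule from the thread: the index inherits the mailbox's group,
    and an unprivileged process can only chgrp to a group it belongs to.
    Returns (would_fail, mailbox_gid)."""
    wanted = os.stat(mailbox_path).st_gid
    member = wanted == egid or wanted in set(supplementary_gids)
    return (not member, wanted)


def audit_spool(spool_dir):
    """List regular files in the spool whose mode grants group/other any
    access, i.e. anything other than 0600 (the fix Joseph points at)."""
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        p = os.path.join(spool_dir, name)
        st = os.lstat(p)
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((name, oct(mode)))
    return findings


def demo():
    """Build a constructed spool with one compliant and one loose mbox and
    run all three checks; returns the results for inspection."""
    spool = tempfile.mkdtemp(prefix="spool-")
    ok_box = os.path.join(spool, "alice")    # constructed, 0600
    loose_box = os.path.join(spool, "bob")   # constructed, 0660
    for path, mode in ((ok_box, 0o600), (loose_box, 0o660)):
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    gid = os.stat(ok_box).st_gid
    return {
        "parsed": parse_fchown_error(SAMPLE_LINE),
        "findings": audit_spool(spool),
        # Process whose egid matches the mailbox group: chgrp succeeds.
        "same_group": chown_would_fail(ok_box, gid, []),
        # Process in the group only via supplementary membership (the
        # mail_access_groups situation): chgrp succeeds.
        "supplementary": chown_would_fail(ok_box, gid + 1, [gid]),
        # Process not in the mailbox's group at all: the thread's error.
        "not_member": chown_would_fail(ok_box, gid + 1, []),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The audit only reports mode bits, because that is the part of the fix a defender can verify without root; the group mismatch itself shows up as the "group based on /var/mail/r" field that the parser extracts, which is where to look first when such a line appears in the log.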
