[Dovecot] Permission denied / missing +r perm

Andrew Crawford drew at sealedabstract.com
Wed Jun 12 13:43:55 EEST 2013 

FYI, the answer was in the filesystem.  EncFS says

>  Secondly, the --public flag changes how encfs's node creation functions work - as they will try and set ownership of new nodes based on the caller identification.

It seems that this was the culprit.



On Jun 12, 2013, at 4:53 AM, Andrew Crawford <drew at sealedabstract.com> wrote:

> I have postfix configured to deliver mail to dovecot over lmtp into a mailbox that then is accessed over imap.  The imap server is running as the user "mail". Whenever I run "postfix flush" I get in mail.log:
> 
>> Jun 12 05:37:45 li212-205 dovecot: lmtp(21288): Connect from local
>> Jun 12 05:37:45 li212-205 spamd[18173]: prefork: child states: II
>> Jun 12 05:37:45 li212-205 dovecot: auth-worker(21289): mysql(127.0.0.1): Connected to database mailserver
>> Jun 12 05:37:45 li212-205 dovecot: lmtp(21288, drew at REDACTED): zXAqF2lBuFEoUwAA5SnFYQ: msgid=<064C5BC7-357B-4366-9A80-5001DBA21F62 at REDACTED>: saved mail to INBOX
>> Jun 12 05:37:45 li212-205 postfix/lmtp[21287]: 57BDA1CC932: to=<drew at REDACTED>, relay=li212-205.members.linode.com[private/dovecot-lmtp], delay=0.06, delays=0.01/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 <drew at REDACTED> zXAqF2lBuFEoUwAA5SnFYQ Saved)
>> Jun 12 05:37:45 li212-205 dovecot: lmtp(21288): Disconnect from local: Client quit (in reset)
>> Jun 12 05:37:45 li212-205 postfix/qmgr[21244]: 57BDA1CC932: removed
>> Jun 12 05:37:45 li212-205 dovecot: imap(drew at REDACTED): Error: open(/decrypted-mail/awesomebox.sealedabstract.com/drew/cur/1371029865.M411903P21288.li212-205,S=2626,W=2673:2,) failed: Permission denied (euid=8(mail) egid=8(mail) missing +r perm: /decrypted-mail/awesomebox.sealedabstract.com/drew/cur/1371029865.M411903P21288.li212-205,S=2626,W=2673:2,, we're not in group 0(root))
>> Jun 12 05:37:45 li212-205 dovecot: imap(drew at REDACTED): Disconnected: Internal error occurred. Refer to server log for more information. [2013-06-12 05:37:45] in=349 out=1084
> 
> 
> Indeed, the file in question is owned by root and would not be accessible to the mail user:
> 
>> ls -la /decrypted-mail/awesomebox.sealedabstract.com/drew/cur/
>> total 24
>> drwxrw---- 2 mail mail 4096 Jun 12 05:37 .
>> drwxrw---- 7 mail mail 4096 Jun 12 05:37 ..
>> -rw-rw---- 1 mail mail 2616 Jun 12 05:26 1371029196.M462737P20302.li212-205,S=2616,W=2662:2,
>> -rw-rw---- 1 mail mail 2635 Jun 12 05:32 1371029564.M454251P20747.li212-205,S=2635,W=2682:2,
>> -rw-rw---- 1 root root 2626 Jun 12 05:37 1371029865.M411903P21288.li212-205,S=2626,W=2673:2,
> 
> So dutifully, I chown / chgrp to the mail user.  But as soon as i receive a new mail, dovecot again creates files owned by root:root.
> 
> How do I convince it to create files as mail:mail ?
> 
> 
> Diagnostic info:
> 
>> $ dovecot --version
>> 2.1.7
> 
>> $ ps -aux | grep dovecot
>> root     20810  0.0  0.0   2892   984 ?        Ss   05:34   0:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
>> dovecot  20813  0.0  0.0   2620   940 ?        S    05:34   0:00 dovecot/anvil
>> root     20814  0.0  0.1   2752  1072 ?        S    05:34   0:00 dovecot/log
>> root     20818  0.0  0.2   4348  2524 ?        S    05:34   0:00 dovecot/config
>> dovenull 21046  0.0  0.2   5248  2500 ?        S    05:35   0:00 dovecot/imap-login
>> mail     21047  0.0  0.2   6392  2088 ?        S    05:35   0:00 dovecot/imap
>> dovenull 21056  0.0  0.2   5248  2500 ?        S    05:35   0:00 dovecot/imap-login
>> mail     21057  0.0  0.2   6752  2576 ?        S    05:35   0:00 dovecot/imap
>> dovenull 21292  0.0  0.2   5248  2500 ?        S    05:37   0:00 dovecot/imap-login
>> root     21293  0.0  0.1   4508  1044 ?        S    05:37   0:00 dovecot/ssl-params
>> mail     21294  0.0  0.2   6540  2624 ?        S    05:37   0:00 dovecot/imap
>> root     21400  0.0  0.0   4104   788 pts/0    S+   05:51   0:00 grep dovecot
> 
>> $ doveconf -n
>> # 2.1.7: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.8.4-linode50 i686 Debian 7.0 fuse.encfs
>> auth_mechanisms = plain login
>> first_valid_uid = 0
>> mail_location = maildir:/decrypted-mail/%d/%n
>> mail_privileged_group = mail
>> namespace inbox {
>>  inbox = yes
>>  location = 
>>  mailbox Drafts {
>>    special_use = \Drafts
>>  }
>>  mailbox Junk {
>>    special_use = \Junk
>>  }
>>  mailbox Sent {
>>    special_use = \Sent
>>  }
>>  mailbox "Sent Messages" {
>>    special_use = \Sent
>>  }
>>  mailbox Trash {
>>    special_use = \Trash
>>  }
>>  prefix = 
>> }
>> passdb {
>>  args = /etc/dovecot/dovecot-sql.conf.ext
>>  driver = sql
>> }
>> protocols = " imap lmtp"
>> service auth-worker {
>>  user = mail
>> }
>> service auth {
>>  unix_listener /var/spool/postfix/private/auth {
>>    group = postfix
>>    mode = 0600
>>    user = postfix
>>  }
>>  unix_listener auth-userdb {
>>    mode = 0600
>>    user = mail
>>  }
>>  user = dovecot
>> }
>> service imap-login {
>>  inet_listener imap {
>>    port = 0
>>  }
>> }
>> service lmtp {
>>  unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>    group = postfix
>>    mode = 0666
>>    user = postfix
>>  }
>>  user = mail
>> }
>> service pop3-login {
>>  inet_listener pop3 {
>>    port = 0
>>  }
>> }
>> ssl = required
>> ssl_cert = </etc/ssl/certs/dovecot.pem
>> ssl_key = </etc/ssl/private/dovecot.pem
>> userdb {
>>  args = uid=mail gid=mail home=/decrypted-mail/%d/%n
>>  driver = static
>> }
>> 
> 
> 
>

More information about the dovecot mailing list