Sieve permissions issue following update

David Gessel gessel at blackrosetech.com
Tue Dec 9 22:09:17 UTC 2014



-------- Original Message --------
Subject: Re: Sieve permissions issue following update
From: Pascal Volk <user+dovecot at localhost.localdomain.org>
To: Dovecot Mailing List <dovecot at dovecot.org>
Date: Wed Dec 10 2014 00:00:04 GMT+0300 (Arabic Standard Time)

> On 12/09/2014 07:50 PM, David Gessel wrote:
>> It has been running flawlessly for quite some time until the update.  
>>
>> Global scripts were compiled:
>>
>> /usr/local/etc/dovecot/sieve # ls
>> 10-move-spam.sieve      10-move-spam.svbin
>>
>> However, I ran sievec again and tried saving a modified script and got the same:
>>
>> shiofuki dovecot: lda(gessel at blackrosetech.com): Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.shiofuki.blackrosetech.com.96421.) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve, we're not in group 6(mail), dir owned by 143:6 mode=0775)
>> Dec  9 11:30:39 shiofuki dovecot: lda(gessel at blackrosetech.com): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/usr/local/etc/dovecot/sieve/10-move-spam.sieve' need to be pre-compiled using the sievec tool
>>
>>
>> I use Thomas Schmid's Sieve 0.2.3d add on to Thunderbird, if that might have any significance.
>>
>> Compiling with sievec shouldn't change the permission error, which I still don't understand.
>>
>>
>>> [TOFU snipped]
> 
> /usr/local/etc/dovecot/sieve is not the user's sieve_dir; see
> <http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration>.
> 
> The GLOBAL sieve scripts (see your error message above) are managed by the
> system administrator. Admins are using their favorite $EDITOR, the
> chmod(1) and chown(1) commands. They don't need a ManageSieve client.
> 

Pascal, 

Thank you very much for your prompt assistance.  I apologize that I haven't been able to use your advice to sort out the issues, but I'm either not getting it or it is tangential to the problem I'm having.  I apologize if I haven't provided enough information.

90-sieve.conf's specification of those file locations for global and user scripts (relevant lines from the config below):

 sieve = ~/.dovecot.sieve
 sieve_dir = ~/sieve
 #sieve_global_dir =
 sieve_before = /usr/local/etc/dovecot/sieve/

I brought up the plugin only because only two things have touched any part of the dovecot/sieve configuration between "working" and "not working" states:

- An update using portmaster to dovecot2-2.2.15_1/dovecot-pigeonhole-0.4.6 and 
- an edit via the Sieve plugin/Managesieve.  

One of the two has broken sieve. Unfortunately I did take note of the last working version of dovecot/dovecot-pigeonhole, but it could not be more than a few months old as I update ports fairly regularly and my last buildworld wasn't that long ago.

It is consistent with the errors and my understanding that user scripts are not the likely culprit: I included the information for the sake of completeness, which can now be dismissed.  Moving back to the logged warnings:

Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.shiofuki.blackrosetech.com.96421.) failed:

- this seems to me to indicate that sieve tried to write "10-move-spam.svbin.shiofuki.blackrosetech.com.96421" in the directory /usr/local/etc/dovecot/sieve/

Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve

- I read this as sieve determining that "vmail" is not permitted to write to /usr/local/etc/dovecot/sieve

we're not in group 6(mail), dir owned by 143:6 mode=0775)

- and giving a very helpful bit of advice that "we're" not in group 6(mail) - which I'm reading as "vmail" not being in group "mail" - and that the target directory is owned by 143:6 0775.  The latter is consistent with the OS's reporting of the directory:

drwxrwxr-x   2 dovecot  mail      4B Dec  9 11:27 sieve

from /etc/group
mail:*:6:postfix,clamav,vscan,dovecot,vmail,spamd
dovecot:*:143:

IF I'm reading "we're" as "vmail" correctly, this is incorrect ("we're not in group 6(mail)").  vmail IS in group "mail" and group "mail" does have write permissions to /usr/local/etc/dovecot/sieve/ (group is rwx).  Perhaps "we're" now refers to another user?  I see from top (I realize this is unlikely):

96387 dovenull       1  20    0 29120K  6080K kqread  7   0:00   0.00% managesieve-login

As for the error 

dovecot: lda(gessel at blackrosetech.com): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/usr/local/etc/dovecot/sieve/10-move-spam.sieve' need to be pre-compiled using the sievec tool

The reported error is consistent with the previous - a newly minted permission problem that seems to have come with the update.  In this case the advice given about precompiling global scripts seems misplaced.  The script is compiled, as reported by the error immediately preceding (10-move-spam.svbin, the svbin suffix is added by the compilation process) and just to be sure I ran sievec again and #service dovecot restart without changing the error.

My inexpert intuition is that the latest update introduced a bug that is manifesting itself as a permission error.
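
Added illustration, not part of the original post and not Dovecot's code: the sketch below parses the detail portion of the logged error and applies the standard POSIX owner/group/other class selection to it. It assumes the process holds only the groups passed in the hypothetical `supplementary_groups` argument, because a running process's group list is fixed when its credentials are set and is not looked up in /etc/group at access time; root override and ACLs are ignored.

```python
import re

# Constructed from the log line quoted in the post (detail portion only).
SAMPLE = ("Permission denied (euid=5000(vmail) egid=5000(vmail) "
          "missing +w perm: /usr/local/etc/dovecot/sieve, "
          "we're not in group 6(mail), dir owned by 143:6 mode=0775)")

DETAIL = re.compile(
    r"euid=(?P<euid>\d+)\([^)]*\) egid=(?P<egid>\d+)\([^)]*\) "
    r"missing \+w perm: (?P<path>[^,]+), .*?"
    r"dir owned by (?P<uid>\d+):(?P<gid>\d+) mode=(?P<mode>[0-7]+)"
)


def parse_detail(line):
    """Extract process credentials and directory ownership from the error."""
    m = DETAIL.search(line)
    if m is None:
        raise ValueError("not a recognised permission-denied detail")
    d = m.groupdict()
    return {
        "euid": int(d["euid"]), "egid": int(d["egid"]), "path": d["path"],
        "dir_uid": int(d["uid"]), "dir_gid": int(d["gid"]),
        "mode": int(d["mode"], 8),
    }


def write_class(info, supplementary_groups=()):
    """Return (class, write_allowed). The first matching class decides,
    and only the process's own credentials are consulted."""
    mode = info["mode"]
    if info["euid"] == info["dir_uid"]:
        return "owner", bool(mode & 0o200)
    if info["dir_gid"] == info["egid"] or info["dir_gid"] in supplementary_groups:
        return "group", bool(mode & 0o020)
    return "other", bool(mode & 0o002)


if __name__ == "__main__":
    info = parse_detail(SAMPLE)
    # Process with egid 5000 and no supplementary groups: "other" bits apply.
    print(info["path"], write_class(info))
    # Same process if group 6 were in its supplementary group list.
    print(info["path"], write_class(info, {6}))
```
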






