dovecot-lda can't create /var/mail dotlocks on debian

John Clements johnbclements at gmail.com
Tue Nov 3 20:40:42 UTC 2015


Well, first, here are the logs I generated:

Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: Effective uid=1003, gid=1003, home=/home/granitemon
Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail:INBOX=/var/mail/granitemon
Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: fs: root=/home/granitemon/mail, index=, indexpvt=, control=, inbox=/var/mail/granitemon, alt=
Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: userdb lookup skipped, username taken from USER environment
Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: Destination address: granitemon at desmond.brinckerhoff.org (source: user at hostname)
Nov  3 12:23:05 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted
Nov  3 12:23:05 desmond dovecot: lda(granitemon): msgid=<20151103202305.88BE05FF39 at desmond.brinckerhoff.org>: save failed to INBOX: BUG: Unknown internal error
Nov  3 12:23:05 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted
Nov  3 12:23:05 desmond postfix/local[26490]: 88BE05FF39: to=<granitemon at localhost>, relay=local, delay=0.04, delays=0.01/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure)

At this point... well, I don't understand why dovecot signals an "Unknown
internal error," but I think I understand that even if I *do* get this
working, I'm pretty much throwing in the towel, because since postfix
invokes the lda as the user receiving the mail, then this only works if all
users receiving mail are in the mail group, which means any of them can
mess up any other's mbox.

So, it looks like even if this bug is fixed, I'm left with two obvious
choices:
- make /var/mail writeable by all users that receive mail, or
- use LMTP instead.

Many thanks for your help,

John Clements


On Tue, Nov 3, 2015 at 12:13 PM, Larry Rosenman <larryrtx at gmail.com> wrote:

> and, are you SURE that dovecot-lda has mail in its group list when it is
> executing?
>
> On Tue, Nov 3, 2015 at 2:12 PM, Larry Rosenman <larryrtx at gmail.com> wrote:
>
>> Hrm.  if you turn up the debug on lda, do you get any more of a clue?
>>
>> Those permissions look fine to me.
>>
>>
>> On Tue, Nov 3, 2015 at 2:10 PM, John Clements <johnbclements at gmail.com>
>> wrote:
>>
>>> clements at desmond:/var/log$ ls -lda /var/mail
>>> drwxrwsr-x 2 root mail 4096 Nov  2 22:07 /var/mail
>>>
>>>
>>> Best,
>>>
>>> John Clements
>>>
>>> On Tue, Nov 3, 2015 at 11:52 AM, Larry Rosenman <larryrtx at gmail.com>
>>> wrote:
>>>
>>>> what are the full permissions of /var/mail?
>>>>
>>>>
>>>> ls -lda /var/mail
>>>>
>>>> On Tue, Nov 3, 2015 at 1:49 PM, John Clements <johnbclements at gmail.com>
>>>> wrote:
>>>>
>>>>> I've been using dovecot+postfix happily for many years, and I'm now
>>>>> configuring it for a new machine. However, I'm running into an old problem
>>>>> again, and thinking that there must be a better solution.
>>>>>
>>>>> The problem is that dovecot-lda is unable to create dotlock files in the
>>>>> /var/mail directory.
>>>>>
>>>>> Dovecot version: 1:2.2.13-12~deb8u1 (I'm guessing this is upstream version
>>>>> 2.2.13)
>>>>> OS: Debian Jessie
>>>>>
>>>>> Currently, my mail directory has these permissions:
>>>>>
>>>>> clements at desmond:~$ ls -ld /var/mail
>>>>> drwxrwsr-x 2 root mail 4096 Nov  2 22:07 /var/mail
>>>>> clements at desmond:~$ ls -l /var/mail
>>>>> total 8
>>>>> -rw------- 1 clements   mail 1382 Nov  2 21:59 clements
>>>>> -rw------- 1 granitemon mail  530 Nov  2 22:07 granitemon
>>>>>
>>>>> I've added
>>>>> mail_privileged_group = mail
>>>>> to allow creation of the dotlock files.
>>>>>
>>>>> When I configure postfix to deliver using dovecot-lda, I get logs that look
>>>>> like this:
>>>>>
>>>>> Nov  3 11:12:20 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted
>>>>> Nov  3 11:12:20 desmond dovecot: lda(granitemon): msgid=<20151103181306.A4B5B5FF32 at desmond.XXXDOMAIN.org>: save failed to INBOX: BUG: Unknown internal error
>>>>>
>>>>> In order to isolate the error, I took postfix out of the equation, and
>>>>> called dovecot-lda directly:
>>>>>
>>>>> clements at desmond:/tmp$ cat bogusmail
>>>>> From: clements at XXXDOMAIN.org
>>>>> To: granitemon at localhost
>>>>> Date: November 3 2015
>>>>> Subject: graaaah
>>>>>
>>>>> this is the body
>>>>> clements at desmond:/tmp$ /usr/lib/dovecot/dovecot-lda -e -d clements < bogusmail
>>>>> BUG: Unknown internal error
>>>>> clements at desmond:/tmp$
>>>>>
>>>>> In response to this, mail.log now contains this similar error:
>>>>>
>>>>> Nov  3 11:34:57 desmond dovecot: lda(clements): msgid=unspecified: save failed to INBOX: BUG: Unknown internal error
>>>>> Nov  3 11:34:57 desmond dovecot: lda(clements): Error: setegid(privileged) failed: Operation not permitted
>>>>>
>>>>>
>>>>> I've tried a number of "random internet search" solutions, including
>>>>> - changing perms on mail files from 660 to 600
>>>>> - enabling 'mail_access_groups=mail' in 10-mail.conf
>>>>> - adding individual users to the mail group.
>>>>>
>>>>> I guess I'm pretty confident that if dovecot is writing "BUG: Unknown
>>>>> internal error" in the logs, that this is actually a bug in dovecot.
>>>>>
>>>>> OBresearch: I read through the release notes of 2.2.14 -- 2.2.19 to see if
>>>>> a relevant-looking bug had been fixed, but nothing jumped out at me.
>>>>> OBresearch: searching the dovecot mailing list, I found one *extremely*
>>>>> relevant thread called "Re: [Dovecot] started with dovecot sieve
>>>>> <http://dovecot.markmail.org/message/kgd34wberxuvmrsa?q=setegid>", but
>>>>> there didn't seem to be a solution contained in the thread.
>>>>>
>>>>> Final note: this doesn't appear to be confined to debian jessie: I took a
>>>>> look at my existing installation, and I see that in fact I just went ahead
>>>>> and made /var/mail world-writeable, which seems... sub-optimal. I'm sure I
>>>>> could do that here, too, but I'd certainly rather not.
>>>>>
>>>>> Thanks in advance, and let me know if I've left out relevant crucial
>>>>> information.
>>>>>
>>>>> Best,
>>>>>
>>>>> John Clements
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Larry Rosenman                     http://www.lerctr.org/~ler
>>>> Phone: +1 214-642-9640 (c)     E-Mail: larryrtx at gmail.com
>>>> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961
>>>>
>
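
An added example (not part of the thread and not Dovecot code): a Python check that applies the standard Unix directory-permission rules to the `ls -ld /var/mail` output and the uid/gid from the debug log above, and generalizes to the sticky-bit case to show when write access to the spool also allows removing other users' files. The gid 8 for `mail` and all function names are assumptions made for this example.

```python
import stat

# Bit for each of the nine permission characters printed by `ls -l`.
BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
        stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
        stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_ls_mode(text):
    """Turn an ls mode string such as 'drwxrwsr-x' into permission bits."""
    mode = 0
    for i, ch in enumerate(text[1:10]):
        if ch in "rwxst":        # lower-case s/t also imply the execute bit
            mode |= BITS[i]
        if ch in "sStT":         # setuid, setgid or sticky, by position
            mode |= SPECIAL[i]
    return mode

def can_create_in(mode, dir_uid, dir_gid, euid, egid, groups):
    """Apply the owner/group/other rule: may this process add a file here?"""
    if euid == 0:
        return True
    if euid == dir_uid:
        w, x = stat.S_IWUSR, stat.S_IXUSR
    elif egid == dir_gid or dir_gid in groups:
        w, x = stat.S_IWGRP, stat.S_IXGRP
    else:
        w, x = stat.S_IWOTH, stat.S_IXOTH
    return bool(mode & w) and bool(mode & x)

def assess(ls_mode, dir_uid, dir_gid, euid, egid, groups):
    """Report whether a dotlock can be created, and whether the same write
    access also lets the process unlink or rename files it does not own
    (true for a writable directory without the sticky bit)."""
    mode = parse_ls_mode(ls_mode)
    writable = can_create_in(mode, dir_uid, dir_gid, euid, egid, groups)
    restricted = bool(mode & stat.S_ISVTX) and euid not in (0, dir_uid)
    return {"dotlock": writable, "can_remove_others": writable and not restricted}

MAIL_GID = 8   # assumed gid of the "mail" group; check with `getent group mail`
if __name__ == "__main__":
    # Constructed cases: directory owned by root (uid 0), process uid/gid 1003.
    cases = [("lda as granitemon, as logged", "drwxrwsr-x", {1003}),
             ("user added to group mail", "drwxrwsr-x", {1003, MAIL_GID}),
             ("world-writable with sticky bit", "drwxrwxrwt", {1003})]
    for label, ls_mode, groups in cases:
        print(label, assess(ls_mode, 0, MAIL_GID, 1003, 1003, groups))
```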

