dovecot-lda can't create /var/mail dotlocks on debian

John Clements johnbclements at gmail.com
Tue Nov 3 20:46:35 UTC 2015


Yep, yep, yep, consider this solved. I believe I understand the issues
involved, now.

Many thanks for your help!

John Clements


On Tue, Nov 3, 2015 at 12:44 PM, Larry Rosenman <larryrtx at gmail.com> wrote:

> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: Effective uid=1003, gid=1003, home=/home/granitemon
>
>
> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted
>
>
> so it's running as the normal user, and NOT with the mail group.
>
> I'm using exim with LMTP.  LMTP is NOT a bad thing, and might make your
> life easier.  It does allow you to add sieve scripting if you want to via
> pigeonhole.
>
> Sorry, I'm at a loss, as I do NOT run postfix.  I'm not sure what it needs
> to invoke dovecot-lda with gid mail in the group list.
>
>
>
> On Tue, Nov 3, 2015 at 2:40 PM, John Clements <johnbclements at gmail.com>
> wrote:
>
>> Well, first, here are the logs I generated:
>>
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: Effective uid=1003, gid=1003, home=/home/granitemon
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail:INBOX=/var/mail/granitemon
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: fs: root=/home/granitemon/mail, index=, indexpvt=, control=, inbox=/var/mail/granitemon, alt=
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: userdb lookup skipped, username taken from USER environment
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Debug: Destination address: granitemon at desmond.brinckerhoff.org (source: user at hostname)
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): msgid=<20151103202305.88BE05FF39 at desmond.brinckerhoff.org>: save failed to INBOX: BUG: Unknown internal error
>> Nov  3 12:23:05 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted
>> Nov  3 12:23:05 desmond postfix/local[26490]: 88BE05FF39: to=<granitemon at localhost>, relay=local, delay=0.04, delays=0.01/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure)
>>
>> At this point... well, I don't understand why dovecot signals an "Unknown
>> internal error," but I think I understand that even if I *do* get this
>> working, I'm pretty much throwing in the towel, because since postfix
>> invokes the lda as the user receiving the mail, then this only works if all
>> users receiving mail are in the mail group, which means any of them can
>> mess up any other's mbox.
>>
>> So, it looks like even if this bug is fixed, I'm left with two obvious
>> choices:
>> - make /var/mail writeable by all users that receive mail, or
>> - use LMTP instead.
>>
>> Many thanks for your help,
>>
>> John Clements
>>
>>
>> On Tue, Nov 3, 2015 at 12:13 PM, Larry Rosenman <larryrtx at gmail.com>
>> wrote:
>>
>>> and, are you SURE that dovecot-lda has mail in its group list when it
>>> is executing?
>>>
>>> On Tue, Nov 3, 2015 at 2:12 PM, Larry Rosenman <larryrtx at gmail.com>
>>> wrote:
>>>
>>>> Hrm.  if you turn up the debug on lda, do you get any more of a clue?
>>>>
>>>> Those permissions look fine to me.
>>>>
>>>>
>>>> On Tue, Nov 3, 2015 at 2:10 PM, John Clements <johnbclements at gmail.com>
>>>> wrote:
>>>>
>>>>> clements at desmond:/var/log$ ls -lda /var/mail
>>>>> drwxrwsr-x 2 root mail 4096 Nov  2 22:07 /var/mail
>>>>>
>>>>>
>>>>> Best,
>>>>>
>>>>> John Clements
>>>>>
>>>>> On Tue, Nov 3, 2015 at 11:52 AM, Larry Rosenman <larryrtx at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> what are the full permissions of /var/mail?
>>>>>>
>>>>>>
>>>>>> ls -lda /var/mail
>>>>>>
>>>>>> On Tue, Nov 3, 2015 at 1:49 PM, John Clements <
>>>>>> johnbclements at gmail.com> wrote:
>>>>>>
>>>>>>> I've been using dovecot+postfix happily for many years, and I'm now
>>>>>>> configuring it for a new machine. However, I'm running into an old problem
>>>>>>> again, and thinking that there must be a better solution.
>>>>>>>
>>>>>>> The problem is that dovecot-lda is unable to create dotlock files in the
>>>>>>> /var/mail directory.
>>>>>>>
>>>>>>> Dovecot version: 1:2.2.13-12~deb8u1 (I'm guessing this is upstream version
>>>>>>> 2.2.13)
>>>>>>> OS: Debian Jessie
>>>>>>>
>>>>>>> Currently, my mail directory has these permissions:
>>>>>>>
>>>>>>> clements at desmond:~$ ls -ld /var/mail
>>>>>>> drwxrwsr-x 2 root mail 4096 Nov  2 22:07 /var/mail
>>>>>>> clements at desmond:~$ ls -l /var/mail
>>>>>>> total 8
>>>>>>> -rw------- 1 clements   mail 1382 Nov  2 21:59 clements
>>>>>>> -rw------- 1 granitemon mail  530 Nov  2 22:07 granitemon
>>>>>>>
>>>>>>> I've added
>>>>>>> mail_privileged_group = mail
>>>>>>> to allow creation of the dotlock files.
>>>>>>>
>>>>>>> When I configure postfix to deliver using dovecot-lda, I get logs that look
>>>>>>> like this:
>>>>>>>
>>>>>>> Nov  3 11:12:20 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted
>>>>>>> Nov  3 11:12:20 desmond dovecot: lda(granitemon): msgid=<20151103181306.A4B5B5FF32 at desmond.XXXDOMAIN.org>: save failed to INBOX: BUG: Unknown internal error
>>>>>>>
>>>>>>> In order to isolate the error, I took postfix out of the equation, and
>>>>>>> called dovecot-lda directly:
>>>>>>>
>>>>>>> clements at desmond:/tmp$ cat bogusmail
>>>>>>> From: clements at XXXDOMAIN.org
>>>>>>> To: granitemon at localhost
>>>>>>> Date: November 3 2015
>>>>>>> Subject: graaaah
>>>>>>>
>>>>>>> this is the body
>>>>>>> clements at desmond:/tmp$ /usr/lib/dovecot/dovecot-lda -e -d clements < bogusmail
>>>>>>> BUG: Unknown internal error
>>>>>>> clements at desmond:/tmp$
>>>>>>>
>>>>>>> In response to this, mail.log now contains this similar error:
>>>>>>>
>>>>>>> Nov  3 11:34:57 desmond dovecot: lda(clements): msgid=unspecified: save failed to INBOX: BUG: Unknown internal error
>>>>>>> Nov  3 11:34:57 desmond dovecot: lda(clements): Error: setegid(privileged) failed: Operation not permitted
>>>>>>>
>>>>>>>
>>>>>>> I've tried a number of "random internet search" solutions, including
>>>>>>> - changing perms on mail files from 660 to 600
>>>>>>> - enabling 'mail_access_groups=mail' in 10-mail.conf
>>>>>>> - adding individual users to the mail group.
>>>>>>>
>>>>>>> I guess I'm pretty confident that if dovecot is writing "BUG: Unknown
>>>>>>> internal error" in the logs, that this is actually a bug in dovecot.
>>>>>>>
>>>>>>> OBresearch: I read through the release notes of 2.2.14 -- 2.2.19 to see if
>>>>>>> a relevant-looking bug had been fixed, but nothing jumped out at me.
>>>>>>> OBresearch: searching the dovecot mailing list, I found one *extremely*
>>>>>>> relevant thread called "Re: [Dovecot] started with dovecot sieve
>>>>>>> <http://dovecot.markmail.org/message/kgd34wberxuvmrsa?q=setegid>", but
>>>>>>> there didn't seem to be a solution contained in the thread.
>>>>>>>
>>>>>>> Final note: this doesn't appear to be confined to debian jessie: I took a
>>>>>>> look at my existing installation, and I see that in fact I just went ahead
>>>>>>> and made /var/mail world-writeable, which seems... sub-optimal. I'm sure I
>>>>>>> could do that here, too, but I'd certainly rather not.
>>>>>>>
>>>>>>> Thanks in advance, and let me know if I've left out relevant crucial
>>>>>>> information.
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> John Clements
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Larry Rosenman                     http://www.lerctr.org/~ler
>>>>>> Phone: +1 214-642-9640 (c)     E-Mail: larryrtx at gmail.com
>>>>>> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961
>>>>>>
>
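
Added example, not part of the thread and not Dovecot code: a small model of the two kernel checks behind the log lines quoted above, directory write permission (needed to create a dotlock) and the setegid(2) rule, evaluated with the mode and ids shown in the thread. It goes slightly beyond the thread by also modelling the sticky bit; the numeric gid for `mail`, the uid of the second mailbox owner and the treatment of root as bypassing every check are assumptions.

```python
import stat

MAIL_GID = 8   # assumed numeric gid of group "mail" (not shown in the thread)
OTHER_UID = 1000   # constructed uid for another user's mbox file
SPOOL = {"mode": 0o2775, "uid": 0, "gid": MAIL_GID}   # drwxrwsr-x root mail /var/mail

def may_create(d, euid, egid, groups=()):
    """True if the process may create a file (a dotlock) in directory d."""
    if euid == 0:                      # simplification: root bypasses mode bits
        return True
    if euid == d["uid"]:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif egid == d["gid"] or d["gid"] in groups:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return d["mode"] & need == need

def may_remove(d, file_uid, euid, egid, groups=()):
    """True if the process may unlink or rename a file owned by file_uid in d."""
    if not may_create(d, euid, egid, groups):
        return False
    if d["mode"] & stat.S_ISVTX:       # sticky: only file owner or directory owner
        return euid in (0, file_uid, d["uid"])
    return True

def setegid_allowed(target, rgid, egid, sgid, euid):
    """setegid(2) without privilege: target must be the real, effective or
    saved set-group-ID; supplementary groups are not consulted."""
    return euid == 0 or target in (rgid, egid, sgid)

def report():
    lda = dict(euid=1003, egid=1003)   # "Effective uid=1003, gid=1003" in the log
    sticky = dict(SPOOL, mode=0o3777)  # world-writable plus sticky bit, like /tmp
    return {
        "as_logged": (may_create(SPOOL, **lda),
                      setegid_allowed(MAIL_GID, 1003, 1003, 1003, 1003)),
        "user_in_mail_group": (may_create(SPOOL, groups=(MAIL_GID,), **lda),
                               setegid_allowed(MAIL_GID, 1003, 1003, 1003, 1003),
                               may_remove(SPOOL, OTHER_UID, groups=(MAIL_GID,), **lda)),
        "saved_gid_is_mail": setegid_allowed(MAIL_GID, 1003, 1003, MAIL_GID, 1003),
        "world_writable": may_remove(dict(SPOOL, mode=0o2777), OTHER_UID, **lda),
        "world_writable_sticky": (may_create(sticky, **lda),
                                  may_remove(sticky, OTHER_UID, **lda)),
    }

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

Each tuple is (may create dotlock, setegid to mail allowed[, may remove another user's mbox]); `world_writable_sticky` is (may create dotlock, may remove another user's mbox).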

