Maildir: ACLs/Unix perms: unlink(...) failed: Permission denied

Olaf Marzocchi lists at marzocchi.net
Sat Oct 10 16:09:05 UTC 2015


I solved the issue I mentioned some days ago.

I checked in the logs the date the issue appeared, and I noticed it did 
not correspond to a dovecot update, so dovecot was not the culprit.

The date also did not correspond to an update of OmniOS, and in any case 
the previous OmniOS update contained only userland updates.

Since the issue appeared when I assigned for the first time ACLs to my 
home folder on the fileserver to make it better compatible with SMB 
sharing, I decided the easiest way was to start a new ZFS dataset only 
for mail, splitting home folder and mail.

$ zfs create -o compression=on tank/mail
$ chgrp mail /tank/mail
$ mkdir /tank/mail/olaf
$ mv /tank/home/olaf/Maildir /tank/mail/olaf/
$ chown -R olaf:olaf /tank/mail/olaf
$ find Maildir -type d -exec chmod 700 {} \;
$ find Maildir -type f -exec chmod 600 {} \;
$ svcadm enable dovecot

This time in the dataset I did not set the options:
-o aclinherit=passthrough-x -o aclmode=passthrough
because dovecot does not need ACL anyway. I'm not even sure those two 
options are what I actually need, but the server is running so I won't 
change them.

Anyway, the server is running fine now.
I'm not sure why I cannot see in Thunderbird any folder "Trash" but if I 
try to create one it fails with "Folder already existing", but I will 
find out.

I also wrote a summary of the issue and of the solution here, because 
other people had the same problem in the past 
(http://www.dovecot.org/list/dovecot/2013-November/093778.html) and 
there was no solution posted.
http://www.marzocchi.net/Olafsen/Software/InstallationOfOmniOSAndBasicSetup

Cheers,
Olaf
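
An added audit helper for the problem in this thread (not from the post or from Dovecot): it counts entries under a Maildir whose Unix mode differs from the 700/600 the post applies, and entries that still carry a non-trivial ACL, which `ls -ld` flags with a '+' after the ten mode characters exactly as in the listings quoted below, then applies the same chmod fix. It assumes a POSIX sh with find, ls, chmod and mktemp; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Audit/fix helper for the Maildir permission problem above (added example).
# ACL detection relies on 'ls -ld' printing '+' right after the ten mode
# characters when an entry carries a non-trivial ACL (illumos and Linux).

# True when the entry has a non-trivial ACL ('+' flag in ls -ld output).
has_acl() {
    case $(ls -ld "$1") in
        ??????????+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Directories not mode 700 plus files not mode 600 under $1; these are
# exactly the modes the chmod lines in the post enforce.
count_bad_modes() {
    d=$(find "$1" -type d ! -perm 700 | wc -l)
    f=$(find "$1" -type f ! -perm 600 | wc -l)
    echo $((d + f))
}

# Number of entries under $1 that still carry an ACL.
count_acl_entries() {
    n=$(find "$1" -print | while IFS= read -r p; do
            has_acl "$p" && echo "$p"
        done | wc -l)
    echo $((n))
}

# One line per offending entry: the ones Dovecot's rename()/unlink() trip on.
maildir_report() {
    find "$1" -type d ! -perm 700 | sed 's/^/dir  mode != 700: /'
    find "$1" -type f ! -perm 600 | sed 's/^/file mode != 600: /'
    find "$1" -print | while IFS= read -r p; do
        has_acl "$p" && echo "ACL present:      $p"
    done
}

# Apply the owner-only modes from the post. Stripping ACLs is platform
# specific and deliberately not done here: 'chmod A- <path>' on illumos,
# 'setfacl -b <path>' on Linux.
maildir_fix() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} \;
}

# Constructed sample tree with two deliberate mode errors (not real data).
make_sample_maildir() {
    root=$(mktemp -d)/Maildir
    mkdir -p "$root/cur" "$root/.Generiche/cur"
    : > "$root/subscriptions"; : > "$root/.Generiche/dovecot-uidlist"
    maildir_fix "$root"     # start clean, then break one dir and one file
    chmod 770 "$root/.Generiche"; chmod 660 "$root/subscriptions"
    echo "$root"
}
```

Run `maildir_report /path/to/Maildir` as the mailbox owner to list what will fail before touching anything.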


On 28/09/2015 00:05, Olaf Marzocchi wrote:
> Hi,
> I tried again with some other options.
>
> After finding
> http://www.dovecot.org/list/dovecot/2013-November/093793.html
> I deleted every ACL from the directory Maildir and I also assigned the
> group "mail" to it, recursively:
>
> OmniOS-Xeon:/tank/home/olaf/Maildir/.Generiche $ ls -lV
> total 903
> drwxrwxrwx   2 olaf     mail           2 Sep 27 23:47 cur
>                   owner@:rwxp--aARWcCos:-------:allow
>                   group@:rwxp--a-R-c--s:-------:allow
>                everyone@:rwxp--a-R-c--s:-------:allow
> (and so on)
>
> I tried also
> mail_full_filesystem_access = yes
> hoping that it would solve the issue, but nothing. Even with
> mail_debug = yes
> the log does not give any info besides
> dovecot: [ID 583609 mail.error] imap(olaf): Error:
> unlink(/tank/home/olaf/Maildir/.Generiche/dovecot-uidlist.tmp) failed:
> Permission denied
>
> (it shows also "rename" instead of "unlink")
>
> With these additional info, has anyone any idea about the cause of the
> problem?
>
> My doveconf -n:
>
> # 2.2.18: /etc/dovecot/dovecot.conf
> # OS: SunOS 5.11 i86pc  zfs
> mail_debug = yes
> mail_full_filesystem_access = yes
> mail_location = maildir:/tank/home/%u/Maildir
> mail_privileged_group = mail
> namespace inbox {
>    inbox = yes
>    location =
>    mailbox Sent {
>      special_use = \Sent
>    }
>    mailbox "Sent Messages" {
>      special_use = \Sent
>    }
>    mailbox Trash {
>      special_use = \Trash
>    }
>    prefix =
> }
> passdb {
>    driver = pam
> }
> protocols = imap
> ssl = required
> ssl_cert = </etc/dovecot/certs/dovecot.pem
> ssl_key = </etc/dovecot/private/dovecot.pem
> userdb {
>    driver = passwd
> }
>
>
> Any help will be appreciated.
>
> Regards,
> Olaf Marzocchi
>
>
>
>
> On 19/09/2015 19:22, Christian Kivalo wrote:
>> Hi,
>>
>> On 2015-09-19 16:17, Olaf Marzocchi wrote:
>>> Dear Dovecot users, hello.
>>> I will merge two issues I have into a single email because they may be
>>> related.
>>>
>>> I used dovecot on a OmniOS server since 2014 (currently OmniOS
>>> r151014) with the following configuration (it shows 2.2.18 because I
>>> recently updated dovecot, skipping only the PostgreSQL plugin):
>>>
>>> # 2.2.18: /etc/dovecot/dovecot.conf
>>> # OS: SunOS 5.11 i86pc  zfs
>>> mail_location = maildir:/tank/home/%u/Maildir
>>> mail_privileged_group = mail
>>> namespace inbox {
>>>   inbox = yes
>>>   location =
>>>   mailbox Drafts {
>>>     special_use = \Drafts
>>>   }
>>>   mailbox Junk {
>>>     special_use = \Junk
>>>   }
>>>   mailbox Sent {
>>>     special_use = \Sent
>>>   }
>>>   mailbox "Sent Messages" {
>>>     special_use = \Sent
>>>   }
>>>   mailbox Trash {
>>>     special_use = \Trash
>>>   }
>>>   prefix =
>>> }
>>> passdb {
>>>   driver = pam
>>> }
>>> protocols = imap
>>> ssl = required
>>> ssl_cert = </etc/dovecot/certs/dovecot.pem
>>> ssl_key = </etc/dovecot/private/dovecot.pem
>>> userdb {
>>>   driver = passwd
>>> }
>>>
>>> You can see that I set the Maildir folder inside the shared home
>>> folders of my server (it is only one user, anyway).
>>> It always worked perfectly, but one-two months ago I changed the
>>> permissions of my whole home folder, recursively, to add proper ACLs.
>>> I needed them because the clients started using illumos kernel SMB
>>> (relying on ACLs) instead of Netatalk/AFP (relying on Unix perms
>>> only).
>>> I didn't realise I applied the ACLs also to the Maildir folder.
>>>
>>> Dovecot worked for several weeks fine, I noticed the issue only
>>> yesterday when a mailbox (see below) appeared in Thunderbird
>>> completely empty even if the "cur" subfolder on the server still
>>> contains all the mails.
>>>
>>> Dovecot was throwing some errors like:
>>>
>>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>>> rename(/tank/home/olaf/Maildir/.&A6k- Mailing
>>> Lists.Log/dovecot.index.cache) failed: Permission denied
>>> (euid=501(olaf) egid=501(olaf) UNIX perms appear ok (ACL/MAC wrong?))
>>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>>> rename(/tank/home/olaf/Maildir/.&A6k- Mailing
>>> Lists.Log/dovecot.index.tmp, /tank/home/olaf/Maildir/.&A6k- Mailing
>>> Lists.Log/dovecot.index) failed: Permission denied
>>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>>> unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: Permission
>>> denied
>>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>>> rename(/tank/home/olaf/Maildir/subscriptions.lock,
>>> /tank/home/olaf/Maildir/subscriptions) failed: Permission denied
>>>
>>> I will post here the current permissions of the folder containing
>>> Maildir, of the Maildir itself, of its contents, and of the folder
>>> that appears empty when browsed with a client (Thunderbird).
>>>
>>> /tank/home/olaf $ ls -lV ..
>>> drwx------+ 16 olaf     olaf          17 Sep 19 01:52 olaf
>>>               user:olaf:rwxpdDaARWcCos:fd-----:allow
>>>        group:2147483648:rwxpdDaARWcCos:fd-----:allow
>>>               everyone@:rwxpdDaARWcCos:fd-----:deny
>>>
>>> /tank/home/olaf $ ls -lV
>>> drwxrwx--- 348 olaf     olaf         359 Sep 19 01:51 Maildir
>>>                  owner@:rwxp--aARWcCos:-------:allow
>>>                  group@:rwxp--a-R-c--s:-------:allow
>>>               everyone@:------a-R-c--s:-------:allow
>>>
>>> /tank/home/olaf $ ls -lV Maildir/
>>> drwxrwx---   2 olaf     olaf           2 Jan 30  2014 cur
>>>                  owner@:rwxp--aARWcCos:-------:allow
>>>                  group@:rwxp--a-R-c--s:-------:allow
>>>               everyone@:------a-R-c--s:-------:allow
>>> -rwxrwx---   1 olaf     olaf          21 Jan 30  2014 dovecot-keywords
>>>                  owner@:rwxp--aARWcCos:-------:allow
>>>                  group@:rwxp--a-R-c--s:-------:allow
>>>               everyone@:------a-R-c--s:-------:allow
>>> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES EXCEPT...)
>>> -rwxrwx---   1 olaf     olaf       13735 Jan 24  2015 subscriptions
>>>                  owner@:rwxp--aARWcCos:-------:allow
>>>                  group@:rwxp--a-R-c--s:-------:allow
>>>               everyone@:------a-R-c--s:-------:allow
>>> -rw-rw----   1 olaf     olaf       13709 Sep 19 01:51 subscriptions.lock
>>>                  owner@:rw-p--aARWcCos:-------:allow
>>>                  group@:rw-p--a-R-c--s:-------:allow
>>>               everyone@:------a-R-c--s:-------:allow
>>>
>>> The folder that appears empty:
>>>
>>> /tank/home/olaf $ ls -lV Maildir/.Generiche/
>>> total 513
>>> drwxrwx---   2 olaf     olaf         949 Sep 18 01:42 cur
>>>                  owner@:rwxp--aARWcCos:-------:allow
>>>                  group@:rwxp--a-R-c--s:-------:allow
>>>               everyone@:------a-R-c--s:-------:allow
>>> -rwxrwx---   1 olaf     olaf          46 May 18  2014 dovecot-keywords
>>>                  owner@:rwxp--aARWcCos:-------:allow
>>>                  group@:rwxp--a-R-c--s:-------:allow
>>>               everyone@:------a-R-c--s:-------:allow
>>> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES)
>>>
>>>
>>> I really hope you will have the time to help me because I already
>>> applied the permissions recursively and I removed the ACLs, almost as
>>> it was before my mistake.
>>> I specified "almost" because originally (I checked the backups) the
>>> Maildir folder had an ACL that gave access permissions also to the
>>> group "mail":
>>>
>>> drwxrwx---+349 olaf     olaf         359 Feb 16  2014 Maildir
>>>              group:mail:rwxpdDaARWcCos:fd-----:allow
>>>                  owner@:rwxpdDaARWcCos:fd----I:allow
>>>                  group@:rwxpdDaARWcCos:fd----I:allow
>>>               everyone@:rwxpdDaARWcCos:fd----I:deny
>>>
>>> Yesterday I haven't replicated it because from the documentation I
>>> understood it was not necessary.
>>
>> From my view the permissions seem to be set correctly, I have to admit,
>> it's been a while since I moved to virtual users so I may be wrong here...
>>
>> The log output also seems to support that permissions are correct.
>>
>> Have you tried adding the group:mail:.... ACLs back?
>>
>> Have you set mail_debug=yes or other more verbose logging settings?
>> http://wiki2.dovecot.org/Logging
