Different behavior of ACLs in MUA and doveadm

Thomas Leuxner tlx at leuxner.net
Tue Sep 8 11:26:51 UTC 2015


* Timo Sirainen <tss at iki.fi> 2015.09.08 12:20:

> How does the PublicMailboxAdmins group get set? Looks to me like the problem is that it's not getting set to doveadm. Here's an easy way to check if that's the problem or something else: http://hg.dovecot.org/dovecot-2.2/rev/500e8dd7a389
> 
> If that doesn't help: Show your full doveconf -n, set auth_debug=yes and mail_debug=yes and show the debug logs for IMAP login and doveadm. There's a difference somewhere in there.

$ doveadm mailbox create -u tlx at leuxner.net Public/Archive/Mailing-Lists/Dovecot/2015
doveadm(tlx at leuxner.net): Error: Can't create mailbox Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied

Both debug levels raised, it doesn't log about the problem when using doveadm. I guess the patch is not enough:

Sep  8 13:19:07 nihlus dovecot: auth: Debug: master in: USER#0111#011tlx at leuxner.net#011service=doveadm
Sep  8 13:19:07 nihlus dovecot: auth: Debug: passwd-file(tlx at leuxner.net): userdb cache miss
Sep  8 13:19:07 nihlus dovecot: auth: Debug: passwd-file /var/vmail/auth.d/leuxner.net/passwd: Read 1 users in 0 secs
Sep  8 13:19:07 nihlus dovecot: auth: Debug: passwd-file(tlx at leuxner.net): lookup: user=tlx at leuxner.net file=/var/vmail/auth.d/leuxner.net/passwd
Sep  8 13:19:07 nihlus dovecot: auth: Debug: userdb out: USER#0111#011tlx at leuxner.net#011uid=5000#011gid=5000#011home=/var/vmail/domains/leuxner.net/tlx#011quota_rule=*:storage=5G#011acl_groups=PublicMailboxAdmins

With IMAP it is more talkative:

3 create "Public/Archive/Mailing-Lists/Dovecot/2015"

Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Added userdb setting: plugin/acl_groups=PublicMailboxAdmins
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Added userdb setting: plugin/quota_rule=*:storage=5G
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Effective uid=5000, gid=5000, home=/var/vmail/domains/leuxner.net/tlx
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Quota root: name=user backend=dict args=:file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Quota rule: root=user mailbox=* bytes=5368709120 messages=0
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Quota rule: root=user mailbox=Trash bytes=+536870912 (10%) messages=0
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Quota grace: root=user bytes=536870912 (10%)
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: dict quota: user=tlx at leuxner.net, uri=file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota, noenforcing=0
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox, index=, indexpvt=, control=, inbox=, alt=
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: owner = 1
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: group added: PublicMailboxAdmins
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: owner = 0
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: group added: PublicMailboxAdmins
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: owner = 1
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: group added: PublicMailboxAdmins
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep  8 13:07:13 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/domains/leuxner.net/tlx/mdbox/mailboxes/dovecot-acl not found
Sep  8 13:07:13 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace : Using permissions from /var/vmail/domains/leuxner.net/tlx/mdbox: mode=0700 gid=default
Sep  8 13:07:13 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=default

Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace Public/: /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015 doesn't exist yet, using default permissions
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/dbox-Mails/dovecot-acl not found
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found

# 2.2.18 (500e8dd7a389): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.2
auth_cache_size = 16 k
auth_debug = yes
auth_verbose = yes
deliver_log_format = msgid=%m, time=%{delivery_time}ms, status=%$
hostname = host.domain.tld
imap_hibernate_timeout = 1 mins
imap_id_log = *
imap_logout_format = in=%i out=%o hdr=%{fetch_hdr_count} body=%{fetch_body_count} del=%{deleted} exp=%{expunged} trash=%{trashed}
mail_debug = yes
mail_location = mdbox:~/mdbox
mail_plugins = acl quota stats zlib virtual
mailbox_list_index = yes
namespace {
  list = yes
  location = mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace {
  location = virtual:~/mdbox/virtual
  prefix = Virtual/
  separator = /
}
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = username_format=%u /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
plugin {
  acl = vfile:/var/vmail/conf.d/%d/global-acl:cache_secs=300
  mail_log_events = expunge mailbox_delete
  quota = dict:user::file:%h/mdbox/dovecot-quota
  quota_grace = 10%%
  quota_rule = *:storage=1GB
  quota_rule2 = Trash:storage=+10%%
  quota_status_nouser = DUNNO
  quota_status_success = DUNNO
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_global_dir = /var/vmail/conf.d/%d/sieve
  stats_refresh = 30s
  stats_track_cmds = yes
  zlib_save = gz
  zlib_save_level = 6
}
protocols = " imap lmtp"
quota_full_tempfail = yes
service auth-worker {
  unix_listener auth-worker {
    user = doveauth
  }
  user = doveauth
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = doveauth
}
service imap-hibernate {
  unix_listener imap-hibernate {
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    address = 1.2.3.4
    port = 143
    reuse_port = yes
  }
  inet_listener imaps {
    port = 0
  }
  process_min_avail = 8
}
service imap {
  unix_listener imap-master {
    user = dovecot
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = vmail
  }
}
ssl_ca = </etc/ssl/certs/Comodo_RSA_Domain_Validation_SHA-2_Intermediates_CA_Bundle.crt
ssl_cert = </etc/ssl/certs/host_domain_tld.crt
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/host_domain_tld.key
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local1
userdb {
  args = username_format=%u /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = acl quota stats zlib virtual sieve
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = acl quota stats zlib virtual mail_log notify imap_acl imap_quota imap_stats
}
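
Added example, not part of the original post and not Dovecot code: a Python check for the discrepancy visible in the logs above, where auth returns acl_groups for a service but that service's mail process never logs "acl: group added". The sample lines, the host name and the user@example.test address are constructed; the line formats follow the debug output in the post.

```python
import re
from collections import defaultdict

# Auth debug lines separate fields with a TAB, which syslog escapes as "#011".
AUTH_RE = re.compile(r"dovecot: auth: Debug: (master in|userdb out): USER#011(\d+)#011(.*)$")
# Mail-process debug line written when the ACL plugin applies a group.
ACL_RE = re.compile(r"dovecot: ([\w-]+)\((.+?)\): Debug: acl: group added: (\S+)")

def audit(lines):
    """Return (service, user, group) triples where userdb returned an ACL group
    but no 'acl: group added' line exists for that service and user."""
    service_of = {}               # auth request id -> service name
    expected = defaultdict(set)   # (service, user) -> groups returned by userdb
    applied = defaultdict(set)    # (service, user) -> groups the ACL plugin logged
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            kind, req_id, rest = m.groups()
            user, *fields = rest.split("#011")
            kv = dict(f.split("=", 1) for f in fields if "=" in f)
            if kind == "master in":
                service_of[req_id] = kv.get("service", "unknown")
            elif "acl_groups" in kv:
                key = (service_of.get(req_id, "unknown"), user)
                # acl_groups is a comma-separated list
                expected[key].update(g for g in kv["acl_groups"].split(",") if g)
            continue
        m = ACL_RE.search(line)
        if m:
            applied[(m.group(1), m.group(2))].add(m.group(3))
    return sorted((s, u, g) for (s, u), groups in expected.items()
                  for g in groups - applied[(s, u)])

SAMPLE = [  # constructed lines, modelled on the debug output in the post
    "Sep  8 13:19:07 host dovecot: auth: Debug: master in: USER#0111#011user@example.test#011service=doveadm",
    "Sep  8 13:19:07 host dovecot: auth: Debug: userdb out: USER#0111#011user@example.test#011uid=5000#011gid=5000#011acl_groups=PublicMailboxAdmins",
    "Sep  8 13:06:29 host dovecot: auth: Debug: master in: USER#0112#011user@example.test#011service=imap",
    "Sep  8 13:06:29 host dovecot: auth: Debug: userdb out: USER#0112#011user@example.test#011uid=5000#011acl_groups=PublicMailboxAdmins",
    "Sep  8 13:06:29 host dovecot: imap(user@example.test): Debug: acl: group added: PublicMailboxAdmins",
]

if __name__ == "__main__":
    for service, user, group in audit(SAMPLE):
        print(f"{service}: userdb returned {group!r} for {user}, no 'group added' line logged")
```

A finding only means the log holds no evidence that the group was applied; a process running without mail_debug produces the same result.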