Maildir: ACLs/Unix perms and unable to see content of specific mailbox

Olaf Marzocchi lists at marzocchi.net
Sun Sep 20 14:39:27 UTC 2015


I found that the ACLs I set were not automatically applied to the newly 
created files and dirs (missing :fd-----:), so I corrected them and 
added group:mail.

$ chmod -R A=owner@:rwxpdDaARWcCos:fd-----:allow,\
           user:olaf:rwxpdDaARWcCos:fd-----:allow,\
              group@:rwxpdDaARWcCos:fd-----:allow,\
          group:olaf:rwxpdDaARWcCos:fd-----:allow,\
          group:mail:rwxpdDaARWcCos:fd-----:allow,\
           everyone@:------a-R-c--s:fd-----:allow Maildir
(I know I duplicated my username and group, but I wanted to be sure...)

drwxrwx---+348 olaf     olaf         359 Sep 20 16:21 Maildir
                  owner@:rwxpdDaARWcCos:fd-----:allow
               user:olaf:rwxpdDaARWcCos:fd-----:allow
                  group@:rwxpdDaARWcCos:fd-----:allow
              group:olaf:rwxpdDaARWcCos:fd-----:allow
              group:mail:rwxpdDaARWcCos:fd-----:allow
               everyone@:------a-R-c--s:fd-----:allow

I verified that newly created files inside Maildir correctly retain 
these ACLs.

I still get the errors (I added "mail_debug=yes" and restarted):

[ID 583609 mail.error] imap(olaf): Error: 
rename(/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index.cache) 
failed: Permission denied (euid=501(olaf) egid=501(olaf) UNIX perms 
appear ok (ACL/MAC wrong?))

[ID 583609 mail.error] imap(olaf): Error: 
rename(/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index.tmp, 
/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index) failed: 
Permission denied

No further details.
I won't post the ls -lV again since the permissions of the specified 
file and folder are all exactly like the Maildir folder above.

Different errors after I tried to rename a mail folder:

Debug: Namespace : Using permissions from /tank/home/olaf/Maildir: 
mode=0770 gid=default
Error: unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: 
Permission denied
Error: file_dotlock_replace() failed with subscription file 
/tank/home/olaf/Maildir/subscriptions: Permission denied
Error: rename(/tank/home/olaf/Maildir/subscriptions.lock, 
/tank/home/olaf/Maildir/subscriptions) failed: Permission denied

At this point I don't know if it is an issue with my system, or some 
sort of incompatibility between dovecot and illumos or ZFS.

Except for folder renaming I can put mail in the IMAP folders and see 
it, but I fear future problems caused by this issue.

In case there is someone able to read source code, this is the file 
where the ACL/MAC issue is generated:
http://hg.dovecot.org/dovecot-2.2/file/4f4243794ba1/src/lib/eacces-error.c

Does anyone have a clue with this additional information? I still don't.

Olaf



On 19/09/2015 19:22, Christian Kivalo wrote:
> Hi,
>
> On 2015-09-19 16:17, Olaf Marzocchi wrote:
>> Dear Dovecot users, hello.
>> I will merge two issues I have into a single email because they may be
>> related.
>>
>> I have used dovecot on an OmniOS server since 2014 (currently OmniOS
>> r151014) with the following configuration (it shows 2.2.18 because I
>> recently updated dovecot, skipping only the PostgreSQL plugin):
>>
>> # 2.2.18: /etc/dovecot/dovecot.conf
>> # OS: SunOS 5.11 i86pc  zfs
>> mail_location = maildir:/tank/home/%u/Maildir
>> mail_privileged_group = mail
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>> }
>> passdb {
>>   driver = pam
>> }
>> protocols = imap
>> ssl = required
>> ssl_cert = </etc/dovecot/certs/dovecot.pem
>> ssl_key = </etc/dovecot/private/dovecot.pem
>> userdb {
>>   driver = passwd
>> }
>>
>> You can see that I set the Maildir folder inside the shared home
>> folders of my server (it is only one user, anyway).
>> It always worked perfectly, but one or two months ago I changed the
>> permissions of my whole home folder, recursively, to add proper ACLs.
>> I needed them because the clients started using illumos kernel SMB
>> (relying on ACLs) instead of Netatalk/AFP (relying on Unix perms
>> only).
>> I didn't realise I applied the ACLs also to the Maildir folder.
>>
>> Dovecot worked fine for several weeks; I noticed the issue only
>> yesterday when a mailbox (see below) appeared in Thunderbird
>> completely empty even if the "cur" subfolder on the server still
>> contains all the mails.
>>
>> Dovecot was throwing some errors like:
>>
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index.cache) failed: Permission denied
>> (euid=501(olaf) egid=501(olaf) UNIX perms appear ok (ACL/MAC wrong?))
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index.tmp, /tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index) failed: Permission denied
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: Permission
>> denied
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/subscriptions.lock,
>> /tank/home/olaf/Maildir/subscriptions) failed: Permission denied
>>
>> I will post here the current permissions of the folder containing
>> Maildir, of the Maildir itself, of its contents, and of the folder
>> that appears empty when browsed with a client (Thunderbird).
>>
>> /tank/home/olaf $ ls -lV ..
>> drwx------+ 16 olaf     olaf          17 Sep 19 01:52 olaf
>>               user:olaf:rwxpdDaARWcCos:fd-----:allow
>>        group:2147483648:rwxpdDaARWcCos:fd-----:allow
>>               everyone@:rwxpdDaARWcCos:fd-----:deny
>>
>> /tank/home/olaf $ ls -lV
>> drwxrwx--- 348 olaf     olaf         359 Sep 19 01:51 Maildir
>>                  owner@:rwxp--aARWcCos:-------:allow
>>                  group@:rwxp--a-R-c--s:-------:allow
>>               everyone@:------a-R-c--s:-------:allow
>>
>> /tank/home/olaf $ ls -lV Maildir/
>> drwxrwx---   2 olaf     olaf           2 Jan 30  2014 cur
>>                  owner@:rwxp--aARWcCos:-------:allow
>>                  group@:rwxp--a-R-c--s:-------:allow
>>               everyone@:------a-R-c--s:-------:allow
>> -rwxrwx---   1 olaf     olaf          21 Jan 30  2014 dovecot-keywords
>>                  owner@:rwxp--aARWcCos:-------:allow
>>                  group@:rwxp--a-R-c--s:-------:allow
>>               everyone@:------a-R-c--s:-------:allow
>> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES EXCEPT...)
>> -rwxrwx---   1 olaf     olaf       13735 Jan 24  2015 subscriptions
>>                  owner@:rwxp--aARWcCos:-------:allow
>>                  group@:rwxp--a-R-c--s:-------:allow
>>               everyone@:------a-R-c--s:-------:allow
>> -rw-rw----   1 olaf     olaf       13709 Sep 19 01:51 subscriptions.lock
>>                  owner@:rw-p--aARWcCos:-------:allow
>>                  group@:rw-p--a-R-c--s:-------:allow
>>               everyone@:------a-R-c--s:-------:allow
>>
>> The folder that appears empty:
>>
>> /tank/home/olaf $ ls -lV Maildir/.Generiche/
>> total 513
>> drwxrwx---   2 olaf     olaf         949 Sep 18 01:42 cur
>>                  owner@:rwxp--aARWcCos:-------:allow
>>                  group@:rwxp--a-R-c--s:-------:allow
>>               everyone@:------a-R-c--s:-------:allow
>> -rwxrwx---   1 olaf     olaf          46 May 18  2014 dovecot-keywords
>>                  owner@:rwxp--aARWcCos:-------:allow
>>                  group@:rwxp--a-R-c--s:-------:allow
>>               everyone@:------a-R-c--s:-------:allow
>> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES)
>>
>>
>> I really hope you will have the time to help me because I already
>> applied the permissions recursively and removed the ACLs, almost as
>> it was before my mistake.
>> I specified "almost" because originally (I checked the backups) the
>> Maildir folder had an ACL that gave access permissions also to the
>> group "mail":
>>
>> drwxrwx---+349 olaf     olaf         359 Feb 16  2014 Maildir
>>              group:mail:rwxpdDaARWcCos:fd-----:allow
>>                  owner@:rwxpdDaARWcCos:fd----I:allow
>>                  group@:rwxpdDaARWcCos:fd----I:allow
>>               everyone@:rwxpdDaARWcCos:fd----I:deny
>>
>> Yesterday I didn't replicate it because from the documentation I
>> understood it was not necessary.
>
> From my view the permissions seem to be set correctly. I have to admit
> it's been a while since I moved to virtual users, so I may be wrong here...
>
> The log output also seems to support that permissions are correct.
>
> Have you tried adding the group:mail:.... ACLs back?
>
> Have you set mail_debug=yes or other more verbose logging settings?
> http://wiki2.dovecot.org/Logging
>
>
>
>> My questions, in short:
>> - what are the permissions I need to give to the Maildir folder? I
>> understood from the documentation it's 700, with my user/group (the
>> one of the user accessing the mail). What about ACLs? and what about
>> group "mail"?
>> - the (only!) subfolder which appears empty in Thunderbird, may it
>> depend on the permissions? maybe due to them the index was not updated
>> and UIDs don't match. If after applying the correct permissions I
>> still cannot see its contents, is there a way to recover the mails?
>> the files are all still there.
>>
>> Sorry for the long email, but after several tries yesterday I
>> exhausted my ideas.
>>
>> Regards,
>> Olaf
>
> Regards,
> Christian
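The errors in the thread are all plain file operations (create a temp file, rename it over an existing file, unlink a lock file, rename a mailbox directory) that Dovecot reports as EACCES while the Unix mode bits look fine. A quick way to separate a filesystem/ACL problem from a Dovecot problem is to repeat exactly those operations as the mail user, outside Dovecot, inside the same directory. The script below is an added example written for this page; it is not code from the thread, from Dovecot or from illumos. It assumes a POSIX sh, takes the Maildir (or one of its .Folder subdirectories) as its first argument, and deliberately uses its own `probe.*` file names instead of `dovecot.index` and `subscriptions`, so it cannot clobber real index or subscription data.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of Dovecot.
# Reproduce the four operations Dovecot logged as "Permission denied"
# (create, rename-over-existing, unlink, directory rename) as the mail
# user, with harmless probe.* names.  If a step fails here as well, the
# fault is in the filesystem's ACL evaluation, not in Dovecot.
#
# Usage (as the mailbox owner):  sh maildir_probe.sh /tank/home/olaf/Maildir

# Run one operation; print ok/FAIL with a label; return its exit status.
# $1 = label, remaining args = the command to run.
probe_step() {
    label=$1; shift
    if "$@" 2>/dev/null; then
        echo "ok   $label"
        return 0
    fi
    echo "FAIL $label" >&2
    return 1
}

# maildir_probe DIR: run all steps in DIR, clean up, return the number of
# failed steps (0 means every operation Dovecot needs succeeded).
maildir_probe() {
    dir=$1
    fails=0

    # Step 1: create a scratch file (what dovecot does for dovecot.index.tmp)
    probe_step "create $dir/probe.index.tmp" sh -c ': > "$1"' sh "$dir/probe.index.tmp" \
        || fails=$((fails + 1))

    # Step 2: rename the temp file over an existing file
    # (dovecot.index.tmp -> dovecot.index).  mv on one filesystem is rename(2).
    : > "$dir/probe.index" 2>/dev/null
    probe_step "rename probe.index.tmp -> probe.index" \
        mv -f "$dir/probe.index.tmp" "$dir/probe.index" || fails=$((fails + 1))

    # Step 3: dotlock replace (subscriptions.lock -> subscriptions), then the
    # unlink of a lock file that the log also reported.
    : > "$dir/probe.subscriptions" 2>/dev/null
    : > "$dir/probe.subscriptions.lock" 2>/dev/null
    probe_step "rename probe.subscriptions.lock -> probe.subscriptions" \
        mv -f "$dir/probe.subscriptions.lock" "$dir/probe.subscriptions" \
        || fails=$((fails + 1))
    : > "$dir/probe.subscriptions.lock" 2>/dev/null
    probe_step "unlink probe.subscriptions.lock" \
        rm -f "$dir/probe.subscriptions.lock" || fails=$((fails + 1))

    # Step 4: rename a mailbox directory (what an IMAP folder rename does
    # with Maildir++: .Old -> .New).
    mkdir "$dir/.probe-folder" 2>/dev/null
    probe_step "rename .probe-folder -> .probe-renamed" \
        mv "$dir/.probe-folder" "$dir/.probe-renamed" || fails=$((fails + 1))

    # Clean up everything the probe created (ignore errors: a failed step
    # may have left nothing behind).
    rm -f "$dir/probe.index" "$dir/probe.index.tmp" \
          "$dir/probe.subscriptions" "$dir/probe.subscriptions.lock" 2>/dev/null
    rmdir "$dir/.probe-folder" "$dir/.probe-renamed" 2>/dev/null

    echo "failed steps: $fails"
    return $fails
}

# Stand-alone use: probe the directory given on the command line.
if [ "$#" -gt 0 ]; then
    maildir_probe "$1"
fi
```

Run it once as the mailbox owner against Maildir itself and once against the affected subfolder (the thread's `.Generiche` or `.Amici, conoscenti`), since the inherited entries on a subdirectory can differ from the parent's even when `ls -lV` looks the same at a glance. Rerun a failing step without the `2>/dev/null` to see the system's own errno text, and on illumos compare `ls -lV` of the directory with `zfs get aclmode,aclinherit` for the dataset, because those two properties decide what a `chmod` does to existing ACEs and what new files inherit; the script only tells you whether the operations succeed, not why they fail.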

