Maildir: ACLs/Unix perms and unable to see content of specific mailbox
Olaf Marzocchi
lists at marzocchi.net
Sun Sep 20 14:39:27 UTC 2015
I found that the ACL I gave were not automatically applied to the newly
created files and dirs (missing :fd-----:), so I corrected them and I
added group:mail.
$ chmod -R A=owner@:rwxpdDaARWcCos:fd-----:allow,\
user:olaf:rwxpdDaARWcCos:fd-----:allow,\
group@:rwxpdDaARWcCos:fd-----:allow,\
group:olaf:rwxpdDaARWcCos:fd-----:allow,\
group:mail:rwxpdDaARWcCos:fd-----:allow,\
everyone@:------a-R-c--s:fd-----:allow Maildir
(I know I duplicated my username and group, but I wanted to be sure...)
drwxrwx---+348 olaf olaf 359 Sep 20 16:21 Maildir
owner@:rwxpdDaARWcCos:fd-----:allow
user:olaf:rwxpdDaARWcCos:fd-----:allow
group@:rwxpdDaARWcCos:fd-----:allow
group:olaf:rwxpdDaARWcCos:fd-----:allow
group:mail:rwxpdDaARWcCos:fd-----:allow
everyone@:------a-R-c--s:fd-----:allow
I verified that newly created files inside Maildir correctly retain
these ACLs.
I still get the errors (I added "mail_debug=yes" and restarted):
[ID 583609 mail.error] imap(olaf): Error:
rename(/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index.cache)
failed: Permission denied (euid=501(olaf) egid=501(olaf) UNIX perms
appear ok (ACL/MAC wrong?))
[ID 583609 mail.error] imap(olaf): Error:
rename(/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index.tmp,
/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index) failed:
Permission denied
No further details.
I won't post the ls- lV again since the permissions in the specified
file and folder are all exactly like the Maildir folder above.
Different errors after I tried to rename a mail folder:
Debug: Namespace : Using permissions from /tank/home/olaf/Maildir:
mode=0770 gid=default
Error: unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed:
Permission denied
Error: file_dotlock_replace() failed with subscription file
/tank/home/olaf/Maildir/subscriptions: Permission denied
Error: rename(/tank/home/olaf/Maildir/subscriptions.lock,
/tank/home/olaf/Maildir/subscriptions) failed: Permission denied
At this point I don't know if it is an issue with my system, or some
sort of incompatibility between dovecot and illumos or ZFS.
Except for folder renaming I can put mails in the IMAP folders and see
them, but I fear for future problems caused by this issue.
In case there is someone able to read source code, this is the file
where the ACL/MAC issue is generated:
http://hg.dovecot.org/dovecot-2.2/file/4f4243794ba1/src/lib/eacces-error.c
Has anyone with this additional information some clue? I still don't.
Olaf
On 19/09/2015 19:22, Christian Kivalo wrote:
> Hi,
>
> On 2015-09-19 16:17, Olaf Marzocchi wrote:
>> Dear Dovecot users, hello.
>> I will merge two issues I have into a single email because they may be
>> related.
>>
>> I used dovecot on a OmniOS server since 2014 (currently OmniOS
>> r151014) with the following configuration (it shows 2.2.18 because I
>> recently updated dovecot, skipping only the PostgreSQL plugin):
>>
>> # 2.2.18: /etc/dovecot/dovecot.conf
>> # OS: SunOS 5.11 i86pc zfs
>> mail_location = maildir:/tank/home/%u/Maildir
>> mail_privileged_group = mail
>> namespace inbox {
>> inbox = yes
>> location =
>> mailbox Drafts {
>> special_use = \Drafts
>> }
>> mailbox Junk {
>> special_use = \Junk
>> }
>> mailbox Sent {
>> special_use = \Sent
>> }
>> mailbox "Sent Messages" {
>> special_use = \Sent
>> }
>> mailbox Trash {
>> special_use = \Trash
>> }
>> prefix =
>> }
>> passdb {
>> driver = pam
>> }
>> protocols = imap
>> ssl = required
>> ssl_cert = </etc/dovecot/certs/dovecot.pem
>> ssl_key = </etc/dovecot/private/dovecot.pem
>> userdb {
>> driver = passwd
>> }
>>
>> You can see that I set the Maildir folder inside the shared home
>> folders of my server (it is only one user, anyway).
>> It always worked perfectly, but one-two months ago I changed the
>> permissions of my whole home folder, recursively, to add proper ACLs.
>> I needed them because the clients started using illumos kernel SMB
>> (relying on ACLs) instead of Netatalk/AFP (relying on Unix perms
>> only).
>> I didn't realise I applied the ACLs also to the Maildir folder.
>>
>> Dovecot worked for several weeks fine, I noticed the issue only
>> yesterday when a mailbox (see below) appeared in Thunderbird
>> completely empty even if the "cur" subfolder on the server still
>> contains all the mails.
>>
>> Dovecot was throwing some errors like:
>>
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index.cache) failed: Permission denied
>> (euid=501(olaf) egid=501(olaf) UNIX perms appear ok (ACL/MAC wrong?))
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index.tmp, /tank/home/olaf/Maildir/.&A6k- Mailing
>> Lists.Log/dovecot.index) failed: Permission denied
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: Permission
>> denied
>> dovecot: [ID 583609 mail.error] imap(olaf): Error:
>> rename(/tank/home/olaf/Maildir/subscriptions.lock,
>> /tank/home/olaf/Maildir/subscriptions) failed: Permission denied
>>
>> I will post here the current permissions of the folder containing
>> Maildir, of the Maildir itself, of its contents, and of the folder
>> that appears empty when browsed with a client (Thunderbird).
>>
>> /tank/home/olaf $ ls -lV ..
>> drwx------+ 16 olaf olaf 17 Sep 19 01:52 olaf
>> user:olaf:rwxpdDaARWcCos:fd-----:allow
>> group:2147483648:rwxpdDaARWcCos:fd-----:allow
>> everyone@:rwxpdDaARWcCos:fd-----:deny
>>
>> /tank/home/olaf $ ls -lV
>> drwxrwx--- 348 olaf olaf 359 Sep 19 01:51 Maildir
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>>
>> /tank/home/olaf $ ls -lV Maildir/
>> drwxrwx--- 2 olaf olaf 2 Jan 30 2014 cur
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> -rwxrwx--- 1 olaf olaf 21 Jan 30 2014 dovecot-keywords
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES EXCEPT...)
>> -rwxrwx--- 1 olaf olaf 13735 Jan 24 2015 subscriptions
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> -rw-rw---- 1 olaf olaf 13709 Sep 19 01:51 subscriptions.lock
>> owner@:rw-p--aARWcCos:-------:allow
>> group@:rw-p--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>>
>> The folder that appears empty:
>>
>> /tank/home/olaf $ ls -lV Maildir/.Generiche/
>> total 513
>> drwxrwx--- 2 olaf olaf 949 Sep 18 01:42 cur
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> -rwxrwx--- 1 olaf olaf 46 May 18 2014 dovecot-keywords
>> owner@:rwxp--aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>> (ALL THE SAME PERMISSIONS FOR THE OTHER FILES)
>>
>>
>> I really hope you will have the time to help me because I already
>> applied the permissions recursively and I removed the ACLs, almost as
>> it was before my mistake.
>> I specified "almost" because originally (I checked the backups) the
>> Maildir folder had an ACL that gave access permissions also to the
>> group "mail":
>>
>> drwxrwx---+349 olaf olaf 359 Feb 16 2014 Maildir
>> group:mail:rwxpdDaARWcCos:fd-----:allow
>> owner@:rwxpdDaARWcCos:fd----I:allow
>> group@:rwxpdDaARWcCos:fd----I:allow
>> everyone@:rwxpdDaARWcCos:fd----I:deny
>>
>> Yesterday I haven't replicated it because from the documentation I
>> understood it was not necessary.
>
> From my view the permissions seem to be set correctly, i have to admin,
> its been a while since i moved to virtual users so i may be wrong here...
>
> The log output also seems to support that permissions are correct.
>
> Have you tried adding the group:mail:.... ACLs back?
>
> Have you set mail_debug=yes or other more verbose logging settings?
> http://wiki2.dovecot.org/Logging
>
>
>
>> My questions, in short:
>> - what are the permissions I need to give to the Maildir folder? I
>> understood from the documentation it's 700, with my user/group (the
>> one of the user accessing the mail). What about ACLs? and what about
>> group "mail"?
>> - the (only!) subfolder which appears empty in Thunderbird, may it
>> depend on the permissions? maybe due to them the index was not updated
>> and UIDs don't match. If after applying the correct permissions I
>> still cannot see its contents, is there a way to recover the mails?
>> the files are all still there.
>>
>> Sorry for the long email, but after several tries yesterday I
>> exhausted my ideas.
>>
>> Regards,
>> Olaf
>
> Regards,
> Christian
More information about the dovecot
mailing list