Sieve LDA Errors (Improper Saving?)

Richard Laager rlaager at wiktel.com
Tue Feb 7 04:04:12 UTC 2017 

I'm getting lots of errors like this (possibly on every message delivery):

imap2 dovecot: lmtp(rlaager at wiktel.com): Error: OU02K+gQmFhUAwAAVtfydQ
: sieve: binary save: failed to create temporary file:
open(/var/lib/dovecot/sieve/junk-mail.svbin.ima
p2.852.) failed: Permission denied (euid=500(vmail) egid=500(vmail)
missing +w perm: /var/lib/dovecot/
sieve, dir owned by 0:0 mode=0755)

imap2 dovecot: lmtp(rlaager at wiktel.com): Error: OU02K+gQmFhUAwAAVtfydQ:
sieve: The LDA Sieve plugin does not have permission to save global
Sieve script binaries; global Sieve scripts like
`/var/lib/dovecot/sieve/junk-mail.sieve' need to be pre-compiled using
the sievec tool

It's intentional in my setup that the vmail user can't write to the
global sieve script directory. But it shouldn't need to, as those are
already pre-compiled:

rlaager at imap2:/var/lib/dovecot/sieve$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Nov 29 22:27 .
drwxr-xr-x 3 root root 4096 Feb  6 20:39 ..
lrwxrwxrwx 1 root root   53 Sep 12 01:35 junk-mail.sieve ->
/usr/share/wiktel-server-mail-backend/junk-mail.sieve
-rw-r--r-- 1 root root  254 Nov 29 22:27 junk-mail.svbin

rlaager at imap2:/var/lib/dovecot/sieve$ ls -la
/usr/share/wiktel-server-mail-backend/junk-mail.sieve
-rw-r--r-- 1 root root 124 Oct 31 09:34
/usr/share/wiktel-server-mail-backend/junk-mail.sieve

Note that the .svbin is from November, while the text version is from
October. Even if something is looking at the date of the symlink, that's
from September.

So the first question is... why is Dovecot trying to write the binary file?

I dug into the Pigeonhole code... I think, but am certainly not sure,
that lda_sieve_open() in
pigeonhole/src/plugins/lda-sieve/lda-sieve-plugin.c is the relevant
function calling lda_sieve_binary_save(). At the end of the function, it
has:

        if (!recompile)
                lda_sieve_binary_save(srctx, sbin, script);

This seems odd to me. Why is it trying to save in the "!recompile" case?
It seems like it should be saving in the "recompile" case. If I'm
reading this code right, recompile is set when it loads a corrupt sieve
binary script and needs to recompile from text.

I could be completely off, though.

Any thoughts?

-- 
Richard

More information about the dovecot mailing list