lmtp report permission denied on delivery to multiple recipients

Patrick Cernko pcernko at mpi-klsb.mpg.de
Wed May 22 14:55:53 EEST 2019


Hello,

when receiving mails for multiple recipients via LMTP, I often see the 
following messages on our servers:

> May 22 11:06:10 sinon dovecot[44304]: lmtp(119718): Connect from $IP$
> May 22 11:06:11 sinon dovecot[44304]: lmtp($USER1$)<119718><2HnmOgIR5Vym0wEA22L5Rg>: msgid=<$MSGID$>: saved mail to INBOX
> May 22 11:06:11 sinon dovecot[44304]: lmtp($USER2$)<119718><2HnmOgIR5Vym0wEA22L5Rg:2>: Error: stat(/IMAP/mail/mailboxes/$USER1$/mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.cache) failed: Permission denied (euid=$UID2$($USER2$) egid=$GID2$(rbg) missing +x perm: /IMAP/mail/mailboxes/$USER1$, dir owned by $UID1$:$GID2$ mode=0700)
> May 22 11:06:11 sinon dovecot[44304]: lmtp($USER2$)<119718><2HnmOgIR5Vym0wEA22L5Rg:2>: Error: open(/IMAP/mail/mailboxes/$USER1$/mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.cache) failed: Permission denied (euid=$UID2$($USER2$) egid=$GID2$(rbg) missing +x perm: /IMAP/mail/mailboxes/$USER1$, dir owned by $UID1$:$GID2$ mode=0700)
> May 22 11:06:11 sinon dovecot[44304]: lmtp($USER2$)<119718><2HnmOgIR5Vym0wEA22L5Rg:2>: Error: lstat(/IMAP/mail/mailboxes/$USER1$/mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.cache.lock) failed: Permission denied
> May 22 11:06:11 sinon dovecot[44304]: lmtp($USER2$)<119718><2HnmOgIR5Vym0wEA22L5Rg:2>: Error: file_dotlock_open(/IMAP/mail/mailboxes/$USER1$/mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.cache) failed: Permission denied (euid=$UID2$($USER2$) egid=$GID2$(rbg) missing +x perm: /IMAP/mail/mailboxes/$USER1$, dir owned by $UID1$:$GID2$ mode=0700)
> May 22 11:06:11 sinon dovecot[44304]: lmtp($USER2$)<119718><2HnmOgIR5Vym0wEA22L5Rg:2>: Error: open(/IMAP/mail/mailboxes/$USER1$/mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.cache) failed: Permission denied (euid=$UID2$($USER2$) egid=$GID2$(rbg) missing +x perm: /IMAP/mail/mailboxes/$USER1$, dir owned by $UID1$:$GID2$ mode=0700)
> May 22 11:06:11 sinon dovecot[44304]: lmtp($USER2$)<119718><2HnmOgIR5Vym0wEA22L5Rg:2>: 2HnmOgIR5Vym0wEA22L5Rg:2: sieve: msgid=<$MSGID$>: stored mail into mailbox 'INBOX'
> May 22 11:06:11 sinon dovecot[44304]: lmtp(119718): Disconnect from $IP$: Successful quit
(usernames, uids, gids and IP addresses anonymized)

So far, I have not been able to reproduce this issue on a simple test 
setup, but I have the strong impression that it has something to do 
with whether some of the affected users have an active sieve script 
while others do not use sieve. In the example above $USER1$ did not 
have a sieve script configured but $USER2$ had one, as you can see. As 
a workaround, I configured an empty sieve script for all users without 
sieve configured. This seems to work, but actually I do not want to 
have users with empty sieve scripts.

This bug seems to be related to 
https://dovecot.org/list/dovecot/2013-February/088540.html where Timo 
stated:

"LMTP always delivers the mail to the first user. Then it tries to copy 
the first mail to the second user, because in some setups this can be 
done using hard links. With mbox that of course doesn't work, but looks 
like instead of failing silently it logs an error. So everything is 
working as it should, except there are these unnecessary errors logged. 
I'll see about getting rid of them."

Is it possible to get rid of these error messages, either by a config 
setting that prevents them if they do not lead to a real problem or by 
changing the code to avoid the behaviour described by Timo?

Attached you can find doveconf -n output and the used ldap.conf (both 
anonymized). The referenced /etc/dovecot/passdb.deny and 
/etc/dovecot/userdb.overrides are usually empty files and only used 
during mailbox migrations.

Best regards,
-- 
Patrick Cernko <pcernko at mpi-klsb.mpg.de> +49 681 9325 5815
Joint Administration: Information Services and Technology
Max-Planck-Institute fuer Informatik & Softwaresysteme
-------------- next part --------------
# 2.2.36.3 (a7d78f5a2): /etc/dovecot/dovecot.conf
# Object storage plugin version 2.2.36.3 (64b24e4d)
# Pigeonhole version 0.4.24 (5a7e9e62)
# OS: Linux 4.14.99.1.amd64-smp x86_64 Debian 9.8 
# Hostname: XXX
auth_verbose = yes
default_vsz_limit = 2 G
doveadm_password =  # hidden, use -P to show it
doveadm_port = 12345
license_checksum = </var/lib/dovecot/dovecot-license.txt
listen = *
login_log_format_elements = pid=%p user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_attachment_dir = /IMAP/mail/attachments
mail_attachment_fs = sis-queue /IMAP/mail/attachments/queue:posix
mail_home = /IMAP/mail/mailboxes/%u
mail_location = mdbox:~/mdbox
mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
mail_max_userip_connections = 0
mail_plugins = " notify replication zlib fts fts_dovecot"
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
  separator = .
}
passdb {
  args = /etc/dovecot/passdb.deny
  deny = yes
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/ldap.conf
  driver = ldap
}
plugin {
  fts = dovecot
  fts_autoindex = yes
  fts_dovecot_fs = posix:prefix=%h/fts/
  fts_filters = normalizer-icu snowball stopwords
  fts_filters_en = lowercase english-possessive stopwords
  fts_languages = en de
  fts_lucene = whitespace_chars=@.
  fts_solr = url=http://localhost:8080/solr/
  fts_squat = partial=4 full=10
  fts_tokenizer_generic = algorithm=simple
  fts_tokenizers = generic email-address
  license_checksum = </var/lib/dovecot/dovecot-license.txt
  zlib_save = gz
  zlib_save_level = 3
}
postmaster_address = <>
protocols = imap lmtp sieve
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
  }
  unix_listener replication-notify {
    mode = 0666
  }
}
service anvil {
  client_limit = 2250
}
service auth {
  client_limit = 2447
}
service doveadm {
  inet_listener doveadm-server {
    port = 12345
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  process_limit = 2047
}
service imap {
  process_limit = 2047
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl = required
ssl_cert = </etc/ssl/cert.pem
ssl_key =  # hidden, use -P to show it
userdb {
  args = /etc/dovecot/userdb.overrides
  driver = passwd-file
}
userdb {
  args = /etc/dovecot/ldap.conf
  driver = ldap
  override_fields = mail_replica=tcp:YYY
}
verbose_proctitle = yes
protocol lmtp {
  auth_username_format = %n
  mail_plugins = " notify replication zlib fts fts_dovecot sieve"
}
protocol lda {
  mail_plugins = " notify replication zlib fts fts_dovecot sieve"
}
-------------- next part --------------
uris = ldaps://LDAP1/ ldaps://LDAP2/
base = ANONYMIZED
user_filter = (&(objectClass=posixAccount)(istMailHomeServer=ANONYMIZED)(uid=%u))
user_attrs = \
  =user=%{ldap:uid}, \
  =uid=%{ldap:uidNumber}, \
  =gid=%{ldap:gidNumber}
pass_filter = (&(objectClass=posixAccount)(uid=%u))
iterate_filter = (&(objectClass=posixAccount)(istMailHomeServer=ANONYMIZED))
auth_bind = yes
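
Added example, not part of the original post and not Dovecot code: a Python script that groups the cross-user "Permission denied" errors shown in the log above by LMTP session and records whether the acting recipient's delivery was still logged as completed. The sample log lines, user names and session IDs are constructed; the mailbox root and log prefix are assumed to follow the mail_home and mail_log_prefix values in the attached doveconf output.

```python
import re
from collections import defaultdict

# Mailbox root taken from the posted config: mail_home = /IMAP/mail/mailboxes/%u
MAIL_HOME_ROOT = "/IMAP/mail/mailboxes/"

# Matches the posted mail_log_prefix "%s(%u)<%{pid}><%{session}>: "
PREFIX = re.compile(r"lmtp\((?P<user>[^)]+)\)<\d+><(?P<session>[^>]+)>: (?P<msg>.*)")
DENIED = re.compile(r"Error: (?P<call>\w+)\((?P<path>[^)]+)\) failed: Permission denied")
DELIVERED = re.compile(r"(saved mail to|stored mail into mailbox) ")

# Constructed sample lines (users, IDs and addresses are made up).
SAMPLE = """\
May 22 11:06:10 mx dovecot[1]: lmtp(4242): Connect from 192.0.2.10
May 22 11:06:11 mx dovecot[1]: lmtp(alice)<4242><AbCd>: msgid=<m1@example.org>: saved mail to INBOX
May 22 11:06:11 mx dovecot[1]: lmtp(bob)<4242><AbCd:2>: Error: stat(/IMAP/mail/mailboxes/alice/mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.cache) failed: Permission denied (euid=1002(bob) egid=100(rbg) missing +x perm: /IMAP/mail/mailboxes/alice, dir owned by 1001:100 mode=0700)
May 22 11:06:11 mx dovecot[1]: lmtp(bob)<4242><AbCd:2>: Error: lstat(/IMAP/mail/mailboxes/alice/mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.cache.lock) failed: Permission denied
May 22 11:06:11 mx dovecot[1]: lmtp(bob)<4242><AbCd:2>: AbCd:2: sieve: msgid=<m1@example.org>: stored mail into mailbox 'INBOX'
May 22 11:06:12 mx dovecot[1]: lmtp(carol)<4243><EfGh>: Error: open(/IMAP/mail/mailboxes/dave/mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.cache) failed: Permission denied
May 22 11:06:12 mx dovecot[1]: lmtp(4242): Disconnect from 192.0.2.10: Successful quit
"""

def summarize(lines, root=MAIL_HOME_ROOT):
    """Group cross-user permission errors by (session, acting user)."""
    seen = defaultdict(lambda: {"foreign": set(), "denied": 0, "delivered": False})
    for line in lines:
        m = PREFIX.search(line)
        if not m:
            continue  # connect/disconnect lines carry no user or session
        # In the posted log the second recipient's session ID carries a ":2" suffix
        entry = seen[(m["session"].split(":")[0], m["user"])]
        denied = DENIED.search(m["msg"])
        if denied and denied["path"].startswith(root):
            owner = denied["path"][len(root):].split("/", 1)[0]
            if owner != m["user"]:  # path lies in another user's mail home
                entry["foreign"].add(owner)
                entry["denied"] += 1
        elif DELIVERED.search(m["msg"]):
            entry["delivered"] = True
    return {k: v for k, v in seen.items() if v["denied"]}

if __name__ == "__main__":
    for (session, user), info in summarize(SAMPLE.splitlines()).items():
        state = "delivered anyway" if info["delivered"] else "NO delivery logged"
        print(f"{session} {user}: {info['denied']} denied on "
              f"{sorted(info['foreign'])} ({state})")
```

Entries with a logged delivery match the pattern in the post; entries without one are the cases worth a closer look.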