LDA ignores virtual mailbox settings

Aki Tuomi aki.tuomi at open-xchange.com
Sun Dec 27 21:18:25 EET 2020


> On 27/12/2020 18:19 Toni Mueller <support at oeko.net> wrote:
> 
>  
> Hi,
> 
> I have a Debian/Buster system with Postfix and Dovecot from the Debian
> repo, and with virtual users only (i.e., no system users). These virtual
> users have all of their uids, gids, homes and mail quota in a
> PostgreSQL database. The intent is to have postfix deliver the email via
> dovecot's LDA, so I can set quota on a per-user basis.
> 
> But for some odd reason, Dovecot's LDA can't find the user data from the
> userdb, and then complains about not being able to write to /var/mail.
> The following example shows how things fail when delivering a message
> from Postfix's queue (therefore, the passdb failure is expected):
> 
> In /etc/dovecot.conf, I have this, amongst other things:
> 
> 
> mail_location = maildir:~/Maildir:INBOX=~/Maildir
> passdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf.ext
> }
> userdb {
>   driver = prefetch
> }
> userdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf.ext
> }
> protocol lda {
>   mail_plugins = autocreate quota mail_log trash virtual notify
> }
> 
> 16:04:16 postfix/qmgr[4970]: 8CD6CE072E: from=<user at example.com>, size=880, nrcpt=1 (queue active)
> 16:04:16 dovecot: auth: Debug: master in: USER#0111#011user at example.com#011service=lda
> 16:04:16 dovecot: auth: Debug: prefetch(user at example.com): passdb didn't return userdb entries, trying the next userdb
> 16:04:16 dovecot: auth: Debug: sql(user at example.com): SELECT '/path-to-mailboxen/' || virtual_users.home AS home, uid , gid , quota as quota_rule FROM virtual_users WHERE email = 'user at example.com' AND status = 'A'
> 16:04:16 dovecot: auth: Debug: userdb out: USER#0111#011user at example.com#011home=/path-to-mailboxen/example.com/user#011uid=12345#011gid=12345#011quota_rule=*:storage=0
> 
> ^^^^^^^^^^^^^^^^^^^^^^
> 
> This shows that the database lookup works. The intended effect should be
> that the message is delivered to
> 
> /path-to-mailboxen/example.com/user/Maildir/new
> 
> 
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: setegid(privileged) failed: Operation not permitted
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
> 
> ^^^^^^^^^^^^^^^^^^^^^^
> 
> And this shows that dovecot-lda just ignores the result.
> 
> 
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: Mailbox INBOX: Failed to autocreate mailbox: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: msgid=<20201226224933.014608 at laptop.example.com>: save failed to open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
> 16:04:16 postfix/pipe[5284]: 8CD6CE072E: to=<user at example.com>, orig_to=<userA at example2.com>, relay=dovecot, delay=62083, delays=62083/0.04/0/0.04, dsn=4.3.0, status=deferred (temporary failure)
> 
> 
> In /etc/postfix/master.cf, I have this to call it:
> 
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=_mailbox argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -a ${recipient}
> 
> 
> I've tried strace-ing dovecot-lda, but it didn't really help me to
> understand why it discards the result of the userdb lookup.
> 
> 
> Can anyone please provide a cluebat?
> 
> Thanks,
> Toni

Try adding

mail_privileged_group = mail

to your dovecot.conf. See https://doc.dovecot.org/settings/core/#mail-privileged-group

Aki
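A small log-correlation helper, added here as an example (not part of this thread and not Dovecot's own code): it decodes the `#011`-escaped auth debug lines and pairs each LDA `open()` failure with the userdb result for the same user, so the mismatch shown above (userdb home under /path-to-mailboxen, LDA opening /var/mail) is flagged automatically. The sample log lines are constructed from the excerpt above, and `<SESSION>` is a placeholder for the session id.

```python
import re

# Dovecot's auth debug log escapes every tab of the auth protocol as "#011" (octal 011),
# so "USER#0111#011user@x" is the fields: USER, 1, user@x.
USERDB_OUT_RE = re.compile(r"auth: Debug: userdb out: (?P<fields>.+)$")
LDA_OPEN_RE = re.compile(
    r"lda\((?P<user>[^)]+)\)\S*: Error: Mailbox \S+: open\((?P<path>[^)]+)\) failed")

SAMPLE_LOG = "\n".join([  # constructed sample modelled on the thread's excerpt; <SESSION> is a placeholder
    "16:04:16 dovecot: auth: Debug: userdb out: USER#0111#011user@example.com#011home=/path-to-mailboxen/example.com/user#011uid=12345#011gid=12345#011quota_rule=*:storage=0",
    "16:04:16 dovecot: lda(user@example.com)<5291><SESSION>: Error: Mailbox INBOX: open(/var/mail/user@example.com) failed: Permission denied",
])


def parse_userdb_out(line):
    """Decode a 'userdb out' line into {'user': ..., 'home': ..., 'uid': ...}, or None."""
    m = USERDB_OUT_RE.search(line)
    if not m:
        return None
    fields = m.group("fields").split("#011")  # ["USER", "<id>", "<user>", "key=value", ...]
    entry = {"user": fields[2]}
    for kv in fields[3:]:
        key, _, value = kv.partition("=")
        entry[key] = value
    return entry


def expected_inbox_dir(mail_location, home):
    """Where INBOX should live for 'maildir:~/Maildir[:INBOX=~/Maildir]' and this home."""
    parts = mail_location.split(":")
    target = parts[1]
    for opt in parts[2:]:
        if opt.startswith("INBOX="):
            target = opt[len("INBOX="):]
    return target.replace("~", home, 1)


def find_ignored_userdb(log_text, mail_location):
    """Pair each LDA open() failure with the last userdb result for that user; return (user, opened_path, expected_dir) when they disagree."""
    homes, findings = {}, []
    for line in log_text.splitlines():
        entry = parse_userdb_out(line)
        if entry:
            homes[entry["user"]] = entry.get("home", "")
            continue
        m = LDA_OPEN_RE.search(line)
        if not m:
            continue
        user, path = m.group("user"), m.group("path")
        expected = expected_inbox_dir(mail_location, homes[user]) if user in homes else "(no userdb result)"
        if not path.startswith(expected):
            findings.append((user, path, expected))
    return findings
```

Run `find_ignored_userdb(SAMPLE_LOG, "maildir:~/Maildir:INBOX=~/Maildir")` against a `log_debug`-enabled mail log to see every delivery where the LDA opened a path the userdb did not point it at.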

