Dominic Marks
2011-Jun-17  16:35 UTC
[Dovecot] Maildir parent directory permissions incorrect for new mailbox
Hi,
My issue is with the automatic creation of parent directories above new 
maildirs. It seems to be that they're being set with incorrect (or 
unhelpful) permissions, applying the permissions of the mailbox down the 
path towards the mailbox root, as opposed to taking the permissions of 
the mailbox root up towards the mailbox.
Our mail is stored under the scheme:
   location = maildir:/var/dovecot/mail/%d/%n:INDEX=/var/dovecot/index/%d/%n
Initially, /var/dovecot consists of acl, index and mail, all empty. The 
permissions on these are:
 >> ls -l
total 6
drwxrwxr-x  2 hmgp  hmgp  512 17 Jun 12:23 acl
drwxrwxr-x  3 hmgp  hmgp  512 17 Jun 15:56 index
drwxrwxr-x  3 hmgp  hmgp  512 17 Jun 15:56 mail
If I perform a mail delivery to my mailbox, the mailbox parent directory 
is created with the following permissions:
 >> ls -l
total 2
drwx------  3 dm  hmgp  512 17 Jun 15:56 insidetrading.co.uk
Note that the user ID is my own and the mode restricts all other access. 
When I perform a second delivery to a different mailbox under that domain, 
one mapped to a different UID, the delivery fails because that user 
cannot access the parent folder in order to create the new maildir.
I've read on the Wiki that Dovecot copies permissions from the parent 
directory when adding new messages to a mailbox. That would suit my 
situation, but it doesn't happen here. Maybe there is a reason why 
this is the case?
I've had a look at the code and it works in the opposite direction, 
starting from the full path (with its associated mode, uid & gid) and 
working by removing a section from the right-hand side each time. For 
me, at least, it would be better if it started from the bottom and 
worked upwards, inheriting the parent uid, gid and mode until the 
mailbox directory, where the existing behaviour would be retained, 
looking like:
 >> ls -dl insidetrading.co.uk/dm
total 2
drwx------  5 dm  hmgp  512 17 Jun 15:56 dm
I know I could hold all our mail under a single uid/gid or I could fix 
the mode manually, but I'd rather not do either. Am I missing some key 
configuration detail or should I work on a patch for this?
Thanks,
Dominic
 >> dovecot -n
# 2.0.12: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.2-RELEASE amd64
auth_debug = yes
listen = *
mail_debug = yes
mail_plugins = acl
namespace {
   inbox = yes
   location = maildir:/var/dovecot/mail/%d/%n:INDEX=/var/dovecot/index/%d/%n
   prefix    separator = /
   type = private
}
namespace {
   list = children
   location = maildir:/var/dovecot/mail/%%d/%%n:INDEX=/var/dovecot/index/%%d/shared/%%n
   prefix = shared/%%n
   separator = /
   subscriptions = no
   type = shared
}
passdb {
   args = /usr/local/etc/dovecot/ldap.conf
   driver = ldap
}
plugin {
   acl = vfile
   acl_shared_dict = file:/var/dovecot/acl/%d/%n-shared.db
}
protocols = lmtp imap
service auth {
   unix_listener /var/spool/postfix/private/auth {
     mode = 0666
   }
}
service imap-login {
   inet_listener imap {
     port = 0
   }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
}
service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
     mode = 0660
     user = postfix
   }
}
ssl = required
ssl_ca = </usr/local/etc/ssl/cert/geotrust-all.pem
ssl_cert = </usr/local/etc/ssl/cert/mail.helenmarks.co.uk.pem
ssl_cipher_list = AES+HIGH
ssl_key = </usr/local/etc/ssl/private/mail.helenmarks.co.uk.key
userdb {
   args = /usr/local/etc/dovecot/ldap.conf
   driver = ldap
}
verbose_proctitle = yes
protocol imap {
   mail_plugins = acl imap_acl
}
e-frog
2011-Jun-17  17:16 UTC
[Dovecot] Maildir parent directory permissions incorrect for new mailbox
On 17.06.2011 18:35, wrote Dominic Marks:

Hi Dominic,

> Initially, /var/dovecot consists of acl, index and mail, all empty. The
> permissions on these are:
>
> >> ls -l
> total 6
> drwxrwxr-x 2 hmgp hmgp 512 17 Jun 12:23 acl
> drwxrwxr-x 3 hmgp hmgp 512 17 Jun 15:56 index
> drwxrwxr-x 3 hmgp hmgp 512 17 Jun 15:56 mail
>
> If I perform a mail delivery to my mailbox, the mailbox parent directory
> is created with the following permissions:
>
> >> ls -l
> total 2
> drwx------ 3 dm hmgp 512 17 Jun 15:56 insidetrading.co.uk
>

Blind guess: You are delivering the mail via postfix local and not via dovecot-lda or lmtp?

> Note that the user ID is my own and the mode restricts all other access.
> When I perform a second delivery to different mailbox under that domain,
> one mapped to a different UID, the delivery fails because that user
> cannot access the parent folder in order to create the new maildir.
>
Timo Sirainen
2011-Jun-28  01:07 UTC
[Dovecot] Maildir parent directory permissions incorrect for new mailbox
On Fri, 2011-06-17 at 17:35 +0100, Dominic Marks wrote:

> My issue is with the automatic creation of parent directories above new
> maildirs. It seems to be that they're being set with incorrect (or
> unhelpful) permissions, applying the permissions of the mailbox down the
> path towards the mailbox root, as opposed to taking the permissions of
> the mailbox root up towards the mailbox.
>
> Our mail is stored under the scheme:
>
> location = maildir:/var/dovecot/mail/%d/%n:INDEX=/var/dovecot/index/%d/%n

See if chmod g+s /var/dovecot/mail solves your troubles. The same for index dir.
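
An added example, not part of the thread and not Dovecot code: a shell audit for the condition discussed above, where a domain-level (%d) directory under the mail root lacks group access and the root has no setgid bit. The function names and the sample tree are constructed; the only assumption is the root/%d/%n layout with a shared group shown in the original post.

```shell
#!/bin/sh
# Added example: audit a maildir tree laid out as <root>/%d/%n.
# Function names and the sample tree are constructed for illustration.

# List domain-level (%d) directories that lack full group access, i.e.
# directories a second UID in the shared group cannot create a maildir in.
blocked_domain_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d ! -perm -070 -print
}

# Succeed if the setgid bit (chmod g+s) is set on the given directory.
has_setgid() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -2000 -print)" ]
}

# Report on one root directory; returns 1 if anything needs attention.
audit_root() {
    status=0
    if ! has_setgid "$1"; then
        echo "no setgid bit on $1"
        status=1
    fi
    blocked=$(blocked_domain_dirs "$1")
    if [ -n "$blocked" ]; then
        echo "domain directories without group rwx:"
        echo "$blocked"
        status=1
    fi
    return $status
}

# Constructed sample tree mirroring the listing in the thread.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mail/insidetrading.co.uk/dm" "$tmp/mail/example.org/alice"
    chmod 775 "$tmp/mail" "$tmp/mail/example.org"
    chmod 700 "$tmp/mail/insidetrading.co.uk"
    audit_root "$tmp/mail" || true
    rm -rf "$tmp"
}
demo
```

Run `audit_root` against both the mail and index roots, since the reply applies the same setting to each.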