John Dubchak
2008-Jan-21 22:46 UTC
[Dovecot] Virtual Users and permission denied on POP3 Authentication - cur directory
Hi,

I've been working on configuring a new Postfix+Dovecot+Cyrus-SASL+Postgres server to perform multi-domain virtual hosting with non-unix accounts. I believe I have everything working correctly and have tested both the SASL portion and POP authentication through telnet and all works as expected, with one exception.

When I authenticate using POP3:

# telnet mail.host 110
Trying 192.168.XXX.XXX...
Connected to mail.host.
Escape character is '^]'.
+OK Dovecot ready.
user user1 at domain1.com
+OK
pass secret
+OK Logged in.
-ERR No INBOX for user.

And the maillog reports the following:

Jan 21 13:42:32 mail.host dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=192.168.XXX.XXX, lip=192.168.XXX.XXX
Jan 21 13:42:32 mail.host dovecot: POP3(user1): mkdir(/var/spool/virtual_mailbox/domain1.com/user1/cur) failed: Permission denied
Jan 21 13:42:32 mail.host dovecot: POP3(user1): mkdir(/var/spool/virtual_mailbox/domain1.com/user1/cur) failed: Permission denied
Jan 21 13:42:32 mail.host dovecot: POP3(user1): Couldn't open INBOX: Internal error occurred. Refer to server log for more information. [2008-01-21 13:42:32]
Jan 21 13:42:32 mason dovecot: POP3(user1): No INBOX for user top=0/0, retr=0/0, del=0/0, size=0

The directory structures for the virtual mailboxes are:

/var/spool/virtual_mailbox/domain1.com/user1
/var/spool/virtual_mailbox/domain2.com/user1

And the entire tree from virtual_mailbox down is owned by vuser:vuser. The directories have permissions 700.

What I believe is happening is that Dovecot is trying to use the uid and gid of user1, who doesn't have a system account, rather than vuser's when writing to the virtual_mailbox folders. I'm not sure how I can configure Dovecot to use the vuser information.
Here is my dovecot.conf:

-------------------------------------------------------------------------
protocols = imap pop3
listen = [*]
disable_plaintext_auth = no
syslog_facility = mail

mail_location = maildir:/var/spool/virtual_mailbox/%h

# Default umask to use for mail files and directories.
#umask = 0077

protocol imap {
}

protocol pop3 {
}

protocol lda {
  postmaster_address = postmaster at example.com
}

auth_debug_passwords = yes
auth_debug = yes
auth_verbose = yes
auth default {
  # SQL database
  passdb sql {
    args = /etc/dovecot-sql.conf
  }

  userdb sql {
    args = /etc/dovecot-sql.conf
  }

  user = root
}
-------------------------------------------------------------------------

Any insight will be appreciated; I've been working on this non-stop for several days now and can't seem to figure it out.

Thanks,
John
Iain M Conochie
2008-Jan-22 10:34 UTC
[Dovecot] Virtual Users and permission denied on POP3 Authentication - cur directory
John Dubchak wrote:
> Hi,
>
> I've been working on configuring a new
> Postfix+Dovecot+Cyrus-SASL+Postgres server to perform multi-domain
> virtual hosting with non-unix accounts. I believe I have everything
> working correctly and have tested both the SASL portion and POP
> authentication through telnet and all works as expected, with one
> exception.
>
> When I authenticate using POP3:
>
> # telnet mail.host 110
> Trying 192.168.XXX.XXX...
> Connected to mail.host.
> Escape character is '^]'.
> +OK Dovecot ready.
> user user1 at domain1.com
> +OK
> pass secret
> +OK Logged in.
> -ERR No INBOX for user.
>
> And the maillog reports the following:
>
> Jan 21 13:42:32 mail.host dovecot: pop3-login: Login: user=<user1>,
> method=PLAIN, rip=192.168.XXX.XXX, lip=192.168.XXX.XXX
> Jan 21 13:42:32 mail.host dovecot: POP3(user1):
> mkdir(/var/spool/virtual_mailbox/domain1.com/user1/cur) failed:
> Permission denied
> Jan 21 13:42:32 mail.host dovecot: POP3(user1):
> mkdir(/var/spool/virtual_mailbox/domain1.com/user1/cur) failed:
> Permission denied
> Jan 21 13:42:32 mail.host dovecot: POP3(user1): Couldn't open INBOX:
> Internal error occurred. Refer to server log for more information.
> [2008-01-21 13:42:32]
> Jan 21 13:42:32 mason dovecot: POP3(user1): No INBOX for user top=0/0,
> retr=0/0, del=0/0, size=0
>
> The directory structures for the virtual mailboxes are:
>
> /var/spool/virtual_mailbox/domain1.com/user1
> /var/spool/virtual_mailbox/domain2.com/user1
>
> And the entire tree from virtual_mailbox down is owned by
> vuser:vuser. The directories have permissions 700.
>
> What I believe is happening is that Dovecot is trying to use the uid
> and gid of user1, who doesn't have a system account, rather than
> vuser's when writing to the virtual_mailbox folders. I'm not sure how
> I can configure Dovecot to use the vuser information.

If vuser has uid and gid of 5000, have the userdb part of the dovecot config set to

userdb static {
  args = uid=5000 gid=5000 home=/var/spool/virtual_mailbox/%d/%n allow_all_users=yes
}

instead of using the

userdb sql {
}

That should see you right. However, beware there may be security issues allowing one user to write to all mailboxes.

regards
Iain

>
> Here is my dovecot.conf:
>
> -------------------------------------------------------------------------
> protocols = imap pop3
> listen = [*]
> disable_plaintext_auth = no
> syslog_facility = mail
>
> mail_location = maildir:/var/spool/virtual_mailbox/%h
>
> # Default umask to use for mail files and directories.
> #umask = 0077
>
> protocol imap {
> }
>
> protocol pop3 {
> }
>
> protocol lda {
>   postmaster_address = postmaster at example.com
> }
>
> auth_debug_passwords = yes
> auth_debug = yes
> auth_verbose = yes
> auth default {
>   # SQL database
>   passdb sql {
>     args = /etc/dovecot-sql.conf
>   }
>
>   userdb sql {
>     args = /etc/dovecot-sql.conf
>   }
>
>   user = root
> }
> -------------------------------------------------------------------------
>
> Any insight will be appreciated, I've been working on this non-stop
> for several days now and can't seem to figure it out.
>
> Thanks,
> John
>
John Dubchak
2008-Jan-22 11:43 UTC
[Dovecot] Virtual Users and permission denied on POP3 Authentication - cur directory
On Jan 22, 2008, at 4:34 AM, Iain M Conochie wrote:
>
> if vuser has uid and gid of 5000
>
> Have the userdb part of the dovecot config set to
>
> userdb static {
>
>   args = uid=5000 gid=5000 home=/var/spool/virtual_mailbox/%d/%n
>   allow_all_users=yes
>
> }
>
> instead of using the
>
> userdb sql {
>
> }
>
> That should see you right. However, beware there may be security
> issues allowing one user to write to all mailboxes.
>

Iain,

Thanks for the reply. However, when I make the change, %d (domain) is not getting populated. I am expecting:

/var/spool/virtual_mailbox/domain1.com/user1

But I get:

/var/spool/virtual_mailbox//user1

And the query I use in the logs returns:

client out: OK 1 user=user1 domain=domain1.com

Where does Dovecot get the %d value when it tries to expand it?

Thanks,
John
Iain M Conochie
2008-Jan-22 13:24 UTC
[Dovecot] Virtual Users and permission denied on POP3 Authentication - cur directory
John Dubchak wrote:
>
> On Jan 22, 2008, at 4:34 AM, Iain M Conochie wrote:
>
>>>
>> if vuser has uid and gid of 5000
>>
>> Have the userdb part of the dovecot config set to
>>
>> userdb static {
>>
>>   args = uid=5000 gid=5000 home=/var/spool/virtual_mailbox/%d/%n
>>   allow_all_users=yes
>>
>> }
>>
>> instead of using the
>>
>> userdb sql {
>>
>> }
>>
>> That should see you right. However, beware there may be security
>> issues allowing one user to write to all mailboxes.
>>
>
> Ian,
>
> Thanks for the reply. However, when I make the change, %d (domain) is
> not getting populated. I am expecting:
>
> /var/spool/virtual_mailbox/domain1.com/user1
>
> But I get:
>
> /var/spool/virtual_mailbox//user1

In the sql auth file what is pass_attrs set to?

Iain

>
> And the query I use in the logs returns:
>
> client out: OK 1 user=user1 domain=domain1.com
>
> Where does Dovecot get the %d value when it tries to expand it?
>
> Thanks,
> John
Iain M Conochie
2008-Jan-23 11:56 UTC
[Dovecot] Virtual Users and permission denied on POP3 Authentication - cur directory
John Dubchak wrote:
>
> On Jan 23, 2008, at 4:27 AM, Iain M Conochie wrote:
>
>> Then I am a bit stuck. That was how I got it working for LDAP to be
>> honest.
>>
>> What kind of usernames are your users using to login with? Is it
>> user at domain or just user?
>
> user at domain
>
> Thanks,
> John

What do you have as your user_query then? You may need to use

WHERE userid = '%n' AND domain = '%d'

instead of

WHERE userid = '%u'

perhaps?

Iain
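The %d expansion John could not get populated, and the user_query rewrite Iain suggests here, as an added example that is not code from the thread or from Dovecot: a small Python model of how %u, %n and %d are derived from the login name, showing the empty path component (the "//user1" John saw) that results when the expanded name carries no domain. The function names, the users table and its SELECT column list are constructed assumptions.

```python
import re

# Added example (not Dovecot's own code): a model of the %-variable expansion
# Dovecot applies to userdb/passdb templates, limited to the three variables
# this thread turns on: %u (full login name), %n (user part), %d (domain).
# Assumption: the domain is whatever follows the first '@' in the login name.


def split_user(username):
    """Split a login name into (user part, domain part).

    Mirrors %n and %d: a login without '@' has an empty domain."""
    if "@" in username:
        local, domain = username.split("@", 1)
        return local, domain
    return username, ""


def expand(template, username):
    """Expand %u, %n and %d in a Dovecot-style template string."""
    local, domain = split_user(username)
    table = {"u": username, "n": local, "d": domain}
    return re.sub(r"%([und])", lambda m: table[m.group(1)], template)


def static_home(username, template="/var/spool/virtual_mailbox/%d/%n"):
    """Expand the static userdb home template from the thread.

    Returns (path, ok). ok is False when a variable expanded to nothing and
    left an empty path component, the '//user1' symptom seen when %d is
    not populated (e.g. the username reaching userdb has no domain)."""
    path = expand(template, username)
    return path, "//" not in path


def user_query(username):
    """Render Iain's suggested WHERE clause (userid = '%n' AND domain = '%d').

    The SELECT list and table name are constructed placeholders. This only
    renders the query text for inspection; in a deployment Dovecot itself
    escapes the expanded values before the query reaches the database."""
    template = ("SELECT home, uid, gid FROM users "
                "WHERE userid = '%n' AND domain = '%d'")
    return expand(template, username)


if __name__ == "__main__":
    for name in ("user1@domain1.com", "user1"):
        print(name, "->", static_home(name))
    print(user_query("user1@domain1.com"))
```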