From the log:

Oct 6 09:54:10 postamt dovecot: imap(hkunte): Error: quota: connect(/usr/local/scripts/quota-warning2) failed: Permission denied

From the config:

quota = maildir
quota_rule = INBOX.Trash:storage=+2048M
quota_warning = storage=99%% /usr/local/scripts/quota-warning2 99 %u
quota_warning2 = storage=95%% /usr/local/scripts/quota-warning2 95 %u
quota_warning3 = storage=90%% /usr/local/scripts/quota-warning2 90 %u
quota_warning4 = storage=85%% /usr/local/scripts/quota-warning2 85 %u

service quota-warning {
  executable = script /usr/local/scripts/quota-warning2
  # use some unprivileged user for executing the quota warnings
  user = vmail
  unix_listener quota-warning {
  }
}

But how exactly does this work? The user vmail cannot write to the users' mailboxes, so I'd have to run /usr/local/scripts/quota-warning2 as root, wouldn't I?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | http://www.charite.de

Ralf Hildebrandt wrote on 06.10.2010:

> From the log:
> Oct 6 09:54:10 postamt dovecot: imap(hkunte): Error: quota:
> connect(/usr/local/scripts/quota-warning2) failed: Permission denied
>
> From the config:
> quota = maildir
> quota_rule = INBOX.Trash:storage=+2048M
> quota_warning = storage=99%% /usr/local/scripts/quota-warning2 99 %u
> quota_warning2 = storage=95%% /usr/local/scripts/quota-warning2 95 %u
> quota_warning3 = storage=90%% /usr/local/scripts/quota-warning2 90 %u
> quota_warning4 = storage=85%% /usr/local/scripts/quota-warning2 85 %u
>
> service quota-warning {
>   executable = script /usr/local/scripts/quota-warning2
>   # use some unprivileged user for executing the quota warnings
>   user = vmail
>   unix_listener quota-warning {
>   }
> }
>
> But how exactly does this work? The user vmail cannot write to the
> users' mailboxes, so I'd have to run /usr/local/scripts/quota-warning2
> as root, wouldn't I?

Personally I use this:

service quota-warning {
  executable = script /usr/bin/quota-warning.sh
  user = vmail
  unix_listener quota-warning {
    mode = 0660
    user = vmail
    group = vmail
  }
}

Same for some other sockets like "dict"...

--
Daniel

* Daniel Luttermann <daniel at dlutt.de>:

> Personally I use this:
>
> service quota-warning {
>   executable = script /usr/bin/quota-warning.sh
>   user = vmail
>   unix_listener quota-warning {
>     mode = 0660
>     user = vmail
>     group = vmail
>   }
> }

What is the meaning of the "unix_listener"?
Can I run the script as user root or will dovecot deny this?
Why do I need to specify the user twice?

--
Ralf Hildebrandt

On Wed, 2010-10-06 at 15:33 +0200, Ralf Hildebrandt wrote:

> > service quota-warning {
> >   executable = script /usr/bin/quota-warning.sh
> >   user = vmail

The process is run as this user.

> >   unix_listener quota-warning {
> >     mode = 0660
> >     user = vmail
> >     group = vmail

These are the socket permissions, i.e. specifying what other processes can connect to it.

> Can I run the script as user root or will dovecot deny this?

Yeah, you can make the service user=root, but give only vmail user permission to it so only processes running as vmail can connect to it. Do you use multiple UIDs for users?

An alternative to running as root would be to use LMTP to deliver the "over quota" mail to the user and use some trick to disable quota for this. Maybe something like:

protocol lmtp {
  local_ip 127.0.0.1 {
    plugin {
      quota = maildir:user:noenforcing
    }
  }
}
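
The split described in the last reply (the service's user versus the unix_listener permissions), as an added example that is not part of the thread or of Dovecot itself: a Python model of the write-permission check Linux applies to connect() on a UNIX socket, showing who can reach a listener for a given mode, owner and group. The UID/GID numbers, caller labels and function names are assumptions made up for the illustration.

```python
import os
import stat
import sys

def may_connect(mode, owner_uid, owner_gid, uid, gids):
    """Model the Linux permission check for connect() on a UNIX socket file.

    connect() needs write permission on the socket. Only the first matching
    class (owner, then group, then other) is consulted; uid 0 bypasses it.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def listener_access(path, callers):
    """Stat a listener socket and report which callers could connect to it.

    callers maps a label to (uid, set_of_gids). Search permission on the
    parent directories, ACLs and LSM policy are not modelled here.
    """
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a UNIX socket")
    return {label: may_connect(st.st_mode, st.st_uid, st.st_gid, uid, gids)
            for label, (uid, gids) in callers.items()}

# Constructed sample: listener owned by vmail (5000:5000), as in the
# unix_listener block with mode = 0660, user = vmail, group = vmail.
VMAIL_UID, VMAIL_GID = 5000, 5000          # assumed IDs, not from the thread
SAMPLE_CALLERS = {
    "vmail process": (VMAIL_UID, {VMAIL_GID}),
    "user in group vmail": (1001, {1001, VMAIL_GID}),
    "unrelated user": (1002, {1002}),
}

def sample_report(mode=0o660):
    """Evaluate the constructed callers against a vmail-owned listener."""
    return {label: may_connect(mode, VMAIL_UID, VMAIL_GID, uid, gids)
            for label, (uid, gids) in SAMPLE_CALLERS.items()}

if __name__ == "__main__":
    # With an argument, check a real socket path; otherwise print the sample.
    if len(sys.argv) > 1:
        print(listener_access(sys.argv[1], SAMPLE_CALLERS))
    else:
        print(sample_report())
```

The service's own user setting does not enter this check at all: it decides what the script may do once started, while the listener's mode, user and group decide which processes may trigger it.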