Hi
I'm very new to Dovecot (been using Courier for 5 years), but I've been
persuaded of the merits of Dovecot and since the server needs upgrading that
seems like the perfect time/excuse.
On a test server, I set up postfix and installed Dovecot (running 32-bit Debian
Squeeze, installed from apt-get). I mirrored the mail store (Maildirs, for
historical reasons located under /var/spool/mail/virtual/domain.com/user). Then
I ran the courier migration perl script and everything was fine and dandy.
However, when I came to do the production migration, things weren't as
smooth. The new server is 64-bit (not that I think it makes a difference, but
if you're going to help me you should have all the information :)
Again, I installed Postfix and Dovecot
Took down the old server
Mirrored the Maildirs
Ran the migration script
Restarted everything
At this point everything looked like it was ok. Mail was being received and
delivered to the Maildirs and the IMAP login was fine. However, I noticed
errors in the logs when retrieving mail with the MUA along the lines of:
Aug 26 16:59:48 mail dovecot: IMAP(simon at lydiard.net):
open(/var/spool/mail/virtual/domain.net/simon/cur/1314328966.V801I166601bM756462.mail.net,S=2461:2,)
failed: Permission denied (euid=999(mailsystem) egid=115(mailsystem) missing +r
perm:
/var/spool/mail/virtual/domain.net/simon/cur/1314328966.V801I166601bM756462.mail.net,S=2461:2,)
After messing around with the chown and chmod (even though these were exactly
the same as the test server) I finally discovered the issue.
mail:~# ls /var/spool/mail/virtual/domain.net/simon/new/
-rwxrwx--- 1 postfix mailsystem 2.5K Aug 26 03:33 1314326000.V801I1666018M803015.mail.net,S=2461:2,
-rwxrwx--- 1 postfix mailsystem 2.5K Aug 26 03:36 1314326209.V801I1666019M447273.mail.net,S=2460:2,
-rw-rw---- 1 postfix mailsystem 2.5K Aug 26 04:00 1314327630.V801I166601aM308173.mail.net,S=2477:2,
-rw------- 1 postfix mailsystem 2.5K Aug 26 04:22 1314328966.V801I166601bM756462.mail.net,S=2461:2,
-rw------- 1 postfix mailsystem 1.1K Aug 26 16:28 1314372534.V801I166601cM615258.mail.net,S=1097:2,
-rw------- 1 postfix mailsystem 1.1K Aug 26 16:31 1314372685.V801I166601dM264242.mail.net,S=1097:2,
Mails are being delivered with 0600 permissions and not 0660 (the mails from
courier seem to have all been 0770 as you can see). If I manually change the
permission (to 0660) then I can see the mail in the MUA.
After thinking for a while it occurred to me that this is covered in the LDA
section. But making changes to the config file (either permissions or UID/GID)
doesn't seem to make a difference. (Yes, I did restart postfix and dovecot
after the changes).
Anyway, here is my dovecot -n:
mail:~# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.2 ext3
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s
ssl_ca_file: /etc/ssl/keys/ca.crt
ssl_cert_file: /etc/ssl/keys/mail.net.crt
ssl_key_file: /etc/ssl/private/mail.net.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_privileged_group: mailsystem
mail_location: maildir:/var/spool/mail/virtual/%d/%n
maildir_very_dirty_syncs: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
lda:
  postmaster_address: postmaster at net
  mail_plugins: quota
  log_path:
  info_log_path:
  deliver_log_format: msgid=%m: %f: %$
auth default:
  mechanisms: plain login
  user: mailsystem
  verbose: yes
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: prefetch
  userdb:
    driver: static
    args: uid=999 gid=115 home=/var/spool/mail/virtual/%d/%n allow_all_users=yes
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: mailsystem
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: mailsystem
      group: mailsystem
plugin:
  quota: maildir
As you can see, I tried to go 0660 in both client and master.
The portion of my master.cf
# SPB - Attempt to deliver with Dovecot LDA
dovecot unix - n n - - pipe
  flags=DRhu user=mailsystem argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
Is there anything else I should include?
I'm pretty sure it's an error on my part. I'm just not clued up
enough to know where.
My second problem is that I thought I had things back to where they were before
I messed with chown and chmod, but now I get this in the logs
dovecot: dovecot: Fatal: chdir(/var/spool/mail/virtual/domain.net/simon//)
failed: Permission denied (euid=999(mailsystem) egid=115(mailsystem) missing +x
perm: /var/spool/mail/virtual)
But the ls on that is exactly the same as on the test server:
ls /var/spool/mail/virtual/
total 44K
drwxrwS--- 11 postfix mailsystem 4.0K Aug 25 23:07 ./
drwxrwsr-x 5 amavis mailsystem 4.0K Oct 19 2009 ../
drwxrws--- 5 mailsystem mailsystem 4.0K Aug 26 02:33 domain.net/
So, now I'm stumped. I hope someone can spot the simple thing I've
missed!
Thanks.
Simon
My guess is you're delivering email with postfix to the inbox, instead of using dovecot-lda. And something odd is going on with that postfix to get odd permissions like that. You probably needed to edit the postfix virtual deliver transport, or maybe you just forgot to activate the dovecot-lda (deliver) transport.
On Fri, 2011-08-26 at 13:10 -0400, Simon Brereton wrote:
> mail:~# ls /var/spool/mail/virtual/domain.net/simon/new/
> -rwxrwx--- 1 postfix mailsystem 2.5K Aug 26 03:33 1314326000.V801I1666018M803015.mail.net,S=2461:2,
> -rwxrwx--- 1 postfix mailsystem 2.5K Aug 26 03:36 1314326209.V801I1666019M447273.mail.net,S=2460:2,
> -rw-rw---- 1 postfix mailsystem 2.5K Aug 26 04:00 1314327630.V801I166601aM308173.mail.net,S=2477:2,
> -rw------- 1 postfix mailsystem 2.5K Aug 26 04:22 1314328966.V801I166601bM756462.mail.net,S=2461:2,
> -rw------- 1 postfix mailsystem 1.1K Aug 26 16:28 1314372534.V801I166601cM615258.mail.net,S=1097:2,
> -rw------- 1 postfix mailsystem 1.1K Aug 26 16:31 1314372685.V801I166601dM264242.mail.net,S=1097:2,
>
> Mails are being delivered with 0600 permissions and not 0660 (the mails from courier seem to have all been 0770 as you can see). If I manually change the permission (to 0660) then I can see the mail in the MUA.

If /var/spool/mail/virtual/domain.net/simon has 0770 permissions, the new mails should be delivered with 0660 permissions. (I don't remember if having g+s makes any difference in the directory like you have in the domain dir.) In any case, it would be better if mails were delivered as mailsystem:mailsystem 0600 since that's what you're reading them as. Unless you have some other good reason for requiring mailsystem group to be able to read them.
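
Added example (not part of the original thread, and not Dovecot code): a small Python audit that decodes the `ls` mode strings posted above and reports which entries the reading account (`mailsystem`, group `mailsystem`) cannot use, reproducing the "missing +r" and "missing +x" messages in the logs. The function names are hypothetical, the sample rows are copied from the listings in the thread, and `expected_file_mode` assumes the rule from the last reply (0770 directory gives 0660 files) generalises to "directory mode masked with 0666".

```python
import stat

# Sample rows copied from the listings in the thread: (mode, owner, group, path).
SAMPLE = [
    ("drwxrwS---", "postfix", "mailsystem", "/var/spool/mail/virtual"),
    ("drwxrws---", "mailsystem", "mailsystem", "/var/spool/mail/virtual/domain.net"),
    ("-rw-rw----", "postfix", "mailsystem", "new/1314327630.V801I166601aM308173.mail.net,S=2477:2,"),
    ("-rw-------", "postfix", "mailsystem", "new/1314328966.V801I166601bM756462.mail.net,S=2461:2,"),
]

def parse_mode(s):
    """Convert an ls-style string such as 'drwxrwS---' to permission bits."""
    mode = 0
    for i, ch in enumerate(s[1:10]):
        bit = 0o400 >> i
        if i % 3 == 2:  # execute slot can also carry setuid/setgid/sticky
            if ch in "xst":      # lowercase: execute bit is set
                mode |= bit
            if ch in "sStT":     # uppercase S/T: special bit set, execute NOT set
                mode |= (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[i // 3]
        elif ch != "-":
            mode |= bit
    return mode

def missing(mode, owner, group, user, groups, want):
    """Letters from `want` that `user` lacks. The first matching class
    (owner, then group, then other) decides; there is no fall-through."""
    shift = 6 if user == owner else 3 if group in groups else 0
    granted = (mode >> shift) & 0o7
    return "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1))
                   if c in want and not granted & b)

def audit(entries, user, groups):
    """Directories must be traversable (+x), message files readable (+r)."""
    findings = []
    for s, owner, group, path in entries:
        lack = missing(parse_mode(s), owner, group, user, groups,
                       "x" if s[0] == "d" else "r")
        if lack:
            findings.append((path, "+" + lack))
    return findings

def expected_file_mode(dir_mode):
    """Assumption: new mail files get the Maildir's mode masked with 0666."""
    return dir_mode & 0o666

if __name__ == "__main__":
    for path, lack in audit(SAMPLE, "mailsystem", {"mailsystem"}):
        print(f"missing {lack} perm: {path}")
```

The capital `S` in `drwxrwS---` decodes to setgid set with group execute clear (02760), which is why `/var/spool/mail/virtual` is reported as missing +x for a process that only matches the group class.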