dovecot - May 2013 - AuthenticationFailedException: [IN-USE] Couldn't open INBOX: Permission denied

I've been pouring over the documentation for dovecot, but can't find a
solution to this problem.  I recently took over administration of the dovecot
email service at the University where I work, and things were going smoothly. 
We've been creating email accounts for use with JIRA, a bug
reporting/tracking system, and one day recently, when I tried to add a new
account to JIRA, I got this error returned from dovecot:

"AuthenticationFailedException: [IN-USE] Couldn't open INBOX:
Permission denied"

I got help from Atlassian, the creators of JIRA, and they sent me links to some
forum posts that said that changing the permissions of that user's
/var/mail/ directory to 0600 would solve the problem.  I changed that and no
longer got the error.

Being satisfied that this was a solution, I created a bunch of new email
accounts today to replace exchange accounts, and then changed the permissions on
all the /var/mail/ directories to 0600.  Now I'm getting that error again,
even for pre-existing email addresses, including the one that I had previously
fixed by changing the permissions the same way.  I tried changing some of the
older accounts back to 0660, which is what they had before, and I still get the
error even after restarting dovecot.

JIRA uses POP, port 110, to connect to the dovecot mail server.  I've also
had the same problem trying to connect from Mac Mail.

Our JIRA application is used for tracking issues for the UBC Libraries, and
those email addresses are critical for the creation of tickets and adding
comments to tickets.  I am at a loss for what to do.

Can anyone help?  Thank you very much for your time.

# dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-131.0.15.el6.x86_64 x86_64 Red Hat Enterprise Linux Server
release 6.4 (Santiago)
auth_debug = yes
auth_debug_passwords = yes
disable_plaintext_auth = no
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/server.crt
ssl_key = </etc/pki/dovecot/private/server.key
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}

Here's an except of the maillog from a recent attempt:

May  8 17:46:49 moose dovecot: auth: Debug: pam(lib.sysadmin,{ip removed}):
lookup service=dovecot
May  8 17:46:49 moose dovecot: auth: Debug: pam(lib.sysadmin,{ip removed}): #1/1
style=1 msg=Password:
May  8 17:46:49 moose dovecot: auth: Debug: client out:
OK#0111#011user=lib.sysadmin
May  8 17:46:49 moose dovecot: auth: Debug: master in:
REQUEST#0111028653057#01128298#0111#011a60ed90501af39d7e353a14e027255cd
May  8 17:46:49 moose dovecot: auth: Debug: passwd(lib.sysadmin,{ip removed}):
lookup
May  8 17:46:49 moose dovecot: auth: Debug: master out:
USER#0111028653057#011lib.sysadmin#011system_groups_user=lib.sysadmin#011uid=523#011gid=524#011home=/home/lib.sysadmin
May  8 17:46:49 moose dovecot: pop3-login: Login: user=<lib.sysadmin>,
method=PLAIN, rip={ip removed}, lip={ip removed}, mpid=28302
May  8 17:46:49 moose dovecot: pop3(lib.sysadmin): Error:
stat(/var/spool/mail/lib.sysadmin) failed: Permission denied
May  8 17:46:49 moose dovecot: pop3(lib.sysadmin): Error:
stat(/var/spool/mail/lib.sysadmin) failed: Permission denied
May  8 17:46:49 moose dovecot: pop3(lib.sysadmin): Error: Couldn't open
INBOX: Permission denied
May  8 17:46:49 moose dovecot: pop3(lib.sysadmin): Couldn't open INBOX
top=0/0, retr=0/0, del=0/0, size=0
May  8 17:46:50 moose dovecot: auth: Debug: auth client connected (pid=28303)
May  8 17:46:50 moose dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=pop3#011lip={ip removed}#011rip={ip
removed}#011lport=110#011rport=64420#011resp=AGJ2YXV3LnJlbGFpcwByM2xAaXMuYnZAdXc=

At 12AM +0000 on  9/05/13 you (Earles, Jill) wrote:
> I've been pouring over the documentation for dovecot, but can't
find a
> solution to this problem.  I recently took over administration of the
> dovecot email service at the University where I work, and things were
> going smoothly.  We've been creating email accounts for use with JIRA,
> a bug reporting/tracking system, and one day recently, when I tried to
> add a new account to JIRA, I got this error returned from dovecot:
> 
> "AuthenticationFailedException: [IN-USE] Couldn't open INBOX:
> Permission denied"
This is not a dovecot message: presumably it's from JIRA?
> I got help from Atlassian, the creators of JIRA, and they sent me
> links to some forum posts that said that changing the permissions of
> that user's /var/mail/ directory to 0600 would solve the problem.  I
> changed that and no longer got the error.  
You say '/var/mail directory' but your dovecot.conf suggests you mean a
file in /var/spool/mail. You need to be clear about which you mean.

Dovecot changes down to the user's uid to access the mail folders, so
assuming the owners are correct either 0600 or 0660 should be fine.
(Which you choose depends on how paranoid you are about users reading
each others' mail, and what the group ownership is.)
> Being satisfied that this was a solution, I created a bunch of new
> email accounts today to replace exchange accounts, and then changed
> the permissions on all the /var/mail/ directories to 0600.  Now I'm
> getting that error again, even for pre-existing email addresses,
> including the one that I had previously fixed by changing the
> permissions the same way.  I tried changing some of the older accounts
> back to 0660, which is what they had before, and I still get the error
> even after restarting dovecot.
[...]
> # dovecot -n
> # 2.0.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-131.0.15.el6.x86_64 x86_64 Red Hat Enterprise Linux
Server release 6.4 (Santiago)
> auth_debug = yes
> auth_debug_passwords = yes
Careful with this. You end up with passwords in the logs.

[...]
> Here's an except of the maillog from a recent attempt:
[...]
> 
> May  8 17:46:49 moose dovecot: pop3(lib.sysadmin): Error:
> stat(/var/spool/mail/lib.sysadmin) failed: Permission denied
This is interesting: normally stat only fails if the permissions on the
directory (that is, /var/spool/mail itself) are wrong. Check you haven't
changed them by mistake.
> May  8 17:46:50 moose dovecot: auth: Debug: client in:
> AUTH#0111#011PLAIN#011service=pop3#011lip={ip removed}#011rip={ip
> removed}#011lport=110#011rport=64420#011resp=XXXXXXXXXXXXXXXXXXXX
See? You've just posted the password for 'bvauw.relais'. Change it,
now.

Ben