Help!

I have been using dovecot for some years with great success. A little while ago, I changed my mail server from Fedora to CentOS linux. I reinstalled dovecot, and *almost* everything seems to be working, but one thing.

There's *one* user I can't get it to work on without a workaround. The user is "newuser" and the uid is 1111 (actual name and number changed to protect the innocent). The error I get in my maillog is:

The error I get in my maillog is:
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
Aug 29 16:02:11 localbox dovecot: imap(newuser): Disconnected: Logged out bytes=108/669

Now, it looks to me like dovecot is saying that the user newuser can't get to the /home/newuser/mail/.imap directory because it doesn't have permission. However, the user newuser has all the permissions it needs:

$ ls -la /home/newuser/mail
total 20
drwxrw---- 3 newuser newuser 4096 Aug 29 15:01 .
drwxrw---- 6 newuser newuser 4096 Aug 29 12:16 ..
drwxrwx--- 2 newuser newuser 4096 Aug 29 16:05 .imap
-rw-rw---- 1 newuser newuser  499 Aug 13 07:56 saved-messages
-rw-rw---- 1 newuser newuser 1756 Aug 16 11:15 sent-mail

newuser has the correct uid (1111) in /etc/dovecot/users

newuser *is* the correct uid for that user, i.e.:

$ id -u newuser
1111

the password is correct

Both my web mail package (roundcube) and my android fail. Both work fine with all other accounts that are set up for imap services.

The workaround, it turns out, is that if I make the directory /home/newuser/.imap/INBOX by hand as the user newuser, then things work.

So, things seem to be working. However, I just don't understand why *this* user is having problems when none of the others are... The only thing that sets this user apart from any of the others is that it has administration privileges for the roundcube mailer MySQL database.

Any explanations?

Thanks!

billo

On 8/29/2013 2:17 PM, Bill Oliver wrote:
>
> Help!
>
> The user is "newuser" and the uid is 1111 (actual name and
> number changed to protect the innocent).

Since you gave a fake UID, and no GID, it is hard to tell. When posting, you can change the username, but leave the UID as is. If that number is so critically sensitive, then you should probably not ask your question in a public forum and instead seek assistance via more private communications.

Special UIDs- Is the actual UID below a threshold so that the system thinks it is a system or admin user, subject to different restrictions? These thresholds vary, but 1000, 500 and 100 are common.

SELinux- Are you running the SELinux extensions which would impose additional restrictions?

ACLs- Do you have ACLs (filesystem or Dovecot) that would affect this user differently?

Groups- You stated that the user is a Roundcube admin. Is the user in the same group as the rest of your normal mail users or a special group for the Roundcube functions? Do you need to manually add the user to the group for regular mail users? What are the group settings on your directories? Could it be the group permissions that are giving access to most users?

Dem

Bill Oliver writes:

> There's *one* user I can't get it to work on without a
> workaround. The user is "newuser" and the uid is 1111 (actual name and
> number changed to protect the innocent). The error I get in my maillog
> is:
>
> The error I get in my maillog is:
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
>
> Now, it looks to me like dovecot is saying that the user newuser can't
> get to the /home/newuser/mail/.imap directory because it doesn't have
> permission. However, the user newuser has all the permissions it needs:
>
> $ ls -la /home/newuser/mail
>
> total 20
> drwxrw---- 3 newuser newuser 4096 Aug 29 15:01 .
> drwxrw---- 6 newuser newuser 4096 Aug 29 12:16 ..
> drwxrwx--- 2 newuser newuser 4096 Aug 29 16:05 .imap
> -rw-rw---- 1 newuser newuser  499 Aug 13 07:56 saved-messages
> -rw-rw---- 1 newuser newuser 1756 Aug 16 11:15 sent-mail

The output of doveconf -n would have been useful, especially as it relates to your mail_location value, but I can make a pretty good guess at what is happening.

Dovecot is trying to create indices with analogous permissions to your mailbox files. Your user's INBOX (/var/mail/newuser) has permission user:group:mode = 1111:12:0660 *but* newuser is not in group "mail" (GID 12), hence it cannot do the required chown operations. (Notice the mode of .imap/: the group write is on so the chmod worked.)

Your INBOX ended up this way because some LDAs auto-create new INBOXes with these permissions (to allow access to other parts of the mail system that are set-gid "mail").

Options:

1) chmod g-rwx /var/mail/newuser
   - assumes you have no other parts of your mailsystem that need access to all user INBOX by assuming group "mail".
   - dovecot is smart enough to figure out group membership is irrelevant if group access is nil.

2) chgrp newuser /var/mail/newuser

3) To avoid future problems: make sure new mailboxes are created with workable permissions.

There are also dovecot configs that loosen up some group access, but you'll have to investigate that yourself.

Joseph Tam <tam at math.ubc.ca>
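
The condition described in the reply above can be checked per user before the error shows up in the maillog. This is an added example, not part of the original thread or of Dovecot; the function names classify_inbox and check_user are hypothetical, the /var/mail spool path and the values 660/12/1111 are the thread's own (anonymized) ones, and check_user assumes GNU stat.

```shell
#!/bin/sh
# Added example: decide whether the mailbox owner can chown index
# directories to the group that owns the INBOX file.

# classify_inbox MODE FILE_GID USER_GID...
#   MODE      octal permission bits of the INBOX file, e.g. 660
#   FILE_GID  numeric group owner of the INBOX file
#   USER_GID  every numeric group the mail user belongs to (see `id -G`)
# Prints one verdict and always returns 0:
#   group-access-nil  group has no rwx bits (state after option 1, chmod g-rwx)
#   member            user is in the file's group (state after option 2, chgrp)
#   chown-will-fail   group bits set but user is not a member of that group
classify_inbox() {
    mode=$1
    file_gid=$2
    shift 2
    g=${mode%?}        # drop the "other" digit
    g=${g#"${g%?}"}    # keep the last remaining digit: the group digit
    if [ "$g" = 0 ]; then
        echo "group-access-nil"
        return 0
    fi
    for gid in "$@"; do
        if [ "$gid" = "$file_gid" ]; then
            echo "member"
            return 0
        fi
    done
    echo "chown-will-fail"
}

# check_user USER [SPOOL_DIR]: run the classification on a real spool file.
check_user() {
    inbox=${2:-/var/mail}/$1
    info=$(stat -c '%a %g' "$inbox") || return 2   # GNU stat: mode, group id
    gids=$(id -G "$1") || return 2
    # Word splitting of $info and $gids is intentional here.
    classify_inbox $info $gids
}

# The situation from the thread: mode 0660, group 12 (mail), user only in 1111.
classify_inbox 660 12 1111
```

Running check_user for each account in the spool directory lists the mailboxes that will hit the same chown failure.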