dovecot - Nov 2013 - Permissions problems

Hi,

I have dovecot 2.0.20 running (its an old version, I know, it came from the
stable archive at OpenCSW) with Solaris SMF integration working fine. It
enables and disables okay.

However, I cantt connect to it, it is allowing the connection, but spewing on
permissions:

Nov 24 17:34:20 proliant-1 dovecot: [ID 583609 mail.info] master: Dovecot
v2.0.20 starting up
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap-login: Login:
user=<mark>, method=PLAIN, rip=192.168.1.69, lip=192.168.1.72, mpid=18816
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap-login: Login:
user=<mark>, method=PLAIN, rip=192.168.1.69, lip=192.168.1.72, mpid=18818
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap-login: Login:
user=<mark>, method=PLAIN, rip=192.168.1.69, lip=192.168.1.72, mpid=18820
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap(mark):
Connection closed bytes=17/340
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap-login: Login:
user=<mark>, method=PLAIN, rip=192.168.1.69, lip=192.168.1.72, mpid=18822
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot.index.log.newlock,
/mpool/mail/mark/dovecot.index.log) failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot-uidlist.tmp, /mpool/mail/mark/dovecot-uidlist)
failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
unlink(/mpool/mail/mark/dovecot-uidlist.tmp) failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot-uidlist.tmp, /mpool/mail/mark/dovecot-uidlist)
failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
unlink(/mpool/mail/mark/dovecot-uidlist.tmp) failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot-uidlist.tmp, /mpool/mail/mark/dovecot-uidlist)
failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
unlink(/mpool/mail/mark/dovecot-uidlist.tmp) failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot-uidlist.tmp, /mpool/mail/mark/dovecot-uidlist)
failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
unlink(/mpool/mail/mark/dovecot-uidlist.tmp) failed: Permission denied

If I actually try to copy mail to the inbox of the account it core-dumps and
does, and the SMF service drops into maintenance mode which requires
re-enabling.

The output from doveconf -n (this is changes from the default settings I
think?) is:

root at proliant-1:~# doveconf -n
# 2.0.20: /etc/opt/csw/dovecot/dovecot.conf
# OS: SunOS 5.11 i86pc  zfs
auth_first_valid_uid = 101
disable_plaintext_auth = no
first_valid_uid = 101
mail_location = maildir:/mpool/mail/%u
passdb {
 driver = pam
}
ssl_cert = </opt/csw/ssl/certs/dovecot.pem
ssl_key = </opt/csw/ssl/private/dovecot.pem
userdb {
 driver = passwd
}

The mail_location is in a ZFS filesystem on my RAIDz array. I couldnt think
of any other way of creating user-specific folders in the location. As the value
suggests, each user gets their own directory on the filesystem for mail.

Is this still a ?safe? way to do things or would I be better off relocating each
user?s ?home? directory to the pool somehow?

This is what the directory currently looks like:

mark at proliant-1:~$ ls -la /mpool/mail
total 6
drwxrwxrwx+ 3 root root  3 2013-11-24 17:17 .
drwxr-xr-x+ 5 root root  5 2013-11-24 13:50 ..
drwxrwxrwx+ 5 mark staff 9 2013-11-24 22:20 mark

mark at proliant-1:~$ ls -la /mpool/mail/mark/
total 14
drwxrwxrwx+ 5 mark staff  9 2013-11-24 22:20 .
drwxrwxrwx+ 3 root root   3 2013-11-24 17:17 ..
drwxrwxrwx+ 2 mark staff  2 2013-11-24 17:17 cur
-rwxrwxrwx+ 1 mark staff 51 2013-11-24 22:20 dovecot-uidlist.tmp
-rwxrwxrwx+ 1 mark staff  8 2013-11-24 22:20 dovecot-uidvalidity
-rwxrwxrwx+ 1 mark staff  0 2013-11-24 17:17 dovecot-uidvalidity.529234ad
-rwxrwxrwx+ 1 mark staff 40 2013-11-24 22:20 dovecot.index.log.newlock
drwxrwxrwx+ 2 mark staff  2 2013-11-24 17:17 new
drwxrwxrwx+ 2 mark staff  3 2013-11-24 17:21 tmp

Any ideas?

-- 

Mark Benson

http://DECtec.info
Twitter: @DECtecInfo
HECnet: STAR69::MARK

Online Resource & Mailing List for DEC Enthusiasts.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 27 Nov 2013, Google wrote:
> Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark):
Error:
> rename(/mpool/mail/mark/dovecot.index.log.newlock,
> /mpool/mail/mark/dovecot.index.log) failed: Permission denied
That's a filesystem problem.
> The output from doveconf -n (this is changes from the default settings I
> think?) is:
>
> root at proliant-1:~# doveconf -n
> # 2.0.20: /etc/opt/csw/dovecot/dovecot.conf
> # OS: SunOS 5.11 i86pc  zfs
> auth_first_valid_uid = 101
> disable_plaintext_auth = no
> first_valid_uid = 101
> mail_location = maildir:/mpool/mail/%u
> passdb {
> driver = pam
> }
> ssl_cert = </opt/csw/ssl/certs/dovecot.pem
> ssl_key = </opt/csw/ssl/private/dovecot.pem
> userdb {
> driver = passwd
> }
>
> The mail_location is in a ZFS filesystem on my RAIDz array. I couldnt think
> of any other way of creating user-specific folders in the location. As the
value
> suggests, each user gets their own directory on the filesystem for mail.
The users do have distinct home directories (from passwd) separated from 
the mail location?
> Is this still a ?safe? way to do things or would I be better off relocating
each
> user?s ?home? directory to the pool somehow?
>
> This is what the directory currently looks like:
>
> mark at proliant-1:~$ ls -la /mpool/mail
> total 6
> drwxrwxrwx+ 3 root root  3 2013-11-24 17:17 .
> drwxr-xr-x+ 5 root root  5 2013-11-24 13:50 ..
> drwxrwxrwx+ 5 mark staff 9 2013-11-24 22:20 mark
>
> mark at proliant-1:~$ ls -la /mpool/mail/mark/
> total 14
> drwxrwxrwx+ 5 mark staff  9 2013-11-24 22:20 .
> drwxrwxrwx+ 3 root root   3 2013-11-24 17:17 ..
> drwxrwxrwx+ 2 mark staff  2 2013-11-24 17:17 cur
> -rwxrwxrwx+ 1 mark staff 51 2013-11-24 22:20 dovecot-uidlist.tmp
> -rwxrwxrwx+ 1 mark staff  8 2013-11-24 22:20 dovecot-uidvalidity
> -rwxrwxrwx+ 1 mark staff  0 2013-11-24 17:17 dovecot-uidvalidity.529234ad
> -rwxrwxrwx+ 1 mark staff 40 2013-11-24 22:20 dovecot.index.log.newlock
> drwxrwxrwx+ 2 mark staff  2 2013-11-24 17:17 new
> drwxrwxrwx+ 2 mark staff  3 2013-11-24 17:21 tmp
>
> Any ideas?
is it possible that two Dovecot instances try to access the same storage ? 
Or is there some hardening (SELinux/AppArmor) in action? Or are there some 
special ACLs in ZFS that prevent that rename() operation on file system 
level? Does the user mark has the permission at all?

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBUpW1n13r2wJMiz2NAQL6+wf/UdkI0kKZKwRT1+VgSxE2QJqVwrDr0GN2
IK5fljL3Hnx4PDjnofEJ6yXT7xJGTveaZ9yQahQbx0oakBBTKsEgZsNxBB+TOyjE
MsYBzYbQKK+JqR7yUt3YwnJXmPrCATOhd0WKqgX4xb94X4nn3id2/l3bjqNnQUtm
QPB2r+gVT2AtisB5Onzaocf7wdkPoMD1vMaW+Z9VqSBvzWzezoxoEXDbButWkrQf
C1K0r+eK+IU3KxXboZ2ceu4QqlFth8GlOX9F9e2zFfRJ747qJcmEI9wxfbqCkBKs
ic+A//km4mv6Y6erObBOj/jtT82jm7P0RBWBKkmKnO6Fg7AI/GIvQg==qGop
-----END PGP SIGNATURE-----

<md.benson at gmail.com> wrote:
> Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark):
Error:
> rename(/mpool/mail/mark/dovecot.index.log.newlock,
> /mpool/mail/mark/dovecot.index.log) failed: Permission denied
> ...
> This is what the directory currently looks like:
>
> mark at proliant-1:~$ ls -la /mpool/mail
> total 6
> drwxrwxrwx+ 3 root root  3 2013-11-24 17:17 .
> drwxr-xr-x+ 5 root root  5 2013-11-24 13:50 ..
> drwxrwxrwx+ 5 mark staff 9 2013-11-24 22:20 mark
I'm think the "+" is the problem: you have, in the words of the
manpage for ls,

 	... this character is a plus sign (+) character if a non-trivial
 	ACL is associated with the file ...

Try

 	ls -alv /mpool/mail

I don't use ACLs, so I can help you how to modify them.

Joseph Tam <jtam.home at gmail.com>