dovecot - Jan 2014 - imap auto create mailbox: we're not in group 8(mail)

Dear List

Somehow I don't understand the intended work flow to have new mailboxes
auto created. On login of a new user with no mailbox, I get

2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization
failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied
(euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're
not in group 8(mail), dir owned by 0:8 mode=0771)

The imap process runs as the user the login performed and thus it has
only the privileges of that user. This is good and desired, when a
mailbox already exists. I do not want to allow all users to write to
/var/mail, only they should write to their dirs inside /var/mail.

Same story for LMTP, if no mailbox exists yet:
2014-01-09 13:01:47 lmtp(20416, tester): Error: user tester:
Initialization failed: Namespace '': mkdir(/var/mail/tester) failed:
Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm:
/var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)

How can I configure the auto create mailbox feature that it works and
let run LMTP and IMAP process as user %u and group mail and let create
the mailboxes in /var/mail as (example user tester) with the following
permissions:

/var/mail:

drwxrwx--x  root     mail        3072 Dec 18 01:43 .
drwx------  tester   tester      1024 Jan 09 12:53 tester


...or do I need a different approach?

Thank you for helping me.

Best regards, Adrian.


My setup:
=======* Exim delivers to LMTP socket as user %u, group mail
* maildir storage in /var/mail

doveconf -n:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.3 ext3
auth_cache_negative_ttl = 0
auth_cache_size = 5 M
auth_cache_ttl = 4 hours
auth_failure_delay = 3 secs
auth_mechanisms = plain login digest-md5 cram-md5 apop rpa
auth_username_format = %n
auth_verbose = yes
auth_worker_max_count = 128
first_valid_gid = 1000
first_valid_uid = 1000
last_valid_gid = 60000
last_valid_uid = 60000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
%k
mail_location = maildir:/var/mail/./%u/:INDEX=MEMORY
mail_prefetch_count = 1024
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave vacation-seconds
namespace inbox {
  inbox = yes
  location   mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix   type = private
}
passdb {
  args = scheme=SHA512-CRYPT username_format=%u /etc/cram-md5.pwd
  driver = passwd-file
}
plugin {
  sieve = /var/mail/%u/sieve/.dovecot.sieve
  sieve_before = /var/mail/%u/sieve/vacation.sieve
  sieve_dir = /var/mail/%u/sieve
  sieve_extensions = +vacation +vacation-seconds
  sieve_max_actions = 1024
  sieve_vacation_default_period = 12d
  sieve_vacation_max_period = 0
  sieve_vacation_min_period = 1d
}
postmaster_address = postmaster at XXXX
protocols = " imap lmtp sieve pop3"
service auth-worker {
  user = $default_login_user
}
service auth {
  group = mail-security
  unix_listener auth-client {
    mode = 0660
    user = Debian-exim
  }
  unix_listener auth-userdb {
    mode = 0666
  }
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 5
}
service lmtp {
  process_min_avail = 10
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service pop3 {
  process_limit = 256
}
ssl_cert = </etc/ssl/XXXX
ssl_cipher_list
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:+TLSv1:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!SSLv2:!3DES:!DSS
ssl_key = </etc/ssl/XXXX
ssl_parameters_regenerate = 128 hours
userdb {
  args = blocking=no
  driver = passwd
  override_fields = home=/var/mail/%u mail=maildir:/var/mail/%u
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}
protocol imap {
  mail_max_userip_connections = 64
}
protocol pop3 {
  mail_max_userip_connections = 32
  pop3_client_workarounds = oe-ns-eoh
  pop3_save_uidl = yes
}

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Jan 2014, Adrian Zaugg wrote:
> Somehow I don't understand the intended work flow to have new mailboxes
> auto created. On login of a new user with no mailbox, I get
>
> 2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization
> failed: Namespace '': mkdir(/var/mail/tester) failed: Permission
denied
> (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're
> not in group 8(mail), dir owned by 0:8 mode=0771)
The errors says all.

1) See:
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking 
fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group 
# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" 
group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete 
others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading 
it).
#mail_access_groups 
2) chmod 1777 /var/mail

3) pre-create your user dirs

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBUs6X0F3r2wJMiz2NAQJpBQf/QKVG5bMRpWC6U2X+IhTzN+QjIAonsVuY
KMyyDkFSvDAr+8eBqek7/H/ijUhyaTQZsbZ7ftYYIqQs5ZgFSZNURhbcuJLd8Y6+
OwXX1uCshQg63hYUpsfJsQiAoQ6vxdw2wFgLFUGjASBcXtiI9BtzLObOZMgfhCzT
pqsMOWoIjM9BBQt/u5r4JM/3LJccFnVP4yAn8Wmq73Yu3ozw5L+9eMGjm/NnpT3B
62wuhgqY9p3GxenWvnHN/BgfYsWNrBN9E2AKlDmFainUC7lNZD8YeB64oj0KWxz5
tlQiEKia5xMB2WsUPpEhOHOYTfh7vq0Qm0Sxw3DdhWIZnr/DVru84A==Z2z1
-----END PGP SIGNATURE-----