It has been running flawlessly for quite some time until the update.

Global scripts were compiled:

/usr/local/etc/dovecot/sieve # ls
10-move-spam.sieve 10-move-spam.svbin

However, I ran sievec again and tried saving a modified script and got the same:

shiofuki dovecot: lda(gessel at blackrosetech.com): Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.shiofuki.blackrosetech.com.96421.) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve, we're not in group 6(mail), dir owned by 143:6 mode=0775)
Dec 9 11:30:39 shiofuki dovecot: lda(gessel at blackrosetech.com): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/usr/local/etc/dovecot/sieve/10-move-spam.sieve' need to be pre-compiled using the sievec tool

I use Thomas Schmid's Sieve 0.2.3d add on to Thunderbird, if that might have any significance.

Compiling with sievec shouldn't change the permission error, which I still don't understand.

-------- Original Message --------
Subject: Re: Sieve permissions issue following update
From: Pascal Volk <user+dovecot at localhost.localdomain.org>
To: Dovecot Mailing List <dovecot at dovecot.org>
Date: Tue Dec 09 2014 20:45:00 GMT+0300 (Arabic Standard Time)

> On 12/09/2014 05:35 PM, David Gessel wrote:
>> I recently updated dovecot and my sieve filters stopped working. Checking the logs I see:
>>
>> Dec 9 00:09:59 mailhost dovecot: lda(gessel at domain.com): Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.mailhost.domain.com.114.) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve, we're not in group 6(mail), dir owned by 143:6 mode=0775)
>>
>> Dec 9 00:09:59 mailhost dovecot: lda(gessel at domain.com): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/usr/local/etc/dovecot/sieve/10-move-spam.sieve' need to be pre-compiled using the sievec tool
>>
>>
>
> As mentioned in the error message from your logs and in the wiki
> <http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage#Manually_Compiling_Sieve_Scripts>:
>
> To mitigate this problem, the administrator must manually
> pre-compile global scripts using the sievec command line tool.
>
>
> Regards,
> Pascal
>

On 12/09/2014 07:50 PM, David Gessel wrote:
> It has been running flawlessly for quite some time until the update.
>
> Global scripts were compiled:
>
> /usr/local/etc/dovecot/sieve # ls
> 10-move-spam.sieve 10-move-spam.svbin
>
> However, I ran sievec again and tried saving a modified script and got the same:
>
> shiofuki dovecot: lda(gessel at blackrosetech.com): Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.shiofuki.blackrosetech.com.96421.) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve, we're not in group 6(mail), dir owned by 143:6 mode=0775)
> Dec 9 11:30:39 shiofuki dovecot: lda(gessel at blackrosetech.com): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/usr/local/etc/dovecot/sieve/10-move-spam.sieve' need to be pre-compiled using the sievec tool
>
>
> I use Thomas Schmid's Sieve 0.2.3d add on to Thunderbird, if that might have any significance.
>
> Compiling with sievec shouldn't change the permission error, which I still don't understand.
>
>
>> [TOFU snipped]

/usr/local/etc/dovecot/sieve is not the user's sieve_dir; see
<http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration>.

The GLOBAL sieve scripts (see your error message above) are managed by the
system administrator. Admins are using their favorite $EDITOR, the
chmod(1) and chown(1) commands. They don't need a ManageSieve client.

Regards,
Pascal
--
The trapper recommends today: fabaceae.1434321 at localdomain.org

-------- Original Message --------
Subject: Re: Sieve permissions issue following update
From: Pascal Volk <user+dovecot at localhost.localdomain.org>
To: Dovecot Mailing List <dovecot at dovecot.org>
Date: Wed Dec 10 2014 00:00:04 GMT+0300 (Arabic Standard Time)

> On 12/09/2014 07:50 PM, David Gessel wrote:
>> It has been running flawlessly for quite some time until the update.
>>
>> Global scripts were compiled:
>>
>> /usr/local/etc/dovecot/sieve # ls
>> 10-move-spam.sieve 10-move-spam.svbin
>>
>> However, I ran sievec again and tried saving a modified script and got the same:
>>
>> shiofuki dovecot: lda(gessel at blackrosetech.com): Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.shiofuki.blackrosetech.com.96421.) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve, we're not in group 6(mail), dir owned by 143:6 mode=0775)
>> Dec 9 11:30:39 shiofuki dovecot: lda(gessel at blackrosetech.com): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/usr/local/etc/dovecot/sieve/10-move-spam.sieve' need to be pre-compiled using the sievec tool
>>
>>
>> I use Thomas Schmid's Sieve 0.2.3d add on to Thunderbird, if that might have any significance.
>>
>> Compiling with sievec shouldn't change the permission error, which I still don't understand.
>>
>>
>>> [TOFU snipped]
>
> /usr/local/etc/dovecot/sieve is not the user's sieve_dir; see
> <http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration>.
>
> The GLOBAL sieve scripts (see your error message above) are managed by the
> system administrator. Admins are using their favorite $EDITOR, the
> chmod(1) and chown(1) commands. They don't need a ManageSieve client.
>

Pascal,

Thank you very much for your prompt assistance.

I apologize that I haven't been able to use your advice to sort out the issues, but I'm either not getting it or it is tangential to the problem I'm having. I apologize if I haven't provided enough information.

90-sieve.conf's specification of those file locations for global and user scripts (relevant lines from the config below):

sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
#sieve_global_dir
sieve_before = /usr/local/etc/dovecot/sieve/

I brought up the plugin only because only two things have touched any part of the dovecot/sieve configuration between "working" and "not working" states:

- An update using portmaster to dovecot2-2.2.15_1/dovecot-pigeonhole-0.4.6 and
- an edit via the Sieve plugin/Managesieve.

One of the two has broken sieve. Unfortunately I did take note of the last working version of dovecot/dovecot-pigeonhole, but it could not be more than a few months old as I update ports fairly regularly and my last buildworld wasn't that long ago.

It is consistent with the errors and my understanding that user scripts are not the likely culprit: I included the information for the sake of completeness, which can now be dismissed.

Moving back to the logged warnings:

Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.shiofuki.blackrosetech.com.96421.) failed:
- this seems to me to indicate that sieve tried to write "10-move-spam.svbin.shiofuki.blackrosetech.com.96421" in the directory /usr/local/etc/dovecot/sieve/

Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve
- I read this as sieve determining that "vmail" is not permitted to write to /usr/local/etc/dovecot/sieve

we're not in group 6(mail), dir owned by 143:6 mode=0775)
- and giving a very helpful bit of advice that "we're" not in group 6(mail) - which I'm reading as "vmail" not being in group "mail" - and that the target directory is owned by 143:6 0775.

The latter is consistent with the OS's reporting of the directory:

drwxrwxr-x 2 dovecot mail 4B Dec 9 11:27 sieve

from /etc/group

mail:*:6:postfix,clamav,vscan,dovecot,vmail,spamd
dovecot:*:143:

IF I'm reading "we're" as "vmail" correctly, this is incorrect ("we're not in group 6(mail)"). vmail IS in group "mail" and group "mail" does have write permissions to /usr/local/etc/dovecot/sieve/ (group is rwx).

Perhaps "we're" now refers to another user? I see from top (I realize this is unlikely):

96387 dovenull 1 20 0 29120K 6080K kqread 7 0:00 0.00% managesieve-login

As for the error

dovecot: lda(gessel at blackrosetech.com): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/usr/local/etc/dovecot/sieve/10-move-spam.sieve' need to be pre-compiled using the sievec tool

The reported error is consistent with the previous - a newly minted permission problem that seems to have come with the update. In this case the advice given about precompiling global scripts seems misplaced. The script is compiled, as reported by the error immediately preceding (10-move-spam.svbin, the svbin suffix is added by the compilation process) and just to be sure I ran sievec again and #service dovecot restart without changing the error.

My inexpert intuition is that the latest update introduced a bug that is manifesting itself as a permission error.

On Tue, 9 Dec 2014, David Gessel wrote:

> Global scripts were compiled:
>
> /usr/local/etc/dovecot/sieve # ls
> 10-move-spam.sieve 10-move-spam.svbin

> However, I ran sievec again and tried saving a modified script and got the same:

Actually this "ls" output and the last sentence does not indicate that the Sieve script had been compiled:
a) after changing 10-move-spam.sieve _and_
b) after the upgrade with the new Sieve tools.

Did _you_ _manually_ run:

cd /usr/local/etc/dovecot/sieve
rm 10-move-spam.svbin
sievec -D 10-move-spam.sieve

? And, is the sievec command displaying the Pigeonhole version you have installed?

> -------- Original Message --------
> Subject: Re: Sieve permissions issue following update
> From: Pascal Volk <user+dovecot at localhost.localdomain.org>
> To: Dovecot Mailing List <dovecot at dovecot.org>
> Date: Tue Dec 09 2014 20:45:00 GMT+0300 (Arabic Standard Time)
>
>> On 12/09/2014 05:35 PM, David Gessel wrote:
>>> I recently updated dovecot and my sieve filters stopped working. Checking the logs I see:
>>>
>>> Dec 9 00:09:59 mailhost dovecot: lda(gessel at domain.com): Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.mailhost.domain.com.114.) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve, we're not in group 6(mail), dir owned by 143:6 mode=0775)
>>>
>>> Dec 9 00:09:59 mailhost dovecot: lda(gessel at domain.com): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/usr/local/etc/dovecot/sieve/10-move-spam.sieve' need to be pre-compiled using the sievec tool
>>
>> As mentioned in the error message from your logs and in the wiki
>> <http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage#Manually_Compiling_Sieve_Scripts>:
>>
>> To mitigate this problem, the administrator must manually
>> pre-compile global scripts using the sievec command line tool.

--
Steffen Kaiser

-------- Original Message --------
Subject: Re: Sieve permissions issue following update
From: Steffen Kaiser <skdovecot at smail.inf.fh-brs.de>
To: David Gessel <gessel at blackrosetech.com>
Date: Wed Dec 10 2014 09:52:57 GMT+0300 (Arabic Standard Time)

>
> Actually this "ls" output and the last sentence does not indicate that the Sieve script had been compiled: a) after changing 10-move-spam.sieve _and_ b) after the upgrade with the new Sieve tools.

Good point.

>
> Did _you_ _manually_ run:
>
> cd /usr/local/etc/dovecot/sieve
> rm 10-move-spam.svbin

Uh oh... I did not rm the existing svbin.

> sievec -D 10-move-spam.sieve
>
> ? And, is the sievec command displaying the Pigeonhole version you have installed?

And the -D directive is very useful, thanks:

# rm 10-move-spam.svbin
# sievec -D 10-move-spam.sieve
sievec(gessel): Debug: sieve: Pigeonhole version 0.4.6 (3e924b1b6c5c+) initializing
sievec(gessel): Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts.
sievec(gessel): Debug: sieve: file storage: Using script storage path: 10-move-spam.sieve
sievec(gessel): Debug: sieve: file script: Opened script `10-move-spam' from `10-move-spam.sieve'
sievec(gessel): Debug: sieve: Script `10-move-spam' from 10-move-spam.sieve successfully compiled

and watching the logs:

dovecot: lda(gessel at blackrosetech.com): sieve: msgid=<CAFOe2y4kDushW=u6_cN1JmsP1FF63BzJ5O8=VjquHNaNAnskFw at mail.gmail.com>: stored mail into mailbox 'INBOX'

Success!

The permissions correction portion of the error below still seems wrong though, isn't it? And if so, a little misleading.

Dec 9 00:09:59 mailhost dovecot: lda(gessel at domain.com): Error: sieve: binary save: failed to create temporary file: open(/usr/local/etc/dovecot/sieve/10-move-spam.svbin.mailhost.domain.com.114.) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /usr/local/etc/dovecot/sieve, we're not in group 6(mail), dir owned by 143:6 mode=0775)

Does it seem reasonable to let the port maintainer know to submit a request to include instructions in /usr/ports/UPDATING for recompiling global scripts when necessary (and how to do it)? I checked before posting to the list and the last entry for sieve is this one:

20090828:
AFFECTS: users of mail/dovecot and mail/dovecot-sieve
AUTHOR: yds at CoolRat.org

dovecot-sieve has been updated to a new implementation compatible with dovecot 1.2.x. For details of what this means please refer to:

http://wiki.dovecot.org/LDA/Sieve/Dovecot#Migration_from_CMUSieve

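The check that Steffen Kaiser's reply asks for and that the test above confirmed (was each global .svbin rebuilt after its script last changed and after the upgrade?), as an added shell example that is not part of the original thread. The function name audit_sieve_dir is hypothetical, and comparing each binary's mtime with a reference file such as the installed sievec executable is an assumed heuristic for "compiled before the upgrade".

```shell
#!/bin/sh
# Added example (not from the thread): find global Sieve binaries that the
# LDA would try to recompile, and fail to save, at delivery time.
# audit_sieve_dir is a hypothetical helper name.
#
# audit_sieve_dir DIR [REF]
#   MISSING   no .svbin beside the script
#   OUTDATED  script source is newer than its .svbin
#   PREDATES  .svbin is older than REF (assumed: REF is the sievec
#             executable, so the binary was built before the upgrade)
#   OK        none of the above
# Returns 0 only when every script is OK.
audit_sieve_dir() {
    dir=$1
    ref=${2:-}
    rc=0
    for src in "$dir"/*.sieve; do
        [ -e "$src" ] || continue        # glob matched nothing
        bin="${src%.sieve}.svbin"
        if [ ! -e "$bin" ]; then
            state=MISSING
        elif [ "$src" -nt "$bin" ]; then
            state=OUTDATED
        elif [ -n "$ref" ] && [ "$ref" -nt "$bin" ]; then
            state=PREDATES
        else
            state=OK
        fi
        [ "$state" = OK ] || rc=1
        printf '%s %s\n' "$state" "$src"
    done
    return "$rc"
}

# Stand-alone use: audit.sh /usr/local/etc/dovecot/sieve [reference-file]
if [ "$#" -ge 1 ]; then
    audit_sieve_dir "$1" "${2:-$(command -v sievec)}"
fi
```

Any script not reported OK is a candidate for the rm and sievec -D steps shown in the thread, run by an account that can write to the global directory.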
On Dec 10, 2014, at 1:52 AM, Steffen Kaiser <skdovecot at smail.inf.fh-brs.de> wrote:
>
>> Global scripts were compiled:
>>
>> /usr/local/etc/dovecot/sieve # ls
>> 10-move-spam.sieve 10-move-spam.svbin
>
>> However, I ran sievec again and tried saving a modified script and got the same:
>
> Actually this "ls" output and the last sentence does not indicate that the Sieve script had been compiled: a) after changing 10-move-spam.sieve _and_ b) after the upgrade with the new Sieve tools.
>
> Did _you_ _manually_ run:
>
> cd /usr/local/etc/dovecot/sieve
> rm 10-move-spam.svbin
> sievec -D 10-move-spam.sieve
>
> ? And, is the sievec command displaying the Pigeonhole version you have installed?

I've been following this thread and have been seeing a similar problem.

Dovecot 2.2.5 and pigeonhole-0.4.6

The problem I'm having is with "sieve_default" script that's in a directory users have no permission to:

sieve = ~/.dovecot.sieve
sieve_dir = ~/.sieve.d
sieve_default = /etc/dovecot/sieve/default.sieve

My sieve.default only has "keep;" and I manually removed and compiled it.

sievec(root): Debug: sieve: Pigeonhole version 0.4.6 (3e924b1b6c5c+) initializing
sievec(root): Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts.
sievec(root): Debug: sieve: file storage: Using script storage path: default.sieve
sievec(root): Debug: sieve: file script: Opened script `default' from `default.sieve'
sievec(root): Debug: sieve: Script `default' from default.sieve successfully compiled

ls -l
-rw-r--r-- 1 root wheel 6 Dec 31 15:54 default.sieve
-rw-r--r-- 1 root wheel 142 Dec 31 15:54 default.svbin

Yet, dovecot still tries to compile it under the user in that path.

Dec 31 15:55:11 dovecot: lda(fred): Error: sieve: binary save: failed to create temporary file: open(/etc/dovecot/sieve/default.svbin.localhost.87581.) failed: Permission denied (euid=1002(fred) egid=1002(fred) missing +w perm: /etc/dovecot/sieve, dir owned by 26:0 mode=0755)
Dec 31 15:55:11 dovecot: lda(fred): Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like `/etc/dovecot/sieve/default.sieve' need to be pre-compiled using the sievec tool
Dec 31 15:55:11 dovecot: lda(fred): sieve: msgid=<63706CEA-E77F-45BE-B848-1E664773EBDE at inoc.net>: stored mail into mailbox 'INBOX'

Ideas?