Ernest Deak
2015-Jul-03 12:12 UTC
Dovecot LMTP tries to access a directory of a different user, than the one it actually changed to.
Hello, I encountered a problem when trying to send an email to multiple
recipients.
=== LOG ==
... cut ...
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: none: root=, index=,
control=, inboxJul 3 12:34:57 dhcp90 dovecot: lmtp(24106): Connect from local
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: Loading modules from
directory: /usr/lib64/dovecot
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: Module loaded:
/usr/lib64/dovecot/lib90_sieve_plugin.so
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: auth input: han.solo
system_groups_user=han.solo uid=805 gid=800 home=/home/han.solo
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: auth input: tester
system_groups_user=tester uid=802 gid=800 home=/home/tester
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106): Debug: auth input: vader
system_groups_user=vader uid=804 gid=800 home=/home/vader
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug: Effective
uid=805, gid=800, home=/home/han.solo
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug: fs:
root=/home/han.solo/mail, index=, control=, inbox=/var/mail/han.solo
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: user's script path
/home/han.solo/.dovecot.sieve doesn't exist (using global script path in
stead)
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: user has no valid personal script
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: no scripts to execute: reverting to
default delivery.
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, han.solo):
70NxN1FlllUqXgAA0vrzwA: msgid=<55966551.IfKOMu/T0WTB9M5x%vader at
dhcp90.#####>: saved mail to INBOX
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug: Effective
uid=802, gid=800, home=/home/tester
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug: fs:
root=/home/tester/mail, index=, control=, inbox=/var/mail/tester
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: user's script path
/home/tester/.dovecot.sieve doesn't exist (using global script path in
stead)
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: user has no valid personal script
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: no scripts to execute: reverting to
default delivery.
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Error:
stat(/home/han.solo/mail/.imap/INBOX/dovecot.index.log) failed:
Permission denied (euid=802(tester) egid=800(kerber) missing +x perm:
/home/han.solo, euid is not dir owner)
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Error:
open(/home/han.solo/mail/.imap/INBOX/dovecot.index) failed: Permission
denied (euid=802(tester) egid=800(kerber) missing +x perm:
/home/han.solo, euid is not dir owner)
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester):
70NxN1FlllUqXgAA0vrzwA: msgid=<55966551.IfKOMu/T0WTB9M5x%vader at
dhcp90.#####>: save failed to INBOX: BUG: Unknown internal error
Jul 3 12:34:57 dhcp90 sendmail[24121]: t63AYvn5024116: to=<tester at
dhcp90.#####>, ctladdr=<vader at dhcp90.#####> (804/800),
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=91062,
relay=localhost, dsn=4.2.0, stat=Deferred: 451 4.2.0 <tester> BUG:
Unknown internal error
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug: Effective
uid=804, gid=800, home=/home/vader
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug: fs:
root=/home/vader/mail, index=, control=, inbox=/var/mail/vader
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: user's script path
/home/vader/.dovecot.sieve doesn't exist (using global script path in stead)
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: user has no valid personal script
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Debug:
70NxN1FlllUqXgAA0vrzwA: sieve: no scripts to execute: reverting to
default delivery.
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Error:
stat(/home/han.solo/mail/.imap/INBOX/dovecot.index.log) failed:
Permission denied (euid=804(vader) egid=800(kerber) missing +x perm:
/home/han.solo, euid is not dir owner)
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, vader): Error:
open(/home/han.solo/mail/.imap/INBOX/dovecot.index) failed: Permission
denied (euid=804(vader) egid=800(kerber) missing +x perm:
/home/han.solo, euid is not dir owner)
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, vader):
70NxN1FlllUqXgAA0vrzwA: msgid=<55966551.IfKOMu/T0WTB9M5x%vader at
dhcp90.#####>: save failed to INBOX: BUG: Unknown internal error
Jul 3 12:34:57 dhcp90 sendmail[24121]: t63AYvn5024116: to=<vader at
dhcp90.#####>, ctladdr=<vader at dhcp90.#####> (804/800),
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=91062,
relay=localhost, dsn=4.2.0, stat=Deferred: 451 4.2.0 <vader> BUG:
Unknown internal error
Jul 3 12:34:57 dhcp90 sendmail[24121]: t63AYvn5024116: to=<han.solo at
dhcp90.#####>, ctladdr=<vader at dhcp90.#####> (804/800),
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=91062,
relay=localhost, dsn=2.0.0, stat=Sent
Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106): Disconnect from local:
Client quit
==========
The setup is as follows:
All users have /bin/false instead of a shell.
Each user has a unique UID but they all have 1 GID (800)
My MTA is sendmail
I am using dovecot-lmtp for local delivery
Mailbox format is mbox
Configured managesieve plugin to listen on 4190. (not sure if this is
even related but it might)
The problem I see is that lmtp(user1) tries to access the home directory
/home/user2 and I cannot figure out the reason why.
This only happens when sending mails to multiple recipients.
I see the that lmtp complains that it doesn't have execute permissions.
But I don't want to place execute permissions for others on the entire
/home/* dir structure.
Also, 700 are the default creation permissions. So new users would have
to be chmod'ed manually. (unless there is a setting in dovecot)
I used "mailx" to send a test email to multiple recipients
`echo "test message" | mailx -s "subject" -r vader at
dhcp90.#####
han.solo at dhcp90.##### vader at dhcp90.##### tester at dhcp90.#####`
The only one who actually receives the message is han.solo at
dhcp90.##### and
The same happens with aliases in /etc/aliases.
`echo "group test" | mailx -s "subject" -r vader at
dhcp90.#####
grouplist at dhcp90.#####`
"grouplist" is defined in /etc/aliases and contains the same users as
in
the log
Any help with this is greatly appreciated.
Here is my dovecot configuration:
=== `dovecot -n` ==# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-504.12.2.el6.x86_64 x86_64 CentOS release 6.6 (Final)
auth_debug = yes
auth_mechanisms = plain login
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
mail_debug = yes
mail_full_filesystem_access = yes
mail_gid = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
mbox_write_locks = fcntl
passdb {
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
service lmtp {
client_limit = 1
executable = /usr/libexec/dovecot/lmtp -L
inet_listener lmtp {
address = 127.0.0.1 ::1
port = 24
}
process_min_avail = 1
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = " sieve"
postmaster_address = postmaster
}
==============`rpm -qa | grep dovecot`
dovecot-pigeonhole-2.0.9-8.el6_6.4.x86_64
dovecot-2.0.9-8.el6_6.4.x86_64
Thanks in advance.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4249 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20150703/7ad78227/attachment-0001.p7s>
Steffen Kaiser
2015-Jul-03 13:09 UTC
Dovecot LMTP tries to access a directory of a different user, than the one it actually changed to.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 3 Jul 2015, Ernest Deak wrote:> Hello, I encountered a problem when trying to send an email to multiple > recipients.> Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Error: > stat(/home/han.solo/mail/.imap/INBOX/dovecot.index.log) failed: Permission > denied (euid=802(tester) egid=800(kerber) missing +x perm: /home/han.solo, > euid is not dir owner) > Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Error: > open(/home/han.solo/mail/.imap/INBOX/dovecot.index) failed: Permission denied > (euid=802(tester) egid=800(kerber) missing +x perm: /home/han.solo, euid is > not dir owner) > Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): 70NxN1FlllUqXgAA0vrzwA: > msgid=<55966551.IfKOMu/T0WTB9M5x%vader at dhcp90.#####>: save failed to > INBOX: BUG: Unknown internal error> My MTA is sendmail > I am using dovecot-lmtp for local delivery > Mailbox format is mbox > Configured managesieve plugin to listen on 4190. (not sure if this is even > related but it might) > > The problem I see is that lmtp(user1) tries to access the home directory > /home/user2 and I cannot figure out the reason why. > This only happens when sending mails to multiple recipients.> I see the that lmtp complains that it doesn't have execute permissions. But I > don't want to place execute permissions for others on the entire /home/* dir > structure.as far as I remember there had been (or is) a bug in Dovecot, that privilegues are not changed correctly when delivering to another user. If that's the case, limit the number of recipients per LMTP message to 1, see r= field in mailer definition in op.me. - -- Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEVAwUBVZaJdHz1H7kL/d9rAQJrBAf/XYV/Pma3MEyZsyk90g/llcRbXK4kn84J IopHII8l82XPGZKBsaaEp3hkNn+hKkNxwPpLXD57Ny5rM9fAZkYrvW/ZPBZ6pFoQ htMF5VXkpZ9i99ftCMGo4KmpbJC1cpmnTluxJvKclgjzwRLWfCdhuRH51YnAhinM 8dItrRyrv/5H0T8HeIQi9QSQPdquCiuY8RVQvos+6dClb3XEKAjyRwmjs0SRgoI2 Zqewwls6UbaXbgDqA+2umySRjHh8lQsIWg4DFcSigH3vE7XuYdruphbsHdY7Ssib nT/l3WhrjjdXEoAzTPZgmorzP7/e/NM9rYZxNxgopht4YDBPX1/CYA==JYrh -----END PGP SIGNATURE-----
Arkadiusz MiĆkiewicz
2015-Jul-03 22:01 UTC
Dovecot LMTP tries to access a directory of a different user, than the one it actually changed to.
On Friday 03 of July 2015, Ernest Deak wrote:> Hello, I encountered a problem when trying to send an email to multiple > recipients.That bug exists for some time http://www.dovecot.org/list/dovecot/2014-September/097688.html but no solution exists and I think no one actually tried to fix it. (no solution beside already mentioned ugly workaround with limiting to 1 recipient per lmtp session) -- Arkadiusz Mi?kiewicz, arekm / ( maven.pl | pld-linux.org )
Ernest Deak
2015-Jul-06 07:20 UTC
Dovecot LMTP tries to access a directory of a different user, than the one it actually changed to.
Adding r= field into the Mlocal definition of sendmail.cf worked out. However, I dug around the documentation and found a macro one can define to achieve this without having to mess around with the .cf file. I am adding this here for anyone who might encounter the same problem. In an .mc file, you can write: define(`LOCAL_MAILER_MAXRCPTS',`1') To achieve the same effect. Thanks to all for the hints. On 03.07.2015 15:09, Steffen Kaiser wrote:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Fri, 3 Jul 2015, Ernest Deak wrote: > >> Hello, I encountered a problem when trying to send an email to >> multiple recipients. > >> Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Error: >> stat(/home/han.solo/mail/.imap/INBOX/dovecot.index.log) failed: >> Permission denied (euid=802(tester) egid=800(kerber) missing +x perm: >> /home/han.solo, euid is not dir owner) >> Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): Error: >> open(/home/han.solo/mail/.imap/INBOX/dovecot.index) failed: >> Permission denied (euid=802(tester) egid=800(kerber) missing +x perm: >> /home/han.solo, euid is not dir owner) >> Jul 3 12:34:57 dhcp90 dovecot: lmtp(24106, tester): >> 70NxN1FlllUqXgAA0vrzwA: msgid=<55966551.IfKOMu/T0WTB9M5x%vader at >> dhcp90.#####>: save failed to INBOX: BUG: Unknown internal error > >> My MTA is sendmail >> I am using dovecot-lmtp for local delivery >> Mailbox format is mbox >> Configured managesieve plugin to listen on 4190. (not sure if this is >> even related but it might) >> >> The problem I see is that lmtp(user1) tries to access the home >> directory /home/user2 and I cannot figure out the reason why. >> This only happens when sending mails to multiple recipients. > >> I see the that lmtp complains that it doesn't have execute >> permissions. But I don't want to place execute permissions for others >> on the entire /home/* dir structure. > > as far as I remember there had been (or is) a bug in Dovecot, that > privilegues are not changed correctly when delivering to another user. > If that's the case, limit the number of recipients per LMTP message to > 1, see r= field in mailer definition in op.me. > > - -- Steffen Kaiser > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQEVAwUBVZaJdHz1H7kL/d9rAQJrBAf/XYV/Pma3MEyZsyk90g/llcRbXK4kn84J > IopHII8l82XPGZKBsaaEp3hkNn+hKkNxwPpLXD57Ny5rM9fAZkYrvW/ZPBZ6pFoQ > htMF5VXkpZ9i99ftCMGo4KmpbJC1cpmnTluxJvKclgjzwRLWfCdhuRH51YnAhinM > 8dItrRyrv/5H0T8HeIQi9QSQPdquCiuY8RVQvos+6dClb3XEKAjyRwmjs0SRgoI2 > Zqewwls6UbaXbgDqA+2umySRjHh8lQsIWg4DFcSigH3vE7XuYdruphbsHdY7Ssib > nT/l3WhrjjdXEoAzTPZgmorzP7/e/NM9rYZxNxgopht4YDBPX1/CYA=> =JYrh > -----END PGP SIGNATURE------------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4249 bytes Desc: S/MIME Cryptographic Signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20150706/293f7179/attachment.p7s>