Larry Rosenman
2015-Nov-03 20:13 UTC
dovecot-lda can't create /var/mail dotlocks on debian
and, are you SURE that dovecot-lda has mail in it's group list when it is executing? On Tue, Nov 3, 2015 at 2:12 PM, Larry Rosenman <larryrtx at gmail.com> wrote:> Hrm. if you turn up the debug on lda, do you get any more of a clue? > > Those permissions look fine to me. > > > On Tue, Nov 3, 2015 at 2:10 PM, John Clements <johnbclements at gmail.com> > wrote: > >> clements at desmond:/var/log$ ls -lda /var/mail >> drwxrwsr-x 2 root mail 4096 Nov 2 22:07 /var/mail >> >> >> Best, >> >> John Clements >> >> On Tue, Nov 3, 2015 at 11:52 AM, Larry Rosenman <larryrtx at gmail.com> >> wrote: >> >>> what is the full permissions of /var/mail? >>> >>> >>> ls -lda /var/mail >>> >>> On Tue, Nov 3, 2015 at 1:49 PM, John Clements <johnbclements at gmail.com> >>> wrote: >>> >>>> I've been using dovecot+postfix happily for many years, and I'm now >>>> configuring it for a new machine. However, I'm running into an old >>>> problem >>>> again, and thinking that there must be a better solution. >>>> >>>> The problem is that dovecot-lda is unable to create dotlock files in the >>>> /var/mail directory. >>>> >>>> Dovecot version: 1:2.2.13-12~deb8u1 (I'm guessing this is upstream >>>> version >>>> 2.2.13) >>>> OS: Debian Jessie >>>> >>>> Currently, my mail directory has these permissions: >>>> >>>> clements at desmond:~$ ls -ld /var/mail >>>> drwxrwsr-x 2 root mail 4096 Nov 2 22:07 /var/mail >>>> clements at desmond:~$ ls -l /var/mail >>>> total 8 >>>> -rw------- 1 clements mail 1382 Nov 2 21:59 clements >>>> -rw------- 1 granitemon mail 530 Nov 2 22:07 granitemon >>>> >>>> I've added >>>> mail_privileged_group = mail >>>> to allow creation of the dotlock files. >>>> >>>> When I configure postfix to deliver using dovecot-lda, I get logs that >>>> look >>>> like this: >>>> >>>> Nov 3 11:12:20 desmond dovecot: lda(granitemon): Error: >>>> setegid(privileged) failed: Operation not permitted >>>> Nov 3 11:12:20 desmond dovecot: lda(granitemon): msgid=< >>>> 20151103181306.A4B5B5FF32 at desmond.XXXDOMAIN.org>: save failed to INBOX: >>>> BUG: Unknown internal error >>>> >>>> In order to isolate the error, I took postfix out of the equation, and >>>> called dovecot-lda directly: >>>> >>>> clements at desmond:/tmp$ cat bogusmail >>>> From: clements at XXXDOMAIN.org >>>> To: granitemon at localhost >>>> Date: November 3 2015 >>>> Subject: graaaah >>>> >>>> this is the body >>>> clements at desmond:/tmp$ /usr/lib/dovecot/dovecot-lda -e -d clements < >>>> bogusmail >>>> BUG: Unknown internal error >>>> clements at desmond:/tmp$ >>>> >>>> In response to this, mail.log now contains this similar error: >>>> >>>> Nov 3 11:34:57 desmond dovecot: lda(clements): msgid=unspecified: save >>>> failed to INBOX: BUG: Unknown internal error >>>> Nov 3 11:34:57 desmond dovecot: lda(clements): Error: >>>> setegid(privileged) >>>> failed: Operation not permitted >>>> >>>> >>>> I've tried a number of "random internet search" solutions, including >>>> - changing perms on mail files from 660 to 600 >>>> - enabling 'mail_access_groups=mail' in 10-mail.conf >>>> - adding individual users to the mail group. >>>> >>>> I guess I'm pretty confident that if dovecot is writing "BUG: Unknown >>>> internal error" in the logs, that this is is actually a bug in dovecot. >>>> >>>> OBresearch: I read through the release notes of 2.2.14 -- 2.2.19 to see >>>> if >>>> a relevant-looking bug had been fixed, but nothing jumped out at me. >>>> OBresearch: searching the dovecot mailing list, I found one *extremely* >>>> relevant thread called "Re: [Dovecot] started with dovecot sieve >>>> <http://dovecot.markmail.org/message/kgd34wberxuvmrsa?q=setegid>", but >>>> there didn't seem to be a solution contained in the thread. >>>> >>>> Final note: this doesn't appear to be confined to debian jessie: I took >>>> a >>>> look at my existing installation, and I see that in fact I just went >>>> ahead >>>> and made /var/mail world-writeable, which seems... sub-optimal. I'm >>>> sure I >>>> could do that here, too, but I'd certainly rather not. >>>> >>>> Thanks in advance, and let me know if I've left out relevant crucial >>>> information. >>>> >>>> Best, >>>> >>>> John Clements >>>> >>> >>> >>> >>> -- >>> Larry Rosenman http://www.lerctr.org/~ler >>> Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com >>> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961 >>> >> >> > > > -- > Larry Rosenman http://www.lerctr.org/~ler > Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com > US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961 >-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961
Well, first, here are the logs I generated: Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: Effective uid=1003, gid=1003, home=/home/granitemon Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail:INBOX=/var/mail/granitemon Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: fs: root=/home/granitemon/mail, index=, indexpvt=, control=, inbox=/var/mail/granitemon, altNov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: userdb lookup skipped, username taken from USER environment Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: none: root=, index=, indexpvt=, control=, inbox=, altNov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: Destination address: granitemon at desmond.brinckerhoff.org (source: user at hostname) Nov 3 12:23:05 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted Nov 3 12:23:05 desmond dovecot: lda(granitemon): msgid=< 20151103202305.88BE05FF39 at desmond.brinckerhoff.org>: save failed to INBOX: BUG: Unknown internal error Nov 3 12:23:05 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted Nov 3 12:23:05 desmond postfix/local[26490]: 88BE05FF39: to=<granitemon at localhost>, relay=local, delay=0.04, delays=0.01/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure) At this point... well, I don't understand why dovecot signals an "Unknown internal error," but I think I understand that even if I *do* get this working, I'm pretty much throwing in the towel, because since postfix invokes the lda as the user receiving the mail, then this only works if all users receiving mail are in the mail group, which means any of them can mess up any other's mbox. So, it looks like even if this bug is fixed, I'm left with two obvious choices: - make /var/mail writeable by all users that receive mail, or - use LMTP instead. Many thanks for your help, John Clements On Tue, Nov 3, 2015 at 12:13 PM, Larry Rosenman <larryrtx at gmail.com> wrote:> and, are you SURE that dovecot-lda has mail in it's group list when it is > executing? > > On Tue, Nov 3, 2015 at 2:12 PM, Larry Rosenman <larryrtx at gmail.com> wrote: > >> Hrm. if you turn up the debug on lda, do you get any more of a clue? >> >> Those permissions look fine to me. >> >> >> On Tue, Nov 3, 2015 at 2:10 PM, John Clements <johnbclements at gmail.com> >> wrote: >> >>> clements at desmond:/var/log$ ls -lda /var/mail >>> drwxrwsr-x 2 root mail 4096 Nov 2 22:07 /var/mail >>> >>> >>> Best, >>> >>> John Clements >>> >>> On Tue, Nov 3, 2015 at 11:52 AM, Larry Rosenman <larryrtx at gmail.com> >>> wrote: >>> >>>> what is the full permissions of /var/mail? >>>> >>>> >>>> ls -lda /var/mail >>>> >>>> On Tue, Nov 3, 2015 at 1:49 PM, John Clements <johnbclements at gmail.com> >>>> wrote: >>>> >>>>> I've been using dovecot+postfix happily for many years, and I'm now >>>>> configuring it for a new machine. However, I'm running into an old >>>>> problem >>>>> again, and thinking that there must be a better solution. >>>>> >>>>> The problem is that dovecot-lda is unable to create dotlock files in >>>>> the >>>>> /var/mail directory. >>>>> >>>>> Dovecot version: 1:2.2.13-12~deb8u1 (I'm guessing this is upstream >>>>> version >>>>> 2.2.13) >>>>> OS: Debian Jessie >>>>> >>>>> Currently, my mail directory has these permissions: >>>>> >>>>> clements at desmond:~$ ls -ld /var/mail >>>>> drwxrwsr-x 2 root mail 4096 Nov 2 22:07 /var/mail >>>>> clements at desmond:~$ ls -l /var/mail >>>>> total 8 >>>>> -rw------- 1 clements mail 1382 Nov 2 21:59 clements >>>>> -rw------- 1 granitemon mail 530 Nov 2 22:07 granitemon >>>>> >>>>> I've added >>>>> mail_privileged_group = mail >>>>> to allow creation of the dotlock files. >>>>> >>>>> When I configure postfix to deliver using dovecot-lda, I get logs that >>>>> look >>>>> like this: >>>>> >>>>> Nov 3 11:12:20 desmond dovecot: lda(granitemon): Error: >>>>> setegid(privileged) failed: Operation not permitted >>>>> Nov 3 11:12:20 desmond dovecot: lda(granitemon): msgid=< >>>>> 20151103181306.A4B5B5FF32 at desmond.XXXDOMAIN.org>: save failed to >>>>> INBOX: >>>>> BUG: Unknown internal error >>>>> >>>>> In order to isolate the error, I took postfix out of the equation, and >>>>> called dovecot-lda directly: >>>>> >>>>> clements at desmond:/tmp$ cat bogusmail >>>>> From: clements at XXXDOMAIN.org >>>>> To: granitemon at localhost >>>>> Date: November 3 2015 >>>>> Subject: graaaah >>>>> >>>>> this is the body >>>>> clements at desmond:/tmp$ /usr/lib/dovecot/dovecot-lda -e -d clements < >>>>> bogusmail >>>>> BUG: Unknown internal error >>>>> clements at desmond:/tmp$ >>>>> >>>>> In response to this, mail.log now contains this similar error: >>>>> >>>>> Nov 3 11:34:57 desmond dovecot: lda(clements): msgid=unspecified: save >>>>> failed to INBOX: BUG: Unknown internal error >>>>> Nov 3 11:34:57 desmond dovecot: lda(clements): Error: >>>>> setegid(privileged) >>>>> failed: Operation not permitted >>>>> >>>>> >>>>> I've tried a number of "random internet search" solutions, including >>>>> - changing perms on mail files from 660 to 600 >>>>> - enabling 'mail_access_groups=mail' in 10-mail.conf >>>>> - adding individual users to the mail group. >>>>> >>>>> I guess I'm pretty confident that if dovecot is writing "BUG: Unknown >>>>> internal error" in the logs, that this is is actually a bug in dovecot. >>>>> >>>>> OBresearch: I read through the release notes of 2.2.14 -- 2.2.19 to >>>>> see if >>>>> a relevant-looking bug had been fixed, but nothing jumped out at me. >>>>> OBresearch: searching the dovecot mailing list, I found one *extremely* >>>>> relevant thread called "Re: [Dovecot] started with dovecot sieve >>>>> <http://dovecot.markmail.org/message/kgd34wberxuvmrsa?q=setegid>", but >>>>> there didn't seem to be a solution contained in the thread. >>>>> >>>>> Final note: this doesn't appear to be confined to debian jessie: I >>>>> took a >>>>> look at my existing installation, and I see that in fact I just went >>>>> ahead >>>>> and made /var/mail world-writeable, which seems... sub-optimal. I'm >>>>> sure I >>>>> could do that here, too, but I'd certainly rather not. >>>>> >>>>> Thanks in advance, and let me know if I've left out relevant crucial >>>>> information. >>>>> >>>>> Best, >>>>> >>>>> John Clements >>>>> >>>> >>>> >>>> >>>> -- >>>> Larry Rosenman http://www.lerctr.org/~ler >>>> Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com >>>> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961 >>>> >>> >>> >> >> >> -- >> Larry Rosenman http://www.lerctr.org/~ler >> Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com >> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961 >> > > > > -- > Larry Rosenman http://www.lerctr.org/~ler > Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com > US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961 >
Larry Rosenman
2015-Nov-03 20:44 UTC
dovecot-lda can't create /var/mail dotlocks on debian
Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: Effective uid=1003, gid=1003, home=/home/granitemon Nov 3 12:23:05 desmond dovecot: lda(granitemon): Error: setegid(privileged) failed: Operation not permitted so it's running as the normal user, and NOT with the mail group. I'm using exim with LMTP. LMTP is NOT a bad thing, and might make your life easier. It does allow you to add sieve scripting if you want to via pigeonhole. Sorry, I'm at a loss, as I do NOT run postfix. I'm not sure what it needs to invoke dovecot-lda with gid mail in the group list. On Tue, Nov 3, 2015 at 2:40 PM, John Clements <johnbclements at gmail.com> wrote:> Well, first, here are the logs I generated: > > Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: Effective > uid=1003, gid=1003, home=/home/granitemon > Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: Namespace inbox: > type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, > subscriptions=yes location=mbox:~/mail:INBOX=/var/mail/granitemon > Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: fs: > root=/home/granitemon/mail, index=, indexpvt=, control=, > inbox=/var/mail/granitemon, alt> Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: userdb lookup > skipped, username taken from USER environment > Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: none: root=, > index=, indexpvt=, control=, inbox=, alt> Nov 3 12:23:05 desmond dovecot: lda(granitemon): Debug: Destination > address: granitemon at desmond.brinckerhoff.org (source: user at hostname) > Nov 3 12:23:05 desmond dovecot: lda(granitemon): Error: > setegid(privileged) failed: Operation not permitted > Nov 3 12:23:05 desmond dovecot: lda(granitemon): msgid=< > 20151103202305.88BE05FF39 at desmond.brinckerhoff.org>: save failed to > INBOX: BUG: Unknown internal error > Nov 3 12:23:05 desmond dovecot: lda(granitemon): Error: > setegid(privileged) failed: Operation not permitted > Nov 3 12:23:05 desmond postfix/local[26490]: 88BE05FF39: > to=<granitemon at localhost>, relay=local, delay=0.04, > delays=0.01/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure) > > At this point... well, I don't understand why dovecot signals an "Unknown > internal error," but I think I understand that even if I *do* get this > working, I'm pretty much throwing in the towel, because since postfix > invokes the lda as the user receiving the mail, then this only works if all > users receiving mail are in the mail group, which means any of them can > mess up any other's mbox. > > So, it looks like even if this bug is fixed, I'm left with two obvious > choices: > - make /var/mail writeable by all users that receive mail, or > - use LMTP instead. > > Many thanks for your help, > > John Clements > > > On Tue, Nov 3, 2015 at 12:13 PM, Larry Rosenman <larryrtx at gmail.com> > wrote: > >> and, are you SURE that dovecot-lda has mail in it's group list when it is >> executing? >> >> On Tue, Nov 3, 2015 at 2:12 PM, Larry Rosenman <larryrtx at gmail.com> >> wrote: >> >>> Hrm. if you turn up the debug on lda, do you get any more of a clue? >>> >>> Those permissions look fine to me. >>> >>> >>> On Tue, Nov 3, 2015 at 2:10 PM, John Clements <johnbclements at gmail.com> >>> wrote: >>> >>>> clements at desmond:/var/log$ ls -lda /var/mail >>>> drwxrwsr-x 2 root mail 4096 Nov 2 22:07 /var/mail >>>> >>>> >>>> Best, >>>> >>>> John Clements >>>> >>>> On Tue, Nov 3, 2015 at 11:52 AM, Larry Rosenman <larryrtx at gmail.com> >>>> wrote: >>>> >>>>> what is the full permissions of /var/mail? >>>>> >>>>> >>>>> ls -lda /var/mail >>>>> >>>>> On Tue, Nov 3, 2015 at 1:49 PM, John Clements <johnbclements at gmail.com >>>>> > wrote: >>>>> >>>>>> I've been using dovecot+postfix happily for many years, and I'm now >>>>>> configuring it for a new machine. However, I'm running into an old >>>>>> problem >>>>>> again, and thinking that there must be a better solution. >>>>>> >>>>>> The problem is that dovecot-lda is unable to create dotlock files in >>>>>> the >>>>>> /var/mail directory. >>>>>> >>>>>> Dovecot version: 1:2.2.13-12~deb8u1 (I'm guessing this is upstream >>>>>> version >>>>>> 2.2.13) >>>>>> OS: Debian Jessie >>>>>> >>>>>> Currently, my mail directory has these permissions: >>>>>> >>>>>> clements at desmond:~$ ls -ld /var/mail >>>>>> drwxrwsr-x 2 root mail 4096 Nov 2 22:07 /var/mail >>>>>> clements at desmond:~$ ls -l /var/mail >>>>>> total 8 >>>>>> -rw------- 1 clements mail 1382 Nov 2 21:59 clements >>>>>> -rw------- 1 granitemon mail 530 Nov 2 22:07 granitemon >>>>>> >>>>>> I've added >>>>>> mail_privileged_group = mail >>>>>> to allow creation of the dotlock files. >>>>>> >>>>>> When I configure postfix to deliver using dovecot-lda, I get logs >>>>>> that look >>>>>> like this: >>>>>> >>>>>> Nov 3 11:12:20 desmond dovecot: lda(granitemon): Error: >>>>>> setegid(privileged) failed: Operation not permitted >>>>>> Nov 3 11:12:20 desmond dovecot: lda(granitemon): msgid=< >>>>>> 20151103181306.A4B5B5FF32 at desmond.XXXDOMAIN.org>: save failed to >>>>>> INBOX: >>>>>> BUG: Unknown internal error >>>>>> >>>>>> In order to isolate the error, I took postfix out of the equation, and >>>>>> called dovecot-lda directly: >>>>>> >>>>>> clements at desmond:/tmp$ cat bogusmail >>>>>> From: clements at XXXDOMAIN.org >>>>>> To: granitemon at localhost >>>>>> Date: November 3 2015 >>>>>> Subject: graaaah >>>>>> >>>>>> this is the body >>>>>> clements at desmond:/tmp$ /usr/lib/dovecot/dovecot-lda -e -d clements < >>>>>> bogusmail >>>>>> BUG: Unknown internal error >>>>>> clements at desmond:/tmp$ >>>>>> >>>>>> In response to this, mail.log now contains this similar error: >>>>>> >>>>>> Nov 3 11:34:57 desmond dovecot: lda(clements): msgid=unspecified: >>>>>> save >>>>>> failed to INBOX: BUG: Unknown internal error >>>>>> Nov 3 11:34:57 desmond dovecot: lda(clements): Error: >>>>>> setegid(privileged) >>>>>> failed: Operation not permitted >>>>>> >>>>>> >>>>>> I've tried a number of "random internet search" solutions, including >>>>>> - changing perms on mail files from 660 to 600 >>>>>> - enabling 'mail_access_groups=mail' in 10-mail.conf >>>>>> - adding individual users to the mail group. >>>>>> >>>>>> I guess I'm pretty confident that if dovecot is writing "BUG: Unknown >>>>>> internal error" in the logs, that this is is actually a bug in >>>>>> dovecot. >>>>>> >>>>>> OBresearch: I read through the release notes of 2.2.14 -- 2.2.19 to >>>>>> see if >>>>>> a relevant-looking bug had been fixed, but nothing jumped out at me. >>>>>> OBresearch: searching the dovecot mailing list, I found one >>>>>> *extremely* >>>>>> relevant thread called "Re: [Dovecot] started with dovecot sieve >>>>>> <http://dovecot.markmail.org/message/kgd34wberxuvmrsa?q=setegid>", >>>>>> but >>>>>> there didn't seem to be a solution contained in the thread. >>>>>> >>>>>> Final note: this doesn't appear to be confined to debian jessie: I >>>>>> took a >>>>>> look at my existing installation, and I see that in fact I just went >>>>>> ahead >>>>>> and made /var/mail world-writeable, which seems... sub-optimal. I'm >>>>>> sure I >>>>>> could do that here, too, but I'd certainly rather not. >>>>>> >>>>>> Thanks in advance, and let me know if I've left out relevant crucial >>>>>> information. >>>>>> >>>>>> Best, >>>>>> >>>>>> John Clements >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Larry Rosenman http://www.lerctr.org/~ler >>>>> Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com >>>>> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961 >>>>> >>>> >>>> >>> >>> >>> -- >>> Larry Rosenman http://www.lerctr.org/~ler >>> Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com >>> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961 >>> >> >> >> >> -- >> Larry Rosenman http://www.lerctr.org/~ler >> Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com >> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961 >> > >-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961
Possibly Parallel Threads
- dovecot-lda can't create /var/mail dotlocks on debian
- dovecot-lda can't create /var/mail dotlocks on debian
- dovecot-lda can't create /var/mail dotlocks on debian
- dovecot-lda can't create /var/mail dotlocks on debian
- dovecot-lda can't create /var/mail dotlocks on debian