Hello,
i want to configure a virtual mailsystem on an debian server with exim and
dovecot.
Because it is running on a V-Server, i want to store everythink in a LUKS
encrypted contrainer.
So i created a group crypt with the members Debian-exim (107), dovecot, (other
users with encrypted content)
All mails should be stored in /mail in the mounted container.
Dovecot has this configuration:
======================================passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf
}
userdb {
driver = static
args = uid=Debian-exim gid=mail home=/mountpoint/mail/%d/%n
}
mail_uid = Debian-exim
first_valid_uid = 107
last_valid_uid = 107
first_valid_gid = 8
last_valid_gid = 9
mail_location = maildir:/mountpoint/mail/%d/%n
======================================
The /mountpoint has the following rights:
drwxrwx--- 5 root crypt 4,0K Dez 13 19:05 mountpoint
The subdirectories are all owned by Debian-exim:
drwxrwx--- 4 Debian-exim mail 4,0K Okt 23 17:05 mail
The group mail has id 8 and the group crypt has id 9
The Problem is that dovecot will not go into the directory with group crypt!
I always get the following error message:
Dec 15 18:03:25 pop3(karsten at server): Error: user karsten at server:
Initialization failed: Initializing mail storage from
mail_location setting failed: stat(/mountpoint/mail/server/karsten) failed:
Permission denied (euid=107(Debian-exim)
egid=8(mail) missing +x perm: /mnt, we're not in group 9(crypt), dir owned
by 0:9 mode=0770)
Dec 15 18:03:25 pop3(karsten at server): Error: Invalid user settings. Refer to
server log for more information.
But dovecot is definitely in the group crypt!
What i am doing wrong?
Regards
Karsten
Eduardo M KALINOWSKI
2016-Dec-15 17:22 UTC
Configuration problem for secure virtual server
On Qui, 15 Dez 2016, Karsten Malcher wrote:> Hello, > > mail_uid = Debian-eximThis will be important later> > Dec 15 18:03:25 pop3(karsten at server): Error: user karsten at server: > Initialization failed: Initializing mail storage from > mail_location setting failed: stat(/mountpoint/mail/server/karsten) > failed: Permission denied (euid=107(Debian-exim) > egid=8(mail) missing +x perm: /mnt, we're not in group 9(crypt), dir > owned by 0:9 mode=0770) > Dec 15 18:03:25 pop3(karsten at server): Error: Invalid user settings. > Refer to server log for more information. > > But dovecot is definitely in the group crypt!dovecot may be, but the process is not trying to access as user dovecot, but as Debian-exim (as shown in the log). And this happens because of the mail_uid line in your config. -- Eduardo M KALINOWSKI eduardo at kalinowski.com.br
Am 15.12.2016 um 18:22 schrieb Eduardo M KALINOWSKI:> On Qui, 15 Dez 2016, Karsten Malcher wrote: >> Hello, >> >> mail_uid = Debian-exim > This will be important laterIt does not run when i comment this out. Dovecot was running before i moved the mail-path from a non encrypted one to the encrypted path.>> >> Dec 15 18:03:25 pop3(karsten at server): Error: user karsten at server: Initialization failed: Initializing mail storage from >> mail_location setting failed: stat(/mountpoint/mail/server/karsten) failed: Permission denied (euid=107(Debian-exim) >> egid=8(mail) missing +x perm: /mnt, we're not in group 9(crypt), dir owned by 0:9 mode=0770) >> Dec 15 18:03:25 pop3(karsten at server): Error: Invalid user settings. Refer to server log for more information. >> >> But dovecot is definitely in the group crypt! > > dovecot may be, but the process is not trying to access as user dovecot, but as Debian-exim (as shown in the log). And > this happens because of the mail_uid line in your config. >Yes - the error message say it - but Debian-exim is in the group crypt too. Dovecot is rejecting the path of the mountpoint! Why?
I can only login when i alter the group to crypt. But then dovecot has the problem that it is not in group mail: Dec 15 18:33:39 imap(karsten at server): Error: fchown(/mountpoint/mail/server/karsten/dovecot-uidlist.tmp, group=8(mail)) failed: Operation not permitted (egid=9(crypt), group based on /mountpoint/mail/server/karsten - see http://wiki2.dovecot.org/Errors/ChgrpNoPerm) So dovecot will not handle different groups in the path !?