Hi,

I am trying to get sieve working on a new OpenSuse leap 42.2 install. On my 'old' OpenSuse 13.2 machine it worked fine.

The problem is that Managesieve can't access the script store and won't let me create any script. It says permission denied on ~/sieve directory. See log below. I've activated debug logging, but that doesn't give any clues to me. Also, I've set the directory accessible to all, but Managesieve still complains.

> cd ~
> ls -l
drwx------ 1 rogier users 8340 5 feb 16:54 Maildir
drwxrwxrwx 1 rogier users 24 5 feb 18:38 sieve

To rule out client issues (kmail) I tested also with Manual TLS Login as described in:
http://wiki2.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting

Same result.

I am puzzled. I can't find anything wrong in the dovecot configuration. The output of dovecot -n is shown below.
Hope someone has a solution. A lot of mail is waiting to get sorted...

Best Regards,
Rogier

The log:

feb 05 20:22:18 p150 dovecot[12120]: managesieve-login: Login: user=<rogier>, method=PLAIN, rip=192.168.0.18, lip=192.168.0.20, mpid=12135, TLS, session=<gmb0bs1H5q/AqAAS>
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: Effective uid=1000, gid=100, home=/home/rogier
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: maildir++: root=/home/rogier/Maildir, index=, indexpvt=, control=, inbox=/home/rogier/Maildir, alt
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: sieve: Pigeonhole version 0.4.15 (97b3da0) initializing
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts.
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: sieve: file storage: Using active Sieve script path: /home/rogier/.dovecot.sieve
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: sieve: file storage: Using script storage path: /home/rogier/sieve/
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: sieve: file storage: Using permissions from /home/rogier/sieve/: mode=0777 gid=-1
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: sieve: file storage: Relative path to sieve storage in active link: sieve/
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug: sieve: file storage: sync: Synchronization active
feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Error: sieve: file storage: Failed to list scripts: opendir(/home/rogier/sieve) failed: Permission denied

Output of dovecot -n:

# 2.2.25 (7be1766): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.15 (97b3da0)
# OS: Linux 4.4.36-8-default x86_64 openSUSE 42.2 (x86_64)
auth_username_format = %Ln
base_dir = /var/run/dovecot/
mail_debug = yes
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve/;active=~/.dovecot.sieve
  sieve_trace_debug = yes
}
protocols = imap lmtp sieve
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/ssl/private/dovecot.crt
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/dovecot.pem
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol lmtp {
  mail_plugins = sieve
  postmaster_address = postmaster at xxxxxxxxxxxxxx
}

On 2/5/2017 at 8:53 PM, dovelist wrote:

> Hi,
>
> I am trying to get sieve working on a new OpenSuse leap 42.2 install.
> On my 'old' OpenSuse 13.2 machine it worked fine.
>
> The problem is that Managesieve can't access the script store and
> won't let me create any script. It says permission denied on ~/sieve
> directory. See log below. I've activated debug logging, but that
> doesn't give any clues to me. Also, I've set the directory accessible
> to all, but Managesieve still complains.
>
>> cd ~
>> ls -l
> drwx------ 1 rogier users 8340 5 feb 16:54 Maildir
> drwxrwxrwx 1 rogier users 24 5 feb 18:38 sieve
>
> To rule out client issues (kmail) I tested also with Manual TLS Login
> as described in:
> http://wiki2.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting
>
> Same result.
>
> I am puzzled. I can't find anything wrong in the dovecot
> configuration. The output of dovecot -n is shown below.
> Hope someone has a solution. A lot of mail is waiting to get sorted...
>
> Best Regards,
> Rogier
>
>
> The log:
>
> feb 05 20:22:18 p150 dovecot[12120]: managesieve-login: Login:
> user=<rogier>, method=PLAIN, rip=192.168.0.18, lip=192.168.0.20,
> mpid=12135, TLS, session=<gmb0bs1H5q/AqAAS>
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> Effective uid=1000, gid=100, home=/home/rogier
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no,
> list=yes, subscriptions=yes location=maildir:~/Maildir
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> maildir++: root=/home/rogier/Maildir, index=, indexpvt=, control=,
> inbox=/home/rogier/Maildir, alt
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> sieve: Pigeonhole version 0.4.15 (97b3da0) initializing
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> sieve: include: sieve_global is not set; it is currently not possible
> to include `:global' scripts.
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> sieve: file storage: Using active Sieve script path:
> /home/rogier/.dovecot.sieve
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> sieve: file storage: Using script storage path: /home/rogier/sieve/
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> sieve: file storage: Using permissions from /home/rogier/sieve/:
> mode=0777 gid=-1
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> sieve: file storage: Relative path to sieve storage in active link:
> sieve/
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Debug:
> sieve: file storage: sync: Synchronization active
> feb 05 20:22:18 p150 dovecot[12120]: managesieve(rogier): Error:
> sieve: file storage: Failed to list scripts:
> opendir(/home/rogier/sieve) failed: Permission denied

Normally, Dovecot permission errors are more helpful than that. So, this error message in itself is a bit of a bug:

https://github.com/dovecot/pigeonhole/commit/51e4ff296987781e1ce93cb1c0ccc14e863bf8d6

About the cause of this error: keep in mind that the whole directory path needs read/execute permission, not only the leaf directory.

You could try a command other than LISTSCRIPTS in your manual debugging efforts. That should take a different code path that provides a more detailed error.

Regards,

Stephan.

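Added example, not part of the thread and not Dovecot code: one way to check every directory on the way to the script store for a given uid/gid, along the lines of the path advice in the reply above. It looks at classic UNIX mode bits only (ACLs and MAC such as AppArmor or SELinux are invisible to it), and the function names are this example's own.

```python
import os
import stat
import sys

def _allowed(st, uid, gids, want):
    """True if the classic mode bits grant every bit in want (r=4, w=2, x=1)."""
    if uid == 0:
        return True  # root is not stopped by directory mode bits
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7   # owner class applies, even if group grants more
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want

def blocking_components(path, uid, gids):
    """Return (directory, mode string, missing need) for each directory on the
    way to `path` whose mode bits would stop uid/gids from listing `path`."""
    path = os.path.realpath(path)
    chain, cur = [os.sep], os.sep
    for name in path.split(os.sep):
        if name:
            cur = os.path.join(cur, name)
            chain.append(cur)
    problems = []
    for comp in chain:
        # Ancestors need search (x); the final directory needs r and x
        # so that opendir() and access to its entries both work.
        want = 5 if comp == path else 1
        st = os.stat(comp)
        if not _allowed(st, uid, gids, want):
            need = "r-x" if want == 5 else "--x"
            problems.append((comp, stat.filemode(st.st_mode), need))
    return problems

if __name__ == "__main__":
    # Example call with the uid/gid from the "Effective uid" log line:
    #   python3 pathcheck.py /home/rogier/sieve 1000 100
    target, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for comp, mode, need in blocking_components(target, uid, {gid}):
        print(f"{mode} {comp}  (needs {need})")
```
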
Hi Stephan,

> Normally, Dovecot permission errors are more helpful than that. So, this
> error message in itself is a bit of a bug:

I'm glad to have been able to help with this beta-test ;-)

> About the cause of this error: keep in mind that the whole directory
> path needs read/execute permission, not only the leaf directory.

Have checked. They are...

> You could try a command other than LISTSCRIPTS in your manual debugging
> efforts. That should take a different code path that provides a more
> detailed error.

I tried:

PUTSCRIPT "hutsefluts" {6+}
keep;

Gives the same result:

Feb 10 15:43:26 p150 dovecot[2042]: managesieve(rogier): Error: sieve: file storage: save: open(/home/rogier/sieve/tmp/hutsefluts_1486737806.M728733P6414.p150.sieve) failed: Permission denied

I have put a script named "std.sieve" in the sieve directory manually. Then the GETSCRIPT command gives some more information:

Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Debug: sieve: file script: Opened script `std' from `/home/rogier/sieve/std.sieve'
Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Error: sieve: file script: Failed to open sieve script: open(/home/rogier/sieve/std.sieve) failed: Permission denied (euid=1000(rogier) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))

So the UNIX permissions seem not to be the problem. The mentioning of ACL made me look into the audit.log. There I found this:

type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/std.sieve" pid=6414 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 success=no exit=-13 a0=55e8920917d8 a1=0 a2=7fff73b41a14 a3=65766569732f7265 items=0 ppid=1861 pid=6414 auid=4294967295 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="managesieve" exe="/usr/lib/dovecot/managesieve" key=(null)
type=UNKNOWN[1327] msg=audit(1486738207.203:354): proctitle="dovecot/managesieve"

Looks like AppArmor says NO...

Does the apparmor profile for managesieve account for this or any other script store location? Or is the user expected to tweak apparmor profiles in such cases? Then I have to figure out how...

Regards,
Rogier

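Added example, not part of the thread and not Dovecot or AppArmor code: a small parser that pulls AppArmor DENIED records out of audit.log text and groups the denied access masks by profile and directory, which is the information needed to see what a confined service is being refused. The first sample record is the one quoted in the message above; the second is constructed for this example, and the function names are the example's own.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Record 1 is quoted from the post above; record 2 is constructed here
# (the kind of create denial a blocked PUTSCRIPT would be expected to log).
SAMPLE = '''\
type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/std.sieve" pid=6414 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1486738300.100:360): apparmor="DENIED" operation="mknod" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/tmp/new.sieve" pid=6414 comm="managesieve" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 success=no exit=-13 comm="managesieve"
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes removed)."""
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            rec[key] = quoted
        elif key == "name" and HEX.fullmatch(raw):
            # Names with spaces or control characters are logged
            # unquoted and hex-encoded; decode them back to a path.
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec

def apparmor_denials(text):
    """Map (profile, directory) -> sorted denied-mask letters, DENIED records only."""
    denied = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue  # skips SYSCALL records and complain-mode ALLOWED entries
        key = (rec.get("profile", "?"), dirname(rec["name"]))
        denied[key].update(rec.get("denied_mask", ""))
    return {k: "".join(sorted(v)) for k, v in denied.items()}

if __name__ == "__main__":
    for (profile, directory), mask in sorted(apparmor_denials(SAMPLE).items()):
        print(f"{profile}: {directory}/ denied [{mask}]")
```
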
Hello list,

I'm trying to setup sieve on a Debian 9 install with virtual users. Perhaps I'm getting old, but I can't figure out why managesieve is not working for virtual users. I have about 20 v users on this machine and only one has also a real unix account. The sieve rules work for this single unix account but not for any other account.
I have read tried various HOWTO's found on the net like this:

https://forum.vestacp.com/viewtopic.php?t=11363

but nothing is working for my case, so something is wrong in my setup and I hope you guys might shed some light.
The setup is rather simple it's 20 v users with one public folder, I have tried both dovecot lda and lmtp.

doveconf -n included

Thanks in advance for any help

-------------- next part --------------
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1 ext4
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_plugins = acl virtual
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace {
  hidden = no
  list = yes
  location = maildir:/home/vmail/%d/company:INDEXPVT=/home/vmail/%d/%n/Maildir/company
  prefix = company/
  separator = /
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location
  mailbox "Deleted Items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox "Junk E-mail" {
    special_use = \Junk
  }
  mailbox "Junk Email" {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Items" {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  acl_anyone = allow
  sieve = file:/home/vmail/%d/%n/sieve;active=/home/vmail/%d/%n/.dovecot.sieve
  sieve_user_log = file:/home/vmail/%d/%n/sieve/sieve_error.log
}
protocols = imap pop3 lmtp sieve
service auth-worker {
  user = vmail
}
service auth {
  inet_listener {
    port = 12345
  }
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n/Maildir
  driver = static
}
protocol lmtp {
  mail_plugins = acl virtual sieve
}
protocol lda {
  mail_plugins = acl virtual sieve
}
protocol imap {
  mail_max_userip_connections = 30
  mail_plugins = acl virtual imap_acl
}

On 11.01.2018 11:45, CP wrote:

> Hello list,
>
> I'm trying to setup sieve on a Debian 9 install with virtual users.
> Perhaps I'm getting old, but I can't figure out why managesieve is
> not working for virtual users. I have about 20 v users on this machine
> and only one has also a real unix account. The sieve rules work for this
> single unix account but not for any other account.
> I have read tried various HOWTO's found on the net like this:
>
> https://forum.vestacp.com/viewtopic.php?t=11363
>
> but nothing is working for my case, so something is wrong in my setup
> and I hope you guys might shed some light.
> The setup is rather simple it's 20 v users with one public folder, I
> have tried both dovecot lda and lmtp.
>
> doveconf -n included
>
> Thanks in advance for any help

Hi!

Can you enable mail_debug=yes in dovecot config and see what Sieve says for those rules. Also can you provide sieve rules. The sieve rules in your config file are per-user rules, managesieved does not actually do sieve processing, but provides ability to manage sieve rules remotely.

Aki

On Thu, 11 Jan 2018, CP wrote:

> I'm trying to setup sieve on a Debian 9 install with virtual users.
> Perhaps I'm getting old, but I can't figure out why managesieve is
> not working for virtual users. I have about 20 v users on this machine
> and only one has also a real unix account. The sieve rules work for this
> single unix account but not for any other account.

Hmm, your conf contains just one passdb and one userdb:

mail_location = maildir:/home/vmail/%d/%n/Maildir
sieve = file:/home/vmail/%d/%n/sieve;active=/home/vmail/%d/%n/.dovecot.sieve
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n/Maildir
  driver = static
}

So, how does the real user authenticate?

Second, you've violated:

https://wiki2.dovecot.org/VirtualUsers/Home?highlight=%28home%29|%28mail%29

make home and mail_location distinct. I guess, above should read:

home=/home/vmail/%d/%n/

You wrote "managesieve" is not working. That means, sieve is working?

So, has vmail write permission to:

/home/vmail/%d/%n/sieve

is it a directory?

Do your users log into managesieve with domain, too?

> but nothing is working for my case, so something is wrong in my setup and I
> hope you guys might shed some light.
> The setup is rather simple it's 20 v users with one public folder, I have
> tried both
> dovecot lda and lmtp.
>
> doveconf -n included
>
> Thanks in advance for any help
>

-- 
Steffen Kaiser