I have an issue that surfaced when I tried to start using the new metrics
service, but it looks like it may be a more generic issue.
When I enabled stats and started dovecot, I got the following error in the log:
 Error: stats: open(/var/run/dovecot/stats-mail) failed: Permission denied
/var/run/dovecot/stats-mail did not exist.  /var/run/dovecot/ existed, owned by
root, which apparently was preventing dovecot from creating stats-mail.  On
advice from  another list subscriber, I changed the ownership of
/var/run/dovecot to the dovecot user.  This doesn't help.
Apparently /var/run/dovecot is deleted by dovecot when it shuts down, and
recreated, with root ownership, when it restarts.  stats-mail is created, with
root ownership. Is there something I need to change to prevent dovecot from
creating this directory owned by root?  I was unaware of any problems before
trying to  enable stats, but the ownership of files in that directory is a mixed
bag
 $ ls -l /var/run/dovecot
total 20
srw-------  1 root     wheel       0 Aug 17 09:05 anvil
srw-------  1 root     wheel       0 Aug 17 09:05 anvil-auth-penalty
srw-------  1 dovecot  wheel       0 Aug 17 09:05 auth-client
srw-------  1 dovecot  wheel       0 Aug 17 09:05 auth-login
srw-rw----  1 alias    qnofiles    0 Aug 17 09:05 auth-master
-rw-------  1 root     wheel      32 Aug 17 09:05 auth-token-secret.dat
srw-rw-rw-  1 dovecot  wheel       0 Aug 17 09:05 auth-userdb
srw-------  1 dovecot  wheel       0 Aug 17 09:05 auth-worker
srw-------  1 root     wheel       0 Aug 17 09:05 config
srw-------  1 root     wheel       0 Aug 17 09:05 dict
srw-------  1 root     wheel       0 Aug 17 09:05 dict-async
srw-------  1 root     wheel       0 Aug 17 09:05 director-admin
srw-rw-rw-  1 root     wheel       0 Aug 17 09:05 dns-client
srw-------  1 root     wheel       0 Aug 17 09:05 doveadm-server
lrwx------  1 root     wheel      35 Aug 17 09:05 dovecot.conf -> /usr/local/etc/dovecot/dovecot.conf
drwxr-xr-x  2 root     wheel     512 Aug 17 09:05 empty
srw-------  1 root     wheel       0 Aug 17 09:05 imap-hibernate
srw-------  1 root     wheel       0 Aug 17 09:05 imap-master
srw-rw-rw-  1 root     wheel       0 Aug 17 09:05 imap-urlauth
srw-------  1 dovecot  wheel       0 Aug 17 09:05 imap-urlauth-worker
srw-rw-rw-  1 root     wheel       0 Aug 17 09:05 indexer
srw-------  1 dovecot  wheel       0 Aug 17 09:05 indexer-worker
srw-------  1 root     wheel       0 Aug 17 09:05 ipc
srw-------  1 root     wheel       0 Aug 17 09:05 log-errors
drwxr-x---  2 root     dovenull  512 Aug 17 09:05 login
srw-------  1 root     wheel       0 Aug 17 09:05 master
-rw-------  1 root     wheel       6 Aug 17 09:05 master.pid
srw-------  1 root     wheel       0 Aug 17 09:05 replication-notify
prw-------  1 root     wheel       0 Aug 17 09:05 replication-notify-fifo
srw-------  1 dovecot  wheel       0 Aug 17 09:05 replicator
srw-rw-rw-  1 root     wheel       0 Aug 17 09:05 ssl-params
srw-------  1 root     wheel       0 Aug 17 09:05 stats
prw-------  1 root     wheel       0 Aug 17 09:05 stats-mail
prw-------  1 root     wheel       0 Aug 17 09:05 stats-user
drwxr-x---  2 root     dovenull  512 Aug 17 09:05 token-login
$ doveconf -n
# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: FreeBSD 11.0-RELEASE-p9 amd64
auth_stats = yes
auth_verbose = yes
default_vsz_limit = 128 M
lock_method = flock
mail_location = maildir:~/Maildir
mail_plugins = " stats"
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext vnd.dovecot.pipe vnd.dovecot.execute
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  args = imap
  driver = pam
}
plugin {
  recipient_delimiter = -
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_execute_bin_dir = /usr/local/lib/dovecot/sieve-pipe
  sieve_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve-pipe
  sieve_pipe_exec_timeout = 10s
  sieve_plugins = sieve_extprograms
  stats_refresh = 30s
}
protocols = imap
service auth {
  unix_listener auth-master {
    group = qnofiles
    mode = 0660
    user = alias
  }
  user = root
}
service imap-login {
  process_min_avail = 3
  vsz_limit = 94 M
}
ssl_cert = </usr/local/etc/letsencrypt/live/dummy.redhorse.me/fullchain.pem
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_dh_parameters_length = 2048
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
stats_carbon_name = RedHorseMail
stats_carbon_server = [2a04:3542:1000:910:acc1:5bff:fe5e:8c2]
syslog_facility = local0
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol lda {
  mail_plugins = " stats sieve"
}
> On Aug 17, 2017, at 9:19 AM, Matt Simpson <dclist at list.jmatt.net> wrote:
>
> I have an issue that surfaced when I tried to start using the new metrics
> service, but it looks like it may be a more generic issue.
>

When I took a closer look at this, it might be a problem with the FreeBSD
packaging of dovecot, and not in dovecot itself.

I'm running FreeBSD 11, and installed dovecot as a package using standard
FreeBSD package utilities.  The install process creates a start/stop script,
and that script is creating the /var/run/dovecot directory at startup and
removing it at shutdown.

The command which creates the directory is

/usr/bin/install -o root -g wheel -m 0755 -d ${base_dir}

which apparently just creates a directory with the specified owner and group.

At this point, I'm a little confused about the best way to proceed.  Any
other FreeBSD dovecot users here?  Currently, it looks like the startup script
is creating /var/run/dovecot, owned by root.  Then dovecot creates
/var/run/dovecot/stats-mail, also owned by root.  I could possibly alter the
startup script to create /var/run/dovecot owned by dovecot instead of root, but
I don't think that will change the ownership of stats-mail, which seems to be
created by dovecot running as root, and then attempted to write by dovecot
running as a different user.  Does anybody know what's going on here?

In /usr/local/etc/dovecot/conf.d/90-plugin.conf:
service stats {
  chroot = empty
  client_limit = 0
  drop_priv_before_exec = no
  executable = stats
  extra_groups =
  fifo_listener stats-mail {
    group =
    mode = 0666
    user =
  }
  fifo_listener stats-user {
    group =
    mode = 0666
    user =
  }
  group =
  idle_kill = 4294967295 secs
  privileged_group =
  process_limit = 1
  process_min_avail = 0
  protocol =
  service_count = 0
  type =
  unix_listener stats {
    group =
    mode = 0666
    user =
  }
  user = $default_internal_user
  vsz_limit = 18446744073709551615 B
}
-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 214-642-9640                 E-Mail: larryrtx at gmail.com
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106
 
On 8/17/17, 11:04 AM, "dovecot on behalf of Matt Simpson"
<dovecot-bounces at dovecot.org on behalf of dclist at list.jmatt.net>
wrote:
    
    > On Aug 17, 2017, at 9:19 AM, Matt Simpson <dclist at list.jmatt.net> wrote:
    >
    > I have an issue that surfaced when I tried to start using the new
    > metrics service, but it looks like it may be a more generic issue.
    >

    When I took a closer look at this, it might be a problem with the FreeBSD
    packaging of dovecot, and not in dovecot itself.

    I'm running FreeBSD 11, and installed dovecot as a package using standard
    FreeBSD package utilities.   The install process creates a start/stop script,
    and that script is creating the /var/run/dovecot directory at startup and
    removing it at shutdown.

    The command which creates the directory is

    /usr/bin/install -o root -g wheel -m 0755 -d ${base_dir}

    which apparently just creates a directory with the specified owner and
    group.

    At this point, I'm a little confused about the best way to proceed.  Any
    other FreeBSD dovecot users here?  Currently, it looks like the startup script
    is creating /var/run/dovecot, owned by root.  Then dovecot creates
    /var/run/dovecot/stats-mail, also owned by root.  I could possibly alter the
    startup script to create /var/run/dovecot owned by dovecot instead of root, but
    I don't think that will change the ownership of stats-mail, which seems to be
    created by dovecot running as root, and then attempted to write by dovecot
    running as a different user.  Does anybody know what's going on here?
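
An added example, not part of any message in the thread: a POSIX sh check that applies the owner/group/other write rule to `ls -l` lines and lists the sockets and FIFOs a given account cannot open, which is the condition behind the `open(/var/run/dovecot/stats-mail) failed: Permission denied` error. The four listing lines are copied from the first message; the account `alice` and the function names are hypothetical.

```shell
#!/bin/sh
# Classic UNIX write check on ls -l lines. Ignores ACLs and MAC policy, and
# assumes the directory itself is searchable (it is created with mode 0755).

# Entries copied from the `ls -l /var/run/dovecot` listing in the first message.
sample_listing() {
cat <<'EOF'
srw-rw-rw-  1 dovecot  wheel       0 Aug 17 09:05 auth-userdb
srw-------  1 root     wheel       0 Aug 17 09:05 stats
prw-------  1 root     wheel       0 Aug 17 09:05 stats-mail
prw-------  1 root     wheel       0 Aug 17 09:05 stats-user
EOF
}

# can_write MODE OWNER GROUP USER "USER_GROUPS"
# Exit 0 if USER may open the entry for writing. Exactly one permission class
# applies: owner if USER owns it, else group if USER is a member, else other.
can_write() {
    if [ "$4" = root ]; then return 0; fi
    if [ "$4" = "$2" ]; then
        pos=3                      # owner write bit in the 10-char mode string
    else
        pos=9                      # other write bit
        for ug in $5; do
            if [ "$ug" = "$3" ]; then pos=6; fi   # group write bit
        done
    fi
    [ "$(printf '%s' "$1" | cut -c"$pos")" = w ]
}

# unwritable_for USER "USER_GROUPS"
# Reads ls -l lines on stdin; prints sockets (s) and FIFOs (p) USER cannot write.
unwritable_for() {
    while read -r f_mode _ f_owner f_group _ _ _ _ f_name _; do
        case $f_mode in
            [sp]*) can_write "$f_mode" "$f_owner" "$f_group" "$1" "$2" ||
                       printf '%s\n' "$f_name" ;;
        esac
    done
}

# alice is a hypothetical unprivileged mail user in her own group only.
sample_listing | unwritable_for alice alice
```

For `alice` this prints `stats`, `stats-mail` and `stats-user`; with the `mode = 0666` shown for those listeners in the `service stats` block, the same check passes.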