dovecot - Jul 2018 - permissions of newly created mailboxes only with dovecot-lda and posix acls

Hi!

I am experiencing troubles concerning the inheritance of the setgid bit if a new
mailbox is created with dovecot-lda.
If it is created with dovecot/imap, everything works fine.

dovecot-lda is called from postfix like this:
----------
mailbox_command = /usr/local/sbin/postfix-lda.sh
----------
logger -p mail.info -t postfix-lda "H: $HOME, S: $SENDER, R: $RECIPIENT, U:
$(umask), id: $(/bin/id); $@"
dovecot-lda -f "$SENDER" -a "$RECIPIENT"
-onamespace/inbox/location=maildir:~/Maildir:LAYOUT=fs:FULLDIRNAME=__MAILBOX__
----------

If a mailbox is created with dovecot-lda (sieve), permissions look like that:

$ ls -ld Maildir Maildir/2018-q3 Maildir/2018-q3/__MAILBOX__
drwxrws---+ 49 leo leo   4096 Jul  1 09:53 Maildir
drwxrwx---+  3 leo leo     24 Jul  1 09:40 Maildir/2018-q3
drwxrwx---+  2 leo staff    6 Jul  1 09:40 Maildir/2018-q3/__MAILBOX__

-> The setguid bit of Maildir is not honored and dovecot complains:
Jul  1 09:40:42 strike postfix-lda: H: /home/leo, S: testerl at strike.wu.ac.at,
R: leo at strike.wu.ac.at, umask: 0077, id: uid=500(leo) gid=500(staff)
groups=500(staff);
Jul  1 09:40:42 strike dovecot: lda(leo): Error:
fchown(/home/leo/Maildir/2018-q3/__MAILBOX__/cur, group=501(leo)) failed:
Operation not permitted (egid=500(staff), group based on
/home/leo/Maildir/2018-q3 - see http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
Jul  1 09:40:42 strike dovecot: lda(leo): Error:
mkdir(/home/leo/Maildir/2018-q3/__MAILBOX__/cur) failed: Operation not permitted
Jul  1 09:40:42 strike dovecot: lda(leo): Error: sieve:
msgid=<20180701074042.1B1241CFB78 at strike.wu.ac.at>: failed to store
into mailbox '2018-q3': Internal error occurred. Refer to server log for
more information. [2018-07-01 09:40:42]


If I create a mailbox with imap, everything works as expected:
$ ls -ld Maildir/permtest Maildir/permtest/__MAILBOX__
drwxrws---+ 3 leo leo  24 Jul  1 09:51 Maildir/permtest
drwxrws---+ 5 leo leo 108 Jul  1 09:51 Maildir/permtest/__MAILBOX__

mkdir from a shell also works fine.


The problem seems to be connected to the Posix ACLs that are set on Maildir:

$ getfacl Maildir
# file: Maildir
# owner: leo
# group: leo
# flags: -s-
user::rwx
user:bergolth:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:bergolth:rwx
default:group::rwx
default:mask::rwx
default:other::--x


If I remove all Posix ACLs using setfacl -b Maildir, creation of new mailboxes
works fine also with dovecot-lda.

Why is dovecot-lda behaving differently if Posix-ACLs are set on Maildir? Any
why isn't dovecot imap affected?

Any help would be greatly appreciated, I am actually clueless!

Cheers,
--leo

dovecot-2.2.32-1leo.el7.centos.x86_64
dovecot-pigeonhole-2.2.32-1leo.el7.centos.x86_64
postfix-2.10.1-6.el7.x86_64
# uname -r    
4.4.138-1.el7.elrepo.x86_64

-- 
e-mail   ::: Leo.Bergolth (at) wu.ac.at   
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria