Hi,

I have a Debian/Buster system with Postfix and Dovecot from the Debian repo, and with virtual users only (i.e., no system users). These virtual users have all of their uids, gids, homes and mail quotas in a PostgreSQL database. The intent is to have Postfix deliver the email via Dovecot's LDA, so I can set quota on a per-user basis.

But for some odd reason, Dovecot's LDA can't find the user data from the userdb, and then complains about not being able to write to /var/mail. The following example shows how things fail when delivering a message from Postfix's queue (therefore, the passdb failure is expected):

In /etc/dovecot.conf, I have this, amongst other things:

mail_location = maildir:~/Maildir:INBOX=~/Maildir
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = prefetch
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
protocol lda {
  mail_plugins = autocreate quota mail_log trash virtual notify
}

16:04:16 postfix/qmgr[4970]: 8CD6CE072E: from=<user at example.com>, size=880, nrcpt=1 (queue active)
16:04:16 dovecot: auth: Debug: master in: USER#0111#011user at example.com#011service=lda
16:04:16 dovecot: auth: Debug: prefetch(user at example.com): passdb didn't return userdb entries, trying the next userdb
16:04:16 dovecot: auth: Debug: sql(user at example.com): SELECT '/path-to-mailboxen/' || virtual_users.home AS home, uid , gid , quota as quota_rule FROM virtual_users WHERE email = 'user at example.com' AND status = 'A'
16:04:16 dovecot: auth: Debug: userdb out: USER#0111#011user at example.com#011home=/path-to-mailboxen/example.com/user#011uid=12345#011gid=12345#011quota_rule=*:storage=0

^^^^^^^^^^^^^^^^^^^^^^

This shows that the database lookup works. The intended effect should be that the message is delivered to

/path-to-mailboxen/example.com/user/Maildir/new

16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: setegid(privileged) failed: Operation not permitted
16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)

^^^^^^^^^^^^^^^^^^^^^^

And this shows that dovecot-lda just ignores the result.

16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: Mailbox INBOX: Failed to autocreate mailbox: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: msgid=<20201226224933.014608 at laptop.example.com>: save failed to open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
16:04:16 postfix/pipe[5284]: 8CD6CE072E: to=<user at example.com>, orig_to=<userA at example2.com>, relay=dovecot, delay=62083, delays=62083/0.04/0/0.04, dsn=4.3.0, status=deferred (temporary failure)

In /etc/postfix/master.cf, I have this to call it:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=_mailbox argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -a ${recipient}

I've tried strace-ing dovecot-lda, but it didn't really help me to understand why it discards the result of the userdb lookup.

Can anyone please provide a cluebat?

Thanks,
Toni
> On 27/12/2020 18:19 Toni Mueller <support at oeko.net> wrote:
>
>
> Hi,
>
> I have a Debian/Buster system with Postfix and Dovecot from the Debian
> repo, and with virtual users only (i.e., no system users). These virtual
> users have all of their uids, gids, homes and mail quotas in a
> PostgreSQL database. The intent is to have Postfix deliver the email via
> Dovecot's LDA, so I can set quota on a per-user basis.
>
> But for some odd reason, Dovecot's LDA can't find the user data from the
> userdb, and then complains about not being able to write to /var/mail.
> The following example shows how things fail when delivering a message
> from Postfix's queue (therefore, the passdb failure is expected):
>
> In /etc/dovecot.conf, I have this, amongst other things:
>
>
> mail_location = maildir:~/Maildir:INBOX=~/Maildir
> passdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf.ext
> }
> userdb {
>   driver = prefetch
> }
> userdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf.ext
> }
> protocol lda {
>   mail_plugins = autocreate quota mail_log trash virtual notify
> }
>
>
>
>
> 16:04:16 postfix/qmgr[4970]: 8CD6CE072E: from=<user at example.com>, size=880, nrcpt=1 (queue active)
> 16:04:16 dovecot: auth: Debug: master in: USER#0111#011user at example.com#011service=lda
> 16:04:16 dovecot: auth: Debug: prefetch(user at example.com): passdb didn't return userdb entries, trying the next userdb
> 16:04:16 dovecot: auth: Debug: sql(user at example.com): SELECT '/path-to-mailboxen/' || virtual_users.home AS home, uid , gid , quota as quota_rule FROM virtual_users WHERE email = 'user at example.com' AND status = 'A'
> 16:04:16 dovecot: auth: Debug: userdb out: USER#0111#011user at example.com#011home=/path-to-mailboxen/example.com/user#011uid=12345#011gid=12345#011quota_rule=*:storage=0
>
> ^^^^^^^^^^^^^^^^^^^^^^
>
> This shows that the database lookup works. The intended effect should be
> that the message is delivered to
>
> /path-to-mailboxen/example.com/user/Maildir/new
>
>
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: setegid(privileged) failed: Operation not permitted
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
>
> ^^^^^^^^^^^^^^^^^^^^^^
>
> And this shows that dovecot-lda just ignores the result.
>
>
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: Mailbox INBOX: Failed to autocreate mailbox: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: msgid=<20201226224933.014608 at laptop.example.com>: save failed to open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
> 16:04:16 postfix/pipe[5284]: 8CD6CE072E: to=<user at example.com>, orig_to=<userA at example2.com>, relay=dovecot, delay=62083, delays=62083/0.04/0/0.04, dsn=4.3.0, status=deferred (temporary failure)
>
>
> In /etc/postfix/master.cf, I have this to call it:
>
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=_mailbox argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -a ${recipient}
>
>
> I've tried strace-ing dovecot-lda, but it didn't really help me to
> understand why it discards the result of the userdb lookup.
>
>
> Can anyone please provide a cluebat?
>
>
>
> Thanks,
> Toni

Try adding mail_privileged_group = mail to your dovecot.conf. See https://doc.dovecot.org/settings/core/#mail-privileged-group

Aki
Hi,

Toni Mueller, 27.12.20:
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: Mailbox INBOX: Failed to autocreate mailbox: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: msgid=<20201226224933.014608 at laptop.example.com>: save failed to open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
> 16:04:16 postfix/pipe[5284]: 8CD6CE072E: to=<user at example.com>, orig_to=<userA at example2.com>, relay=dovecot, delay=62083, delays=62083/0.04/0/0.04, dsn=4.3.0, status=deferred (temporary failure)
>
>
> In /etc/postfix/master.cf, I have this to call it:
>
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=_mailbox argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -a ${recipient}
>
>
> I've tried strace-ing dovecot-lda, but it didn't really help me to
> understand why it discards the result of the userdb lookup.
>
>
> Can anyone please provide a cluebat?

I'd change the setup towards Postfix handing over the messages to Dovecot via LMTP. You can easily achieve this by setting

relay_domains = btree:/etc/postfix/relay-transport

in your Postfix configuration and creating a file /etc/postfix/relay-transport:

your_mail_domain lmtp:unix:private/lmtp-dovecot

Kind regards
Christian Schmidt
--
No signature available.
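The LMTP hand-off Christian suggests, written out as an added example (not from the thread and not a verbatim copy of either project's documentation) in the form Postfix documents for virtual mailbox domains, i.e. via virtual_transport rather than relay_domains. Assumed names: the socket file dovecot-lmtp, the two pgsql map files, and that Postfix runs chrooted under /var/spool/postfix as on Debian; Debian's master.cf already carries the `lmtp` client entry, so no new master.cf service is needed and the `dovecot ... pipe` entry from the first post can go away together with any transport_maps entry pointing at it.

```conf
# /etc/postfix/main.cf (fragment): treat the virtual domains as local and
# hand every recipient to Dovecot over LMTP.  The socket path is relative to
# queue_directory because the Postfix lmtp client runs chrooted.
# The two pgsql map files are assumed names; they would select from the same
# virtual_users table the Dovecot userdb already queries.
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-domains.cf
virtual_mailbox_maps    = pgsql:/etc/postfix/pgsql-virtual-mailboxes.cf
virtual_transport       = lmtp:unix:private/dovecot-lmtp

# /etc/dovecot/local.conf (fragment): the listener lives inside the Postfix
# chroot so the relative path above resolves to it.  Owner and mode limit the
# socket to Postfix.  Dovecot, not the MTA, picks uid/gid/home per recipient
# from the SQL userdb, so no fixed "user=" and no setuid binary is involved.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode  = 0600
    user  = postfix
    group = postfix
  }
}
protocol lmtp {
  mail_plugins = $mail_plugins quota
}
```

What this changes compared with the pipe transport: the delivering process is started by Dovecot's own master and switches to the uid/gid the userdb returns for each recipient, so the quota_rule from the SQL lookup still applies per user, Postfix never has to run deliver as a single fixed account, and with maildir under the user's home nothing opens /var/mail, so mail_privileged_group is not exercised at all. Keeping virtual_mailbox_maps populated also lets smtpd reject unknown recipients before they enter the queue instead of bouncing them after an LMTP failure.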
Hi,

thanks to all the people who tried to help me. I have made one more step in the right direction and wanted to share my findings.

To recap, LDA pulls the right data from userdb, then ignores it and tries to deliver to the system default mailbox location at /var/mail:

On Sun, Dec 27, 2020 at 04:19:35PM +0000, Toni Mueller wrote:
> 16:04:16 dovecot: auth: Debug: userdb out: USER#0111#011user at example.com#011home=/path-to-mailboxen/example.com/user#011uid=12345#011gid=12345#011quota_rule=*:storage=0
>
> ^^^^^^^^^^^^^^^^^^^^^^
>
> This shows that the database lookup works. The intended effect should be
> that the message is delivered to
>
> /path-to-mailboxen/example.com/user/Maildir/new
>
>
> 16:04:16 dovecot: lda(user at example.com)<5291><DDxBHYCw6F+rFAAApiCoHg>: Error: Mailbox INBOX: open(/var/mail/user at example.com) failed: Permission denied (euid=12345(mailbox) egid=12345(mailbox) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
>
> ^^^^^^^^^^^^^^^^^^^^^^
>
> And this shows that dovecot-lda just ignores the result.

1. Directive merging:

I found that there may be a problem in merging configuration directives. In Debian, the main config file is /etc/dovecot/dovecot.conf. This includes some snippets in /etc/dovecot/conf.d, and, at last, includes /etc/dovecot/local.conf. In /etc/dovecot/conf.d/10-mail.conf, there are these two statements:

mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail

In local.conf, I have different values for that, but only if I comment them out in 10-mail.conf do I get LDA to try to deliver to the directory where it should deliver. Therefore, I assume that later directives are not overwriting earlier directives, but "first wins" is an uncommon strategy - usually, it's "last wins". I'm not sure whether this is a bug or not, though, but a quick search did not reveal how things are supposed to be.

2. Wrong mailbox settings:

I want to deliver to maildir and have these settings. Globally, i.e., outside of all "blocks" (<token> [<name>] { ... }), I have

mail_location = maildir:~/Maildir:INBOX=maildir:~/Maildir

In addition to that, I have this:

namespace inbox {
  inbox = yes
  location = maildir:~/Maildir
}

But Dovecot wrote the mail to a file in mbox format, the file being at ~/mail/inbox, with ~ being the home dir as taken from the SQL database.

3. Autocreate fails:

I now have this for LDA and IMAP:

-------- cut
protocol imap {
  mail_plugins = autocreate quota imap_quota mail_log trash virtual notify
  mail_max_userip_connections = 10
}
protocol lda {
  mail_plugins = autocreate quota virtual mail_log trash notify
  ...
}
-------- cut

In the first instance, the home from the database was created by Dovecot, but then I moved it aside, so as to have Dovecot create a new one. But now I get this, even after lifting the plugin settings of LDA to the global scope:

Jan 1 15:07:52 dovecot: lda(user at example.com)<13951><FVyCAMg6719/NgAApiCoHg>: Fatal: Namespace '': Mail storage autodetection failed with home=/path-to-mailboxen/example.com/user

Setting 'mail_location', as was suggested numerous times on the Internet, does not seem to have the desired effect, and I only have the 'inbox' namespace, anyway.

Any ideas, please?

TIA!

Cheers,
Toni
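The directive-merging question in point 1 and the surprise in point 2 both come down to one thing: which assignment of mail_location Dovecot ends up with after dovecot.conf, conf.d/*.conf and local.conf have been read. The script below is an added example, not code from the thread or from Dovecot. It walks the Debian include order (dovecot.conf, then conf.d/*.conf in name order, then local.conf, which is what the stock `!include conf.d/*.conf` / `!include_try local.conf` lines produce) and reports every top-level assignment of a setting plus the last one, i.e. what a last-assignment-wins parser keeps. It deliberately matches only lines starting at column 0, so an override that sits indented inside a `protocol` or `namespace` block is not counted, because such a value applies within that block only. On a live host the authoritative check is `doveconf -n mail_location` for the effective value and `doveadm user user@example.com` for the fields the LDA receives from the userdb; the `Mail storage autodetection failed` fatal in point 3 is typically what Dovecot logs when the namespace location resolves to nothing and the (freshly emptied) home contains no mailbox format it can recognise, which is one more reason to read the effective value back rather than the files. The sample tree is constructed in a temporary directory; nothing touches /etc/dovecot.

```shell
#!/bin/sh
# Added example, not code from the thread: list every top-level assignment of
# a Dovecot setting in the order Debian's dovecot.conf includes its pieces
# (dovecot.conf itself, then conf.d/*.conf, then local.conf) and report the
# last one, which is the value a last-assignment-wins parser keeps.
# Assumptions: the stock Debian include order above, and that the overriding
# line sits at column 0 (an assignment indented inside a protocol or namespace
# block only applies within that block and is deliberately not matched).
# On a live host the authoritative answer is `doveconf -n <setting>`; this
# script only shows where the candidates come from.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# assignments <confdir> <setting>: prints "<file>: <value>" per match, in include order
assignments() {
    root=$1; key=$2
    for f in "$root/dovecot.conf" "$root"/conf.d/*.conf "$root/local.conf"; do
        [ -f "$f" ] || continue
        grep "^$key[[:space:]]*=" "$f" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$(trim "${line#*=}")"
        done
    done
}

# effective_value <confdir> <setting>: value of the last assignment, or empty
effective_value() {
    root=$1; key=$2; last=
    for f in "$root/dovecot.conf" "$root"/conf.d/*.conf "$root/local.conf"; do
        [ -f "$f" ] || continue
        hit=$(grep "^$key[[:space:]]*=" "$f" | tail -n 1)
        [ -n "$hit" ] && last=$(trim "${hit#*=}")
    done
    printf '%s\n' "$last"
}

# Constructed sample tree reproducing the layout described in the follow-up:
# Debian's 10-mail.conf sets the mbox default, local.conf overrides it.
demo() {
    root=$(mktemp -d)
    mkdir "$root/conf.d"
    printf '!include conf.d/*.conf\n!include_try local.conf\n' > "$root/dovecot.conf"
    printf 'mail_location = mbox:~/mail:INBOX=/var/mail/%%u\nmail_privileged_group = mail\n' \
        > "$root/conf.d/10-mail.conf"
    printf 'mail_location = maildir:~/Maildir:INBOX=maildir:~/Maildir\n' > "$root/local.conf"
    assignments "$root" mail_location
    printf 'effective: %s\n' "$(effective_value "$root" mail_location)"
    rm -r "$root"
}
demo
```

If `doveconf -n mail_location` disagrees with what this script reports for the real /etc/dovecot, the override is almost certainly not at top level in the file you think it is, and `doveconf -n` with no arguments shows the full effective non-default configuration, blocks included, to locate it.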