Hi, all.
I'm trying to set up Postfix with Dovecot LMTP delivery
on a host where the user files (/var/spool/mail as well as
home directories) are on NFS filesystems, which are exported
root-squashed to the mail server. I definitely don't want to
give the mail server root permissions on the user files.
LMTP delivery fails with this logged message (e.g.):
Nov 16 17:51:36 lust dovecot:
lmtp(anne)<16830><mkkzEPg1lGG+QQAAs/mAJw>:
msgid=<202111162229.1AGMTfAO024765 at vindemiatrix.encs.concordia.ca>:
save failed to INBOX: Read-only mbox
I found this posting where someone else had a similar problem
and traced it in some detail back in 2019:
https://dovecot.org/list/dovecot/2019-February/114611.html
but apparently no one answered the fellow.
In order to check that this is indeed the same problem,
I temporarily changed the INBOX definition to make it write
into /var/tmp/ (on a local filesystem), and delivery worked.
I then temporarily changed the INBOX definition to make it
write into an NFS filesystem with root NOT squashed, and again
it worked (after I chmodded the directory to 1777 to allow
any user to create a file).
I believe that the person who wrote the above posting is
correct: at some point, file access is (incorrectly) checked
as root instead of as the target user.
This is a bit of a showstopper for me. Any plans to address this?
I attach the output of "dovecot -n", fwiw, but I don't think
that this is a configuration problem...
Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424
x2285
-------------- next part --------------
# 2.3.16 (7e2e900c1a): /local/pkg/dovecot-2.3.16/root/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 ()
# OS: Linux 3.10.0-1160.45.1.el7.x86_64 x86_64 Scientific Linux release 7.9 (Nitrogen)
# Hostname: lust.encs.concordia.ca
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /local/data/dovecot/this_host.d/imap.keytab
auth_mechanisms = plain login gssapi
auth_username_format = %Ln
auth_verbose = yes
default_login_user = nul-dove
first_valid_uid = 200
listen = *
lmtp_hdr_delivery_address = original
login_access_sockets = tcpwrap
mail_attachment_fs = posix
mail_fsync = always
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%1u/%u:INDEX=/local/data/dovecot/indexes/mail/%1u/%u
mail_plugin_dir = /local/lib/dovecot
mail_server_admin = mailto:servicedesk at encs.concordia.ca
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mmap_disable = yes
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /local/pkg/dovecot-CURRENT/root/etc/dovecot/encs.d/ldap.EXTRA
driver = ldap
}
plugin {
mail_log_events = mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size
}
protocols = imap submission lmtp
service imap-postlogin {
executable = script-login /local/bin/imap-wrapper
user = $default_internal_user
}
service imap {
executable = imap imap-postlogin
process_limit = 8192
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service tcpwrap {
unix_listener login/tcpwrap {
group = $default_login_user
mode = 0600
user = $default_login_user
}
}
ssl_cert = </etc/pki/tls/certs/mail.encs.pem
ssl_key = # hidden, use -P to show it
submission_relay_host = smtp.encs.concordia.ca
submission_relay_trusted = yes
userdb {
driver = prefetch
}
userdb {
args = /local/pkg/dovecot-CURRENT/root/etc/dovecot/encs.d/ldap.EXTRA
driver = ldap
}
verbose_proctitle = yes
protocol imap {
mail_plugins = " mail_log notify"
}