Martin Kuchta
2022-Jul-17 10:20 UTC
Dovecot sync stopped working since 2.3.18-r1 when .maildir has 700 permissions
Hello,

Since upgrading to dovecot 2.3.18-r1 my sync setup using the replicator plugin stopped working. It seems there is a problem accessing a .maildir with 700 permissions, only accessible by the owner. Everything worked fine prior to this version and I made no configuration changes.

# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 5.10.74-gentoo x86_64 Gentoo Base System release 2.8
# Hostname: www.example.com
auth_mechanisms = plain login
auth_username_format = %Ln
doveadm_password = # hidden, use -P to show it
hostname = www.example.xom
listen = *
login_greeting = Dovecot ready.
mail_location = maildir:~/.maildir
mail_plugins = notify replication
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify vnd.dovecot.pipe
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = *
  driver = pam
}
plugin {
  mail_replica = tcps:www.example.com:8000
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_extensions = +notify +imapflags +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
  sieve_plugins = sieve_extprograms
}
postmaster_address = postmaster at example.com
protocols = imap lmtp sieve
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
  }
  unix_listener replication-notify {
    mode = 0666
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service doveadm {
  inet_listener {
    port = 8000
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
  }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol lmtp {
  mail_plugins = notify replication sieve
  postmaster_address = postmaster at example.com
}
protocol lda {
  mail_plugins = notify replication sieve
}
local_name mail.example.com {
  ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
  ssl_key = # hidden, use -P to show it
}
local_name example.com {
  ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
  ssl_key = # hidden, use -P to show it
}

--
roughgrain.com - Mastering Mentoring
+447780565902
Martin Kuchta
2022-Jul-23 07:54 UTC
Dovecot sync stopped working since 2.3.18-r1 when .maildir has 700 permissions
Hello,

Please accept my apologies for not giving all the details in the original bug report. After further testing, I need to add that it is not the permissions of .maildir that cause doveadm to fail. It fails because the .maildir is a FUSE mount with access to all other users, including potentially untrusted root, restricted. This configuration worked fine until 2.3.18-r1. Has the context under which doveadm runs changed? Is there a way to make it run as the user?

---
roughgrain.com - Mastering Mentoring
+447780565902

On 17/07/2022 11:20, Martin Kuchta wrote:
> Hello,
>
> Since upgrading to dovecot 2.3.18-r1 my sync setup using the replicator plugin stopped working. It seems there is a problem accessing a .maildir with 700 permissions, only accessible by the owner. Everything worked fine prior to this version and I made no configuration changes.
>
> # 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.19 (4eae2f79)
> # OS: Linux 5.10.74-gentoo x86_64 Gentoo Base System release 2.8
> # Hostname: www.example.com
> auth_mechanisms = plain login
> auth_username_format = %Ln
> doveadm_password = # hidden, use -P to show it
> hostname = www.example.xom
> listen = *
> login_greeting = Dovecot ready.
> mail_location = maildir:~/.maildir
> mail_plugins = notify replication
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify vnd.dovecot.pipe
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = *
>   driver = pam
> }
> plugin {
>   mail_replica = tcps:www.example.com:8000
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   sieve_extensions = +notify +imapflags +vnd.dovecot.pipe
>   sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
>   sieve_plugins = sieve_extprograms
> }
> postmaster_address = postmaster at example.com
> protocols = imap lmtp sieve
> service aggregator {
>   fifo_listener replication-notify-fifo {
>     mode = 0666
>   }
>   unix_listener replication-notify {
>     mode = 0666
>   }
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
> }
> service doveadm {
>   inet_listener {
>     port = 8000
>     ssl = yes
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service replicator {
>   process_min_avail = 1
>   unix_listener replicator-doveadm {
>     mode = 0600
>   }
> }
> ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_client_ca_dir = /etc/ssl/certs
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> protocol lmtp {
>   mail_plugins = notify replication sieve
>   postmaster_address = postmaster at example.com
> }
> protocol lda {
>   mail_plugins = notify replication sieve
> }
> local_name mail.example.com {
>   ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
>   ssl_key = # hidden, use -P to show it
> }
> local_name example.com {
>   ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
>   ssl_key = # hidden, use -P to show it
> }
>
> --
> roughgrain.com - Mastering Mentoring
> +447780565902