Austin Witmer
2022-Aug-23 11:52 UTC
Permission denied UNIX perms appear ok (ACL/MAC wrong?))
Here is the output of dovecot -n
austin at mail:~$ doveconf -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-46-generic x86_64 Ubuntu 22.04.1 LTS
# Hostname: mail
auth_mechanisms = plain login
listen = *
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Spam {
auto = subscribe
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
sieve = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/scripts;active=/mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve
sieve_before = /var/lib/dovecot/sieve/
sieve_global_dir = /var/lib/dovecot/sieve/
sieve_global_path = /var/lib/dovecot/sieve/default.sieve
sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log
}
protocols = imap lmtp pop3 imap lmtp sieve pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
driver = passwd
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol lmtp {
hostname = mail.mydomain.com
mail_plugins = " sieve"
postmaster_address = postmaster at mydomain.com
}
protocol lda {
mail_plugins = " sieve"
}
Austin Witmer
> On Aug 20, 2022, at 12:09 PM, Austin Witmer <austin96 at emypeople.net> wrote:
>
> And no, I don't think I am using ACL's.
>
> getfacl austin /mnt/volume1/mailserver/plain/maildir/
> getfacl: austin: No such file or directory
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/volume1/mailserver/plain/maildir/
> # owner: austin
> # group: austin
> user::rwx
> group::rwx
> other::r--
>
> Austin Witmer
>
>> On Aug 20, 2022, at 11:15 AM, spi <spi at nurfuerspam.de> wrote:
>>
>>> On 20.08.22 at 16:52, Austin Witmer wrote:
>>> Hello all!
>>>
>>> Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since
>>> then I am periodically getting some dovecot errors like the below in
>>> my mail log. As far as I can tell, my unix perms are just fine. What
>>> is ACL/MAC?
>>>
>>> Aug 20 14:41:58 mail dovecot: imap(user at domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log) failed: Permission denied (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
>>>
>>> And here is the listing showing the permissions for that file.
>>>
>>> austin at mail:~$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
>>> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
>>>
>>> What in the world is causing these errors, and what can I do about them?
>>>
>>> Thanks in advance!
>>>
>>> Austin Witmer
>>
>>
>> Do you use any ACLs? Is this just a block device mounted or do you use
>> any network file sharing like nfs?
>>
>> ACLs you can check by 'getfacl foo'.
>>
>> --
>> Cheers
>> spi
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20220823/ea1b3ce0/attachment-0001.htm>
There are a number of issues that can appear to be ACL issues when in fact it's something else. As others have mentioned, AppArmor profiles and SELinux contexts can be checked and are the most common. There are ACL permissions as well if you enabled ACL (they are not enabled by default on Ubuntu server). I've occasionally (rarely) seen some weird interactions with sockets between MDA and MTA if the permissions on the directory were not set correctly. Additionally, if a mount permission mask is being used, that can occasionally cause similar issues as well, as is often the case with using an NTFS backing filesystem for maildir that's been mounted with unix perms. There can also be some edge-cases with permissions in Ubuntu's flavored snap containers as well as docker containers and custom sieves.

It's difficult to say with any accuracy what is causing your issue with the information provided. Have you increased the verbosity of the logging? If all of the normal culprits do not stand out, maybe some others will have an idea.

As a final fallback you can always set a breakpoint and use a reverse debugger. It's not going to be performant but it will at least narrow down where the issue is coming from, and what the intermediate states were that led to the error so you can save/replicate them moving forward for resolution. Non-determinism can creep into code in a lot of different ways.
Best Regards,
N

On Tue, Aug 23, 2022 at 4:53 AM Austin Witmer <austin96 at emypeople.net> wrote:
> Here is the output of dovecot -n
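
The failing call in the thread is a stat(), which needs search (x) permission on every parent directory rather than any permission on the file itself. The following script is an added example, not code from any list participant or from Dovecot: it parses that error line, walks the parent directories for the logged euid/egid using mode bits only, and looks up the backing mount so filesystem type and mask options are visible. The function names are hypothetical, SAMPLE is constructed from the log line quoted above, supplementary groups and ACLs are ignored, and the mount lookup assumes Linux's /proc/mounts.

```python
import os
import re

# Constructed sample: the error line quoted in the thread, with mail wrapping removed.
SAMPLE = ("Aug 20 14:41:58 mail dovecot: imap(user at domain.com)<56316><1NieGKPmuOdKwxVI>: "
          "Error: Mailbox INBOX: stat(/mnt/volume1/mailserver/plain/maildir/domain.com/"
          "user/dovecot.index.log) failed: Permission denied (euid=1000(austin) "
          "egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))")

ERR = re.compile(r"stat\((?P<path>/[^)\s]+)\) failed: Permission denied "
                 r"\(euid=(?P<uid>\d+)\([^)]*\) egid=(?P<gid>\d+)\(")
def parse_error(line):
    """Extract (path, euid, egid) from a Dovecot 'Permission denied' stat() error."""
    m = ERR.search(line)
    return (m["path"], int(m["uid"]), int(m["gid"])) if m else None

def has_bit(st, uid, gid, bit):
    """Owner/group/other mode check only: supplementary groups and ACLs are ignored."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    return bool((st.st_mode >> shift) & bit)

def blocked_dirs(path, uid, gid):
    """stat() needs search (x) on every parent directory; list the ones lacking it."""
    bad, d = [], os.path.dirname(os.path.abspath(path))
    while True:
        try:
            if not has_bit(os.stat(d), uid, gid, 1):
                bad.append(d)
        except OSError as exc:  # the checking user may itself be denied, or d is missing
            bad.append(f"{d} ({exc.strerror})")
        if d == os.path.dirname(d):  # reached the filesystem root
            return bad[::-1]
        d = os.path.dirname(d)

def mount_for(path, mounts_text):
    """Longest-prefix match against /proc/mounts text: (mountpoint, fstype, options)."""
    best = ("", "", "")
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and (path + "/").startswith(f[1].rstrip("/") + "/"):
            if len(f[1]) > len(best[0]):
                best = (f[1], f[2], f[3])
    return best

if __name__ == "__main__":
    path, uid, gid = parse_error(SAMPLE)
    print("dirs missing +x by mode bits:", blocked_dirs(path, uid, gid) or "none")
    with open("/proc/mounts") as fh:
        print("backing mount:", mount_for(path, fh.read()))
```

An empty result from blocked_dirs on the mail server matches Dovecot's "UNIX perms appear ok" hint and leaves the ACL, MAC (AppArmor/SELinux) and mount-option causes named in the replies as the remaining candidates.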