[Dovecot] mail_privileged_group not working for dotlock files (1.1.6)

Rob Mangiafico rmang at lexiconn.com
Sat Nov 22 03:42:08 EET 2008 

> On Fri, 2008-11-21 at 15:45 -0500, Rob Mangiafico wrote:
>>> Running dovecot 1.1.6 on centOS 5 and RHEL 5.
>>>
>>> With the settings:
>>> pop3_lock_session = yes
>>> mail_privileged_group = mail
>>> mail_location = mbox:~/:INBOX=/var/spool/mail/%u
>
> What does ~/ expand to? What does mail_debug=yes show? The privileged
> locking isn't used if INBOX appears under the mail root directory. So if
> ~/ expands to /, /var, /var/spool or /var/spool/mail, the privileged
> locking isn't done.

>From the log file:
---
Nov 21 20:29:43 ssy dovecot: auth(default): new auth connection: pid=23472
Nov 21 20:29:46 ssy dovecot: auth(default): client in: AUTH     1 
PLAIN   service=pop3    secured lip=127.0.0.1   rip=127.0.0.1 
lport=110       rport=44480     resp=<hidden>
Nov 21 20:29:46 ssy dovecot: auth(default): shadow(rlm,127.0.0.1): lookup
Nov 21 20:29:46 ssy dovecot: auth(default): client out: OK      1 
user=rlm
Nov 21 20:29:46 ssy dovecot: auth(default): master in: REQUEST  2 
23349   1
Nov 21 20:29:46 ssy dovecot: auth(default): passwd(rlm,127.0.0.1): lookup
Nov 21 20:29:46 ssy dovecot: auth(default): master out: USER    2 
rlm     system_user=rlm uid=500 gid=500 home=/home/rlm
Nov 21 20:29:46 ssy dovecot: child 23475 (pop3) killed with signal 11
Nov 21 20:29:46 ssy dovecot: POP3(rlm): Effective uid=500, gid=500
Nov 21 20:29:46 ssy dovecot: POP3(rlm): mbox: 
data=~/mail:INBOX=/var/spool/mail/rlm
Nov 21 20:29:46 ssy dovecot: POP3(rlm): fs: root=/home/rlm/mail, index=, 
control=, inbox=/var/spool/mail/rlm
Nov 21 20:29:46 ssy dovecot: POP3(rlm): file_lock_dotlock() failed with 
mbox file /var/spool/mail/rlm: Permission denied
Nov 21 20:29:46 ssy dovecot: pop3-login: Login: user=<rlm>, method=PLAIN, 
rip=127.0.0.1, lip=127.0.0.1, secured
----

ls -al /var/spool/mail/
drwxrwx--x   2 root      mail 4096 Nov 21 19:58 ./

dovecot -n
# 1.1.6: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.20.1 i686 CentOS release 4.7 (Final)
protocols: imap imaps pop3 pop3s
ssl_cert_file: /usr/share/ssl/certs/sendmail.pem
ssl_key_file: /usr/share/ssl/certs/sendmail.pem
ssl_cipher_list: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
mail_privileged_group: mail
mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u
mail_debug: yes
mail_full_filesystem_access: yes
mmap_disable: yes
fsync_disable: yes
mail_drop_priv_before_exec: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
pop3_lock_session(default): no
pop3_lock_session(imap): no
pop3_lock_session(pop3): yes
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): %08Xv%08Xu
auth default:
   mechanisms: plain login
   verbose: yes
   debug: yes
   passdb:
     driver: shadow
   userdb:
     driver: passwd


> Could you get gdb backtrace of this crash? See
> http://dovecot.org/bugreport.html

I do not think it is crashing, as no matter what I do, I cannot get core 
dumps (in /tmp, home dir, etc...):
ulimit -c
unlimited

cat /proc/sys/kernel/core_pattern
/tmp/%p

>>> The reason we have dotlock as the primary format is due to procmail LDA from
>>> sendmail:
>>> ---
>>> procmail -v 2>&1|grep Locking
>>> Locking strategies:     dotlocking, fcntl()
>>> ---
>>>
>>> I assume we have to make the "mbox_write_locks" match the procmail locking...
>
> Actually it's not necessary. You'll need to have at least one common
> locking mechanism. Using only fcntl Dovecot would be enough if procmail
> also uses fcntl.

Ah, ok. I thought the docs implied they had to match exactly. Since we use 
procmail as an LDA, and occasionally pine (from uw-imap) which I believe 
supports fcntl, and openwebmail (not sure if fcntl is supported), I think 
we'll be safe with fcntl locking. Correct?

If you need me to test anything else, please let me know. Thanks!

Rob

More information about the dovecot mailing list