[Dovecot] imap auto create mailbox: we're not in group 8(mail)
Dear List
Somehow I don't understand the intended work flow to have new mailboxes auto created. On login of a new user with no mailbox, I get
2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)
The imap process runs as the user the login performed and thus it has only the privileges of that user. This is good and desired, when a mailbox already exists. I do not want to allow all users to write to /var/mail, only they should write to their dirs inside /var/mail.
Same story for LMTP, if no mailbox exists yet:
2014-01-09 13:01:47 lmtp(20416, tester): Error: user tester: Initialization failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)
How can I configure the auto-create mailbox feature so that it works, run the LMTP and IMAP processes as user %u and group mail, and have the mailboxes created in /var/mail (example user tester) with the following permissions:
/var/mail:
drwxrwx--x root   mail   3072 Dec 18 01:43 .
drwx------ tester tester 1024 Jan 09 12:53 tester
...or do I need a different approach?
Thank you for helping me.
Best regards, Adrian.
My setup:
- Exim delivers to LMTP socket as user %u, group mail
- maildir storage in /var/mail
doveconf -n:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.3 ext3
auth_cache_negative_ttl = 0
auth_cache_size = 5 M
auth_cache_ttl = 4 hours
auth_failure_delay = 3 secs
auth_mechanisms = plain login digest-md5 cram-md5 apop rpa
auth_username_format = %n
auth_verbose = yes
auth_worker_max_count = 128
first_valid_gid = 1000
first_valid_uid = 1000
last_valid_gid = 60000
last_valid_uid = 60000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_location = maildir:/var/mail/./%u/:INDEX=MEMORY
mail_prefetch_count = 1024
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave vacation-seconds
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = scheme=SHA512-CRYPT username_format=%u /etc/cram-md5.pwd
  driver = passwd-file
}
plugin {
  sieve = /var/mail/%u/sieve/.dovecot.sieve
  sieve_before = /var/mail/%u/sieve/vacation.sieve
  sieve_dir = /var/mail/%u/sieve
  sieve_extensions = +vacation +vacation-seconds
  sieve_max_actions = 1024
  sieve_vacation_default_period = 12d
  sieve_vacation_max_period = 0
  sieve_vacation_min_period = 1d
}
postmaster_address = postmaster@XXXX
protocols = " imap lmtp sieve pop3"
service auth-worker {
  user = $default_login_user
}
service auth {
  group = mail-security
  unix_listener auth-client {
    mode = 0660
    user = Debian-exim
  }
  unix_listener auth-userdb {
    mode = 0666
  }
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 5
}
service lmtp {
  process_min_avail = 10
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service pop3 {
  process_limit = 256
}
ssl_cert = </etc/ssl/XXXX
ssl_cipher_list = DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:+TLSv1:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!SSLv2:!3DES:!DSS
ssl_key = </etc/ssl/XXXX
ssl_parameters_regenerate = 128 hours
userdb {
  args = blocking=no
  driver = passwd
  override_fields = home=/var/mail/%u mail=maildir:/var/mail/%u
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}
protocol imap {
  mail_max_userip_connections = 64
}
protocol pop3 {
  mail_max_userip_connections = 32
  pop3_client_workarounds = oe-ns-eoh
  pop3_save_uidl = yes
}
On Thu, 9 Jan 2014, Adrian Zaugg wrote:
The error says it all.

- See:

  # Group to enable temporarily for privileged operations. Currently this is
  # used only with INBOX when either its initial creation or dotlocking
  # fails.
  # Typically this is set to "mail" to give access to /var/mail.
  #mail_privileged_group =

  # Grant access to these supplementary groups for mail processes. Typically
  # these are used to set up access to shared mailboxes. Note that it may be
  # dangerous to set these if users can create symlinks (e.g. if "mail" group is
  # set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
  # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
  #mail_access_groups =

- chmod 1777 /var/mail

- pre-create your user dirs
Steffen Kaiser
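Two of the options in the reply above, pre-creating the user directories so the spool root never has to be writable by users, and checking for the symlink hazard the mail_access_groups comment warns about, as a small shell script. This is an added example, not code from the thread or from Dovecot: the spool root and user name are arguments (e.g. /var/mail tester), it assumes a Maildir layout with cur/new/tmp, and it changes ownership only when run as root and the target account exists.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): pre-create a per-user
# Maildir under a spool root so that the imap/lmtp process, running as the
# user, never needs write access to the spool root itself (which can then
# stay root:mail 0771 instead of 1777). Also lists symlinks that escape a
# user's directory, the hazard the mail_access_groups comment describes.
# Assumes a Maildir layout (cur/new/tmp); ROOT and USER are arguments.
set -eu

# precreate_maildir ROOT USER [OWNER]
# Creates ROOT/USER/{cur,new,tmp} with mode 0700 on ROOT/USER. Ownership is
# set to OWNER (defaults to USER) only when running as root and OWNER is a
# known account; otherwise the directories stay owned by the caller.
precreate_maildir() {
    root=$1; user=$2; owner=${3:-$2}
    (
        umask 077
        for d in cur new tmp; do
            mkdir -p "$root/$user/$d"
        done
    )
    chmod 0700 "$root/$user"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$owner" "$root/$user"
    fi
}

# dir_mode PATH -> octal mode such as 700 (GNU stat, with a BSD fallback)
dir_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# list_escaping_symlinks ROOT USER
# Prints "link -> target" for every symlink under ROOT/USER whose resolved
# target lies outside ROOT/USER. With the mail group granted through
# mail_access_groups, such a link lets the user reach other users' mail via
# the mail process, so the group should not be granted while any exist.
list_escaping_symlinks() {
    home=$(readlink -f "$1/$2")
    find "$home" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" || true)
        case "$target" in
            "$home"/*) ;;                      # stays inside the user dir
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Usage: sh precreate-maildir.sh /var/mail tester   (as root on the server)
if [ $# -ge 2 ]; then
    precreate_maildir "$1" "$2"
    list_escaping_symlinks "$1" "$2"
fi
```

Run once per account before the first IMAP login or LMTP delivery; the spool root itself is never touched, so its 0771 root:mail mode can stay as it is.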
Hi Steffen
On 09.01.14 13:36, Steffen Kaiser wrote:
> The error says it all.
Almost ...
If I understand you correctly, I can choose one of the three options you presented to me, right? If so: 3) I did until now. 2) no way. To 1): I now set mail_privileged_group = mail
drwxrwx--x 94 root mail 3072 Dec 18 01:43 /var/mail
But I still get the same error. The LMTP and IMAP processes still run under group %u when they try to create the mailbox. What's wrong?
Thank you for your help!
Best regards, Adrian.
participants (2)
- Adrian Zaugg
- Steffen Kaiser