Managesieve problem
Hi,
I'm trying to set up managesieve (for RoundCube) - sieve itself works well with dovecot (I mean my filters work perfectly).
When I try to connect to managesieve, I get an error, and mail.err contains:
dovecot: managesieve(airween@mydomain.hu): Error: user airween@madomain.hu: Couldn't drop privileges: getgrnam(vmail) failed: Permission denied (in mail_privileged_group setting)
I also get it when I try to connect to port 4190 on localhost (with telnet) and send the generated AUTH string (with sieve-auth-command.pl).
Could anybody help me explain this message?
Thanks,
a.
On 01/02/2019 13:39, Ervin Hegedüs wrote:
Hi Ervin
it can often help if you give versions of the dovecot and pigeonhole as well as posting the config (dovecot -n) since people may be able to spot configuration errors.
It may be an obvious thing, but do you have a vmail group in /etc/group?
John
Hi John,
On Sun, Feb 03, 2019 at 09:56:38AM +0100, John Fawcett wrote:
sorry, you're right, I forgot it :(
2.2.13: /etc/dovecot/dovecot.conf
OS: Linux 3.16.0-4-amd64 x86_64 ext4
auth_mechanisms = plain login
mail_location = maildir:/var/spool/postfix/virtual/%d/%n
mail_privileged_group = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  args = /etc/dovecot/dovecot-sql.conf
  quota = maildir:User quota
  quota_rule = *:storage=500M
  quota_rule2 = Trash:storage=+50M
  quota_rule3 = spam:ignore
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = sieve
}
protocol lda {
  mail_plugins = quota sieve
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugin_dir = /usr/lib/dovecot/modules
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
> It may be an obvious thing, but do you have a vmail group in /etc/group?
sure,
getent group | grep vmail
daemon:x:1:vmail
vmail:x:5000:vmail
thanks,
a.
On 2/3/19 2:09 PM, Hegedüs Ervin wrote:
Checking further, the managesieve-login process is chrooted by default. I wonder if it can then read /etc/group. Are you using mail_privileged_group because the permissions on your mail storage directories would not otherwise allow them to be accessed? If not, you could try to just set mail_privileged_group to blank and restart dovecot.
John
Hi John,
On Sun, Feb 03, 2019 at 04:44:44PM +0100, John wrote:
thanks for your detailed message,
> Checking further, the managesieve-login process is chrooted by default.
yes, I read it - but is there any way (and meaning) to configure it for not-chroot?
yes... I guess :)
> If not you could try to just set mail_privileged_group to blank and restart dovecot.
I left it blank, restarted Dovecot, and now it works as well.
Thanks again for your help.
a.
On 03/02/2019 18:51, Ervin Hegedüs wrote:
So in your case, if everything including imap logins and operations is working fine without mail_privileged_group then I guess you don't really need it there. If you had needed it, I'm not 100% sure how the issue could have been resolved. You could have tried not to chroot by putting
chroot =
in the service managesieve-login section of your config, but even if it worked it's not a great solution.
I checked on dovecot 2.2.36: I don't have any issue with a non-blank mail_privileged_group when logging into managesieve.
John
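
The question raised in the thread, whether the storage permissions actually require mail_privileged_group, can be checked from the directory's mode bits. The following is an added example, not code from the thread or from Dovecot; it models classic Unix mode bits only (no ACLs), gid 5000 is taken from the getent output above, and uid 5000, gid 8 and the sample directory modes are constructed assumptions.

```python
import os

def can_write_dir(st_mode, st_uid, st_gid, uid, gids):
    """True if a process with this uid and gid set may create files in a
    directory with the given mode/owner (needs write + search bits).
    The kernel picks exactly one class: owner, then group, then other."""
    if uid == 0:
        return True
    if uid == st_uid:
        shift = 6            # owner bits apply, even if they deny
    elif st_gid in gids:
        shift = 3            # group bits apply, even if 'other' would allow
    else:
        shift = 0
    return (st_mode >> shift) & 0o3 == 0o3   # w (2) and x (1) both set

def needs_privileged_group(st_mode, st_uid, st_gid, uid, primary_gid, priv_gid):
    """True only when the directory is writable with priv_gid as an extra
    group but not with the primary gid alone, i.e. when leaving
    mail_privileged_group blank would break access to it."""
    without = can_write_dir(st_mode, st_uid, st_gid, uid, {primary_gid})
    with_priv = can_write_dir(st_mode, st_uid, st_gid, uid,
                              {primary_gid, priv_gid})
    return with_priv and not without

def check_path(path, uid, primary_gid, priv_gid):
    """Run the check against a real directory on disk."""
    st = os.stat(path)
    return needs_privileged_group(st.st_mode, st.st_uid, st.st_gid,
                                  uid, primary_gid, priv_gid)

# Constructed samples: (mode, owner uid, owner gid, privileged gid)
SAMPLES = {
    # per-user maildir owned by the mail uid itself: group is irrelevant
    "maildir 0700 5000:5000": (0o700, 5000, 5000, 5000),
    # shared spool owned root:mail (gid 8 assumed), setgid + group-writable
    "spool 2775 root:mail": (0o2775, 0, 8, 8),
    # directory the mail uid cannot write to either way
    "dir 0755 root:root": (0o755, 0, 0, 8),
}

if __name__ == "__main__":
    for name, (mode, o_uid, o_gid, priv) in SAMPLES.items():
        verdict = needs_privileged_group(mode, o_uid, o_gid, 5000, 5000, priv)
        print(f"{name}: privileged group needed = {verdict}")
```

On a real server, `check_path()` would be called with the resolved mail_location directory and the uid/gid returned by the userdb lookup.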