Hi,

On 2015-09-19 16:17, Olaf Marzocchi wrote:
Dear Dovecot users, hello.
I will merge two issues I have into a single email because they may be related.

I used dovecot on an OmniOS server since 2014 (currently OmniOS
r151014) with the following configuration (it shows 2.2.18 because I
recently updated dovecot, skipping only the PostgreSQL plugin):

# 2.2.18: /etc/dovecot/dovecot.conf
# OS: SunOS 5.11 i86pc  zfs
mail_location = maildir:/tank/home/%u/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = </etc/dovecot/certs/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

You can see that I set the Maildir folder inside the shared home
folders of my server (it is only one user, anyway).
It always worked perfectly, but one or two months ago I changed the
permissions of my whole home folder, recursively, to add proper ACLs.
I needed them because the clients started using illumos kernel SMB
(relying on ACLs) instead of Netatalk/AFP (relying on Unix perms
only).
I didn't realise I applied the ACLs also to the Maildir folder.

Dovecot worked for several weeks fine, I noticed the issue only
yesterday when a mailbox (see below) appeared in Thunderbird
completely empty even if the "cur" subfolder on the server still
contains all the mails.

Dovecot was throwing some errors like:

dovecot: [ID 583609 mail.error] imap(olaf): Error:
rename(/tank/home/olaf/Maildir/.&A6k- Mailing
Lists.Log/dovecot.index.cache) failed: Permission denied
(euid=501(olaf) egid=501(olaf) UNIX perms appear ok (ACL/MAC wrong?))
dovecot: [ID 583609 mail.error] imap(olaf): Error:
rename(/tank/home/olaf/Maildir/.&A6k- Mailing
Lists.Log/dovecot.index.tmp, /tank/home/olaf/Maildir/.&A6k- Mailing
Lists.Log/dovecot.index) failed: Permission denied
dovecot: [ID 583609 mail.error] imap(olaf): Error:
unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: Permission
denied
dovecot: [ID 583609 mail.error] imap(olaf): Error:
rename(/tank/home/olaf/Maildir/subscriptions.lock,
/tank/home/olaf/Maildir/subscriptions) failed: Permission denied

I will post here the current permissions of the folder containing
Maildir, of the Maildir itself, of its contents, and of the folder
that appears empty when browsed with a client (Thunderbird).

/tank/home/olaf $ ls -lV ..
drwx------+ 16 olaf     olaf          17 Sep 19 01:52 olaf
              user:olaf:rwxpdDaARWcCos:fd-----:allow
       group:2147483648:rwxpdDaARWcCos:fd-----:allow
              everyone@:rwxpdDaARWcCos:fd-----:deny

/tank/home/olaf $ ls -lV
drwxrwx--- 348 olaf     olaf         359 Sep 19 01:51 Maildir
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow

/tank/home/olaf $ ls -lV Maildir/
drwxrwx---   2 olaf     olaf           2 Jan 30  2014 cur
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
-rwxrwx---   1 olaf     olaf          21 Jan 30  2014 dovecot-keywords
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
(ALL THE SAME PERMISSIONS FOR THE OTHER FILES EXCEPT...)
-rwxrwx---   1 olaf     olaf       13735 Jan 24  2015 subscriptions
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
-rw-rw---- 1 olaf olaf 13709 Sep 19 01:51 subscriptions.lock
                 owner@:rw-p--aARWcCos:-------:allow
                 group@:rw-p--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow

The folder that appears empty:

/tank/home/olaf $ ls -lV Maildir/.Generiche/
total 513
drwxrwx---   2 olaf     olaf         949 Sep 18 01:42 cur
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
-rwxrwx---   1 olaf     olaf          46 May 18  2014 dovecot-keywords
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
(ALL THE SAME PERMISSIONS FOR THE OTHER FILES)


I really hope you will have the time to help me because I already
applied the permissions recursively and I removed the ACLs, almost as
it was before my mistake.
I specified "almost" because originally (I checked the backups) the
Maildir folder had an ACL that gave access permissions also to the
group "mail":

drwxrwx---+349 olaf     olaf         359 Feb 16  2014 Maildir
             group:mail:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxpdDaARWcCos:fd----I:allow
                 group@:rwxpdDaARWcCos:fd----I:allow
              everyone@:rwxpdDaARWcCos:fd----I:deny

Yesterday I haven't replicated it because from the documentation I
understood it was not necessary.

From my view the permissions seem to be set correctly. I have to admit, it's been a while since I moved to virtual users, so I may be wrong here...

The log output also seems to support that permissions are correct.

Have you tried adding the group:mail:.... ACLs back?

Have you set mail_debug=yes or other more verbose logging settings?
http://wiki2.dovecot.org/Logging



My questions, in short:
- What are the permissions I need to give to the Maildir folder? I
understood from the documentation it's 700, with my user/group (the
one of the user accessing the mail). What about ACLs? And what about
group "mail"?
- The (only!) subfolder which appears empty in Thunderbird, may it
depend on the permissions? Maybe due to them the index was not updated
and UIDs don't match. If after applying the correct permissions I
still cannot see its contents, is there a way to recover the mails?
The files are all still there.

Sorry for the long email, but after several tries yesterday I
exhausted my ideas.

Regards,
Olaf

Regards,
Christian
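
One way to compare the two Maildir ACL listings quoted in this thread, as an added example that is not part of either poster's message: parse the compact `ls -V` entries and report which permissions the backup ACL allowed that the current one does not. The function names `parse_acl` and `lost_allows` are hypothetical; the sample entries are copied from the listings above.

```python
import re

# Compact permission letters in the order `ls -V` prints them (illumos/Solaris).
PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# who : 14 permission chars : 7 inheritance-flag chars : allow|deny
ACE_RE = re.compile(
    r"^\s*(?P<who>(?:owner|group|everyone)@|(?:user|group):[^:\s]+)"
    r":(?P<perms>[A-Za-z-]{14}):(?P<flags>[A-Za-z-]{7}):(?P<type>allow|deny)\s*$"
)

def parse_acl(text):
    """Map (who, type) -> (permission letters, flag letters) for each ACE line."""
    acl = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:  # the mode/owner line and blank lines are not ACEs and are skipped
            acl[(m["who"], m["type"])] = (set(m["perms"]) - {"-"},
                                          set(m["flags"]) - {"-"})
    return acl

def lost_allows(before, after):
    """Per principal, permissions allowed in `before` but not allowed in `after`."""
    report = {}
    for (who, kind), (perms, _flags) in before.items():
        now = after.get((who, "allow"), (set(), set()))[0]
        missing = [n for p, n in PERMS.items() if p in perms and p not in now]
        if kind == "allow" and missing:
            report[who] = missing
    return report

# Entries copied from the two Maildir listings quoted in this thread.
BACKUP = """drwxrwx---+349 olaf     olaf         359 Feb 16  2014 Maildir
             group:mail:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxpdDaARWcCos:fd----I:allow
                 group@:rwxpdDaARWcCos:fd----I:allow
              everyone@:rwxpdDaARWcCos:fd----I:deny"""
CURRENT = """drwxrwx--- 348 olaf     olaf         359 Sep 19 01:51 Maildir
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow"""

if __name__ == "__main__":
    for who, names in lost_allows(parse_acl(BACKUP), parse_acl(CURRENT)).items():
        print(f"{who}: no longer allowed: {', '.join(names)}")
```

The report only lists differences between the two listings; whether `rename()` or `unlink()` succeeds also depends on the ACL of the containing directory.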
