On Thu, Apr 3, 2014 at 9:12 AM, /dev/rob0 <r...@gmx.co.uk> wrote:
> On Thu, Apr 03, 2014 at 07:26:09AM -0400, Jeffrey Walton wrote:
>> I've been suffering a permission problem in Postfix/Dovecot for a
>> couple of days now. The setup is using virtual domains and users,
>> so the path to user's `home` is `/var/mail/<domain>/<user>`; and
>> the path to `MailDir` is `/var/mail/<domain>/<user>/MailDir`
>>
>> The mail logs continue to show a *Permission Denied*:
>>
>> Apr 3 05:44:16 debian-x2 postfix/virtual[5670]: D6DDD1780100:
>> to=<j...@deltoid.com>,
>> relay=virtual, delay=0.15, delays=0.1/0.01/0/0.04, dsn=4.2.0,
>> status=deferred
>> (maildir delivery failed: create maildir file
>> /var/mail/deltoid.com/jeff/Maildir/tmp/1396518256.P5670.debian-x2:
>> Permission denied)
>>
>> Permissions are as follows:
>>
>> # ls -l /var/mail/
>
> Also "ls -ld /var/mail" and same for /var; either parent directory
> could block permission.
>
> Another thing: /var/mail is traditionally used for system mail,
> making it a bad choice for virtual mail. I would suggest "vmail",
> whether under /var or /home, depending on your resources.

OK, thanks. Naively, it's all mail so it all goes in /var/mail. I'll get that fixed.

...
>> -rw-rw---- 1 nobody mail 80586 Apr 2 07:45 nobody
>
> See, there you have a local(8) mbox. Keep those separate. Perhaps
> also virtually alias your system mail to virtual mailboxes. Less
> secure to have everything under one UID/GID, but it's simpler to
> maintain.

I don't even use that feature. I look for trouble in log files, not within a computer's local email. They could go away for all I care :)

...
>> `postfix` and `dovecot` are both in the `vmail` group:
>>
>> # members vmail
>> vmail postfix dovecot
>
> BAD idea. The "postfix" user should not share any groups. As for
> "dovecot", I think the same is true, but check the Dovecot wiki for
> definitive answers.

OK, this is a trouble spot for me. There's a shared resource (/var/vmail and friends), and four different programs need access to it (Postfix, Dovecot, Clam, and SpamAssassin). I don't know how to do it any other way (unless I am supposed to use Linux ACLs via setfacl(1)). This is where the lack of guidance on integration becomes a pain point. (And the reason I am trolling blogs and mini-HowTos looking for information.)

...
>> Two questions:
>>
>> 1. What is wrong with the current permissions?
>>
>> 2. What are the permissions supposed to be?
>
> The virtual_uid_maps user or virtual_gid_maps group needs to have
> "rwx" on virtual_mailbox_base, in the most common use case of
> "static:" maps for virtual_?id_maps.
>
> Better answer: this is basic Unix. You know the UID and GID of
> virtual(8) as it delivers. Permit rwx for the virtual process.

Agreed, but I don't claim expertise on Linux permissions (my apologies). I do know how to keep others out of my home directory, but that's about it. (Windows is a different story, and the programs I write set the ACL and ACEs at startup to save the Admin and User from these problems ;)

>> My apologies for the basic question. Many of the blog posts,
>> tutorials and Mini-HowTos are just not working as advertised.
>
> Of course not. Why would they?

Well, I guess I don't understand why someone would publish something that is wrong or broken. Unfortunately, I don't know enough about the *nix email components and their integration to know who is BS'ing me.

> If you want to know how to configure
> any given software package, consult its documentation.
>
> http://www.postfix.org/VIRTUAL_README.html

OK, thanks. I did buy a book from Amazon, but it has not arrived.

The really sad thing is I know a couple of ISPs that are using something like 0777 in an effort to avoid the problems I'm experiencing (permission problems during integration). When I got a shell on a couple of those systems, I could move among other mailboxes. Hence the reason I want to begin hosting my own stuff.

Thanks again for the help.

Jeff
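The rule rob0 gives above (the virtual_uid_maps/virtual_gid_maps identity needs rwx on the maildir, and every parent must be traversable) as an added check script that is not part of this thread: it walks from / down to a Maildir directory and reports, per component, whether the delivery uid/gid gets x on the parents and rwx on the target, which is the answer to "what is wrong with the current permissions" without resorting to 0777. The uid/gid 5000 and the /var/vmail path are assumptions, and GNU coreutils `stat -c` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: does the uid/gid that postfix/virtual(8)
# delivers as reach and write a maildir? GNU coreutils `stat -c` is assumed.

# perm_ok MODE OWNER_UID OWNER_GID WANT UID [GID...]
# MODE is octal as printed by stat (e.g. 750); WANT is a string of r/w/x that
# must all be granted to UID, whose groups are the listed GIDs. As in the
# kernel, exactly one triplet applies: owner, else group, else other.
perm_ok() {
    mode=$1; ouid=$2; ogid=$3; want=$4; uid=$5; shift 5
    [ "$uid" -ne 0 ] || return 0          # root bypasses mode bits (simplification)
    if [ "$uid" -eq "$ouid" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    else
        bits=$(( 0$mode & 7 ))
        for g in "$@"; do
            if [ "$g" -eq "$ogid" ]; then
                bits=$(( (0$mode >> 3) & 7 )); break
            fi
        done
    fi
    case $want in *r*) [ $((bits & 4)) -ne 0 ] || return 1;; esac
    case $want in *w*) [ $((bits & 2)) -ne 0 ] || return 1;; esac
    case $want in *x*) [ $((bits & 1)) -ne 0 ] || return 1;; esac
    return 0
}

# check_path TARGET_DIR UID [GID...]: parents need x (traversal) for the delivery
# uid; the target (e.g. .../Maildir/tmp) needs rwx so virtual(8) can create files.
check_path() {
    target=${1%/}; uid=$2; shift 2
    gids=$*; cur=""; status=0
    oldifs=$IFS; IFS=/; set -- $target; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        info=$(stat -c '%a %u %g' "$cur") || { echo "$cur: cannot stat"; return 1; }
        set -- $info                       # mode owner-uid owner-gid
        if [ "$cur" = "$target" ]; then want=rwx; else want=x; fi
        if perm_ok "$1" "$2" "$3" "$want" "$uid" $gids; then v=ok; else v=MISSING; status=1; fi
        printf '%-45s %4s uid=%-5s gid=%-5s need=%-3s %s\n' "$cur" "$1" "$2" "$3" "$want" "$v"
    done
    return $status
}

# e.g. sh check_vmail_path.sh /var/vmail/deltoid.com/jeff/Maildir/tmp 5000 5000
if [ $# -ge 2 ]; then
    check_path "$@"
fi
```

A line marked MISSING is the component that produces the "Permission denied" in the log above; fix that directory's owner, group or mode for the virtual delivery identity rather than widening it for everyone.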