[Dovecot] SSL cert problems.
I'm really racking my brain trying to figure this one out here. I am running a pop3 server for remote offices on CentOS 5.2. We purchased a SSL cert from Verisign and installed it on our dovecot server, but I continue to get failure problems with the cert and I don't know where to go from here. here is some info about our config: dovecot version: # dovecot --version 1.0.7 hostname: pop.x10.com dovecot.conf: # dovecot -n # 1.0.7: /etc/dovecot.conf base_dir: /var/run/dovecot/ log_path: /var/log/dovecot.log protocols: pop3 pop3s ssl_ca_file: /etc/pki/verisign/intermediate_ca.cer ssl_cert_file: /etc/pki/dovecot/certs/pop.x10.com.cer ssl_key_file: /etc/pki/dovecot/private/pop.x10.com.key ssl_cipher_list: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 verbose_ssl: yes login_dir: /var/run/dovecot//login login_executable: /usr/libexec/dovecot/pop3-login mail_executable: /usr/libexec/dovecot/pop3 mail_plugin_dir: /usr/lib/dovecot/pop3 pop3_client_workarounds: outlook-no-nuls auth default: passdb: driver: pam userdb: driver: passwd and last but not least, here is my test from openssl. Mind you this fails as a "BAD" ssl cert in Evolution. :~$ openssl s_client -ssl2 -connect pop.x10.com:995 CONNECTED(0003) depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=21:unable to verify the first certificate verify return:1 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450: As you can see, the certificate clearly fails. I don't know how to make this work at this point. Any thoughts or advice would be greatly appreciated. -G
Re: [Dovecot] SSL cert problems.
Ok so I downloaded the intermediate ca cert thing onto my local machine as intca.cer. Then I ran this command: :~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995 CONNECTED(0003) depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA --- Server certificate -BEGIN CERTIFICATE- MIIFVDCCBDygAwIBAgIQP9qDpsFNkAq3EZsq5A0jTjANBgkqhkiG9w0BAQUFADCB sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA4MTIxMTAwMDAw MFoXDTA5MTIxMTIzNTk1OVowgccxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo aW5ndG9uMQ8wDQYDVQQHFAZSZW50b24xJjAkBgNVBAoUHVgxMCBXaXJlbGVzcyBU ZWNobm9sb2d5LCBJbmMuMR8wHQYDVQQLFBZJbmZvcm1hdGlvbiBUZWNobm9sb2d5 MTMwMQYDVQQLFCpUZXJtcyBvZiB1c2UgYXQgd3d3LnZlcmlzaWduLmNvbS9ycGEg KGMpMDUxFDASBgNVBAMUC3BvcC54MTAuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQDJGXMMLkbyNDIVzNv4IB00qqEp8Pg5f2zWU8uzL52w37JHLmAzfExu HU+6vQqMip65QEEefqRh9rrsKWzMHC3ecQ1H3Ca6CDxwSbGLk1FjWafDLK2Ms1+w chOkym9RvURMGn8IKQag1KQ8mZtPGM5z+50O6A6YHaLQUNVGW1mJ8wIDAQABo4IB 0zCCAc8wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRAYDVR0fBD0wOzA5oDegNYYz aHR0cDovL1NWUlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUu Y3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0 cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwHwYDVR0jBBgwFoAUb+yvoN2KpO/1KhBnLT9VgrzX7yUweQYIKwYB BQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20w QwYIKwYBBQUHMAKGN2h0dHA6Ly9TVlJTZWN1cmUtYWlhLnZlcmlzaWduLmNvbS9T VlJTZWN1cmUyMDA1LWFpYS5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJ aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYk aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEB BQUAA4IBAQA70R4JDVgQF7Rz/l26G0smMR2qjj3iOfggXOiE1zHVtyzWb/Q2yrIV kTkC558w73rE0/ScqFKa2HDHm3d6OHWXNRgr+2MW8rtuwFPaPko6mYkWeRE4a3HP VFE2iNOYfx5n5yovQOUbKOKn9jBnJu8L7+mVjmtdLTMLo6yKynrxCMOXrmHI4AkK QZgySYbm4JqkTz8+CPnT75bXAJdsFmqMiq3wTKDI2GbEGdCLEupCEEMcDi2mb/zA UQbon3cgfDGfkCKd91SzJT86c1IGStHNiuwgOHsM/cAmTobICdBeooBBGQlGZPZ1 E6ehkR3x1HVzD53zpE/rH4ejjhHZ3I02 -END CERTIFICATE- subject=/C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA --- No client certificate CA names sent --- SSL handshake has read 1964 bytes and written 317 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : SSLv3 Cipher: DHE-RSA-AES256-SHA Session-ID: F5FDC92F3DFEE11EABFECEF9ACAEA69F6E34B18A0DAEC225EE6C18398E86B418 Session-ID-ctx: Master-Key: E81D48B88F493F4BD35353079B7A596993D42C3E711F2E4DB79305E69C9D0CF97ED4A88941FE42B3BE012A3D507827C8 Key-Arg : None Compression: 1 (zlib compression) Start Time: 1230103587 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- +OK Dovecot ready. And I still get those errors. Any thoughts? -G On Tue, 2008-12-23 at 23:46 -0500, Sahil Tandon wrote: > Geoff Sweet wrote: > > > and last but not least, here is my test from openssl. Mind you this > > fails as a "BAD" ssl cert in Evolution. > > > > :~$ openssl s_client -ssl2 -connect pop.x10.com:995 > > Try -ssl3 here; you'll see more. > > > CONNECTED(0003) > > depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, > > Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa > > (c)05/CN=pop.x10.com > > verify error:num=20:unable to get local issuer certificate > > verify return:1 > > depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, > > Inc./OU=Information Technolog
Re: [Dovecot] SSL cert problems.
Oh, ok once I added the -CAfile change the cert verifies without issue. openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995 -quiet depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority verify return:1 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify return:1 +OK Dovecot ready. So does that mean I need to install the intermediate cert on all my clients that will be accessing this server? That's going to be a bit of a PITA... -Geoff On Wed, 2008-12-24 at 15:26 -0500, Sahil Tandon wrote: > Geoff Sweet wrote: > > > Ok so I downloaded the intermediate ca cert thing onto my local machine > > as intca.cer. Then I ran this command: > > > > :~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995 > > You're pointing to a *file* so you need -CAfile; not -CApath. But even > after making that change, there appears to be a problem with your cert. > To test, I downloaded common root certificates from the curl website and > placed them in ~/CA. Then, the gmail cert verifies just fine: > > % openssl s_client -ssl3 -CAfile ~/CA/cacert.pem -connect pop.gmail.com:995 > -quiet > depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority > verify return:1 > depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com > verify return:1 > +OK Gpop ready for requests from 74.72.46.40 5pf1417126ywl.17 > > However, your server cert still fails. This may be related to the > intermediate cert you define in dovecot.conf. I also noticed the zlib > compression is turned on, whereas it is disabled on my own and many > other POP and IMAP servers I tested. > > This does not appear to be a dovecot issue; perhaps try the OpenSSL > mailing list? >
Re: [Dovecot] SSL cert problems.
So my conf looks similar to yours: # Disable SSL/TLS support. #ssl_disable = no ssl_cert_file = /etc/pki/dovecot/certs/pop.x10.com.cer ssl_key_file = /etc/pki/dovecot/private/pop.x10.com.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. #ssl_key_password = # File containing trusted SSL certificate authorities. Usually not needed. # The CAfile should contain the CA-certificate(s) followed by the matching # CRL(s). CRL checking is new in dovecot .rc1 ssl_ca_file = /etc/pki/verisign/intermediate_ca.cer # Request client to send a certificate. #ssl_verify_client_cert = no and the ssl_ca_file is a copy and past from this: http://www.verisign.com/support/verisign-intermediate-ca/extended-validation/index.html Yet the cert still doesn't work. And the OpenSSL people are telling me this is an issue with my application, dovecot. For reference this is all that is in my /etc/pki/verisign/intermediate_ca.cer: -BEGIN CERTIFICATE- MIIFEzCCBHygAwIBAgIQV7/7A/ssRtThns7g10N/EzANBgkqhkiG9w0BAQUFADBf MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8 RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/ Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB AAGjggHeMIIB2jAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0 dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjBt BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIa BBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5j b20vdnNsb2dvLmdpZjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7Lvw MAnzQzn6Aq8zMTMwNAYDVR0lBC0wKwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBBggr BgEFBQcDAQYIKwYBBQUHAwIwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVT MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJs aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7 A8y6vzANBgkqhkiG9w0BAQUFAAOBgQCpe2YpMPfVtKaWEtDucvBYEWkVVV9B/9IS hBOk2QNm/6ngTMntjHKLtNdVOykVYMg8Ie9ELpM9xgsMjSQ/HvsBWnrdg2YU0cf9 MFNIUYWFE6hU4e52ookY05eJesb9s72UYVo6CM8Uk72T/Qmpe1bIALhEWOneW3e9 BxxsCzAwxw== -END CERTIFICATE- Like I said, just a copy and paste from the Verisign site. Any thoughts? -Geoff
Re: [Dovecot] SSL cert problems.
Ok, how about from a little different approach. How do I get debugging out of this thing? I followed this: http://wiki.dovecot.org/Logging But I certainly don't consider what it produced in the way of output something I could consider "debug" logging. It never even once logged anything like directories it was looking in for SSL stuff, or acknowledged my connection with more then "TLS" in the connection line. How do I get more logging out? -G On Mon, 2008-12-29 at 16:54 -0500, Sahil Tandon wrote: > Egbert Jan van den Bussche wrote: > > > Still strange that Verisign is not already in your cert. store. Most > > browsers seem to have Verisign. I'm used to the fact that my CA (Cacert) is > > not included, being a small free CA. I often have to import class3 and root > > cert. which is not a big deal after all. > > The root verisign cert is likely in his cert store; however, the > *intermediate* cert is not; that is expected to be on the server. >
[Dovecot] Permissions errors while reading messages via IMAP
Greetings all, I have been trying to setup a new system using Postfix and Dovecot to manage email for a bunch of virtual domains. So far everything is great, and I am now at the point where I am trying to build a webmail interface for the system. I'm using RoundCube for now. The tutorial I have been working from is here: http://workaround.org/articles/ispmail-etch/ Which seems to be a decent enough read. At this point I can login without issue but I can't see any mail messages. When I login, dovecot throws errors like this: Dec 23 12:08:49 mail1 dovecot: auth(default): client out: OK1 user=geoff.sw...@test.com Dec 23 12:08:49 mail1 dovecot: auth(default): master in: REQUEST1 43121 Dec 23 12:08:49 mail1 dovecot: auth(default): master out: USER 1 geoff.sw...@test.comuid=5000gid=5000 home=/home/vmail/test.com/geoff.sweet Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): Effective uid=5000, gid=5000, home=/home/vmail/test.com/geoff.sweet Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): maildir: data=/home/vmail/test.com/geoff.sweet/Maildir Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): maildir++: root=/home/vmail/test.com/geoff.sweet/Maildir, index=, control=, inbox=/home/vmail/test.com/geoff.sweet/Maildir Dec 23 12:08:49 mail1 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.20.11, lip=192.168.20.12 Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): Disconnected: Logged out bytes=39/431 Dec 23 12:08:49 mail1 dovecot: auth(default): new auth connection: pid=4315 Dec 23 12:08:49 mail1 dovecot: auth-worker(default): sql(geoff.sw...@test.com,192.168.20.11): query: SELECT email as user, password FROM view_mailboxes WHERE email='geoff.sw...@test.com'; Dec 23 12:08:49 mail1 dovecot: auth(default): client in: AUTH 1 PLAIN service=imaplip=192.168.20.12 rip=192.168.20.11 lport=143 rport=43878 resp=AGdlb2ZmLnN3ZWV0QHdob290aXMuY29tAGJvYjEyMzQ1 Dec 23 12:08:49 mail1 dovecot: auth(default): client out: OK1 user=geoff.sw...@test.com Dec 23 12:08:49 mail1 dovecot: auth(default): master in: REQUEST2 43111 Dec 23 12:08:49 mail1 dovecot: auth(default): master out: USER 2 geoff.sw...@test.comuid=5000gid=5000 home=/home/vmail/test.com/geoff.sweet Dec 23 12:08:49 mail1 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.20.11, lip=192.168.20.12 Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): Effective uid=5000, gid=5000, home=/home/vmail/test.com/geoff.sweet Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): maildir: data=/home/vmail/test.com/geoff.sweet/Maildir Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): maildir++: root=/home/vmail/test.com/geoff.sweet/Maildir, index=, control=, inbox=/home/vmail/test.com/geoff.sweet/Maildir Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): Namespace : Using permissions from /home/vmail/test.com/geoff.sweet/Maildir: mode=0700 gid=-1 Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com): open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot-uidlist) failed: Permission denied Dec 23 12:08:49 mail1 last message repeated 2 times There is some permission issue that allows dovecot to deliver email to the /home/vmail location (I dislike this location and want to change it) via the dovecot LDA process, but then not be able to read it when accessed via IMAP. I'm very confused lol. Dovecot version 1.2.9 dovecot -n: # 1.2.9: /etc/dovecot.conf # OS: Linux 2.6.18-164.6.1.el5 i686 CentOS release 5.4 (Final) ext3 login_dir: /var/run/dovecot/login login_executable(default): /usr/libexec/dovecot/imap-login login_executable(imap): /usr/libexec/dovecot/imap-login login_executable(pop3): /usr/libexec/dovecot/pop3-login login_greeting: Dovecot ready. mail_location: maildir:/home/vmail/%d/%n/Maildir mail_debug: yes mail_executable(default): /usr/libexec/dovecot/imap mail_executable(imap): /usr/libexec/dovecot/imap mail_executable(pop3): /usr/libexec/dovecot/pop3 mail_plugin_dir(default): /usr/lib/dovecot/imap mail_plugin_dir(imap): /usr/lib/dovecot/imap mail_plugin_dir(pop3): /usr/lib/dovecot/pop3 lda: log_path: /home/vmail/dovecot-deliver.log auth_socket_path: /var/run/dovecot/auth-master postmaster_address: postmas...@test.com mail_plugins: global_script_path: /home/vmail/globalsieverc auth default: mechanisms: plain login debug: yes debug_passwords: yes passdb: driver: sql args: /etc/dovecot/dovecot-sql.conf userdb: driver: static args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes socket: type: listen c
Re: [Dovecot] Permissions errors while reading messages via IMAP
Delivery doesn't seem to be the issue. The issue appears to be reading the
mail later on.
Here is my master.cf line for dovecot:
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d
${recipient}
and as you can see, the files in the delivery location have the correct
permissions for being delivered by user "vmail":
# ls -la
total 64
drwx-- 5 vmail vmail 4096 Dec 23 12:11 .
drwx-- 3 vmail vmail 4096 Dec 21 17:41 ..
drwx-- 2 vmail vmail 4096 Dec 21 17:41 cur
-rw--- 1 vmail vmail 224 Dec 22 00:01 dovecot.index
-rw--- 1 vmail vmail 572 Dec 23 11:51 dovecot.index.log
-rw--- 1 vmail vmail 472 Dec 23 11:51 dovecot-uidlist
drwx-- 2 vmail vmail 4096 Dec 23 11:51 new
drwx-- 2 vmail vmail 4096 Dec 23 11:51 tmp
The errors appear when I login via IMAP and try to read the messages.
-Geoff
From: Timo Sirainen [...@iki.fi]
Sent: Wednesday, December 23, 2009 1:03 PM
To: Geoff Sweet
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] Permissions errors while reading messages via IMAP
On Wed, 2009-12-23 at 12:18 -0800, Geoff Sweet wrote:
> Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com):
> open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log) failed:
> Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)
..
> There is some permission issue that allows dovecot to deliver email to the
> /home/vmail location (I dislike this location and want to change it) via the
> dovecot LDA process, but then not be able to read it when accessed via IMAP.
> I'm very confused lol.
Apparently you want the emails to be owned by vmail:vmail, but you're
running deliver as something else than vmail and the resulting files
won't be owned by vmail:vmail..
So you're calling deliver wrong from Postfix. Your master.cf probably
has dovecot pipe, it should have user=vmail:vmail.
Re: [Dovecot] Permissions errors while reading messages via IMAP
Appears to be an SELinux issue. I checked it out with audit2allow and
discovered several items that needed tweaking. Here is the result of my te
file:
# cat DovecotDelivery.te
module DovecotDelivery 1.0;
require {
type sysadm_passwd_t;
type postfix_spool_t;
type user_home_dir_t;
type dovecot_auth_t;
type user_home_t;
type var_spool_t;
type dovecot_t;
type mysqld_etc_t;
type dovecot_var_run_t;
type mysqld_port_t;
type system_mail_t;
class process setcap;
class tcp_socket name_connect;
class dir { search setattr };
class file { rename execute read lock write getattr unlink };
}
#= dovecot_auth_t ==
allow dovecot_auth_t mysqld_etc_t:file { read getattr };
allow dovecot_auth_t mysqld_port_t:tcp_socket name_connect;
#= dovecot_t ==
allow dovecot_t dovecot_var_run_t:dir setattr;
allow dovecot_t self:process setcap;
allow dovecot_t user_home_dir_t:file { rename write getattr read lock unlink };
#= sysadm_passwd_t ==
allow sysadm_passwd_t postfix_spool_t:dir search;
allow sysadm_passwd_t var_spool_t:dir search;
#= system_mail_t ==
allow system_mail_t user_home_t:file execute;
Some of that is left over from a previous attempt to get this working. It all
seems to be fine once I load that module.
-Geoff
From: Timo Sirainen [...@iki.fi]
Sent: Wednesday, December 23, 2009 1:26 PM
To: Geoff Sweet
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] Permissions errors while reading messages via IMAP
On Wed, 2009-12-23 at 13:13 -0800, Geoff Sweet wrote:
> and as you can see, the files in the delivery location have the correct
> permissions for being delivered by user "vmail":
> # ls -la
> total 64
> -rw--- 1 vmail vmail 572 Dec 23 11:51 dovecot.index.log
What about this:
> Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sw...@test.com):
> open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)
> failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing
> +r perm: /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)
Is that file also owned by vmail:vmail? The error message shows that
vmail user doesn't have read access to the file. If that file is also
owned by vmail, I have only two ideas:
a) You have multiple vmail users. See that ls -ln shows the uids to be
actually 5000 and not something else.
b) SELinux or something similar is preventing the access to the files.
