Postfix + dovecot + permissions hell

Hello,
I have set up a postfix/dovecot email service for my home (so, no virtual hosts, only system users and a local domain). The initial setup was on a 10.3 and after the upgrade I had some issues with IPv6. Other than that, the combination worked fine.
However, during the last weeks, email is not delivered to the mailboxes. The /var/log/mail is full of these messages:


Apr 26 10:08:17 server postfix/local[30791]: 53EAA70667: to=<tpe@server.home>, relay=local, delay=2119, delays=2119/0.04/0/0.14, dsn=4.3.0, status=deferred (temporary failure. Command output: Can't open log file /var/log/mails/dovecot-deliver-errors.log: Permission denied )

The files are:

drwxr-xr-x+ 2 root root 4096 Mar 25 07:58 mails
-rwxr-x---+ 1 root root    1 Apr 26 08:53 dovecot-deliver-errors.log
I tried adding ACLs to the directory and the log file (postfix user/group and dovecot user/group), but nothing changed. I even chmoded it to 777.

Again nothing. What could possibly be wrong?
The postconf -n output and the dovecot.conf file follow.

main.cf


alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_mime_output_conversion = no
disable_vrfy_command = yes
home_mailbox = Mail/
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 104857600
mydestination = $myhostname localhost.$mydomain localhost $mydomain
mydomain = home
myhostname = server.home
mynetworks = 127.0.0.0/8, 192.168.0.0/16
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost = smtp.tellas.gr
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/postfix-cert.pem
smtp_tls_key_file = /etc/postfix/ssl/postfix-key.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks,  permit_inet_interfaces, reject_plaintext_session
smtpd_data_restrictions = reject_unauth_pipelining,     permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,    reject_invalid_helo_hostname,   reject_unknown_helo_hostname,   reject_non_fqdn_helo_hostname,  reject_non_fqdn_hostname,    reject_invalid_hostname,        permit
smtpd_policy_service_max_idle = 30s
smtpd_recipient_restrictions = permit_mynetworks,       reject_invalid_hostname,        reject_non_fqdn_hostname,       reject_non_fqdn_sender, reject_non_fqdn_recipient,   reject_unknown_sender_domain,   reject_unknown_recipient_domain,        reject_unauth_destination,      reject_rbl_client list.dsbl.org,    reject_rbl_client zen.spamhaus.org       reject_rbl_client cbl.abuseat.org,      reject_rbl_client dul.dnsbl.sorbs.net,  reject_rbl_client bl.spamcop.net    permit
smtpd_sasl_auth_enable = no
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/postfix-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/postfix-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
strict_8bitmime = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

dovecot.conf


protocols = imaps managesieve
protocol managesieve {
  managesieve_logout_format = bytes ( in=%i : out=%o )
}
mail_debug = yes

log_path = /var/log/mails/imap
info_log_path = /var/log/mails/imap.info

ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem

mail_location = maildir:~/Mail
protocol imap {
  mail_plugin_dir = /usr/lib/dovecot/modules/imap
}

protocol pop3 {
  mail_plugin_dir = /usr/lib/dovecot/modules/pop3
}

protocol lda {
  postmaster_address = postmaster@home
  mail_plugins = sieve
  mail_plugin_dir = /usr/lib/dovecot/modules/lda
  sendmail_path = /usr/sbin/sendmail
  log_path = /var/log/mails/dovecot-deliver-errors.log
  info_log_path = /var/log/mails/dovecot-deliver.log
}

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
}

dict {
}

plugin {
  sieve_dir=~/Mail/.sieve
  sieve_storage=~/Mail/.sieve
}

You should either make postfix the owner of the file, or examine the ACL with getfacl to make sure that postfix really does have permission to open and write to the file.

Of course I have checked that! Even the directory has rwx for postfix. Remember, I tried the 777 as well!

Hmm, there seem to be some cautions about permissions for deliver, which is what is used when you specify an LDA. It’s not clear to me from reading this document whether it runs as the user or as root (which apparently deliver refuses to do). So since I have to go have dinner, I’ll wish you good luck reading this:

LDA - Dovecot Wiki

Also I don’t understand why you seem to feed deliver back into sendmail (which is actually postfix). Why don’t you just let postfix do the delivery itself. Your config seems unnecessarily complicated. Anyway good luck.

I have spent the last few days reading that document but with no luck. The reason I use Dovecot’s LDA is because I have to. According to the Dovecot wiki, you must use deliver if you want to use Sieve (like I do). Anyway, I hope that someone can help me.

You can use deliver from ~/.procmailrc. Then it runs as the user.

procmail is not an option. Anyway, I found the problem, not the solution. In brief, I set up an audit watch on the log file:


----
time->Wed Apr 28 15:19:58 2010
type=PATH msg=audit(1272457198.816:71): item=0 name="/var/log/mails/dovecot-deliver-errors.log" inode=294915 dev=fd:01 mode=0100777 ouid=51 ogid=51 rdev=00:00
type=CWD msg=audit(1272457198.816:71):  cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1272457198.816:71): arch=40000003 syscall=5 success=yes exit=6 a0=b7744d51 a1=8441 a2=180 a3=b7744d53 items=1 ppid=8853 pid=8856 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=2995 comm="deliver" exe="/usr/lib/dovecot/deliver" key=(null)

So, I believe that deliver tries to open the log file as uid=1000.
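The audit records above, worked through as an added example (this script is not part of the thread and is not Dovecot's or Postfix's code). It parses Linux audit PATH/SYSCALL records, pulls out the identity that performed the open (fsuid/fsgid, comm) and the file's mode and owner, and applies the classic owner/group/other write-bit check so the verdict can be compared with the kernel's own success= field. Event :71 is the pair of records from the post (mode 0777, after the chmod). Event :72 is a constructed record, assumed here, for the same open by deliver against the file as it was originally listed, -rwxr-x--- root:root. POSIX ACLs (the "+" in the ls listing) and supplementary groups are deliberately not modelled, so the verdict is the plain mode-bit answer only; a real system consults getfacl as well.

```shell
#!/bin/sh
# Added example, not code from the thread: reconstruct from Linux audit
# PATH/SYSCALL records which identity opened a file and whether the classic
# mode bits allow that identity to write it. ACLs and supplementary groups
# are not modelled (stated assumption).

# Constructed sample. Event :71 is the pair of records posted in the thread
# (after the chmod 777). Event :72 is hypothetical: the same open() by
# deliver against the file as originally listed, -rwxr-x--- root:root.
AUDIT_SAMPLE='type=PATH msg=audit(1272457198.816:71): item=0 name="/var/log/mails/dovecot-deliver-errors.log" inode=294915 dev=fd:01 mode=0100777 ouid=51 ogid=51 rdev=00:00
type=SYSCALL msg=audit(1272457198.816:71): arch=40000003 syscall=5 success=yes exit=6 a0=b7744d51 a1=8441 a2=180 a3=b7744d53 items=1 ppid=8853 pid=8856 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=2995 comm="deliver" exe="/usr/lib/dovecot/deliver" key=(null)
type=PATH msg=audit(1272457300.000:72): item=0 name="/var/log/mails/dovecot-deliver-errors.log" inode=294915 dev=fd:01 mode=0100750 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1272457300.000:72): arch=40000003 syscall=5 success=no exit=-13 a0=b7744d51 a1=8441 a2=180 a3=b7744d53 items=1 ppid=8853 pid=8856 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=2995 comm="deliver" exe="/usr/lib/dovecot/deliver" key=(null)'

# record TYPE EVENTID: print the record of that type for audit event EVENTID.
record() {
    printf '%s\n' "$AUDIT_SAMPLE" | grep "^type=$1 msg=audit([0-9.]*:$2):"
}

# field NAME RECORD: print the value of NAME=value (surrounding quotes stripped).
# Requiring a space or "(" before NAME keeps "uid=" from matching inside
# "auid=", "euid=", "suid=" or "fsuid=".
field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# write_allowed MODE OUID OGID FSUID FSGID: classic Unix DAC check of the
# write bit. MODE is the audit "mode=" value (e.g. 0100777); only its last
# three octal digits matter here. Prints "allow" or "deny".
write_allowed() {
    prefix=${1%???}
    perm=${1#"$prefix"}                           # 0100777 -> 777
    if   [ "$4" -eq 0 ];    then bits=2           # root: CAP_DAC_OVERRIDE
    elif [ "$4" -eq "$2" ]; then bits=${perm%??}  # owner class
    elif [ "$5" -eq "$3" ]; then bits=${perm#?}; bits=${bits%?}   # group class
    else                         bits=${perm#??}  # other class
    fi
    [ $(( bits & 2 )) -ne 0 ] && echo allow || echo deny
}

# explain EVENTID: join the PATH and SYSCALL records of one event and report
# who opened the file, the file's mode and owner, the mode-bit verdict and
# the kernel's own success= field for comparison.
explain() {
    p=$(record PATH "$1");     s=$(record SYSCALL "$1")
    name=$(field name "$p");   mode=$(field mode "$p")
    ouid=$(field ouid "$p");   ogid=$(field ogid "$p")
    fsuid=$(field fsuid "$s"); fsgid=$(field fsgid "$s")
    comm=$(field comm "$s");   ok=$(field success "$s")
    verdict=$(write_allowed "$mode" "$ouid" "$ogid" "$fsuid" "$fsgid")
    printf '%s opened %s as fsuid=%s fsgid=%s; mode %s owner %s:%s -> %s (audit success=%s)\n' \
        "$comm" "$name" "$fsuid" "$fsgid" "$mode" "$ouid" "$ogid" "$verdict" "$ok"
}

explain 71   # ... mode 0100777 owner 51:51 -> allow (audit success=yes)
explain 72   # ... mode 0100750 owner 0:0 -> deny (audit success=no)
```

Records like these come from a watch such as `auditctl -w /var/log/mails/dovecot-deliver-errors.log -p wa -k deliver`, read back with `ausearch -k deliver`. The useful signal is that uid, euid, suid and fsuid are all 1000 with no root identity anywhere in the record: Postfix's local(8) delivery agent runs mailbox_command with the privileges of the recipient user, so deliver opens the log file as that user, and the file's mode bits or ACL must grant write access to the recipients themselves (or the log must go to syslog) for the open to succeed.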

That would be the first user account on the system, and probably the recipient of the email.

Yes, I know that :)
It seems that deliver runs with suid. So, my options are really limited: either I add an ACL for the users (since only system users receive emails), or I drop the separate log files.

Or log to syslog instead of a file.

That’s what I am trying to configure. I use syslog-ng, so I believe that I can customize it and have 2 separate log files, one for postfix and one for dovecot. Anyway, if it’s possible, I will write the related How-to :)