
I set up sieve for the first time on a Debian machine running postfix/dovecot/lmtp. It works, however I want to clear up an error I've been getting:

```
lmtp(joeblow)<17980><GG5KL91cf188RgAAajKqBA>: Error: sieve: binary save: failed to create temporary file: open(/var/lib/dovecot/sieve/default.svbin.) failed: Permission denied (euid=1008(joeblow) egid=1009(joeblow) missing +w perm: /var/lib/dovecot/sieve, dir owned by 0:0 mode=0755)
lmtp(joeblow)<17980><GG5KL91cf188RgAAajKqBA>: Error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries; global Sieve scripts like '/var/lib/dovecot/sieve/default.sieve' need to be pre-compiled using the sievec tool
```

AFAICT, it's coming in when an email is received. I'm not entirely sure I need the lda if I have lmtp but I really don't know what I'm doing so not sure what to do at all. It took me a while to figure this configuration out and I did it several days ago.

My 90-sieve.conf file:

```
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/sieve/default.sieve
  sieve_default_name = Defaults
  sieve_global = /var/lib/dovecot/sieve
  sieve_user_log = ~/.dovecot.sieve.log
}
```

```
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-11-cloud-amd64 x86_64 Debian 10.6
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/sieve/default.sieve
  sieve_default_name = Defaults
  sieve_global = /var/lib/dovecot/sieve
  sieve_user_log = ~/.dovecot.sieve.log
}
protocols = " imap lmtp sieve pop3 sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0666
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 1
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 1
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service pop3 {
  process_limit = 1024
}
service submission {
  process_limit = 1024
}
ssl_cert = </opt/bitnami/letsencrypt/certificates/email.example.org.crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}
```

StevieD

1 Answer


Let's unpack this error message:

> lmtp(joeblow)<17980>:

This is the LMTP service talking to you

> error: sieve: The LDA Sieve plugin does not have permission to save global Sieve script binaries;

You are applying some sieve filtering globally, and the LMTP service (more specifically, the delivery part, hence the LDA term) is configured to call sieve filtering, which in turn is currently unable to write binary caches of the global scripts.

> global Sieve scripts like '/var/lib/dovecot/sieve/default.sieve' need to be pre-compiled using the sievec tool

This is precisely what you can do to resolve this - compile your file:

```
sievec /var/lib/dovecot/sieve/default.sieve
```

That will create a binary cache of that file in /var/lib/dovecot/sieve/default.svbin that can be used by the sieve plugin.

Dovecot could have called this automatically, but your file permissions prohibit it (rightfully so in your setup, as authentication via PAM means users log in as themselves, as indicated in the euid= hint above). Hence you just have to call sievec manually.

anx
    I had already run sievec manually and the default.svbin file already exists. I want those sieve rules to be automatically applied to the user's incoming email. – StevieD Oct 10 '20 at 16:06
    I think probably what I should be doing is setting up a default sieve file in the user's directory that is copied over from /etc/skel. – StevieD Oct 10 '20 at 16:13
    Interestingly, in my case, I got that cryptic message too but was baffled at _why_ `sievec` had to be run again on a file that allegedly had been compiled quite a while ago. As it turns out, the `xxx.sieve` file that was the source of complaints was _corrupted_ beyond repair — I must have overwritten it by mistake. It turns out that Dovecot noticed that, tried to re-compile the file, but failed due to the read-only filesystem restrictions... So neither the filesystem, nor Dovecot, nor `sievec`, nor even `systemd` were to blame — just me! – Gwyneth Llewelyn Oct 27 '21 at 19:00
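
A check for the situation discussed in the answer and in the last comment, as an added example that is not part of the original posts: it lists global Sieve scripts that the delivering user would try, and fail, to compile at delivery time. The function name `stale_sieve_binaries` is hypothetical, and the script assumes a `.svbin` needs rebuilding when it is missing or older than its `.sieve` source.

```shell
#!/bin/sh
# Added example (not from the original posts): find global Sieve scripts
# whose compiled .svbin is missing or older than the .sieve source, so they
# can be pre-compiled with sievec by an account allowed to write there.

# stale_sieve_binaries DIR
#   Prints "<reason> <path>" for every script that needs sievec.
#   Returns 0 if all binaries are current, 1 if any need compiling,
#   2 if DIR is not a directory.
stale_sieve_binaries() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    rc=0
    for src in "$dir"/*.sieve; do
        [ -f "$src" ] || continue        # glob matched nothing
        bin="${src%.sieve}.svbin"
        if [ ! -f "$bin" ]; then
            echo "missing $src"          # never compiled
            rc=1
        elif [ -n "$(find "$src" -newer "$bin")" ]; then
            echo "stale $src"            # source edited after last compile
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: pass the global script directory as the only argument,
# e.g. /var/lib/dovecot/sieve from the configuration above.
[ $# -eq 0 ] || stale_sieve_binaries "$@"
```

Run it from the account that owns the directory after editing a global script, then run `sievec` on each path it lists.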