Postfix/Dovecot permissions on new files in a mailbox

Question

When creating new files inside a mailbox, Dovecot copies the read/write permissions from the mailbox's directory.

I'm not seeing this. Here is what I'm seeing:

andrewsav@hroon-precis:~$ dovecot --version
2.0.19
andrewsav@hroon-precis:~$ sudo ls -al /var/mail/vhosts/myhost.com/andrews
total 76
d-wxrws--- 6 vmail vmail  4096 May 15 19:53 .
drwxrwsr-x 4 vmail vmail  4096 Mar  8 07:27 ..
drwxrws--- 2 vmail vmail  4096 May 15 19:53 cur
-rw-rwS--- 1 vmail vmail   288 May 12 20:49 dovecot.index
-rw-rwS--- 1 vmail vmail 31316 May 15 19:53 dovecot.index.log
-rw-rwS--- 1 vmail vmail    24 Dec 13 14:27 dovecot.mailbox.log
-rw-rw---- 1 vmail vmail    54 May 15 19:53 dovecot-uidlist
-rw-rwS--- 1 vmail vmail     8 Dec 13 14:32 dovecot-uidvalidity
-r--rwSr-- 1 vmail vmail     0 Dec 12 22:34 dovecot-uidvalidity.50c84fbc
drwxrws--- 2 vmail vmail  4096 May 15 21:15 new
-rw-rwS--- 1 vmail vmail     6 Dec 13 14:27 subscriptions
drwxrws--- 2 vmail vmail  4096 May 15 21:15 tmp
drwxrws--- 5 vmail vmail  4096 Dec 13 14:32 .Trash
andrewsav@hroon-precis:~$ sudo ls -al /var/mail/vhosts/myhost.com/andrews/new
total 24
drwxrws--- 2 vmail vmail 4096 May 15 21:15 .
d-wxrws--- 6 vmail vmail 4096 May 15 19:53 ..
-rw------- 1 vmail vmail 3435 May 15 19:54 1368604473.Vca02I500e0M443155.hroon-precis
-rw------- 1 vmail vmail 4028 May 15 20:42 1368607343.Vca02I500e1M96785.hroon-precis
-rw------- 1 vmail vmail 4623 May 15 21:15 1368609338.Vca02I500fcM737208.hroon-precis
andrewsav@hroon-precis:~$

The mail directory has rw for the group and the individual files in the new directory for some reason do NOT have rw. Because of this they can't be accessed by people/processes they are desired to be accessed. What am I missing?

I'm running ubuntu 12.04LTS

Update 1

To give a bit of background: I've been running postfix+dovecot for quite some time now. It was installed with small deviations according to this document. Normally mailboxes are not accessed locally, the I accessed via POP/IMAP by remote client.

However I find it useful to run mutt occasionally on the server. I can do it alright if I run it as

sudo mutt -f /var/mail/vhosts/myhost.com/andrews

however I wanted to be able to run it without sudo, and that's where the trouble started. I added myslef into vmail group and I added the following lines into .muttrc:

set spoolfile = '/var/mail/vhosts/myhost.com/andrews/'
alternates myhost.com
set reverse_name = yes
set from = 'andrews@myhost.com'

But this does not work unless I explicitly do chmod g+rw on new and cur. And it works only until new mail arrived, because the new mail does not have that rw.

Is there anyway I can solve this?

Update 2

After discussing this issue with NickW in chat, we came to the conclusion that it's actually Postfix that are writing these files, and not Dovecot. The LDA is most likely Postfix virtual. Here is Postfix configuration.

main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/apache2/ssl/my.crt
smtpd_tls_key_file=/etc/apache2/ssl/my.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = myhost.myhost.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = myhost.com, hroon-precis, localhost.localdomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#smtpd_tls_wrappermode=yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_auth_only = no
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_tls_security_level=may

virtual_mailbox_domains = myhost.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/virtual
mydomain = myhost.com

transport_maps = hash:/etc/postfix/transport

master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

transport:

info@myhost.com discard:
sales@myhost.com discard:
webmaster@myhost.com discard:

vmailbox:

user1@myhost.com myhost.com/user1/
user2@myhost.com myhost.com/user2/
... etc
andrews@myhost.com myhost.com/andrews/
@myhost.com myhost.com/andrews/

I searched Postfix documentation and I was not able to find a way to specify permissions to Postfix for newly created mail message files inside a mailbox.

My thinking is that it could be impossible, and then there must be another way of setting up mutt so that it can access the maildirs without need to do sudo/be root.

Any hints are appreciated.

@NickW: I did. In attempt to get *something* working. It did not make any difference. — Andrew Savinykh, May 15 '13 at 10:32
@NickW, yes they are. As for LDA, I'm not sure of I *have* one. I'll add more info into the question momentarily. — Andrew Savinykh, May 15 '13 at 11:10
If you are using postfix, you should have a line `mailbox_command=` that's going to be your LDA. — NickW, May 15 '13 at 11:18
@NickW added more info to the question. My /etc/postfix/main.cf does not have `mailbox_command=`. — Andrew Savinykh, May 15 '13 at 11:21
Yeah, I just read through that document, that's a pretty different way of setting up postfix. It seems you're using postfix to deliver directly.. I've always used different LDAs. This may take a little while. — NickW, May 15 '13 at 11:33
let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/8775/discussion-between-nickw-and-zespri) — NickW, May 15 '13 at 11:34
I'm not aware of any postfix setting about the permissions set by 'virtual'. As i see on my similar boxes, the files are create with 600.Why don't you switch to dovecot LDA, especially since you have dovecot already? — Sandor Marton, May 16 '13 at 00:59
@SandorMarton mainly because I don't know how to set it up, preserving the existing functionality. — Andrew Savinykh, May 16 '13 at 01:41
Dangit, I didn't want to be a jerk yesterday, and have you change your whole setup.. glad you got a working solution in the end! — NickW, May 16 '13 at 15:12
@NickW, thank you for you help. It was a long road, but I think we (mostly Sandor) finally got it working now. — Andrew Savinykh, May 20 '13 at 04:00

Sandor Marton · Accepted Answer · 2013-05-20T13:53:59.443

4

I'm answering here instead commenting , so I can format properly.
Since you have dovecot, you should already have lda installed (its in dovecot-core ). Add this to /etc/postfix/master.cf:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

Add this to /etc/postfix/main.cf:

virtual_transport               = dovecot
dovecot_destination_recipient_limit = 1

Change /etc/dovecot/conf.d/15-lda.conf:

protocol lda {
  postmaster_address = postmaster@example.com
  log_path = /var/log/dovecot-deliver
  info_log_path = /var/log/dovecot-deliver
}

(though pretty much optional that 3 line between {} )
postmaster_address is the from address for the bounced mail

Change /etc/dovecot/conf.d/10-master.conf:

service auth {
...
    unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = vmail
    }
...
}

Add all users from /etc/postfix/vmailbox to /etc/postfix/virtual like this:

user1@myhost.com user1@myhost.com 
user2@myhost.com user2@myhost.com 
... etc

Move the catch-all to /etc/postfix/virtual:

@myhost.com andrews@myhost.com

Change /etc/dovecot/conf.d/15-lda.conf:

lda_mailbox_autocreate = yes

This will auto-create maiboxes that are absent

To keep the discard rules, Add to main.cf :

mydestination=localhost.localdomain

Add to /etc/postfix/virtual:

info@myhost.com devnull@localhost.localdomain
sales@myhost.com devnull@localhost.localdomain
webmaster@myhost.com devnull@localhost.localdomain

Then to /etc/aliases :

devnull: /dev/null

These lines from /etc/postfix/main.cf are no longer needed and can be removed:

#virtual_mailbox_base = /var/mail/vhosts
#virtual_minimum_uid = 100
#virtual_uid_maps = static:5000
#virtual_gid_maps = static:5000
#transport_maps = hash:/etc/postfix/transport

Run

newaliases
postmap /etc/postfix/virtual
service postfix restart
service dovecot restart

and lets hope it works.

edited May 20 '13 at 13:53

answered May 16 '13 at 01:57

Sandor Marton

1,564
9
12

I have not tried it yet, but I have a follow up question. The postfix manual says that all these settings that start with `virtual_` in main.cf (as shown above) are specific to virtual(8). See here: http://www.postfix.org/postconf.5.html#virtual_mailbox_maps If this is the case, how dovecot will know these settings? – Andrew Savinykh May 16 '13 at 02:19
Its already setup for IMAP and POP3, no? Will use the same info. – Sandor Marton May 16 '13 at 02:20
It did not work. /var/log/dovecot-deliver: May 16 14:29:30 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755) May 16 14:29:30 lda: Fatal: Internal error occurred. Refer to server log for more information. – Andrew Savinykh May 16 '13 at 02:36
Edited my answer – Sandor Marton May 16 '13 at 02:52
It *looks* like it's working now. I give it a few days and if nothing is obviously broken I'll accept your answer. Thank you for your assistance. – Andrew Savinykh May 16 '13 at 10:08
Uhm, not quite. I used to have catch all address (see vmailbox configuration in the question) that all the emails that didn't match elsewhere would go. It's not working with the changes you are outlined. Instead of delivering the email to andrews@myhost.com it got bounced to the sender. – Andrew Savinykh May 16 '13 at 10:14
Sandor, I'll upvote your answer since it is definitely helping, however I can't accept it just yet, as my problem has not been fully solved. – Andrew Savinykh May 16 '13 at 10:16
Move the catch-all to /etc/postfix/virtual: @myhost.com andrews@myhost.com – Sandor Marton May 16 '13 at 14:07
In vmailbox (that as I understand is not used now) there are also definition of other users/mailboxes. What do I do with them? – Andrew Savinykh May 16 '13 at 20:04
All users/mailboxes haves this format: user2@myhost.com myhost.com/user2/ , no? So will be covered by dovecot's 'mail_location' . – Sandor Marton May 16 '13 at 20:55
This stops postfix from creating new mailboxes for the new users. Before if had a new user all I needed is to add them to vmailbox and setup a password. The mailbox then would be created automatically on arrival of the first email for this user. With this new set up all the mail for the new users goes to the catch all address. How do I resolve this? – Andrew Savinykh May 16 '13 at 21:33
Dovecot LDA has all the necessary info and will autocreate for them (see 15-lda.conf , lda_mailbox_autocreate should be yes) – Sandor Marton May 16 '13 at 21:52
Ok, changed lda_mailbox_autocreate to yes and it worked. However the discard rules in /etc/postfix/transport (as per the question above) do not work any longer. all the email for info@myhost.com gets forwarded to catch-all. How do I make the system discard it? Thank you for you continuing help. – Andrew Savinykh May 17 '13 at 00:48
Well, you got me with this. I have only a hack as solution, will add at the end of my answer again. – Sandor Marton May 17 '13 at 01:50
For some bloody reason, I deleted one of the mailboxes that it created to test the creation and not it's not creating it again. lda_mailbox_autocreate is yes. Banging my head at the wall trying to understand what went wrong. – Andrew Savinykh May 19 '13 at 20:06
Ok, so the catch-all (/etc/postfix/virtual: @myhost.com andrews@myhost.com) screws up the mailbox creation. If I have the catch all all messages start redirecting to andrews@myhost.com. This is regardless whether the mailbox exists or not. Basically postfix sees this line and changes the destination address to andrews@myhost.com before handing the message to dovecot for delivery. How can I resolve this? – Andrew Savinykh May 19 '13 at 20:42
Add all users from vmailbox to virtual like this : `user1@myhost.com user1@myhost.com `. – Sandor Marton May 19 '13 at 21:25
Okay, finally it seems to work all right. I'll give it a day or to for issues to show up and then accept the answer. Thank you very much again for all the help. – Andrew Savinykh May 19 '13 at 21:39
Thank you for all the help, Sandor, I have accepted the answer. I made an edit to the answer to reflect all the changes I had to made to the system, please feel to review and adjust if you think that I wrote some rubbish =). – Andrew Savinykh May 20 '13 at 03:59
Well, i would leave `virtual_mailbox_maps = hash:/etc/postfix/vmailbox` in main.cf, since thats needed to properly reject unknown users (but for you doesn't matter since you accept all mail with catch-all) – Sandor Marton May 20 '13 at 13:55

gparent · Answer 2 · 2013-05-16T14:14:26.080

2

You could setup Dovecot as your LDA as a workaround to your problem. That way virtual won't try to deliver mail locally but instead pass it to Dovecot.

According to dovecot documentation, the preferred way to do this is via LMTP.

The virtual settings that I kept will still work, but when it's time to actually deliver the mail to those domains, it will use what's set in virtual_transport instead of delivering the mail directly.

This is a working config on Debian Wheezy, which uses Dovecot 2.x.:

dovecot.conf:

protocols = imap lmtp

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
  user = vmail
}

protocol lmtp {
  postmaster_address = postmaster@example.org
}

main.cf:

virtual_mailbox_domains = example.org
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_transport = lmtp:unix:private/dovecot-lmtp

# Don't need these anymore 

#virtual_uid_maps = static:5000
#virtual_gid_maps = static:5000
#virtual_minimum_uid = 1000
#virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_users
#virtual_mailbox_base = /var/mail

edited May 16 '13 at 14:14

answered May 16 '13 at 03:20

gparent

3,601
2
24
28

If you're going to downvote, then say why. This works 100% on my box and it is a valid answer if it does for him too. It's also a better way of doing it than what might end up as the accept answer. – gparent May 16 '13 at 14:10
For those wondering, this should work if you add the aliasing fixes from above. The difference is LDA vs LMTP. – gparent May 28 '13 at 14:51
This is a lot closer to my configuration and I've been using it for a year. – Brian Topping Jun 03 '15 at 04:31
I simply had to add the user to the mail group for some reason. since the user had owner access to all the relevant files I know of. – Ray Foss Apr 18 '16 at 19:29

Postfix/Dovecot permissions on new files in a mailbox

2 Answers2

Linked