
We are migrating from an old CentOS 5.5 system to a new CentOS 6.4 server. The Postfix version looks the same, but Dovecot has gone up from 1.x to 2.x. It uses MySQL to store the mail account details, and it's managed with pfadmin.

I have used rsync to copy the /var/vmail folder from old to new server. I have got postfix and dovecot installed, pfadmin is working, as is mysql. But I am having major problems with the permissions for the /var/vmail folder.

From the var/ folder:

```
drwxrwx---. 34 vmail vmail 4096 May 28 10:03 vmail
```

From /etc/passwd:

```
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:498:499:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
vmail:x:125:12::/var/vmail:/usr/sbin/nologin
```

Relevant lines in dovecot.conf:

```
first_valid_uid = 125
last_valid_uid = 150
mail_location = maildir:/var/vmail/%d/%u
mail_privileged_group = mail
mbox_write_locks = fcntl
```

When I telnet onto ports 25 and 110 (for PF and Dovecot testing), the SMTP session goes OK and the POP3 session crashes out.

maillog has the clues. Here is what Postfix is generating:

```
warning: maildir access problem for UID/GID=150/12: create maildir
file /var/vmail/thedomain.com/test@thedomain.com/tmp/1369997999.P1913.IS-20698: 
Permission denied
```

and for Dovecot:

```
dovecot: pop3(test@thedomain.com): Error: file_dotlock_create
(/var/vmail/thedomain.com/test@thedomain.com/dovecot-uidlist) 
failed: Permission denied (euid=125(vmail) egid=125(vmail) missing +w 
perm: /var/vmail/thedomain.com/test@thedomain.com, euid is not dir owner)
```

So basically neither process can write to the mail directories.

How do I get all my permissions in-line?

dawud
jon
  • What are the permissions on `/thedomain.com/` ? – NickW May 31 '13 at 11:58
  • Also, postfix is using UID 150, while dovecot is using 125, which one is supposed to be the owner? – NickW May 31 '13 at 12:57
  • Postfix and dovecot should have the same UID? – jon Jun 03 '13 at 11:06
  • The user they use to access mailboxes should be, or you need to make sure the directories at least have a common group with all the permissions necessary. – NickW Jun 03 '13 at 11:11
  • I seem to have gone backwards. I could telnet onto port 110 and login to dovecot, provided there was no email in the /new folder. Now I can't login at all. (euid=125() egid=125() missing +x perm: /var/vmail, euid is not dir owner) – jon Jun 03 '13 at 16:15
  • Of course, once you change the users in postfix and dovecot, you need to make sure that `vmail` is the owner of the directory, from the base up :) – NickW Jun 03 '13 at 16:16
  • Why is it vmail:x:125:12:: instead of vmail:x:125:125:: in /etc/passwd? – tgharold Jun 03 '13 at 19:49
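The two log lines and the passwd entry in the question name three different identities for the same mail store. The following is an added example, not part of the original post, that pulls the uid/gid pairs out of maillog text and compares them with the passwd entry; the function names are hypothetical and the sample data is the question's own output with the wrapped log lines rejoined.

```bash
#!/usr/bin/env bash
# Added example: which uid/gid does each service really use on the mail store?
# Sample text is taken from the question, with the wrapped log lines rejoined.
SAMPLE_LOG='warning: maildir access problem for UID/GID=150/12: create maildir file /var/vmail/thedomain.com/test@thedomain.com/tmp/1369997999.P1913.IS-20698: Permission denied
dovecot: pop3(test@thedomain.com): Error: file_dotlock_create(/var/vmail/thedomain.com/test@thedomain.com/dovecot-uidlist) failed: Permission denied (euid=125(vmail) egid=125(vmail) missing +w perm: /var/vmail/thedomain.com/test@thedomain.com, euid is not dir owner)'
SAMPLE_PASSWD='postfix:x:89:89::/var/spool/postfix:/sbin/nologin
vmail:x:125:12::/var/vmail:/usr/sbin/nologin'

# Read maillog text on stdin, print "service uid/gid" for each identity found.
log_identities() {
  sed -n \
    -e 's|.*maildir access problem for UID/GID=\([0-9]*\)/\([0-9]*\):.*|postfix \1/\2|p' \
    -e 's|.*euid=\([0-9]*\)([^)]*) egid=\([0-9]*\)([^)]*).*|dovecot \1/\2|p' |
    sort -u
}

# passwd_ids USER PASSWD_TEXT: print "uid/gid" from passwd-format text.
passwd_ids() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3 "/" $4 }'
}

# report_mismatches OWNER LOG_TEXT PASSWD_TEXT
# One line per service whose effective uid/gid differs from OWNER's passwd entry.
report_mismatches() {
  want=$(passwd_ids "$1" "$3")
  printf '%s\n' "$2" | log_identities | while read -r svc ids; do
    [ "$ids" = "$want" ] || echo "MISMATCH $svc uses $ids, passwd has $1 as $want"
  done
}

report_mismatches vmail "$SAMPLE_LOG" "$SAMPLE_PASSWD"
```

On a live server, pass the contents of the real maillog and `/etc/passwd` in place of the sample variables.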

3 Answers


I have juggled uids and gids but the fix in fact was in the /dovecot/conf.d/10-master.conf

Having got postfix/SMTP to deliver incoming emails to the users folder:

I had the user and group set to vmail, whereas it should be set to use the postfix user/group. After all, if postfix can write to the files/directories then it has to work.

```
service auth {
  unix_listener auth-userdb {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

Once this was changed and services restarted, everything worked - including POP3, imap, postfixadmin and squirrelmail.

jon

You probably need to add "postfix" to the "vmail" group in /etc/group. And look at your dovecot/conf.d/10-mail.conf file. You'll need to make sure that mail_uid and mail_gid are set to 'vmail' and are both uncommented.

```
conf.d/10-mail.conf:mail_uid = vmail
conf.d/10-mail.conf:mail_gid = vmail
```

tgharold
  • Thanks. I have got a bit further with this. A local smtp session, delivers the message to the "new" folder however, owner group and permissions are wrong. User/group is vmail:mail and permissions are just rw------------ – jon Jun 03 '13 at 10:59
  • Also, had to disable selinux. – jon Jun 03 '13 at 11:02
  • I would verify permissions, ownership, plus make sure that the files are labeled properly (ls -lZ) and/or (restorecon -Rv /var/vmail). Also using (setenforce Permissive) is a good way of keeping SELinux active while you get things up, then look at (sealert -a /var/log/audit/audit/log) to look for issues in labeling of files. – tgharold Jun 03 '13 at 15:15
  • permissions are ok on the /var/vmail/domains. I did a chown -R vmail:vmail vmail and chmod'd them to 770. It's the guid, uids that have got me confused. Emails arrive in the new folder and dovecot doesn't have permission to read them. – jon Jun 03 '13 at 16:31
  • I also wonder why your mailbox path is "/var/vmail/thedomain.com/test@thedomain.com" instead of "/var/vmail/thedomain.com/test". – tgharold Jun 03 '13 at 19:47
  • I suggest adding to your question the latest output of "ls -lZ" /var/vmail, as well as the output of "grep -i 'vmail' /etc/group". – tgharold Jun 03 '13 at 19:51
  • to tgharold - the reason you include the domain name in the folder, so you can have multiple domains, both having the same username. – jon Jun 04 '13 at 09:54
  • output of ls -lZ looks normal. All domain folders show: drwxr-x---. vmail vmail system_u:object_r:var_t:s0 thedomain.com – jon Jun 04 '13 at 09:57
  • line from /etc/group/ is: "vmail:x:5000:postfix, dovecot" – jon Jun 04 '13 at 10:02
  • If you are using the default of "mail_home = /var/vmail/%d/%n", you still get the ability to have users in different domains with the same username. But that's a side issue. The problem I see is that your dovecot error says "egid=125(vmail)" but you are saying that vmail is defined as gid=5000 in /etc/group. I suggest making sure that the vmail gid is the same as the vmail uid. – tgharold Jun 04 '13 at 10:52
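Once a single uid/gid has been chosen for the mail store, the whole tree can be checked against it in one pass. This is an added example, not part of the answer or its comments: `audit_maildir` is a hypothetical helper that lists entries with the wrong owner or group, directories or files the owner cannot fully use, and anything accessible to "other" users.

```bash
#!/usr/bin/env bash
# Added example: audit a virtual mail tree against the one numeric uid/gid
# that both the delivery agent and the POP3/IMAP server are meant to use.

# audit_maildir ROOT UID GID
# Prints one tagged line per problem entry, nothing if the tree is consistent:
#   OWNER    - owner or group is not UID:GID
#   DIRMODE  - directory lacks rwx for its owner (cannot create or rename mail)
#   FILEMODE - file lacks rw for its owner
#   WORLD    - any permission bit set for "other" (mail exposed to local users)
audit_maildir() {
  root=$1; uid=$2; gid=$3
  find "$root" \( ! -uid "$uid" -o ! -gid "$gid" \) -print | sed 's/^/OWNER /'
  find "$root" -type d ! -perm -700 -print | sed 's/^/DIRMODE /'
  find "$root" -type f ! -perm -600 -print | sed 's/^/FILEMODE /'
  find "$root" \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
    sed 's/^/WORLD /'
}

# Stand-alone use: ./audit_maildir.sh /var/vmail <uid> <gid>
if [ "$#" -eq 3 ]; then
  audit_maildir "$@"
fi
```

The checks are on mode bits and numeric ids only, so the output is the same whether it is run as root or as the mail user; SELinux labels are not examined.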

In my case, this problem was due to SELinux. I resolved the problem by `sudo nano /etc/sysconfig/selinux` and then setting `SELINUX=disabled`. This is acceptable during development. A more complete solution will be to set up an SELinux rule allowing postfix and dovecot to function with SELinux enabled before this goes into production.

CodeMed