Centos Postfix/Dovecot - Permission problems after migration upgrade
I have juggled uids and gids, but the fix in fact was in the /dovecot/conf.d/10-master.conf.
Having got postfix/SMTP to deliver incoming emails to the user's folder:
I had the user and group set to vmail, whereas it should be set to use the postfix user/group. After all, if postfix can write to the files/directories then it has to work.
service auth {
  unix_listener auth-userdb {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Once this was changed and services restarted, everything worked - including POP3, imap, postfixadmin and squirrelmail.
jon
Updated on September 18, 2022
Comments
-
jon almost 2 years
We are migrating from an old Centos 5.5 system to a new Centos 6.4 server. The postfix version looks the same, but Dovecot has gone up from 1.x to 2.x. It uses MySQL to store the mail account details and it's managed with pfadmin.
I have used rsync to copy the /var/vmail folder from old to new server. I have got postfix and dovecot installed, pfadmin is working, as is mysql. But I am having major problems with the permissions for the /var/vmail folder.
from the var/ folder:
drwxrwx---. 34 vmail vmail 4096 May 28 10:03 vmail
from /etc/passwd:
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:498:499:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
vmail:x:125:12::/var/vmail:/usr/sbin/nologin
relevant lines in dovecot.conf:
first_valid_uid = 125
last_valid_uid = 150
mail_location = maildir:/var/vmail/%d/%u
mail_privileged_group = mail
mbox_write_locks = fcntl
When I telnet onto port 25 and 110 (for PF and Dovecot testing), the smtp session goes ok and the pop3 session crashed out.
maillog has the clues - Here is what Postfix is generating:
warning: maildir access problem for UID/GID=150/12: create maildir file /var/vmail/thedomain.com/[email protected]/tmp/1369997999.P1913.IS-20698: Permission denied
and for Dovecot:
dovecot: pop3([email protected]): Error: file_dotlock_create (/var/vmail/thedomain.com/[email protected]/dovecot-uidlist) failed: Permission denied (euid=125(vmail) egid=125(vmail) missing +w perm: /var/vmail/thedomain.com/[email protected], euid is not dir owner)
So basically neither process can write to the mail directories.
How do I get all my permissions in-line?
-
NickW about 11 years
What are the permissions on /thedomain.com/?
-
NickW about 11 years
Also, postfix is using UID 150, while dovecot is using 125, which one is supposed to be the owner?
-
jon about 11 years
Postfix and dovecot should have the same UID?
-
NickW about 11 years
The user they use to access mailboxes should be, or you need to make sure the directories at least have a common group with all the permissions necessary.
-
jon about 11 years
I seem to have gone backwards. I could telnet onto port 110 and login to dovecot, provided there was no email in the /new folder. Now I can't login at all. (euid=125(<unknown>) egid=125(<unknown>) missing +x perm: /var/vmail, euid is not dir owner)
-
tgharold about 11 years
Why is it vmail:x:125:12:: instead of vmail:x:125:125:: in /etc/passwd?
-
jon about 11 years
Thanks. I have got a bit further with this. A local smtp session delivers the message to the "new" folder; however, owner, group and permissions are wrong. User/group is vmail:mail and permissions are just rw------------
-
jon about 11 years
Also, had to disable selinux.
-
tgharold about 11 years
I would verify permissions, ownership, plus make sure that the files are labeled properly (ls -lZ) and/or (restorecon -Rv /var/vmail). Also using (setenforce Permissive) is a good way of keeping SELinux active while you get things up, then look at (sealert -a /var/log/audit/audit.log) to look for issues in labeling of files.
-
jon about 11 years
Permissions are ok on the /var/vmail/domains. I did a chown -R vmail:vmail vmail and chmod'd them to 770. It's the guid, uids that have got me confused. Emails arrive in the new folder and dovecot doesn't have permission to read them.
-
tgharold about 11 years
I also wonder why your mailbox path is "/var/vmail/thedomain.com/[email protected]" instead of "/var/vmail/thedomain.com/test".
-
tgharold about 11 years
I suggest adding to your question the latest output of "ls -lZ /var/vmail", as well as the output of "grep -i 'vmail' /etc/group".
-
jon about 11 years
To tgharold - the reason you include the domain name in the folder is so you can have multiple domains, both having the same username.
-
jon about 11 years
Output of ls -lZ looks normal. All domain folders show: drwxr-x---. vmail vmail system_u:object_r:var_t:s0 thedomain.com
-
jon about 11 years
Line from /etc/group/ is: "vmail:x:5000:postfix, dovecot"
-
tgharold about 11 years
If you are using the default of "mail_home = /var/vmail/%d/%n", you still get the ability to have users in different domains with the same username. But that's a side issue. The problem I see is that your dovecot error says "egid=125(vmail)" but you are saying that vmail is defined as gid=5000 in /etc/group. I suggest making sure that the vmail gid is the same as the vmail uid.
-
NickW about 11 years
Which is why I asked whether 125 or 150 was the user :) glad you got it working though!
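
Added example (not from the thread or any of its participants): a small shell check that lines up the IDs quoted above, namely the vmail entries in /etc/passwd and /etc/group and the UID/GID pairs that Postfix and Dovecot report in maillog, and prints every disagreement. The function names, the LABEL:UID:GID argument format and the choice of the passwd entry as the reference are assumptions made for illustration; the sample data is constructed from the values quoted on this page.

```sh
#!/bin/sh
# Added example. Sample data is constructed from the values quoted in the thread.
PASSWD_DATA='postfix:x:89:89::/var/spool/postfix:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
vmail:x:125:12::/var/vmail:/usr/sbin/nologin'
GROUP_DATA='vmail:x:5000:postfix,dovecot'

# entry_field DATA NAME N: print field N of NAME's colon-separated entry.
entry_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" -v f="$3" '$1 == n { print $f; exit }'
}

# audit_mail_ids USER LABEL:UID:GID...
# Compares each observed process identity (as logged in maillog) with USER's
# passwd entry (assumed reference). Prints one line per mismatch; the exit
# status is the number of mismatches.
audit_mail_ids() {
    user=$1; shift
    uid=$(entry_field "$PASSWD_DATA" "$user" 3)
    pgid=$(entry_field "$PASSWD_DATA" "$user" 4)
    ggid=$(entry_field "$GROUP_DATA" "$user" 3)
    bad=0
    if [ "$pgid" != "$ggid" ]; then
        echo "passwd: $user primary gid is $pgid, but group $user is gid $ggid"
        bad=$((bad + 1))
    fi
    for obs in "$@"; do
        label=${obs%%:*}; rest=${obs#*:}
        ouid=${rest%%:*}; ogid=${rest#*:}
        if [ "$ouid" != "$uid" ]; then
            echo "$label: runs as uid $ouid, expected $uid"
            bad=$((bad + 1))
        fi
        if [ "$ogid" != "$pgid" ]; then
            echo "$label: runs as gid $ogid, expected $pgid"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Identities from the two maillog errors: Postfix 150/12, Dovecot 125/125.
audit_mail_ids vmail postfix:150:12 dovecot:125:125 || echo "$? mismatch(es)"
```

On a live server the two data variables would be filled from `getent passwd` and `getent group` instead of the embedded sample.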