maildomain-permissions acting strangely & user_insert returns wrong maildirowner

Discussion in 'Installation/Configuration' started by osterhase, Aug 17, 2011.

  1. osterhase

    osterhase New Member

    Hi there!

    Three strange problems arose from - I don't know from where to be honest... :confused:

    This is what happens:

    - When a new maildomain is created nothing happens until a new mailuser is inserted (intended behavior as far as I know). When a new mailuser is created the following problems arise:

    1. The maildomain.name [e.g. test.int] has the permission-set 0755 (owned by vmail) and not 0700 - is that intended behavior?

    2. The maildir of the new mailuser is owned by the user root (0700) which obviously leads to trouble during maildelivery.

    3. If the mailuser is updated (function user_update in mail_plugin.inc.php) the user is honored by applying the correct owner to his maildir.

    I thought that my problem would reside in the mail_plugin.inc.php and I compared it with the "install-version" and only found the changes that I applied - see here.

    I've attached my mail_plugin.inc.php as textfile - maybe someone can give me a hint what's going wrong here. (It seems that line 123 is not executed. All changes are marked with "osterhase".)
     


  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Have you changed the mail plugin? The plugin that is delivered with ispconfig 3.0.3.3 works fine, so don't change it and use the code from ispconfig 3.0.3.3 without changes. Maildir permission 0700 is ok and works fine, as only the vmail user needs to access it.
     
  3. osterhase

    osterhase New Member

    But I had to change it to change the sieve-filter location. See this post - I thought the changes would be fine.
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Which exact errors do you get in your imap client and which errors do you get in the mail.log file?

    To your questions above:

    1) is ok.
    2) is ok.
    3) the owner is always vmail. It does not matter if the permissions are 700 or 755. So which other user owns the maildir on your setup?
     
    Last edited: Aug 17, 2011
  5. osterhase

    osterhase New Member

    Code:
    Aug 17 10:56:02 flux01 dovecot: deliver(info2@test.int): chdir(/var/vmail/test.de/info2) failed: Permission denied
    Aug 17 10:56:02 flux01 dovecot: deliver(info2@test.int): sieve: failed to stat user's sieve script: stat(/var/vmail/test.int/info2/sieve/dovecot.sieve) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +x perm: /var/vmail/test.int/info2) (using global script path in stead)
    Aug 17 10:56:02 flux01 dovecot: deliver(info2@test.int): stat(/var/vmail/test.de/info2/tmp) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +x perm: /var/vmail/test.int/info2)
    The reason for this is 2) because the maildir (/var/vmail/test.int/info2) of the newly created user (not updated) is owned by root and not by vmail. So the user vmail is not allowed to access this folder.

    1) This seems to be a security issue (0755) for the domain-path (/var/vmail/[Domain]) because logged in system users are able to determine the mail addresses of the domain (but does not interfere with functionality - so it's - at the moment - not too important).
     
  6. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Just tested the plugin from 3.0.3.3 on my server and the user of the maildir is vmail and not root. Also the plugin code is ok.

    Maybe the email user is not set to "vmail" in the server settings in ispconfig on your system.
     
  7. osterhase

    osterhase New Member

    Thanks for testing!

    I've checked out the system configuration in the ISPConfig control panel and it's set correctly to vmail (I also saved the settings to overwrite wrong settings). Sadly there was no effect (newly created maildirs are still owned by root).

    At the moment I've no further ideas - but I'm thinking hard. ;)
     
  8. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You can try to enable debugging in ispconfig, then create a new mailbox and check the system log for the debug messages.
     
  9. osterhase

    osterhase New Member

    Ok - I did some testing and found the reason which causes this behavior (but I don't know where & when this happens):

    When a new maildomain is created and the spamfilter is not activated (during maildomain creation) it causes the described behavior. E.g. all newly created mailboxes are owned by the wrong user.

    If the spamfilter is activated, the maildomain-directory has the owner "vmail" permission-set 0700 (and not 0755 - which happens when the spamfilter is not activated) and all mailboxes created within this domain have the correct owner.
     
  10. osterhase

    osterhase New Member

    Addition: If the spamfilter is activated when a new mailbox is created in a maildomain which does not use a spamfilter the owner of the maildir is set correctly as well whereas the owner of the maildomain-directory and permissions do not change.
     
  11. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    I guess that the maildir with wrong permissions gets created by the lda (deliver if you use dovecot) while the correct one gets created by ispconfig. As ispconfig does not change the directory or permissions when the maildir already exists, then the wrong permissions are kept. What you can try is to add a forced permission update in ispconfig on the maildir path in the insert function of the mail plugin.
     
  12. osterhase

    osterhase New Member

    Instead I fixed the mistake in /etc/dovecot/dovecot.conf and changed the lda user to vmail - taadaa problem is gone.

    Fantastic mate - thank you so much for your help! :)
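
An added audit, not part of the thread: it walks the layout seen in the log above (/var/vmail/<domain>/<user>) and reports directories that are not owned by the expected mail user or that carry group/other permission bits, the two conditions discussed in this thread. It assumes GNU find; the function name audit_vmail and its output format are made up for this example.

```shell
#!/bin/sh
# audit_vmail ROOT OWNER
#   ROOT  - mail storage root, e.g. /var/vmail
#   OWNER - user that must own every domain dir and maildir, e.g. vmail
# Prints one finding per line:
#   OWNER <actual-user> <path>   directory owned by someone else (e.g. root)
#   MODE  <octal-mode>  <path>   group/other bits set (e.g. 755 instead of 700)
# Returns 0 when nothing is found, 1 otherwise.
audit_vmail() {
    root=$1
    owner=$2
    report=$(
        # depth 1 = domain directories, depth 2 = per-user maildirs
        find "$root" -mindepth 1 -maxdepth 2 -type d -printf '%u %m %p\n' |
        while read -r user mode path; do
            [ "$user" = "$owner" ] || printf 'OWNER %s %s\n' "$user" "$path"
            # any non-zero digit in the group or other position
            case $mode in
                *[1-7]?|*[1-7]) printf 'MODE %s %s\n' "$mode" "$path" ;;
            esac
        done
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Run directly as: sh audit_vmail.sh /var/vmail vmail
if [ "$#" -ge 1 ]; then
    audit_vmail "$1" "${2:-vmail}"
fi
```

Maildirs that were created while the LDA ran as the wrong user keep their old owner after the dovecot.conf fix, so a run over the storage root shows which ones still need their ownership corrected.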
     
