1

Topic: permission denied on dovecot-sieve.log?

==== Required information ====
- iRedMail version: 0.9.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Linux/BSD distribution name and version: CentOS 6.6
- Related log if you're reporting an issue: /var/log/dovecot-sieve.log
====

Getting a fair number of these:

temporary failure. Command output: Can't open log file /var/log/dovecot-sieve.log: Permission denied

I saw an earlier thread saying to chmod that file to 666, but that won't help after the next logrotation, since it creates the new file 600 again. It looks like this:

/var/log/dovecot.log
/var/log/dovecot-sieve.log
/var/log/dovecot-lmtp.log {
    compress
    weekly
    rotate 10
    create 0600 vmail vmail
...

I think you need to give dovecot/sieve.log its own stanza with 666, no?


2

Re: permission denied on dovecot-sieve.log?

All 3 Dovecot log files should be owned by vmail:vmail with permission 0600.

3

Re: permission denied on dovecot-sieve.log?

ZhangHuangbin wrote:

All 3 Dovecot log files should be owned by vmail:vmail with permission 0600.

That isn't what you said in the other thread?

http://www.iredmail.org/forum/topic4591 … enied.html

The pathname is different since it's a two-year-old post, but the point is still the same, no? In any event, obviously something is not right since the local delivery agent was trying (and unable) to open the sieve log?

4

Re: permission denied on dovecot-sieve.log?

I looked at the body of the rejected messages. These are from the nightly jobs that email root the status of backups and such. I hadn't seen the failures for a week or so, since I had chmod 666 the sieve file. When the logrotate happened, the new sieve file was back to 600 and then the emails started failing...

5

Re: permission denied on dovecot-sieve.log?

Old thread is wrong (too open), 0600 is the best.

Owner 'vmail:vmail' with permission 0600 is the default setting in iRedMail, so I'm sure it works.

6

Re: permission denied on dovecot-sieve.log?

So why are these errors happening? Obviously 600 is NOT right (at least not for the sieve file for local delivery!). Here is the entire text:

This is the mail system at host iredmail.druber.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<root@iredmail.druber.com>: temporary failure. Command output: Can't open log
    file /var/log/dovecot-sieve.log: Permission denied
Reporting-MTA: dns; iredmail.druber.com
X-Postfix-Queue-ID: 2EBC82C0678
X-Postfix-Sender: rfc822; root@druber.com
Arrival-Date: Wed, 17 Jun 2015 03:00:02 -0400 (EDT)

Final-Recipient: rfc822; root@iredmail.druber.com
Original-Recipient: rfc822;root@iredmail.druber.com
Action: failed
Status: 4.3.0
Diagnostic-Code: x-unix; Can't open log file
    /var/log/dovecot-sieve.log: Permission denied
Subject     Cron <root@iredmail> /bin/bash /var/vmail/backup/backup_openldap.sh
From     root@druber.com
To     root@druber.com
Date     Today 03:00
Return-Path: <root@druber.com>
Received: from iredmail.druber.com (iredmail.druber.com [127.0.0.1])
    by iredmail.druber.com (Postfix) with ESMTP id 2EBC82C0678
    for <root@iredmail.druber.com>; Wed, 17 Jun 2015 03:00:02 -0400 (EDT)
Authentication-Results: iredmail.druber.com (amavisd-new); dkim=pass
    reason="pass (just generated, assumed good)" header.d=druber.com
X-Virus-Scanned: amavisd-new at iredmail.druber.com
Received: from iredmail.druber.com ([127.0.0.1])
    by iredmail.druber.com (iredmail.druber.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 9IUGHUeQ31Vb for <root@iredmail.druber.com>;
    Wed, 17 Jun 2015 03:00:01 -0400 (EDT)
Received: by iredmail.druber.com (Postfix, from userid 0)
    id B62272C06AE; Wed, 17 Jun 2015 03:00:01 -0400 (EDT)
From: root@druber.com (Cron Daemon)
To: root@druber.com
Subject: Cron <root@iredmail> /bin/bash /var/vmail/backup/backup_openldap.sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20150617070001.B62272C06AE@iredmail.druber.com>
Date: Wed, 17 Jun 2015 03:00:01 -0400 (EDT)

55811af1 hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
==> Backup completed successfully.
==> Detailed log (/var/vmail/backup/ldap/2015/06/2015-06-17-03:00:01.log):
=========================
    [DONE]
* File size:
=================
4.0K    /var/vmail/backup/ldap/2015/06/2015-06-17-03:00:01.ldif.bz2
=================
* Backup completed (Success? YES).

7

Re: permission denied on dovecot-sieve.log?

Show me output of command "dovecot -n", and "ls -l /var/log/dovecot*.log", AND the log which contains this error in Postfix log file.

8

Re: permission denied on dovecot-sieve.log?

[root@iredmail ~]# dovecot -n
# 2.1.17: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-504.el6.x86_64 x86_64 CentOS release 6.6 (Final)
auth_default_realm = druber.com
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 2000
last_valid_uid = 2000
listen = * [::]
log_path = /var/log/dovecot.log
mail_gid = 2000
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
mail_plugins = quota acl
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
passdb {
  args = /etc/dovecot/dovecot-master-users
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk
  quota = dict:user::proxy::quotadict
  quota_rule = *:storage=1G
  quota_warning = storage=85%% quota-warning 85 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=95%% quota-warning 95 %u
  sieve = %Lh/sieve/dovecot.sieve
  sieve_before = /var/vmail/sieve/dovecot.sieve
  sieve_dir = %Lh/sieve
  sieve_global_dir = /var/vmail/sieve
}
protocols = imap sieve lmtp
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1 ::1
    port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1 ::1
    port = 4190
  }
}
service pop3-login {
  service_count = 1
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = required
ssl_cert = </etc/pki/tls/certs/iRedMail.crt
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_key = </etc/pki/tls/private/iRedMail.key
ssl_protocols = !SSLv2 !SSLv3
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  lda_mailbox_autocreate = yes
  lda_mailbox_autosubscribe = yes
  log_path = /var/log/dovecot-sieve.log
  mail_plugins = quota acl sieve autocreate
  postmaster_address = root
}
protocol lmtp {
  info_log_path = /var/log/dovecot-lmtp.log
  lmtp_save_to_detail_mailbox = yes
  mail_plugins = quota sieve
  postmaster_address = postmaster
  recipient_delimiter = +
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_max_userip_connections = 20
  mail_plugins = quota acl imap_quota autocreate imap_acl
}
protocol pop3 {
  mail_max_userip_connections = 20
  mail_plugins = quota acl
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

[root@iredmail ~]# ls -l /var/log/dovecot*
-rw------- 1 vmail vmail       0 Jun 14 03:50 /var/log/dovecot-lmtp.log
-rw------- 1 vmail vmail      14 Jun 14 03:50 /var/log/dovecot-lmtp.log-20150614.bz2
-rw------- 1 vmail vmail 1083887 Jun 17 10:53 /var/log/dovecot.log
-rw------- 1 vmail vmail   30190 Jun 14 03:50 /var/log/dovecot.log-20150614.bz2
-rw-rw-rw- 1 vmail vmail   37588 Jun 17 10:53 /var/log/dovecot-sieve.log
-rw------- 1 vmail vmail    2704 Jun 14 03:50 /var/log/dovecot-sieve.log-20150614.bz2

(I set the sieve file 666 to avoid the errors for now)

9

Re: permission denied on dovecot-sieve.log?

Show me the log which contains this error in Postfix log file. I guess email was sent to a system account, you should add an alias in /etc/postfix/aliases for this account to solve this issue, it's not a permission issue of Dovecot log file.

10

Re: permission denied on dovecot-sieve.log?

Here is one example from /var/log/maillog:

Jun 15 11:19:09 iredmail postfix/pickup[12791]: 411B62C069E: uid=0 from=<root>
Jun 15 11:19:09 iredmail postfix/cleanup[12802]: 411B62C069E: message-id=<20150615151909.411B62C069E@iredmail.druber.com>
Jun 15 11:19:09 iredmail postfix/qmgr[12790]: 411B62C069E: from=<root@iredmail.druber.com>, size=426, nrcpt=1 (queue active)
Jun 15 11:19:09 iredmail postfix/smtpd[12812]: connect from iredmail.druber.com[127.0.0.1]
Jun 15 11:19:09 iredmail postfix/smtpd[12812]: 8FA592C069D: client=iredmail.druber.com[127.0.0.1]
Jun 15 11:19:09 iredmail postfix/cleanup[12802]: 8FA592C069D: message-id=<20150615151909.411B62C069E@iredmail.druber.com>
Jun 15 11:19:09 iredmail postfix/qmgr[12790]: 8FA592C069D: from=<root@iredmail.druber.com>, size=1172, nrcpt=1 (queue active)
Jun 15 11:19:09 iredmail postfix/smtpd[12812]: disconnect from iredmail.druber.com[127.0.0.1]
Jun 15 11:19:09 iredmail amavis[10429]: (10429-06) Passed CLEAN {RelayedInternal}, MYUSERS <root@iredmail.druber.com> -> <root@iredmail.druber.com>, Message-ID: <20150615151909.411B62C069E@iredmail.druber.com>, mail_id: jYZQTxyC2IUB, Hits: 5.289, size: 426, queued_as: 8FA592C069D, 257 ms
Jun 15 11:19:09 iredmail postfix/smtp[12806]: 411B62C069E: to=<root@iredmail.druber.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.39, delays=0.07/0.04/0/0.28, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FA592C069D)
Jun 15 11:19:09 iredmail postfix/qmgr[12790]: 411B62C069E: removed
Jun 15 11:19:09 iredmail postfix/local[12814]: 8FA592C069D: to=<root@iredmail.druber.com>, relay=local, delay=0.08, delays=0.01/0.04/0/0.04, dsn=4.3.0, status=deferred (temporary failure. Command output: Can't open log file /var/log/dovecot-sieve.log: Permission denied )

11

Re: permission denied on dovecot-sieve.log?

Hmmm, I think you may be right. The original aliases file redirected things to postmaster@druber.com. I have a single default domain and was having trouble getting that to work right (among other things, I didn't yet have ldap aliases, so things like root@druber.com were not working.) I finally figured out how to add aliases to ldap, but I think I may have messed up the postmaster alias before that. Sorry for wasting your time. I restored the dovecot-sieve file to 600 and will keep an eye out...

12

Re: permission denied on dovecot-sieve.log?

You can add one line in /etc/postfix/aliases like below:

root: user@domain.com

Then run 'postalias /etc/postfix/aliases'.

Make sure you are using a real/valid email address.

13

Re: permission denied on dovecot-sieve.log?

Yes, this worked fine.  Thanks!
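
The diagnosis reached in this thread, as an added example that is not part of the original posts: it scans a Postfix log for `postfix/local` deliveries deferred with the "Can't open log file" error and reports the recipients that have no entry in the aliases file, so the log files can stay at 0600. The function names, the temporary files and all sample log and alias lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. All sample data below is constructed.

# Local parts whose postfix/local delivery was deferred with the LDA log error.
deferred_local_rcpts() {  # $1 = maillog path
    awk '/ postfix\/local\[/ && /status=deferred/ && /Can.t open log file/ {
            if (match($0, /to=<[^>]+>/)) {
                addr = substr($0, RSTART + 4, RLENGTH - 5)
                sub(/@.*/, "", addr)          # keep the local part only
                print tolower(addr)
            }
        }' "$1" | sort -u
}

# Succeeds if the aliases file has a non-comment, non-empty entry for $1.
has_alias() {  # $1 = local part, $2 = aliases file
    awk -F: -v u="$1" '
        /^[[:space:]]*#/ { next }
        { key = tolower($1); gsub(/[[:space:]]/, "", key) }
        key == u && $2 ~ /[^[:space:]]/ { found = 1 }
        END { exit !found }' "$2"
}

# Affected recipients that still lack an alias (the cause found in the thread).
unaliased_deferred() {  # $1 = maillog, $2 = aliases file
    deferred_local_rcpts "$1" | while read -r u; do
        has_alias "$u" "$2" || echo "$u"
    done
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
LOG=$tmp/maillog; ALIASES=$tmp/aliases
cat > "$LOG" <<'EOF'
Jun 15 11:19:09 mail postfix/local[101]: AAA1: to=<root@mail.example.com>, relay=local, dsn=4.3.0, status=deferred (temporary failure. Command output: Can't open log file /var/log/dovecot-sieve.log: Permission denied )
Jun 15 11:20:10 mail postfix/local[102]: AAA2: to=<backup@mail.example.com>, relay=local, dsn=4.3.0, status=deferred (temporary failure. Command output: Can't open log file /var/log/dovecot-sieve.log: Permission denied )
Jun 15 11:21:11 mail postfix/local[103]: AAA3: to=<alice@mail.example.com>, relay=local, dsn=2.0.0, status=sent (delivered to command)
Jun 15 11:22:12 mail postfix/local[104]: AAA4: to=<Root@mail.example.com>, relay=local, dsn=4.3.0, status=deferred (temporary failure. Command output: Can't open log file /var/log/dovecot-sieve.log: Permission denied )
EOF
cat > "$ALIASES" <<'EOF'
# constructed sample aliases file
postmaster: root
backup: admin@example.com
EOF

unaliased_deferred "$LOG" "$ALIASES"   # prints: root
```

On a real host the two arguments would be /var/log/maillog and /etc/postfix/aliases, the paths quoted in the thread.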