I run Postfix on CentOS 5.5 with virtual domains. Mail is supposed to
be delivered to maildirs. Everything worked with a sendmail/mbox setup
for the same domain, so MX issues can be eliminated immediately :)
I'm trying to set up a virtual mail hosting on a testing machine,
following the tutorial at:
http://howtoforge.net/linux_postfix_virtual_hosting
Here's the issue. Message file cannot be written to tmp folder because
of "Permission denied". Needless to say, both ownerships and
permissions were checked by hand descending from base
(/var/spool/vmail) to the bottom. To check misspelled directory names,
I've copied the full path and run #cd
/var/spool/vmail/minu.biz/toomas/tmp/ - worked fine. I've even tried
to chmod -R 0777 /var/spool/vmail (it is a testing machine), but even
then I've got the very same "Permission denied". Disabling SELinux
didn't work either. Maildirs WERE created in advance, exactly as the
message suggests. It's late, and I'm running out of ideas. Please,
help.
Excerpt from maillog:
Nov 9 18:27:45 rh2 postfix/smtpd[5139]: warning: dict_nis_init: NIS
domain name not set - NIS lookups disabled
Nov 9 18:27:45 rh2 postfix/smtpd[5139]: connect from
smtp-out.neti.ee[194.126.126.41]
Nov 9 18:27:46 rh2 postfix/smtpd[5139]: 0028C1F494:
client=smtp-out.neti.ee[194.126.126.41]
Nov 9 18:27:46 rh2 postfix/cleanup[5143]: 0028C1F494:
message-id=<1F1C29E7-C1CD-4EFF...@vendelin.com>
Nov 9 18:27:46 rh2 postfix/smtpd[5139]: disconnect from
smtp-out.neti.ee[194.126.126.41]
Nov 9 18:27:46 rh2 postfix/qmgr[4738]: 0028C1F494:
from=<x...@yyy.com>, size=1507, nrcpt=1 (queue active)
Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: maildir access
problem for UID/GID=5000/5000: create maildir file
/var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com:
Permission denied
Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: perhaps you need
to create the maildirs in advance
Nov 9 18:27:46 rh2 postfix/virtual[5144]: 0028C1F494:
to=<too...@minu.biz>, relay=virtual, delay=0.07,
delays=0.05/0.01/0/0.01, dsn=4.2.0, status=deferred (maildir delivery
failed: create maildir file
/var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com:
Permission denied)
Output of postconf -n:
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
inet_interfaces = all
mail_owner = postfix
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = $myhostname
myhostname = rh2.tere.com
mynetworks = 192.168.50.0/24
myorigin = $mydomain
queue_directory = /var/spool/postfix
relay_domains = $mydestination
virtual_alias_maps = hash:/etc/postfix/valias
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_uid_maps = static:5000
Don't you mean "I have configured postfix to deliver to maildirs".
If that's not what you mean, it's an unwarranted - and quite dangerous -
assumption.
> Everything worked with a sendmail/mbox setup
> for the same domain, so MX issues can be eliminated immediately :)
>
I never considered MX issues until you brought them up - you haven't
mentioned any issue yet.
> I'm trying to set up a virtual mail hosting on a testing machine,
> following the tutorial at:
> http://howtoforge.net/linux_postfix_virtual_hosting
>
Yesh - tutorials often get things wrong, or assume you know more about
postfix than you do.
I'd suggest the actual documentation instead, located at
http://www.postfix.org/VIRTUAL_README.html
> Here's the issue. Message file cannot be written to tmp folder because
> of "Permission denied".
Which user is postfix delivering virtual mailbox mail as ?
Did you check that the UID of the virtual user corresponds with write
permissions on the virtual_mailbox_maps location ?
> Needless to say, both ownerships and
> permissions were checked by hand descending from base
> (/var/spool/vmail) to the bottom. To check misspelled directory names,
> I've copied the full path and run #cd
> /var/spool/vmail/minu.biz/toomas/tmp/ - worked fine. I've even tried
> to chmod -R 0777 /var/spool/vmail
Don't. Ever. Chmod anything to 777.
> (it is a testing machine),
And ?
> but even
> then I've got the very same "Permission denied".
Run namei -l /var/spool/vmail/minu.biz/toomas/tmp to verify *complete*
access.
> Disabling SELinux
> didn't work either. Maildirs WERE created in advance, exactly as the
> message suggests. It's late, and I'm running out of ideas. Please,
> help.
>
> Excerpt from maillog:
>
<snip>
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: maildir access
> problem for UID/GID=5000/5000: create maildir file
> /var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com:
> Permission denied
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: perhaps you need
> to create the maildirs in advance
>
HOW did you create the maildir ?
If postfix created the maildir, it would obviously be able to write to
it afterwards.
> Output of postconf -n:
>
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> inet_interfaces = all
> mail_owner = postfix
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = $myhostname
> myhostname = rh2.tere.com
> mynetworks = 192.168.50.0/24
> myorigin = $mydomain
> queue_directory = /var/spool/postfix
> relay_domains = $mydestination
> virtual_alias_maps = hash:/etc/postfix/valias
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /var/spool/vmail
> virtual_mailbox_domains = /etc/postfix/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
> virtual_uid_maps = static:5000
>
This mandates that ALL virtual mailboxes MUST be writable by either uid
5000 or gid 5000. Are they ?
What is the contents of virtual_mailbox_maps ?
You left out one of the principal deciding factors by not including it.
--
J.
This is unrelated to your problem, but you should remove NIS from your
config. Configure alias_maps explicitly:
$ postconf -d |grep nis
alias_maps = hash:/etc/aliases, nis:mail.aliases
$ postconf -e alias_maps=hash:/etc/aliases
> Nov 9 18:27:45 rh2 postfix/smtpd[5139]: connect from
> smtp-out.neti.ee[194.126.126.41]
> Nov 9 18:27:46 rh2 postfix/smtpd[5139]: 0028C1F494:
> client=smtp-out.neti.ee[194.126.126.41]
> Nov 9 18:27:46 rh2 postfix/cleanup[5143]: 0028C1F494:
> message-id=<1F1C29E7-C1CD-4EFF...@vendelin.com>
> Nov 9 18:27:46 rh2 postfix/smtpd[5139]: disconnect from
> smtp-out.neti.ee[194.126.126.41]
> Nov 9 18:27:46 rh2 postfix/qmgr[4738]: 0028C1F494:
> from=<x...@yyy.com>, size=1507, nrcpt=1 (queue active)
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: maildir access
> problem for UID/GID=5000/5000: create maildir file
> /var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com:
> Permission denied
try running
$ touch /var/spool/vmail/minu.biz/toomas/tmp/test.test
as a user with uid=gid=5000.
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: warning: perhaps you need
> to create the maildirs in advance
> Nov 9 18:27:46 rh2 postfix/virtual[5144]: 0028C1F494:
> to=<too...@minu.biz>, relay=virtual, delay=0.07,
> delays=0.05/0.01/0/0.01, dsn=4.2.0, status=deferred (maildir delivery
> failed: create maildir file
> /var/spool/vmail/minu.biz/toomas/tmp/1289320066.P5144.rh2.tere.com:
> Permission denied)
The problem was that I have put /sbin/nologin for a login shell
instead of /bin/false. Don't ask, why on Earth did I do that (I'm
asking that myself). Anyway, with this changed, mail goes through as
expected. The moral being, don't work too long hours.
Picking your points:
> Don't you mean "I have configured postfix to deliver to maildirs".
> If that's not what you mean, it's an unwarranted - and quite dangerous -
> assumption.
I've meant "I have configured postfix to deliver to maildirs", indeed.
> Yesh - tutorials often get things wrong, or assume you know more about
> postfix than you do.
> I'd suggest the actual documentation instead, located at
> http://www.postfix.org/VIRTUAL_README.html
Nobody's perfect. Yes, I've read the "official HOWTO" as well. In this
particular case, the HowtoForge.com tutorial was both correct and
better written. It was me who "got the things wrong".
> Run namei -l /var/spool/vmail/minu.biz/toomas/tmp to verify *complete*
> access.
I've got:
namei: invalid option -- l
usage: namei [-mx] pathname [pathname ...]
> HOW did you create the maildir ?
> If postfix created the maildir, it would obviously be able to write to it
> afterwards.
With mkdir.
> This mandates that ALL virtual mailboxes MUST be writable by either uid 5000
> or gid 5000. Are they ?
Yes. I should have written it explicitly, of course.
> What is the contents of virtual_mailbox_maps ?
> You left out one of the principal deciding factors by not including it.
My mistake. Fortunately, as we know by now, it was irrelevant in this case.
I seriously doubt that this would cause the reported error.
>> Yesh - tutorials often get things wrong, or assume you know more about
>> postfix than you do.
>> I'd suggest the actual documentation instead, located at
>> http://www.postfix.org/VIRTUAL_README.html
>>
> Nobody's perfect. Yes, I've read the "official HOWTO" as well. In this
> particular case, the HowtoForge.com tutorial was both correct and
> better written.
But not complete. No such tutorial ever is.
>> Run namei -l /var/spool/vmail/minu.biz/toomas/tmp to verify *complete*
>> access.
>>
> I've got:
> namei: invalid option -- l
> usage: namei [-mx] pathname [pathname ...]
>
>
Odd. My distribution (ubuntu 10.04) has many more options to namei.
>> HOW did you create the maildir ?
>> If postfix created the maildir, it would obviously be able to write to it
>> afterwards.
>>
> With mkdir.
>
That is not a valid method of creating a maildir, which requires a very
precise permission structure.
Please let the MTA or MDA create your maildirs, or use a third-party
supplied utility such as courier's maildirmake.
>> This mandates that ALL virtual mailboxes MUST be writable by either uid 5000
>> or gid 5000. Are they ?
>>
> Yes. I should have written it explicitly, of course.
>
You haven't shown us any sort of directory listing for the virtual
mailboxes. That would have eliminated all of these uncertainties.
>> What is the contents of virtual_mailbox_maps ?
>> You left out one of the principal deciding factors by not including it.
>>
> My mistake. Fortunately, as we know by now, it was irrelevant in this case.
>
Maybe, but impossible to tell if you don't provide that information.
--
J.
On Wed, Nov 10, 2010 at 3:07 PM, Jeroen Geilman <jer...@adaptr.nl> wrote:
>> The problem was that I have put /sbin/nologin for a login shell
>> instead of /bin/false.
>
> I seriously doubt that this would cause the reported error.
You were right, I've changed it back to /sbin/nologin, and it still
works. Strange, I didn't touch anything else since reporting the issue
for the first time.
>> I've got:
>> namei: invalid option -- l
>> usage: namei [-mx] pathname [pathname ...]
> Odd. My distribution (ubuntu 10.04) has many more options to namei.
I use CentOS 5.5, and some software appears to be not exactly current,
like Dovecot v 1.0.7. Of course, one can compile it from source.
Thank you again for the advice on maildirs and other tips.
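
Added example, not part of the thread: the namei on CentOS 5.5 rejected `-l`, so this sketch does the equivalent per-component check in plain sh, reporting whether a given uid/gid can search every directory on the path and create files in the last one. The function names `perm_bits` and `check_path` are hypothetical, GNU `stat` is assumed, and only the given uid and gid are considered (no supplementary groups).

```shell
#!/bin/sh
# Added example, not from the thread. Decides from mode bits only:
# ACLs, SELinux and root's override are not evaluated. Needs GNU stat.

# perm_bits UID GID PATH: print the rwx digit (0-7) that applies to UID/GID.
perm_bits() {
    info=$(stat -L -c '%u %g %a' "$3") || return 1
    set -- "$1" "$2" $info          # now $3=owner $4=group $5=octal mode
    mode=$(printf '%04d' "$5")      # pad so the last three digits are u/g/o
    o=${mode#???}
    rest=${mode%?}; g=${rest#??}
    rest=${rest%?}; u=${rest#?}
    # The owner class wins even when it is stricter than group or other.
    if [ "$1" = "$3" ]; then echo "$u"
    elif [ "$2" = "$4" ]; then echo "$g"
    else echo "$o"
    fi
}

# check_path UID GID DIR: 0 if UID/GID can search every directory from /
# down to DIR and create files in DIR, 1 if not, 2 on a usage/stat error.
check_path() {
    uid=$1 gid=$2 target=$3 cur=
    case $target in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    bits=$(perm_bits "$uid" "$gid" /) || return 2
    [ $((bits & 1)) -ne 0 ] || { echo "no search (x) on /"; return 1; }
    old_ifs=$IFS; IFS=/; set -f
    set -- $target                  # split the path into its components
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        bits=$(perm_bits "$uid" "$gid" "$cur") || return 2
        [ $((bits & 1)) -ne 0 ] || { echo "no search (x) on $cur"; return 1; }
    done
    [ $((bits & 2)) -ne 0 ] || { echo "no write (w) on $cur"; return 1; }
    echo "ok: $uid/$gid can create files in $cur"
}

# Values from the thread: virtual_uid_maps/virtual_gid_maps = static:5000.
# check_path 5000 5000 /var/spool/vmail/minu.biz/toomas/tmp
```

The first failing component is printed, which is the information a recursive chmod hides; a result of "ok" with delivery still failing points away from mode bits and towards the things this check does not evaluate.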