docker-mailserver
autocreation of ldap user's mailboxes fails
Hi!
Autocreation of ldap user's mailboxes fails with permission denied error:
/var/log/mail/mail.log:
Jan 13 13:34:34 mail dovecot: imap-login: Login: user=<zell>, method=PLAIN, rip=10.16.1.253, lip=172.18.0.2, mpid=969, TLS, session=<n43+5PlFOAAKEAH9>
Jan 13 13:34:34 mail dovecot: imap(zell): Error: user zell: Initialization failed: Namespace '': mkdir(/var/mail//zell) failed: Permission denied (euid=10034(<unknown>) egid=10000(<unknown>) missing +w perm: /var/mail/, we're not in group 5000(docker), dir owned by 5000:5000 mode=0775)
Jan 13 13:34:34 mail dovecot: imap(zell): Error: Invalid user settings. Refer to server log for more information.
docker-compose.yml:
version: '2'
services:
  mail:
    image: tvial/docker-mailserver:2.1
    hostname: mail
    domainname: linuxmuster.lokal
    container_name: mail
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - ./config/:/tmp/docker-mailserver/
      - ./config/dovecot-ldap.conf.ext:/etc/dovecot/dovecot-ldap.conf.ext
      - ./config/ldap.conf:/etc/ldap/ldap.conf
    environment:
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_LDAP=1
      - LDAP_SERVER_HOST=10.16.1.1
      - LDAP_SEARCH_BASE=dc=linuxmuster,dc=lokal
      - LDAP_BIND_DN=cn=admin,dc=linuxmuster,dc=lokal
      - LDAP_BIND_PW=bind_password
      - SSL_TYPE=self-signed
      - ONE_DIR=1
      - DMS_DEBUG=1
    cap_add:
      - NET_ADMIN
volumes:
  maildata:
    driver: local
  mailstate:
    driver: local
config/dovecot-ldap.conf.ext:
base = dc=linuxmuster,dc=lokal
default_pass_scheme = SSHA
uris = ldaps://10.16.1.1
dn = cn=admin,dc=linuxmuster,dc=lokal
dnpass = bind_password
pass_attrs = uid=user, userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
ldap_version = 3
config/ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=linuxmuster,dc=local
URI ldaps://10.16.1.1
#SIZELIMIT 12
#TIMELIMIT 15
DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
Any hints?
Regards, Thomas
mkdir(/var/mail//zell)
It seems that the domain is missing.
Domain is missing where? It's entered in docker-compose.yml.
Probably in LDAP configuration. But sorry, I don't use it so I'm not an expert at all. Perhaps part of the answer can be found here: https://github.com/tomav/docker-mailserver/tree/master/test/docker-openldap/bootstrap
Okay, thanks so far. I'll research further.
I fear the missing domain is not the problem. I removed the domain from the maildir path setting
mail_location = maildir:/var/mail/%n
since the users authenticate only with login name without domain and dovecot complains that it is not in group docker so it cannot create the maildir:
Jan 13 19:38:36 mail dovecot: imap-login: Login: user=<zell>, method=PLAIN, rip=10.16.1.253, lip=172.18.0.2, mpid=958, TLS, session=<6V3s+f5FCAAKEAH9>
Jan 13 19:38:36 mail dovecot: imap(zell): Error: user zell: Initialization failed: Namespace '': mkdir(/var/mail/zell) failed: Permission denied (euid=10034(<unknown>) egid=10000(<unknown>) missing +w perm: /var/mail, we're not in group 5000(docker), dir owned by 5000:5000 mode=0775)
So it's a permission problem.
If I set /var/mail world writable it works like a charm. But this cannot be the solution.
It also works if /var/mail is group writable for group mail. Will it break other things if we make /var/mail group owned by mail per default?
New insight: dovecot's imap service runs with gid 10000. Since there is no group with this gid, running
chgrp 10000 /var/mail
within the container on every start is a quick and dirty fix. If it does not break other things it may be included in start-mailserver.sh.
Does this problem still exist?
@alinmear yes, it does - stumbled upon it myself. It's a permissions issue and it can be avoided by setting the user gid in LDAP equal to 5000, or overriding command in docker-compose and allowing anybody to create a directory inside of /var/mail. But well, it's not a solution, just a workaround.
@sndl what do you suggest on fixing the issue? When the uid and gid are set to 5000 there are no issues, correct? The problem is when there are more uids of the ldap accounts in different groups that can't get access.
This still is a problem I think.
Setting the gid of all (mail) users to 5000 can't be the solution if you also store posixAccount login information in an ldap.
I've also tried setting mail_uid=500 and mail_gid=5000 in dovecot-ldap.ext - but no success.
EDIT: This works very well when setting mail_uid=5000 and mail_gid=5000 in an override config file for dovecot.
This still seems to be an issue, as I get
mailserver | Aug 2 23:16:12 nordstadtliga dovecot: lmtp([email protected])<2388><FE9RJZxgCGFUCQAA/I4ujQ>: Error: mkdir(/srv/vmail/[email protected]/Maildir) failed: Permission denied (euid=5000(docker) egid=5000(docker) missing +w perm: /srv, dir owned by 0:0 mode=0755)
when a new user gets mail the first time.
It's still a problem as far as I can see for LDAP auth.
My solution is:
- do not set the DOVECOT_USER_ATTRS environment variable
- create a file ./config/dovecot-local.conf containing:
    mail_uid=5000
    mail_gid=5000
- modify your docker-compose.yml to mount the file:
    volumes:
      - ./config/dovecot-local.conf:/etc/dovecot/local.conf
- restart your container
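An added diagnostic script, not from the project or any commenter in this thread: it parses the exact "missing +w perm" lines Dovecot logged above, works out which Unix permission class the reported euid/egid falls into on the parent directory, and so shows why the LDAP uid 10034 / gid 10000 is denied on a 5000:5000 mode 0775 directory and why mail_uid/mail_gid=5000 fixes it. The sample lines are constructed from the ones quoted in the issue, with the syslog prefix dropped and a placeholder address.

```shell
#!/bin/sh
# Constructed samples based on the log lines quoted in this issue.
LINE_LDAP="imap(zell): Error: user zell: Initialization failed: Namespace '': mkdir(/var/mail//zell) failed: Permission denied (euid=10034(<unknown>) egid=10000(<unknown>) missing +w perm: /var/mail/, we're not in group 5000(docker), dir owned by 5000:5000 mode=0775)"
LINE_LMTP="lmtp(user@example.test): Error: mkdir(/srv/vmail/user@example.test/Maildir) failed: Permission denied (euid=5000(docker) egid=5000(docker) missing +w perm: /srv, dir owned by 0:0 mode=0755)"

# field LINE PATTERN: print the first sed capture group of PATTERN found in LINE.
field() { printf '%s\n' "$1" | sed -n "s/.*$2.*/\\1/p"; }

# explain_dovecot_perm LINE
# From the numbers in a Dovecot "missing +w perm" error, decide whether the
# effective uid/gid can write the parent directory. Prints the reason and
# returns 0 (writable), 1 (denied) or 2 (line not parseable).
# Only the primary gid is considered, which is what Dovecot reports
# ("we're not in group ..."); supplementary groups are not in the log line.
explain_dovecot_perm() {
    euid=$(field "$1" 'euid=\([0-9]*\)')
    egid=$(field "$1" 'egid=\([0-9]*\)')
    owner=$(field "$1" 'dir owned by \([0-9]*\):')
    group=$(field "$1" 'dir owned by [0-9]*:\([0-9]*\)')
    mode=$(field "$1" 'mode=[0-7]*\([0-7][0-7][0-7]\))')
    if [ -z "$euid" ] || [ -z "$mode" ]; then
        echo "unparsed: not a Dovecot permission error line"
        return 2
    fi
    # Unix applies exactly one class: root bypasses, else owner, else group, else other.
    if [ "$euid" = 0 ]; then class=root; bit=2
    elif [ "$euid" = "$owner" ]; then class=owner; bit=$(( $(printf %s "$mode" | cut -c1) & 2 ))
    elif [ "$egid" = "$group" ]; then class=group; bit=$(( $(printf %s "$mode" | cut -c2) & 2 ))
    else class=other; bit=$(( $(printf %s "$mode" | cut -c3) & 2 ))
    fi
    if [ "$bit" -ne 0 ]; then
        echo "writable: euid=$euid egid=$egid is '$class' on dir ${owner}:${group} mode $mode"
        return 0
    fi
    echo "denied: euid=$euid egid=$egid is '$class' on dir ${owner}:${group} mode $mode; set mail_uid/mail_gid to ${owner}:${group} (e.g. local.conf) or give class '$class' +w"
    return 1
}

# Stand-alone run: show the verdict for both sample lines.
explain_dovecot_perm "$LINE_LDAP"
explain_dovecot_perm "$LINE_LMTP"
```

Pipe a live line in with e.g. grep 'missing +w perm' /var/log/mail/mail.log to check a running container before and after adding the local.conf override.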