FS#56933 - [dovecot] vacation filter produces sendmail "permission denied" error

Attached to Project: Community Packages
Opened by Anthony K. (crt.011) - Wednesday, 03 January 2018, 03:19 GMT
Last edited by Thore Bödecker (foxxx0) - Wednesday, 07 March 2018, 08:51 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Johannes Löthberg (demize)
Thore Bödecker (foxxx0)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
When the sendmail binary is called by Dovecot's LMTP for sending an auto-response to the sender when a Vacation/OOO filter is enabled - the following repeated errors are found in the error log.

Jan 02 17:20:33 lmtp(me@domain.email)<13528><qg2bJ8MvTFrYNAAAUXb6+w>: Error: sieve: msgid=<CAE2c3QaHRrFCrHixwr4HfqtaOLSvKTUCPkj-2W3shzLnntcrOw@mail.gmail.com>: failed to send vacation response to me@gmail.com: <Failed to execute sendmail> (temporary error)
Jan 02 17:20:39 lmtp: Error: postdrop: warning: mail_queue_enter: create file maildrop/248933.10994: Permission denied

When I enable debugging I see:
Dec 29 21:21:38 lmtp(me@domain.email)<17187><UA2fMEQiR1ojQwAAUXb6+w>: Debug: program `/usr/sbin/sendmail'(17336) execution timed out after 30000 milliseconds: sending TERM signal
Dec 29 21:21:38 lmtp(me@domain.email)<17187><UA2fMEQiR1ojQwAAUXb6+w>: Debug: Mailbox <lmtp DATA local>: Opened mail UID=1 because: virtual size (Cache file is unusable)

Additional info:
* package version(s)
postfix 3.2.4-2
postfix 3.2.4-3

I don't know if this happened with 3.2.4-1. I started getting email notifications about the permission denied error around December 24th from what to me seemed like after a Dovecot/Pigeonhole update. So far, the Dovecot mailing list is not acknowledging that it is a problem with Dovecot or Pigeonhole. They're under the assumption that I have AppArmor or SELinux enabled, but of course none of my Arch hosts have these.

* config and/or log files etc.
The error logs just spit out repeated permission denied error lines as shown.

Steps to reproduce:
Install or upgrade to the latest Arch package releases for the following.
postfix 3.2.4-3
dovecot 2.3.0-1
pigeonhole 0.5.0-2

Create a Vacation/OOO rule such as:
# rule:[Vacation]
if true
{
vacation :days 1 :addresses "me@domain.email" :subject "Vacation" :from "noreply@domain.email" text:
Hello,

Thanks for your email. I am out of the office.
.
;
}

Have any sender mail the address with an enabled OOO sieve response and `tail -f /var/log/mail/mail.err` or the respective error log. Notice a continuous permission denied message in addition to the "Failed to execute sendmail (temporary error)".

Jan 02 17:21:33 lmtp: Error: postdrop: warning: mail_queue_enter: create file maildrop/725880.13530: Permission denied
Jan 02 17:21:39 lmtp: Error: postdrop: warning: mail_queue_enter: create file maildrop/250066.10994: Permission denied
Jan 02 17:21:43 lmtp: Error: postdrop: warning: mail_queue_enter: create file maildrop/726066.13530: Permission denied
Jan 02 17:21:49 lmtp: Error: postdrop: warning: mail_queue_enter: create file maildrop/250302.10994: Permission denied
Jan 02 17:21:53 lmtp: Error: postdrop: warning: mail_queue_enter: create file maildrop/726277.13530: Permission denied

Run: postfix check (no errors reported of any kind)

Invoking the `sendmail` command to send from the command line and from the vmail user is successful. Unfortunately the common fix described everywhere has no effect on this bug. For example:

systemctl stop postfix
killall -9 postdrop
chgrp -R postdrop /var/spool/postfix/public (group previously postdrop)
chgrp -R postdrop /var/spool/postfix/maildrop (group previously postdrop)
postfix set-permissions
postfix check
systemctl start postfix

This problem persists across multiple Arch hosts.
This task depends upon

Closed by  Thore Bödecker (foxxx0)
Wednesday, 07 March 2018, 08:51 GMT
Reason for closing:  Not a bug
Additional comments about closing:  Requires configuration changes. Setting "submission_host" will fix this problem.

The issue is highly dependant on the user configuration and thus there is no need or even sense in bringing this into the default package of Arch Linux.
Comment by Anthony K. (crt.011) - Wednesday, 03 January 2018, 03:24 GMT
My apologies for missing the summary:  FS#56933  - [postfix] Permission denied and sendmail times out during postdrop
Comment by Anthony K. (crt.011) - Wednesday, 03 January 2018, 20:28 GMT
This bug appears to be related to dovecot 2.3.0 and pigeonhole 0.5.0. Downgrading to dovecot 2.2.33.2 and pigeonhole 0.4.21 does not run into this bug, but the Dovecot mailing list has yet to confirm this as a bug. In any case, those who upgrade to 2.3.0 and 0.5.0 will probably hit this bug when Vacation/OOO or any auto-response rule is enabled.
Comment by Eli Schwartz (eschwartz) - Wednesday, 03 January 2018, 22:04 GMT
  • Field changed: Status (Unconfirmed → Assigned)
  • Field changed: Category (Packages: Extra → Packages)
  • Field changed: Architecture (All → All)
  • Task assigned to Johannes Löthberg (demize)
Cross-links to the prior discussion on the dovecot mailing list:

https://www.dovecot.org/pipermail/dovecot/2017-December/110516.html
https://www.dovecot.org/pipermail/dovecot/2018-January/110528.html

Comment by Anthony K. (crt.011) - Sunday, 07 January 2018, 10:13 GMT
For security reasons it looks like `NoNewPrivileges=true` is a new addition to Dovecot's systemd service file in systemd.exec. In this case, setting the `submision_host`[1] gets around the issue. This was not documented in the release notes.

[1] https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/15-lda.conf#L20
Comment by Thore Bödecker (foxxx0) - Wednesday, 07 March 2018, 08:50 GMT
According to your own reply on the dovecot mailing list, the issue seems to fixable by setting "submission_host" [1].

I'm closing this.

[1] https://www.dovecot.org/pipermail/dovecot/2018-January/110588.html

Loading...