On 22.1.2013, at 21.44, Tim Marston <t...@ed.am> wrote:

> On Tue, Jan 15, 2013 at 11:33:08PM +0000, Tim Marston wrote:
>> Would it be acceptable to setgid the dovecot executable and change its
>> group to "mail" (i.e., `chgrp mail dovecot` and `chmod g+s dovecot`)?
>> Would this pose some kind of security risk? Would this actually do what
>> I want, or am I missing a bigger picture?
>
> Just to confirm, doing the following fixed the problem for me:
>
> # chgrp mail /usr/bin/dovecot
> # chmod g+s /usr/bin/dovecot
>
> I am still able to use IMAP normally, and I am now also able to set up
> mutt with the following:

You've now basically given any user the ability to run any process with mail group privileges.

> My INBOX is no longer occasionally read-only, and I no longer get the
> following error in /var/log/mail.err:
>
> Jan 22 08:48:59 mailhost IMAP(user): : file_dotlock_create(/var/mail/user)
> failed: Permission denied (euid=1000(user) egid=1000(user) missing +w
> perm: /var/mail) (set mail_privileged_group=mail)

Other possibilities:

a) Deliver mails elsewhere than /var/mail/ (under each user's home dir)
b) Don't use dotlocking: mbox_write_locks = fcntl
c) Make /var/mail/ 01777 permissions
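An added audit helper for the two conditions discussed in this thread (example code, not from the thread and not part of Dovecot). It reports whether a binary carries setuid/setgid bits (the `chmod g+s` on a group-`mail` binary is what hands group `mail` to every caller), pulls the directory out of the `missing +w perm:` part of the `file_dotlock_create` error, and checks whether the current user could create a dotlock file there at all, printing the alternatives from the reply when it could not. The sample log line is the one quoted above, embedded as constructed input; the default binary path `/usr/bin/dovecot` is the one the reporter used.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot.

# privileged_bits FILE: prints setuid, setgid, setuid+setgid or none.
# A setgid binary runs with its file group as the effective group for
# whoever executes it, which is the risk pointed out in the reply.
privileged_bits() {
    bits=none
    if [ -u "$1" ] && [ -g "$1" ]; then
        bits="setuid+setgid"
    elif [ -u "$1" ]; then
        bits=setuid
    elif [ -g "$1" ]; then
        bits=setgid
    fi
    printf '%s\n' "$bits"
}

# spool_dir_from_log LINE: prints the directory named after "missing +w perm:"
# in a file_dotlock_create error line, or nothing if the line does not match.
spool_dir_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*missing +w perm: \([^)]*\)).*/\1/p'
}

# dotlock_possible DIR: returns 0 when the current user can create a new file
# in DIR (what mbox dotlocking needs), 1 otherwise. Note that access(2), and
# therefore test -w, always succeeds for root.
dotlock_possible() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# spool_advice DIR: prints "dotlock-ok" or the three alternatives from the reply.
spool_advice() {
    if dotlock_possible "$1"; then
        printf 'dotlock-ok\n'
    else
        printf 'cannot dotlock in %s: deliver under home dirs, set mbox_write_locks = fcntl, or chmod 01777 %s\n' "$1" "$1"
    fi
}

# Constructed sample input: the mail.err line quoted in the thread.
SAMPLE_LOG='Jan 22 08:48:59 mailhost IMAP(user): : file_dotlock_create(/var/mail/user) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /var/mail) (set mail_privileged_group=mail)'

# audit_report [BINARY]: one line for the binary's privilege bits, one for the
# spool directory taken from the sample log line. BINARY defaults to the path
# the reporter changed (assumed from the thread, not a Dovecot constant).
audit_report() {
    bin=${1:-/usr/bin/dovecot}
    dir=$(spool_dir_from_log "$SAMPLE_LOG")
    printf '%s: %s\n' "$bin" "$(privileged_bits "$bin")"
    printf '%s: %s\n' "$dir" "$(spool_advice "$dir")"
}

audit_report "$@"
```

Run it as a normal user (not root, since `test -w` is always true for root) to see whether the spool directory really needs the dotlock permission, and run it against the binary to confirm the setgid bit is gone once one of the alternatives is in place.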