Re: [EXT] doveadm backup from gmail with imapc
On Fri, 2020-04-10 at 15:13 +0300, Sami Ketola wrote: > > > > > On 10 Apr 2020, at 14.07, Ben Mulvihill > > wrote: > > > > > last answer from gmail: > > > > > 1586513176.126970 1944 OK Success > > last commands send by dovecot: > > > > > 1586513175.951965 1944 UID FETCH > > 99624,99627,99628,99629,99631,99632,99633,99634,99635,99636,99637,9 > > 9639 > > ,99640,99641,99642,99643,99644,99645,99646,99647,99648 (X-GM-MSGID) > > 1586513176.127109 1945 LIST "" "*" > > So gmail hangs and never gives response to the last LIST command. > > Fetcing X-GM-MSGID is related to POP3 UIDLs. If you don't care about > POP3 and gmail labels you can remove gmail-migration from > imapc_features. > > also you can try to set imapc_cmd_timeout to some low value like 10s > to make dovecot to reconnect in case gmail hangs. Default is to wait > for 5 mins. > > Sami > > Thanks again! I tried setting imapc_cmd_timeout = 10s and that was enough to take the download process past the ID stage and on to downloading messages. doveadm still failed the same ASSERT and core dumps, just not so soon. In four attempts I downloaded 4200, 1800, 0 and 4200 messages respectively. That was yesterday. I tried today and have successfully downloaded a further 2 messages without any core dumps. I ended up interrupting the process myself because I was concerned at exceeding my ISPs fair usage limits. But by repeating the command from time to time I should gradually be able to synchronise the whole mailbox. Ben
Re: Missing permissions
On 11/04/2020 15:47 Alex JOST <
jost+li...@dimejo.at> wrote:
Am 11.04.2020 um 13:00 schrieb Andrei Petru Mura:
Hi,
After configuring systemd unit with ReadWritePaths=/home/mail, I get the
following error logs in audit:
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
I have SELinux enabled, on CentOS.
If I run:
audit2why < /var/log/audit/audit.log
I get:
type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
I think it's important to know that I'm trying to use dovecot with virtual
users. If I try to configure it with PAM authentication using system users,
it works well.
Any suggestions on this?
Looks like /home/mail as mail store isn't included in the default
SELinux policy. Did you make sure that the correct SELinux type is set
on the directories?
https://www.unix.com/man-page/centos/8/dovecot_selinux/
If this isn't enough to get you going you might need to create your own
policy. The following steps should be all that it takes to create your
own policy.
Check that grep includes only lines that you want included in your new
policy:
grep dovecot /var/log/audit/audit.log | audit2allow -w
Create your new policy for Dovecot and install it:
grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
semodule -i dovecot_custom.pp
--
Alex JOST
Or just label the directory with mail_home_rw_t
---
Aki Tuomi
Re: Missing permissions
Am 11.04.2020 um 13:00 schrieb Andrei Petru Mura:
Hi,
After configuring systemd unit with ReadWritePaths=/home/mail, I get the
following error logs in audit:
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
I have SELinux enabled, on CentOS.
If I run:
audit2why < /var/log/audit/audit.log
I get:
type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
I think it's important to know that I'm trying to use dovecot with virtual
users. If I try to configure it with PAM authentication using system users,
it works well.
Any suggestions on this?
Looks like /home/mail as mail store isn't included in the default
SELinux policy. Did you make sure that the correct SELinux type is set
on the directories?
https://www.unix.com/man-page/centos/8/dovecot_selinux/
If this isn't enough to get you going you might need to create your own
policy. The following steps should be all that it takes to create your
own policy.
Check that grep includes only lines that you want included in your new
policy:
grep dovecot /var/log/audit/audit.log | audit2allow -w
Create your new policy for Dovecot and install it:
grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
semodule -i dovecot_custom.pp
--
Alex JOST
Re: [EXT] doveadm backup from gmail with imapc
> On 11 Apr 2020, at 15.20, Ben Mulvihill wrote: > > I tried setting imapc_cmd_timeout = 10s and that was enough to take the > download process past the ID stage and on to downloading messages. > doveadm still failed the same ASSERT and core dumps, just not so soon. > In four attempts I downloaded 4200, 1800, 0 and 4200 > messages respectively. That was yesterday. I tried today and have > successfully downloaded a further 2 messages without any core > dumps. I ended up interrupting the process myself because I was > concerned at exceeding my ISPs fair usage limits. But by repeating > the command from time to time I should gradually be able to synchronise > the whole mailbox. Nice! Those assert crashes are probably a bug of somekind. Maybe Aki or Timo could take a look at them. Sami
Re: Missing permissions
Hi,
After configuring systemd unit with ReadWritePaths=/home/mail, I get the
following error logs in audit:
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
I have SELinux enabled, on CentOS.
If I run:
audit2why < /var/log/audit/audit.log
I get:
type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
I think it's important to know that I'm trying to use dovecot with virtual
users. If I try to configure it with PAM authentication using system users,
it works well.
Any suggestions on this?
Mura Andrei
On Sat, Apr 11, 2020 at 10:02 AM Andrei Petru Mura
wrote:
> I think I found here what I'm interested in:
> https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.
>
> On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura
> wrote:
>
>> Hi Aki,
>>
>> Thanks. I was especially interested in documentation related to dovecot
>> and it's users permissions, the way in which dovecot uses users. Till now I
>> found only spread information on different articles from dovecot's website.
>>
>> Thanks,
>> Mura Andrei
>>
>> On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi
>> wrote:
>>
>>> Hi,
>>>
>>>
>>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>>>
>>> although we probably need to add some words into doc.dovecot.org under
>>> known issues.
>>>
>>> Aki
>>>
>>> > On 11/04/2020 09:24 Andrei Petru Mura wrote:
>>> >
>>> >
>>> > Hi Aki,
>>> >
>>> > Any documentation on this topic?
>>> >
>>> > Mura Andrei
>>> >
>>> >
>>> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi
>>> wrote:
>>> > > This is probably caused by systemd (or selinux or both).
>>> > >
>>> > > With systemd, you need to add
>>> > >
>>> > > ReadWritePaths=/home/mail
>>> > >
>>> > > to the systemd unit.
>>> > >
>>> > > Then you can check /var/log/audit/audit.log for any selinux
>>> specific problems. If you are using Centos/Redhat.
>>> > >
>>> > > Aki
>>> > >
>>> > > > On 06/04/2020 17:01 Andrei Petru Mura
>>> wrote:
>>> > > >
>>> > > >
>>> > > > Hi,
>>> > > >
>>> > > > Dovecot version 2.2.36
>>> > > > In log files I get this error:
>>> > > > dovecot: imap(test): Namespace '':
>>> mkdir(/home/mail/domain/test/Maildir) failed: Permission denied
>>> (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX
>>> perms appear ok (ACL/MAC wrong?))
>>> > > >
>>> > > > My authentication configuration is this:
>>> > > > passdb {
>>> > > > driver = passwd-file
>>> > > > args = username_format=%n /etc/dovecot/users
>>> > > > }
>>> > > >
>>> > > > userdb {
>>> > > > driver = static
>>> > > > args = uid=vmail gid=vmail home=/home/mail/domain/%n
>>> username_format=%n /etc/dovecot/users
>>> > > >
>>> > > > }
>>> > > >
>>> > > > /home/mail/domain/test directory is owned by vmail user.
>>> > > > How to fix this?
>>> > > >
>>> > > > Mura Andrei
>>> > >
>>>
>>
Re: Missing permissions
I think I found here what I'm interested in:
https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.
On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura
wrote:
> Hi Aki,
>
> Thanks. I was especially interested in documentation related to dovecot
> and it's users permissions, the way in which dovecot uses users. Till now I
> found only spread information on different articles from dovecot's website.
>
> Thanks,
> Mura Andrei
>
> On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi
> wrote:
>
>> Hi,
>>
>>
>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>>
>> although we probably need to add some words into doc.dovecot.org under
>> known issues.
>>
>> Aki
>>
>> > On 11/04/2020 09:24 Andrei Petru Mura wrote:
>> >
>> >
>> > Hi Aki,
>> >
>> > Any documentation on this topic?
>> >
>> > Mura Andrei
>> >
>> >
>> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi
>> wrote:
>> > > This is probably caused by systemd (or selinux or both).
>> > >
>> > > With systemd, you need to add
>> > >
>> > > ReadWritePaths=/home/mail
>> > >
>> > > to the systemd unit.
>> > >
>> > > Then you can check /var/log/audit/audit.log for any selinux specific
>> problems. If you are using Centos/Redhat.
>> > >
>> > > Aki
>> > >
>> > > > On 06/04/2020 17:01 Andrei Petru Mura wrote:
>> > > >
>> > > >
>> > > > Hi,
>> > > >
>> > > > Dovecot version 2.2.36
>> > > > In log files I get this error:
>> > > > dovecot: imap(test): Namespace '':
>> mkdir(/home/mail/domain/test/Maildir) failed: Permission denied
>> (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX
>> perms appear ok (ACL/MAC wrong?))
>> > > >
>> > > > My authentication configuration is this:
>> > > > passdb {
>> > > > driver = passwd-file
>> > > > args = username_format=%n /etc/dovecot/users
>> > > > }
>> > > >
>> > > > userdb {
>> > > > driver = static
>> > > > args = uid=vmail gid=vmail home=/home/mail/domain/%n
>> username_format=%n /etc/dovecot/users
>> > > >
>> > > > }
>> > > >
>> > > > /home/mail/domain/test directory is owned by vmail user.
>> > > > How to fix this?
>> > > >
>> > > > Mura Andrei
>> > >
>>
>
Re: Missing permissions
Hi Aki,
Thanks. I was especially interested in documentation related to dovecot and
it's users permissions, the way in which dovecot uses users. Till now I
found only spread information on different articles from dovecot's website.
Thanks,
Mura Andrei
On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi
wrote:
> Hi,
>
>
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>
> although we probably need to add some words into doc.dovecot.org under
> known issues.
>
> Aki
>
> > On 11/04/2020 09:24 Andrei Petru Mura wrote:
> >
> >
> > Hi Aki,
> >
> > Any documentation on this topic?
> >
> > Mura Andrei
> >
> >
> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi
> wrote:
> > > This is probably caused by systemd (or selinux or both).
> > >
> > > With systemd, you need to add
> > >
> > > ReadWritePaths=/home/mail
> > >
> > > to the systemd unit.
> > >
> > > Then you can check /var/log/audit/audit.log for any selinux specific
> problems. If you are using Centos/Redhat.
> > >
> > > Aki
> > >
> > > > On 06/04/2020 17:01 Andrei Petru Mura wrote:
> > > >
> > > >
> > > > Hi,
> > > >
> > > > Dovecot version 2.2.36
> > > > In log files I get this error:
> > > > dovecot: imap(test): Namespace '':
> mkdir(/home/mail/domain/test/Maildir) failed: Permission denied
> (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX
> perms appear ok (ACL/MAC wrong?))
> > > >
> > > > My authentication configuration is this:
> > > > passdb {
> > > > driver = passwd-file
> > > > args = username_format=%n /etc/dovecot/users
> > > > }
> > > >
> > > > userdb {
> > > > driver = static
> > > > args = uid=vmail gid=vmail home=/home/mail/domain/%n
> username_format=%n /etc/dovecot/users
> > > >
> > > > }
> > > >
> > > > /home/mail/domain/test directory is owned by vmail user.
> > > > How to fix this?
> > > >
> > > > Mura Andrei
> > >
>
Re: Missing permissions
Hi,
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
although we probably need to add some words into doc.dovecot.org under known
issues.
Aki
> On 11/04/2020 09:24 Andrei Petru Mura wrote:
>
>
> Hi Aki,
>
> Any documentation on this topic?
>
> Mura Andrei
>
>
> On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi wrote:
> > This is probably caused by systemd (or selinux or both).
> >
> > With systemd, you need to add
> >
> > ReadWritePaths=/home/mail
> >
> > to the systemd unit.
> >
> > Then you can check /var/log/audit/audit.log for any selinux specific
> > problems. If you are using Centos/Redhat.
> >
> > Aki
> >
> > > On 06/04/2020 17:01 Andrei Petru Mura wrote:
> > >
> > >
> > > Hi,
> > >
> > > Dovecot version 2.2.36
> > > In log files I get this error:
> > > dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir)
> > failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w
> > perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
> > >
> > > My authentication configuration is this:
> > > passdb {
> > > driver = passwd-file
> > > args = username_format=%n /etc/dovecot/users
> > > }
> > >
> > > userdb {
> > > driver = static
> > > args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n
> > /etc/dovecot/users
> > >
> > > }
> > >
> > > /home/mail/domain/test directory is owned by vmail user.
> > > How to fix this?
> > >
> > > Mura Andrei
> >
Re: Missing permissions
Hi Aki,
Any documentation on this topic?
Mura Andrei
On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi wrote:
> This is probably caused by systemd (or selinux or both).
>
> With systemd, you need to add
>
> ReadWritePaths=/home/mail
>
> to the systemd unit.
>
> Then you can check /var/log/audit/audit.log for any selinux specific
> problems. If you are using Centos/Redhat.
>
> Aki
>
> > On 06/04/2020 17:01 Andrei Petru Mura wrote:
> >
> >
> > Hi,
> >
> > Dovecot version 2.2.36
> > In log files I get this error:
> > dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir)
> failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w
> perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
> >
> > My authentication configuration is this:
> > passdb {
> > driver = passwd-file
> > args = username_format=%n /etc/dovecot/users
> > }
> >
> > userdb {
> > driver = static
> > args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n
> /etc/dovecot/users
> >
> > }
> >
> > /home/mail/domain/test directory is owned by vmail user.
> > How to fix this?
> >
> > Mura Andrei
>
Re: Missing permissions
Hi Michael,
I don't have apparmour installed in my system.
Mura Andrei
On Mon, Apr 6, 2020 at 10:11 PM Michael Hirmke wrote:
> Hi Andrei,
>
> >Hi,
>
> >Dovecot version 2.2.36
> >In log files I get this error:
> >dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir)
> >failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w
> >perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
>
> >My authentication configuration is this:
> >passdb {
> > driver = passwd-file
> > args = username_format=%n /etc/dovecot/users
> >}
>
> >userdb {
> > driver = static
> > args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n
> >/etc/dovecot/users
>
> >}
>
> >/home/mail/domain/test directory is owned by vmail user.
> >How to fix this?
>
> do you have apparmor up and running?
> If so, you have to modify its config for dovecot.
>
> >Mura Andrei
>
> Bye.
> Michael.
> --
> Michael Hirmke
>
