Solved mail/dovecot - stats-writer failed: Permission denied

I am using Dovecot v2.3.4.1 and receiving the following error when emails are getting bounced back to me:
Code:
net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied


dovecot.conf
Code:
service stats {
  unix_listener stats-reader {
    user = dovecot
    group = wheel
    mode = 0660
  }
  unix_listener stats-writer {
    user = dovecot
    group = wheel
    mode = 0660
  }
}


/var/run/dovecot/
Code:
srw-rw----   1 dovecot  wheel        0B Feb 14 22:01 stats-reader
srw-rw----   1 dovecot  wheel        0B Feb 14 22:01 stats-writer


Any ideas how to fix this?
 
You can change the mode to 666 to allow everyone access to the stats, but I will not recommend it. It's better to use some default group like "mail", add the user under which you invoke the process to that group, and keep it at 660.

Code:
service stats {
  unix_listener stats-reader {
    group = mail
    mode = 0666
  }
  unix_listener stats-writer {
    group = mail
    mode = 0666
  }
}
service anvil {
  unix_listener anvil {
    group = mail
    mode = 0666
  }
}
 
If you are running the stats service under user dovecot and group wheel with permissions 0660, then only processes that run as a user who is a member of group wheel, or that run as the dovecot user, can access the stats-reader or stats-writer. If you are receiving the above error
net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
then your dovecot is running under some different user, for example "vmail/vscan/postfix/mail....", and you need to add this user to the same group under which your stats service is running, and this group MUST NOT be wheel as this is the root group. That's why it's better to use some default group like mail or dovecot and add the user as a member of this group so the process can access the stats.
 
The stats service is running as "dovecot", so my current setup should be working - but it's not.

Code:
dovecot  24529   0.0  0.0   17384   8224  -  I    08:16        0:00.00 dovecot/pop3-login
root     31311   0.0  0.0   13084   4192  -  Is   14Feb19      0:00.89 /usr/local/sbin/dovecot -c /usr/local/etc/dovecot/dovecot.conf
dovecot  31313   0.0  0.0   12700   3904  -  I    14Feb19      0:00.15 anvil: [2 connections] (anvil)
root     31314   0.0  0.0   12740   3952  -  I    14Feb19      0:00.15 dovecot/log
root     31315   0.0  0.0   13320   4492  -  I    14Feb19      0:00.83 dovecot/config
dovecot  31316   0.0  0.0   12700   3956  -  I    14Feb19      0:00.34 stats: [2 connections] (stats)
dovecot  31317   0.0  0.1   22356  13148  -  I    14Feb19      0:00.41 auth: [0 wait, 0 passdb, 0 userdb] (auth)
 
Code:
$ ps aux | grep dovecot
dovecot  25789   0.0  0.0   17384   8224  -  I    08:55        0:00.00 dovecot/pop3-login
root     31311   0.0  0.0   13084   4192  -  Is   14Feb19      0:00.90 /usr/local/sbin/dovecot -c /usr/local/etc/dovecot/dovecot.co
dovecot  31313   0.0  0.0   12700   3904  -  I    14Feb19      0:00.15 anvil: [2 connections] (anvil)
root     31314   0.0  0.0   12740   3952  -  I    14Feb19      0:00.15 dovecot/log
root     31315   0.0  0.0   13320   4492  -  I    14Feb19      0:00.85 dovecot/config
dovecot  31316   0.0  0.0   12700   3972  -  I    14Feb19      0:00.35 stats: [2 connections] (stats)
dovecot  31317   0.0  0.1   22356  13148  -  I    14Feb19      0:00.41 auth: [0 wait, 0 passdb, 0 userdb] (auth)
 
The user who starts doveadm is not a member of the group under which the stats service is running. That's why when you or some service tries to access stats-writer, which you run under dovecot:wheel, you receive this error. You can allow all users to have access to stats-writer by changing the mode to 0666, or change the group under which the stats-writer is running to "mail" and add all services that need access to the stats to that group.

For example, if you log on as a normal user (not root) who is not a member of the wheel group and run doveadm who, you will receive the same error. If you change the service to run under a group of which this user is a member, it will have access to the stats. So some process (imap maybe) is trying to access the stats-writer, and this process is running under another user, and that's why you get this access denied message.

The easy workaround is to change the stats service to run as 0666 so that all users of the system have access to it, or use some group like "mail", add all processes which need access to the stats to that group, and keep the restriction at 0660.
 
Which service are you running under user "virtual"?
ps aux | grep virtual

You can use doveadm config | grep user to list all your configuration sections and their users.
 
No "service" is running under the user virtual. However, the config has "auth-master" using virtual/virtual - and everything started working when I used that user/group for the reader/writer.

Nothing else in the config uses virtual/virtual except those 3 sections now.

/var/run/dovecot :
Code:
$ ll | grep virtual
srw-------   1 virtual  virtual      0B Feb 22 19:04 auth-master
srw-rw----   1 virtual  virtual      0B Feb 22 19:04 stats-reader
srw-rw----   1 virtual  virtual      0B Feb 22 19:04 stats-writer
 
In my configuration the auth-master service is running as follows:

Code:
unix_listener auth-master {
  group =
  mode = 0600
  user =
}

But I'm running dovecot with the "vscan" user from postfix.
 
I had someone set dovecot up for me 6+ years ago. I'm not sure why they used "virtual", but I see it's also referenced in the Postfix master.cf file:
Code:
dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=virtual:virtual argv=/usr/local/libexec/dovecot/deliver -d ${recipient}
 
It's just a user name under which the dovecot local delivery agent (lda) is started. It's called virtual or vmail just to remind you that this user has no login privileges on the local system and that under its name all virtual e-mail accounts and virtual domains get their access to the local file system.
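
Added example, not part of any post in this thread: a Python sketch of the owner/group/other check that decides whether a process can connect to a listener such as stats-writer, which also flags the 0666 and wheel-group settings discussed above. The function names and the uid/gid values in demo() are constructed for illustration, and the check ignores ACLs and search permission on the parent directory.

```python
import os, socket, stat, tempfile

def can_connect(sock_uid, sock_gid, mode, uid, gids):
    """connect() on a Unix-domain socket needs write permission on the
    socket file; apply the usual owner, then group, then other check."""
    if uid == 0:
        return True                       # root bypasses the mode bits
    if uid == sock_uid:
        return bool(mode & stat.S_IWUSR)  # owner bits win, even if group allows
    if sock_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_socket(path, uid, gids):
    """Return (allowed, findings) for one listener socket and one caller."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can connect")
    if st.st_gid == 0:
        findings.append("group is gid 0 (wheel/root): do not add service users to it")
    allowed = can_connect(st.st_uid, st.st_gid, mode, uid, gids)
    if not allowed:
        findings.append(f"uid {uid} gids {sorted(gids)} denied by mode {mode:04o}")
    return allowed, findings

def demo():
    """Constructed case: a 0660 socket, one caller outside its group, one inside."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "stats-writer")
    s = socket.socket(socket.AF_UNIX)
    s.bind(path)
    os.chmod(path, 0o660)
    st = os.stat(path)
    other_uid = st.st_uid + 1000          # constructed: neither owner nor root
    outsider = audit_socket(path, other_uid, {st.st_gid + 1000})
    member = audit_socket(path, other_uid, {st.st_gid})
    s.close()
    os.unlink(path)
    os.rmdir(d)
    return outsider, member

if __name__ == "__main__":
    for allowed, findings in demo():
        print(allowed, findings)
```

On a live system, pass the uid and group ids of the delivery user (for example from pwd.getpwnam and os.getgrouplist) and the path of the real listener.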

 