Sorry for popping up again :) but I have to report this too.
Miscellaneous first checks
Affected Component(s)
Mail home folder permissions (observed in v10.1.2 and 10.2.0)
What happened and when does this occur?
When trying to use the mailserver, some permission error related to mail home directory is shown.
What did you expect to happen?
How do we replicate the issue?
Try the attached configuration with LDAP server.
DMS version
Observed in 10.1.2 and 10.2.0 (maybe also in other versions, but I did not test with other versions)
How much RAM is available to DMS explicitly?
less than 2GB
How many CPU cores are available?
less than 1 Core
Is DMS running in a virtualized environment?
... a virtual private server (VPS) (with virtual CPU cores)
What operating system is DMS running on?
Linux
What instruction set architecture is DMS running on?
x86_64 / AMD64
I/O - Persistent memory
What container orchestration tool are you using?
Docker Compose
Docker version
Docker version 20.10.8, build 3967b7d
Docker Compose version
docker-compose version 1.29.2, build 5becea4c
The output of uname -a

```
Linux srv02 5.4.0-84-generic #94-Ubuntu SMP Thu Aug 26 20:27:37 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```
Important environment variables
```
DMS_DEBUG=1
[email protected]
SSL_TYPE=manual
SSL_CERT_PATH=/etc/ssl/pki/mail.MYDOMAIN.com.crt
SSL_KEY_PATH=/etc/ssl/pki/mail.MYDOMAIN.com.key
ENABLE_LDAP=1
LDAP_START_TLS=yes
LDAP_SERVER_HOST=dc1.internal.MYDOMAIN.com
LDAP_SEARCH_BASE=dc=internal,dc=MYDOMAIN,dc=com
LDAP_BIND_DN=cn=Administrator,cn=users,dc=internal,dc=MYDOMAIN,dc=com
LDAP_BIND_PW=Ch@ngeMe
# Specifies how ldap should be asked for users.
LDAP_QUERY_FILTER_USER=(&(objectclass=person)(mail=%s))
# Specifies how ldap should be asked for groups.
LDAP_QUERY_FILTER_GROUP=(|)
# Specifies how ldap should be asked for aliases.
LDAP_QUERY_FILTER_ALIAS=(|)
# Specifies how ldap should be asked for domains.
LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
DOVECOT_TLS=yes
DOVECOT_USER_FILTER=(&(objectclass=person)(sAMAccountName=%n))
DOVECOT_USER_ATTRS==uid=%{ldap:uidNumber},=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir
DOVECOT_PASS_ATTRS=sAMAccountName=user,userPassword=password
DOVECOT_AUTH_BIND=yes
ENABLE_SASLAUTHD=1
SASLAUTHD_MECHANISMS=ldap
SASLAUTHD_LDAP_SERVER=dc1.internal.MYDOMAIN.com
SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=users,dc=internal,dc=MYDOMAIN,dc=com
SASLAUTHD_LDAP_SEARCH_BASE=dc=internal,dc=MYDOMAIN,dc=com
SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
SASLAUTHD_LDAP_START_TLS=yes
SASLAUTHD_LDAP_TLS_CHECK_PEER=yes
SASLAUTHD_LDAP_TLS_CACERT_FILE=/etc/ssl/self-signed-pki/pki/ca.crt
```
Relevant log output
```
Oct 3 18:17:40 mail postfix/master[2360]: daemon started -- version 3.4.14, configuration /etc/postfix
Oct 3 18:18:01 mail dovecot: imap-login: Login: user=<Administrator>, method=PLAIN, rip=85.127.7.5, lip=10.8.0.4, mpid=2396, TLS, session=<EFvwI3XNVttVfwe/>
Oct 3 18:18:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Error: chdir(/var/mail/administrator/) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:18:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Error: stat(/var/mail/administrator/Maildir/tmp) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:18:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Error: stat(/var/mail/administrator/Maildir/.Sent/tmp) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:18:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Error: stat(/var/mail/administrator/Maildir) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:18:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Error: mkdir(/var/mail/administrator/Maildir) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:18:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Error: stat(/var/mail/administrator/Maildir/.Sent/tmp) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:18:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Error: stat(/var/mail/administrator/Maildir/tmp) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:19:01 mail dovecot: imap-login: Login: user=<Administrator>, method=PLAIN, rip=85.127.7.5, lip=10.8.0.4, mpid=2428, TLS, session=<QJuCJ3XNndtVfwe/>
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2428><QJuCJ3XNndtVfwe/>: Error: chdir(/var/mail/administrator/) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2428><QJuCJ3XNndtVfwe/>: Error: stat(/var/mail/administrator/Maildir) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2428><QJuCJ3XNndtVfwe/>: Error: mkdir(/var/mail/administrator/Maildir) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2428><QJuCJ3XNndtVfwe/>: Error: stat(/var/mail/administrator/Maildir/tmp) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2428><QJuCJ3XNndtVfwe/>: Error: stat(/var/mail/administrator/Maildir/.Sent/tmp) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2428><QJuCJ3XNndtVfwe/>: Error: mkdir(/var/mail/administrator/Maildir) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2428><QJuCJ3XNndtVfwe/>: Error: stat(/var/mail/administrator/Maildir/.Sent/tmp) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Connection closed (SELECT finished 59.933 secs ago) in=129 out=1026 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 3 18:19:01 mail dovecot: imap(Administrator)<2428><QJuCJ3XNndtVfwe/>: Error: stat(/var/mail/administrator/Maildir/tmp) failed: Permission denied (euid=10001(<unknown>) egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)
```
Other relevant information
Please do not miss the other information below the docker-compose.
1. Find the **Docker-Compose** file below:

```yaml
version: '3.9'
services:
  mailserver:
    container_name: mailserver
    image: docker.io/mailserver/docker-mailserver:edge # TODO change the TAG to 10.2.0 when released.
    hostname: mail
    domainname: ${PUBLIC_DOMAIN_NAME}
    # dns: 1.1.1.1
    # To avoid conflicts with yaml base-60 float, DO NOT remove the quotation marks.
    # More information about the mailserver ports:
    # https://docker-mailserver.github.io/docker-mailserver/edge/config/security/understanding-the-ports/
    networks:
      - internal01
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - mailserver-data:/var/mail/
      - mailserver-state:/var/mail-state/
      - mailserver-logs:/var/log/mail/
      - mailserver-config:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      - publicly-trusted-pki:/etc/ssl/pki/:ro
    restart: always
    stop_grace_period: 1m
    cap_add: [ "NET_ADMIN", "SYS_PTRACE" ]
    env_file:
      - mailserver/mailserver.env
    environment:
      # The following variables will be passed from the .env (if exist) to override the variables in mailserver.env.
      - DMS_DEBUG
      - POSTMASTER_ADDRESS
      - SSL_TYPE
      - SSL_CERT_PATH
      - SSL_KEY_PATH
      - ENABLE_LDAP
      - LDAP_START_TLS
      - LDAP_SERVER_HOST
      - LDAP_SEARCH_BASE
      - LDAP_BIND_DN
      - LDAP_BIND_PW
      - LDAP_QUERY_FILTER_USER
      - LDAP_QUERY_FILTER_GROUP
      - LDAP_QUERY_FILTER_ALIAS
      - LDAP_QUERY_FILTER_DOMAIN
      - DOVECOT_TLS
      - DOVECOT_USER_FILTER
      - DOVECOT_USER_ATTRS
      - DOVECOT_PASS_ATTRS
      - DOVECOT_AUTH_BIND
      - ENABLE_SASLAUTHD
      - SASLAUTHD_MECHANISMS
      - SASLAUTHD_LDAP_SERVER
      - SASLAUTHD_LDAP_BIND_DN
      - SASLAUTHD_LDAP_SEARCH_BASE
      - SASLAUTHD_LDAP_FILTER
      - SASLAUTHD_LDAP_START_TLS
      - SASLAUTHD_LDAP_TLS_CHECK_PEER
      - SASLAUTHD_LDAP_TLS_CACERT_FILE
volumes:
  mailserver-data:
  mailserver-state:
  mailserver-logs:
  mailserver-config:
```
The internal01 network and the volume of the public key are defined in another docker-compose.yml file. But this should not be an issue.
Make sure the container does not validate the CA in the ldap.conf file, as it seems that there is an issue here (the certificate seems to be refused even if it is valid). In simple words, execute the following on the host and this will do the job:

```
docker exec mailserver sh -c 'echo "TLS_REQCERT never" > /etc/ldap/ldap.conf'
```
Then of course restart the container.
Just to let you know: the related info in my active directory for the user Administrator looks like this:
```
uidNumber: 10001
mail=[email protected]
```
The output of ls -lan shows:
```
root@mail:/var/mail# ls -lan
total 16
drwxrwsr-x 3 5000 5000 4096 Oct 3 19:23 .
drwxr-xr-x 1 0 0 4096 Oct 3 19:22 ..
drwx--S--- 3 5000 5000 4096 Oct 3 19:23 administrator
```
What level of experience do you have with Docker and mail servers?
Trust me, I'm a (computer) engineer! [expert]
Code of conduct
Improvements to this form?
No response
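The following diagnostic is an added example for readers of this issue; it is not part of the report above and not docker-mailserver or Dovecot code. It parses the `missing +x perm` error that Dovecot prints in the log and applies the POSIX directory-search rule to the numbers in it, which makes the cause visible: the imap process runs as the LDAP `uidNumber` (10001, from the `uid=%{ldap:uidNumber}` mapping), while the mailbox directory is owned by 5000:5000 with mode 0700. Because the owner, group and other classes are exclusive, a non-owner gets only the group bits, and 0700 grants the group nothing, even though the egid matches. The regex is an assumption about Dovecot's message shape, taken from the lines in this issue; the two sample log lines are copied from the log output above.

```python
import re
from dataclasses import dataclass

# Assumption: Dovecot keeps the "euid=U(name) egid=G(name) missing +x perm: PATH,
# dir owned by U:G mode=M" shape seen in this issue's log.
PERM_RE = re.compile(
    r"euid=(?P<euid>\d+)\([^)]*\) egid=(?P<egid>\d+)\([^)]*\) missing \+x perm: "
    r"(?P<path>[^,]+), dir owned by (?P<uid>\d+):(?P<gid>\d+) mode=(?P<mode>[0-7]+)"
)


@dataclass(frozen=True)
class PermCheck:
    path: str
    euid: int        # effective uid of the imap process (LDAP uidNumber in this setup)
    egid: int        # effective gid of the imap process
    owner_uid: int   # owner of the directory that refused traversal
    owner_gid: int
    mode: int        # permission bits of that directory, e.g. 0o700


def parse_dovecot_perm_error(line: str):
    """Return a PermCheck for a 'missing +x perm' line, or None for any other line."""
    m = PERM_RE.search(line)
    if m is None:
        return None
    return PermCheck(
        path=m["path"],
        euid=int(m["euid"]),
        egid=int(m["egid"]),
        owner_uid=int(m["uid"]),
        owner_gid=int(m["gid"]),
        mode=int(m["mode"], 8),
    )


def can_traverse(c: PermCheck, supplementary_gids=()) -> bool:
    """POSIX search check: exactly one class applies, chosen by owner, then group, then other.

    An owner match uses only the owner bits; a non-owner whose gid matches uses
    only the group bits.  So uid 10001 cannot enter a 0700 directory owned by
    5000 even though its gid 5000 equals the directory group.
    """
    if c.euid == 0:
        return True  # root bypasses directory search permission (CAP_DAC_READ_SEARCH)
    if c.euid == c.owner_uid:
        bits = (c.mode >> 6) & 0o7
    elif c.egid == c.owner_gid or c.owner_gid in supplementary_gids:
        bits = (c.mode >> 3) & 0o7
    else:
        bits = c.mode & 0o7
    return bool(bits & 0o1)


def explain(c: PermCheck) -> str:
    """Verdict for one refused directory, naming the uid/owner mismatch when that is the cause."""
    if can_traverse(c):
        return f"{c.path}: uid {c.euid} can traverse (mode {c.mode:04o}, owner {c.owner_uid}:{c.owner_gid})"
    if c.euid != c.owner_uid and c.egid == c.owner_gid:
        return (
            f"{c.path}: uid {c.euid} is not the owner ({c.owner_uid}); the group matches but "
            f"mode {c.mode:04o} grants the group no +x. Align the mailbox owner with uid {c.euid} "
            f"or map the user to uid {c.owner_uid} rather than loosening the directory mode."
        )
    return f"{c.path}: uid {c.euid}/gid {c.egid} refused by mode {c.mode:04o}, owner {c.owner_uid}:{c.owner_gid}"


def diagnose(lines):
    """Run the check over a log; one verdict per distinct refused path."""
    seen, out = set(), []
    for line in lines:
        c = parse_dovecot_perm_error(line)
        if c is None or c.path in seen:
            continue
        seen.add(c.path)
        out.append(explain(c))
    return out


# Two lines copied from this issue's log output: the login line and the first error.
SAMPLE_LOG = [
    "Oct 3 18:18:01 mail dovecot: imap-login: Login: user=<Administrator>, method=PLAIN, "
    "rip=85.127.7.5, lip=10.8.0.4, mpid=2396, TLS, session=<EFvwI3XNVttVfwe/>",
    "Oct 3 18:18:01 mail dovecot: imap(Administrator)<2396><EFvwI3XNVttVfwe/>: Error: "
    "chdir(/var/mail/administrator/) failed: Permission denied (euid=10001(<unknown>) "
    "egid=5000(docker) missing +x perm: /var/mail/administrator, dir owned by 5000:5000 mode=0700)",
]

if __name__ == "__main__":
    for verdict in diagnose(SAMPLE_LOG):
        print(verdict)
```

Feed it the container's mail log (`docker logs` or `/var/log/mail/mail.log` from the `mailserver-logs` volume) and it reports each refused directory once. The `supplementary_gids` parameter exists because Dovecot can drop privileges with extra groups; the issue's log shows only euid and egid, so the default empty tuple reproduces what Dovecot saw.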