What permissions on /var/mail directory


I've been suffering a permission problem in Postfix/Dovecot for a couple of days now. The setup is using virtual domains and users, so the path to user's home is /var/mail/<domain>/<user>; and the path to MailDir is /var/mail/<domain>/<user>/MailDir

The mail logs continue to show a Permission Denied:

Apr  3 05:44:16 debian-x2 postfix/virtual[5670]: D6DDD1780100: to=<jeff@deltoid.com>,
relay=virtual, delay=0.15, delays=0.1/0.01/0/0.04, dsn=4.2.0, status=deferred
(maildir delivery failed: create maildir file
/var/mail/deltoid.com/jeff/Maildir/tmp/1396518256.P5670.debian-x2: Permission denied)

Permissions are as follows:

# ls -l /var/mail/
total 96
drw-rws--- 4 vmail  vmail  4096 Apr  2 18:19 deltoid.com
-rw-rw---- 1 nobody mail  80586 Apr  2 07:45 nobody

# ls -l /var/mail/deltoid.com/
total 12
drw-rws--- 3 vmail vmail 4096 Apr  3 04:47 jeff
drw-rws--- 3 vmail vmail 4096 Apr  3 04:47 support
-rw-rws--- 1 vmail vmail  122 Apr  2 03:33 users

# ls -l /var/mail/deltoid.com/jeff/
total 4
drw-rws--- 2 vmail vmail 4096 Apr  3 04:47 Maildir

# ls -l /var/mail/deltoid.com/jeff/Maildir/
total 0

vmail is both a user and group, and it's set to id 5000:

# id -u vmail
5000

postfix and dovecot are both in the vmail group:

# members vmail
vmail postfix dovecot

And Postfix's main.conf:

# Mailbox location
virtual_mailbox_base = /var/mail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

I have a little script that attempts to set the proper permission bits, but it's apparently wrong:

# Ensure permissions are set on directories
chown -R vmail:vmail /var/mail/*.com
chmod -R 0660 /var/mail/*.com
chmod -R g+rwxs /var/mail/*.com
# chown -R dovecot:dovecot /var/mail/*.com/users

I got the chmod -R g+rwxs from SuperUser questions on setting directory permissions and having subdirectories and files inherit those permissions (for example, How to set file permissions so that new files inherit same permissions?, Setting default permissions for newly created files and sub-directories under a directory in Linux?, and How to make new file permission inherit from the parent directory?).

Two questions:

  1. What is wrong with the current permissions?

  2. What are the permissions supposed to be?

Best Answer

The permissions drw-rws--- on directories are wrong because even the owner of the directory cannot go into them, due to the lack of the x bit (=1 when using the numeric form).

You can test this by yourself by doing this as a normal user (not root):

$ mkdir -m 2670 /tmp/testdir
$ ls -ld /tmp/testdir
drw-rws--- 2 vmail vmail 4096 Apr  3 23:16 /tmp/testdir
$ cd /tmp/testdir
bash: cd: /tmp/testdir: Permission denied

I think that these lines in your current script:

chmod -R 0660 /var/mail/*.com
chmod -R g+rwxs /var/mail/*.com

should be instead:

chmod -R 2770 /var/mail/*.com
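
The check and repair described in this answer, as an added shell example that is not part of the original answer. It goes one step beyond `chmod -R 2770` by giving regular files 0660 instead, so mailbox files do not pick up execute and setgid bits. The function names are hypothetical, and the tree is a constructed copy of the question's layout in a temp directory.

```shell
#!/bin/sh
# Added example: operates on a constructed temp tree, not a real mail spool.

# Print the top-most directories under $1 whose owner lacks the search (x) bit.
# -prune stops at each hit: nothing below it is reachable for the owner anyway.
untraversable_dirs() {
    find "$1" -type d ! -perm -100 -print -prune
}

# Directories get 2770 (rwx for owner and group, setgid so new entries keep
# the group); regular files get 0660 and never an execute bit.
fix_mail_tree() {
    # "-exec ... \;" runs chmod on each directory before find descends into
    # it, so a tree that is currently untraversable is repaired top-down.
    find "$1" -type d -exec chmod 2770 {} \;
    find "$1" -type f -exec chmod 0660 {} +
}

# Constructed sample: rebuild the layout from the question with mode 2670
# (drw-rws---) on every entry. The deepest paths are changed first so the
# setup itself still works for a non-root user.
make_broken_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/deltoid.com/jeff/Maildir/tmp"
    : > "$root/deltoid.com/users"
    chmod 2670 "$root/deltoid.com/jeff/Maildir/tmp" \
               "$root/deltoid.com/jeff/Maildir" \
               "$root/deltoid.com/jeff" \
               "$root/deltoid.com/users" \
               "$root/deltoid.com"
    printf '%s\n' "$root"
}

demo() {
    tree=$(make_broken_tree) || return 1
    echo "before: $(untraversable_dirs "$tree")"
    fix_mail_tree "$tree/deltoid.com"
    echo "after:  $(untraversable_dirs "$tree")"
    rm -rf "$tree"
}
demo
```

Running `untraversable_dirs /var/mail` on the real spool before and after a permissions script shows whether any directory on the delivery path is still missing the search bit.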