dotlock permissions problems with dovecot and OS X 10.10.3++

by Haru   Last Updated October 11, 2018 11:01 AM

I have installed dovecot on OS X Yosemite via Homebrew. But for some reason I can't get it to fully work properly anymore starting with the 10.10.3 system update by Apple. There's some kind of unsolvable permission issue when it comes to creating the dotlock files when dovecot wants to access the INBOXes. Interestingly postfix has no problems creating the dotlock files in the very same directory.

$ dovecot --version
2.2.18

This is the default path setup in OS X, which is also officially supported/documented in the dovecot wiki. I would like to keep it like that, as system updates usually change permissions here back anyway:

$ ls -lae /var/
...
drwxrwxr-x    3 root       mail        102 Aug 14 18:52 mail
...

$ ls -lae /var/mail
...
-rw-------  1 haru mail  542 Aug 14 18:53 haru
...

This was my initial setup until OS X 10.10.2. I removed a bunch of irrelevant options from the output:

$ cat /usr/local/etc/dovecot/local.conf
protocols = pop3
listen = localhost
# Note: user _dovecot is member of the 'mail' group.
default_internal_user = _dovecot
default_login_user = _dovenull
mail_location = mbox:~/.mail:INBOX=/var/mail/%u
mail_privileged_group = mail

All was working fine until the OS X 10.10.3 update came along and suddenly "dovecot[PID]: pop3(haru): Error: setegid(privileged) failed: Operation not permitted" errors were dumped when fetching mail. It still could fetch mail, but failed to delete it from the INBOX, so with every fetch the same mails came in again and again.

After lots of research and random tries I ended up adding mail_access_groups = mail to the dovecot config. I don't really understand what the option does exactly though.

$ cat /usr/local/etc/dovecot/local.conf 
protocols = pop3
listen = localhost
# Note: user _dovecot is member of the 'mail' group.
default_internal_user = _dovecot
default_login_user = _dovenull
mail_location = mbox:~/.mail:INBOX=/var/mail/%u
mail_privileged_group = mail
mail_access_groups = mail

All was working fine again until the OS X 10.10.5 update came along yesterday and suddenly all hell broke loose and it was failing completely with "dovecot[PID]: pop3(haru): Fatal: setgroups(mail,) failed: Too many extra groups". Removing mail_access_groups = mail fixed this error, but brought back the previously described misbehaviors that started with 10.10.3. In the end I had to disable dotfile locking by removing the default dotlock entry from the mbox_write_locks option:

$ cat /usr/local/etc/dovecot/local.conf 
protocols = pop3
listen = localhost
# Note: user _dovecot is member of the 'mail' group.
default_internal_user = _dovecot
default_login_user = _dovenull
mail_location = mbox:~/.mail:INBOX=/var/mail/%u
mail_privileged_group = mail
mbox_read_locks = fcntl
mbox_write_locks = fcntl

Am I missing something here or failing to understand? Why is the default permission setup (as described in dovecot's documentation) not working? Perhaps it's even some kind of incompatibility starting to appear with OS X 10.10.3, or some bug in dovecot?



Answers 1


The failure with setgroups() comes from the fact that the user on the machine where Dovecot runs has more than 16 groups assigned to it.

Run id -G <user> or id <user> as root (or as that user) to see the number of groups.

Unfortunately macOS is assigning a ton of groups to users to run fine-grained access control for stuff like screen-sharing. Luckily Dovecot has an option to set ranges of 'valid' gids. So you can set

last_valid_gid = 100

The number may be different for you.

I just ran into this and wrote about it here: http://pilhuhn.blogspot.com/2018/10/solution-for-dovecot-and-setgroups.html

Heiko Rupp
October 11, 2018 10:12 AM
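As an added example (not from the original answer, and not Dovecot's own code), a small POSIX shell check for reasoning about the group count described above: it takes the output of `id -G <user>` (a constructed sample here, not a real capture), counts how many gids survive a given last_valid_gid, and checks whether that count plus the one group added by mail_access_groups still fits within the 16-group limit the answer describes (assumed to be the kernel's NGROUPS_MAX on macOS).

```shell
#!/bin/sh
# Added example: estimate whether Dovecot's setgroups() call will fit within
# the supplementary-group limit once last_valid_gid is applied.

# Assumption: macOS allows at most 16 supplementary groups per process.
NGROUPS_LIMIT=16

# Constructed sample of `id -G` output for a macOS user: primary gid 20 (staff)
# followed by a tail of high-numbered system groups. Not a real capture.
SAMPLE_GIDS="20 12 61 79 80 81 98 33 100 204 250 395 398 399 400 701 702 703"

# count_valid_gids LIMIT "GID LIST": number of gids <= LIMIT, i.e. the groups
# Dovecot still sets when last_valid_gid=LIMIT (gids above it are dropped).
count_valid_gids() {
    limit=$1
    n=0
    for g in $2; do            # intentionally unquoted: split on whitespace
        [ "$g" -le "$limit" ] && n=$((n + 1))
    done
    echo "$n"
}

# fits_group_limit COUNT EXTRA: succeeds if COUNT user groups plus EXTRA
# groups from mail_access_groups stay within NGROUPS_LIMIT.
fits_group_limit() {
    [ $(($1 + $2)) -le "$NGROUPS_LIMIT" ]
}

total=$(count_valid_gids 99999 "$SAMPLE_GIDS")   # no last_valid_gid at all
kept=$(count_valid_gids 100 "$SAMPLE_GIDS")      # last_valid_gid = 100
echo "user has $total groups; last_valid_gid=100 keeps $kept"
if fits_group_limit "$total" 1; then echo "fits without last_valid_gid"; fi
if fits_group_limit "$kept" 1; then echo "fits with last_valid_gid=100 plus mail"; fi
```

Replace SAMPLE_GIDS with the real `id -G _dovecot` (or the mail user's) output to see what value of last_valid_gid is needed on a given machine.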
