Dovecot/postfix mkhomedir issue

I’m installing Rocky Linux 8.4 as an email server. I installed Postfix and Dovecot, and the server is joined to Active Directory with SSS.

When I create a new user in Active Directory and we try to connect to the server via SSH with that new user, it correctly creates the home folder of that user.

I configured Postfix to deliver the email into the ~/Maildir folder.

If the user home folder is already created, the Maildir folder is correctly created inside the user's home folder when the first mail is received. Instead, if the new user has never connected via SSH to the mail server (and the home folder has never been created), I receive these errors:

lmtp(testivan): Error: mkdir(/home/testivan/Maildir) failed: Permission denied (euid=401401110(testivan) egid=401400513(domain users) missing +w perm: /home, dir owned by 0:0 mode=0755)

this is my dovecot configuration:


# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-305.19.1.el8_4.x86_64 x86_64 Rocky Linux release 8.4 (Green Obsidian)
# Hostname: dt-sl-mail.example.com
auth_username_format = %n
first_valid_uid = 1000
mail_location = maildir:~/Maildir
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    auto = create
    special_use = \Junk
  }
  mailbox Sent {
    auto = create
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}

Hello all,
I believe that my issue could be related to SELinux.
I’m a newbie with SELinux, but I don't want to disable it.
I tried to enable write access for everyone on the /home folder (chmod 777 /home),
and in this way the home folder tree is created when the first email is delivered, but as you can see from the ls output:

ls -laZ /home/
drwx------.  3 ivan         domain users unconfined_u:object_r:user_home_dir_t:s0  248 Oct  5 17:31 ivan
drwx------.  3 testivan   domain users system_u:object_r:home_root_t:s0                 21 Oct  7 14:33 testivan

The first home folder was created when the user connected to the server via SSH; the second one was created by Dovecot LMTP or IMAP.
As you can see, the SELinux permissions are different on the two home folders and, even if the directory is correctly created, the message cannot be delivered into the Maildir folder.

Oct  7 15:26:44 dt-sl-mail setroubleshoot[55495]: SELinux is preventing /usr/libexec/dovecot/imap from create access on the file mailboxes.lock4722088b443a5514. For complete SELinux messages run: sealert -l 095ce080-5405-4de3-980b-30c2b2d3dc3f
Oct  7 15:26:44 dt-sl-mail setroubleshoot[55495]: SELinux is preventing /usr/libexec/dovecot/imap from create access on the file mailboxes.lock4722088b443a5514.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that imap should be allowed create access on the mailboxes.lock4722088b443a5514 file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'imap' --raw | audit2allow -M my-imap#012# semodule -X 300 -i my-imap.pp#012

this is the sealert output:

 sealert -l 095ce080-5405-4de3-980b-30c2b2d3dc3f
SELinux is preventing /usr/libexec/dovecot/imap from create access on the file mailboxes.lock907fc1763d8833c8.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that imap should be allowed create access on the mailboxes.lock907fc1763d8833c8 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'imap' --raw | audit2allow -M my-imap
# semodule -X 300 -i my-imap.pp
Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:home_root_t:s0
Target Objects                mailboxes.lock907fc1763d8833c8 [ file ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          dt-sl-mail
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dt-sl-mail
Platform                      Linux dt-sl-mail 4.18.0-305.19.1.el8_4.x86_64 #1
                              SMP Wed Sep 15 19:12:32 UTC 2021 x86_64 x86_64
Alert Count                   107
First Seen                    2021-10-07 14:25:28 CEST
Last Seen                     2021-10-07 15:36:36 CEST
Local ID                      095ce080-5405-4de3-980b-30c2b2d3dc3f

Raw Audit Messages
type=AVC msg=audit(1633613796.754:2244): avc:  denied  { create } for  pid=55829 comm="imap" name="mailboxes.lock907fc1763d8833c8" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=0
Hash: imap,dovecot_t,home_root_t,file,create

I tried to run the commands explained, but nothing changed.

These are other Dovecot errors:

Oct  7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: open(/home/testivan) failed: Permission denied
Oct  7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: mkdir(/home/testivan/Maildir) failed: Permission denied (euid=401401110(testivan) egid=401400513(domain users) stat(/home/testivan/Maildir) failed: No such file or directory)
Oct  7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: open(/home/testivan/Maildir) failed: Permission denied
Oct  7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: mkdir(/home/testivan/Maildir) failed: Permission denied (euid=401401110(testivan) egid=401400513(domain users) UNIX perms appear ok (ACL/MAC wrong?))
Oct  7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: lmtp-server: conn unix:pid=55076,uid=89 [1]: rcpt testivan@devoteam.it: Mailbox INBOX: Failed to autocreate mailbox: Internal error occurred. Refer to server log for more information. [2021-10-07 15:26:45]
Oct  7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: sieve: msgid=<DSNr7Mz-vdaTrvc@mail.devoteam.it>: failed to store into mailbox 'INBOX': Internal error occurred. Refer to server log for more information. [2021-10-07 15:26:45]
Oct  7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: sieve: Execution of script /var/spool/mail/SpamToJunk.sieve was aborted due to temporary failure

Could you help me find the right way to set the SELinux permissions?
Thanks,
Ivan
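The symptom in the post is a labeling difference: the SSH-created home has the type user_home_dir_t, while the directory created by Dovecot inherited home_root_t from /home (the AVC's tcontext), so dovecot_t is denied on it. A check a defender can run on any box to catch that mislabeling before users notice is to scan ls -laZ output for home directories whose type is not the expected one. The script below is an added example, not part of Ivan's post or of Dovecot; the sample lines are constructed to mirror the two entries shown above (the group "domain users" contains a space, so the context field is located by pattern instead of by column position).

```shell
#!/bin/sh
# Added example (not from the original post): flag home directories whose
# SELinux type is not the expected user_home_dir_t, from `ls -laZ /home` output.

# Constructed sample, mirroring the two entries in the post: one home created
# by SSH login (user_home_dir_t) and one created by Dovecot (home_root_t).
SAMPLE_LS='drwx------.  3 ivan       domain users unconfined_u:object_r:user_home_dir_t:s0  248 Oct  5 17:31 ivan
drwx------.  3 testivan   domain users system_u:object_r:home_root_t:s0                 21 Oct  7 14:33 testivan'

# mislabeled_homes [expected_type]
# Reads ls -laZ lines on stdin and prints "<name> <type>" for every directory
# entry whose SELinux type differs from expected_type (default user_home_dir_t).
# The security context is found by its user:role:type:level shape rather than
# by field number, because owner or group names may contain spaces.
mislabeled_homes() {
    expected="${1:-user_home_dir_t}"
    awk -v want="$expected" '
        /^d/ {
            ctx = ""
            name = $NF
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[a-z_]+:object_r:[a-z_]+:s0/) ctx = $i
            if (ctx == "") next          # no context column: skip the line
            split(ctx, f, ":")           # f[3] is the SELinux type
            if (f[3] != want) print name, f[3]
        }'
}

# Stand-alone run against the constructed sample; on a real host replace
# the sample with: ls -laZ /home | mislabeled_homes
printf '%s\n' "$SAMPLE_LS" | mislabeled_homes
```

Any directory this prints can be relabeled with `restorecon -Rv /home/<user>`, which reapplies the system's file-context rules (check what those rules expect with `matchpathcon /home/<user>`). That is the narrower fix compared with the setroubleshoot suggestion in the post: an audit2allow module would permanently grant dovecot_t access to home_root_t objects, while relabeling only corrects the directory that was created with the wrong type.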