Unable to receive e-mails with Dovecot: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied

Created:

2016-12-18 06:42:06 UTC

Modified:

2017-08-23 15:28:05 UTC


Applicable to:

  • Plesk Onyx for Linux

Symptoms

  1. Emails cannot be received when Dovecot is installed. The following error appears in /var/log/maillog:
    dovecot: service=lda, user=mail@example.com, ip=[]. Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=30(popuser) egid=31(popuser) UNIX perms appear ok (ACL/MAC wrong?), dir owned by 0:0 mode=0755)
  2. Ubuntu 16.04 is installed with Plesk Onyx.
  3. AppArmor service is enabled.

Cause

This is a Plesk bug with ID #PPPM-5544.

Resolution

As a workaround for Plesk Onyx 17.0 and 17.5:

  1. Verify that the /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda file contains the following line:

    # grep "/run/dovecot/auth-userdb rw," /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda
    /run/dovecot/auth-userdb rw,

    Also verify that the /etc/apparmor.d/usr.lib.dovecot.dovecot-lda file contains the following line:

    # grep "/usr/lib/dovecot/dovecot-lda flags=(complain,attach_disconnected) {" /etc/apparmor.d/usr.lib.dovecot.dovecot-lda
    /usr/lib/dovecot/dovecot-lda flags=(complain,attach_disconnected) {
  2. AppArmor tries to apply every profile in the /etc/apparmor.d/ directory, so make sure it contains no old or default copies of the usr.lib.dovecot.dovecot-lda profile, such as usr.lib.dovecot.dovecot-lda.orig or usr.lib.dovecot.dovecot-lda.dpkg-new; if such copies exist, the profile that is read last is the one applied. If there are any, move them out of the /etc/apparmor.d/ directory, e.g.:
    # mv /etc/apparmor.d/usr.lib.dovecot.dovecot-lda.orig /root/
  3. Re-apply the AppArmor policy and reset its cache:

    # apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.dovecot.dovecot-lda
    
    # service apparmor recache
  4. Restart the AppArmor service:

    # service apparmor restart
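
The checks in steps 1 and 2 can be scripted before re-applying the policy. The following is an added example, not Plesk's own code: the function names are hypothetical, the expected lines and file names are the ones quoted above, and the sample tree it builds when run without arguments is constructed.

```shell
#!/bin/sh
# Added example (not Plesk's code): audit the AppArmor profile checks from steps 1-2.
# Function names are hypothetical; paths and expected lines are those in the article.
PROFILE=usr.lib.dovecot.dovecot-lda

# Step 2: list leftover copies of the profile (e.g. .orig, .dpkg-new) found in DIR.
stray_profiles() {
    for f in "$1/$PROFILE"?*; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Step 1: the local override must grant rw on the auth-userdb socket.
# Anchored at line start, so a commented-out rule does not count.
has_userdb_rule() {
    grep -Eq '^[[:space:]]*/run/dovecot/auth-userdb[[:space:]]+rw,' "$1" 2>/dev/null
}

# Step 1: the main profile must open with the header the article expects.
has_expected_header() {
    grep -Fq '/usr/lib/dovecot/dovecot-lda flags=(complain,attach_disconnected) {' "$1" 2>/dev/null
}

# Run all checks against DIR; print findings and return 0 only if it is clean.
audit() {
    dir=$1; rc=0
    has_userdb_rule "$dir/local/$PROFILE" || { echo "missing auth-userdb rule: $dir/local/$PROFILE"; rc=1; }
    has_expected_header "$dir/$PROFILE" || { echo "unexpected profile header: $dir/$PROFILE"; rc=1; }
    stray=$(stray_profiles "$dir")
    if [ -n "$stray" ]; then echo "leftover profiles to move out:"; echo "$stray"; rc=1; fi
    return "$rc"
}

# Constructed sample tree (one leftover .orig copy) so the script runs offline.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/local"
    echo '/run/dovecot/auth-userdb rw,' > "$d/local/$PROFILE"
    echo '/usr/lib/dovecot/dovecot-lda flags=(complain,attach_disconnected) {' > "$d/$PROFILE"
    echo '/usr/lib/dovecot/dovecot-lda {' > "$d/$PROFILE.orig"
    echo "$d"
}

# Pass a directory (e.g. /etc/apparmor.d) as $1 to audit a real system.
target=${1:-$(make_sample)}
audit "$target" || echo "audit of $target: FAILED"
[ -n "${1:-}" ] || rm -rf "$target"
```

Run without arguments, it reports the leftover .orig copy in the constructed tree; the exit status of `audit` is non-zero whenever any of the three checks fails.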

Additional information

Unable to apply AppArmor policy


12 Comments

  • 0
    Tarct

    I'm getting the same Error, but the solution does not work.

     

    My file '/etc/apparmor.d/usr.lib.dovecot.dovecot-auth' looks like the following without the solution. I didn't modify it before the error occurs.

    --------------------------------------------------------------------------

    # ------------------------------------------------------------------
    #
    # Copyright (C) 2009-2013 Canonical Ltd.
    # Copyright (C) 2013 Christian Boltz
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of version 2 of the GNU General Public
    # License published by the Free Software Foundation.
    #
    # ------------------------------------------------------------------
    # vim: ft=apparmor

    #include <tunables/global>

    /usr/lib/dovecot/dovecot-auth flags=(complain) {
    #include <abstractions/authentication>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>
    #include <abstractions/dovecot-common>

    capability chown,
    capability dac_override,

    @{PROC}/@{pid}/mounts r,
    /usr/lib/dovecot/dovecot-auth mr,
    /{,var/}run/dovecot/** rw,
    # required for postfix+dovecot integration
    /var/spool/postfix/private/dovecot-auth w,

    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.lib.dovecot.dovecot-auth>
    }

    --------------------------------------------------------------------------

    After adding '/var/run/dovecot/auth-userdb rw,' to the last line AppArmor is not starting anymore.

     

    Update:

    I found a solution:

    I had to modify the file '/etc/apparmor.d/usr.lib.dovecot.dovecot-lda' and add the line '/var/run/dovecot/* rw,' to the end of the block 'profile /usr/sbin/sendmail flags=(complain,attach_disconnected) { ...}'

    Edited by Tarct
  • 1
    Anton Maslov

     

    @Tarct thank you for sharing this with us - the article was updated accordingly. We also checked that deeply and confirmed it as a bug; it was fixed in MU12.

  • 0
    Tarct

    @ Anton Maslov

    Thanks for investigating.

    My file '/etc/apparmor.d/usr.lib.dovecot.dovecot-lda' was reset this morning to the nonworking version. After applying Update 12 the problem still existed. I had to add the line again.

     

    The reset seems to be linked to an automatic update proceeded by the Package Update Manager this morning?!?

    The following packages were successfully updated:
    - liblxc1 2.0.6-0ubuntu1~ubuntu16.04.1 from Ubuntu for xenial-updates by Ubuntu repo (previous version: 2.0.5-0ubuntu1~ubuntu16.04.3 from Ubuntu for xenial-security by Ubuntu repo)
    - lxc-common 2.0.6-0ubuntu1~ubuntu16.04.1 from Ubuntu for xenial-updates by Ubuntu repo (previous version: 2.0.5-0ubuntu1~ubuntu16.04.3 from Ubuntu for xenial-security by Ubuntu repo)
    - lxcfs 2.0.5-0ubuntu1~ubuntu16.04.1 from Ubuntu for xenial-updates by Ubuntu repo (previous version: 2.0.4-0ubuntu1~ubuntu16.04.1 from now repo)

     

    To force re-delivery of mails:

    postqueue -f

     

  • 0
    Fabian Flasche

    I have this Bug since MU12 on Ubuntu 16.04 + Onyx

  • 0
    Dominik

    Hi,

    I wish you a happy new year. I have followed the above steps mentioned in the KB and after reinstalling plesk-dovecot-imap-driver my mails were successfully stored to the user inbox, but after a server restart I have the same problem as before.

    The file /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda contains only following lines on my server:

    /etc/postfix/master.cf r,
    /run/dovecot/auth-userdb rw,

    /var/qmail/mailnames/** rwkl,

    After following the above steps the file was recreated but still only with these three lines.

    Version: Plesk 17.0.17 Update 12

    Regards

    Dominik

  • 0
    Fabian Flasche

    Yesterday I restarted the server.
    The error was there again.

    The changes in the files were still there.

    After that I restarted the service and everything went back:
    service apparmor restart && service dovecot restart

    When is there a fix for the problem?


  • 3
    Tarct

    I can confirm that after a restart the problem still exists.

     

    My file '/etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda' looks like the following

    # Site-specific additions and overrides for usr.lib.dovecot.dovecot-lda.
    # For more details, please see /etc/apparmor.d/local/README.

    /etc/postfix/master.cf r,
    /run/dovecot/auth-userdb rw,

    /var/qmail/mailnames/** rwkl,

     

    I only needed to use the following once after restart:

    apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.dovecot.dovecot-lda

    so I could redeliver all mails with

    postqueue -f

    As a workaround I use the following in a cronjob:

    /sbin/apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.dovecot.dovecot-lda && /usr/sbin/postqueue -f
    Edited by Tarct
  • 0
    Vito Falco

    Me too.

    With Onyx 17.0.17 I have the same situation :(

    When will there be an official fix?

    Tarct's workaround works

  • 0
    Joe Pesci

    Same here, appeared out of the blue, instructions in article useless.

    Thank you very much Tarct for the solution.

    Running Onyx 17.0.17

  • 0
    Andrey Ivanov

    Hello, Vito and Joe. The resolution section was modified accordingly.

  • 0
    Fabian Flasche
    After the update to Plesk 17.5.3 the error is again there with Ubuntu 16.04 LTS :(
  • 0
    Nikolay Zhmuk

    @Fabian, check that there are no default/old/saved profiles for /etc/apparmor.d/usr.lib.dovecot.dovecot-lda; AppArmor applies all the profiles in the directory. Move them out if there are any and apply Steps 3 and 4.
