AppArmor blocking Dovecot Sieve

Alastair Grant | Fri 1 May 2020 | aligrant.com

I had an issue with mail not being delivered and, upon investigation, found some access denied errors for the Dovecot LMTP process accessing Sieve files in the local user directory.

Sieve is a mail filtering language supported by the Dovecot IMAP server. It allows you to do things such as move emails to different folders, classify them, and forward them to other people. I think I've had problems with this before, but I assume a recent update has either reset or made further tweaks to how it works.

In the end, to resolve the issue, I added the following entries to the file /etc/apparmor.d/local/usr.lib.dovecot.lmtp. By using the local folder, these changes should persist even if your package manager updates the base profile, although I don't know if it's possible to have an incompatible override.

# Postfix submission tools that the LMTP process runs to send outgoing mail
#include <abstractions/postfix-common>

/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,

# Sieve state in the user's home directory: duplicate-tracking database and its
# lock file, the Sieve log, and the compiled script binary (.svbin)
owner /home/*/.dovecot.lda-dupes rw,
owner /home/*/.dovecot.lda-dupes.lock rw,
owner /home/*/.dovecot.sieve.log rw,
owner /home/*/.dovecot.svbin* rw,
# Postfix maildrop queue, where sendmail/postdrop place submitted messages
owner /var/spool/postfix/maildrop/* rw,

It should be fairly obvious what is going on. The rules allow the LMTP process (Dovecot's local delivery agent) to execute the Postfix mail submission tools, and to write to certain Dovecot files in the user's home directory: the duplicate-tracking database (.dovecot.lda-dupes), the Sieve log, and the compiled Sieve script (.dovecot.svbin).
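To see which denials remain after editing the override, the kernel audit log is where AppArmor reports them. The script below is an added example, not code from the post: it turns constructed AppArmor DENIED lines for the LMTP profile into candidate rules in the same form as the entries above (the sample log lines, the owner prefix for /home paths and the ix mapping for exec denials are my assumptions, modelled on the post's entries).

```shell
#!/bin/sh
# Added example: derive candidate AppArmor rules from DENIED audit records.
# On a real host the lines come from `journalctl -k | grep apparmor` or
# /var/log/audit/audit.log. After editing the local override, reload with:
#   apparmor_parser -r /etc/apparmor.d/usr.lib.dovecot.lmtp

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG='audit: type=1400 audit(1588300000.1:1): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/lmtp" name="/home/alice/.dovecot.svbin" pid=1234 comm="lmtp" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1588300000.2:2): apparmor="DENIED" operation="exec" profile="/usr/lib/dovecot/lmtp" name="/usr/sbin/sendmail" pid=1235 comm="lmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1588300000.3:3): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/foo" pid=9 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print one candidate rule per denial for the given profile. Paths under
# /home get the owner prefix and a wildcard for the user name (as in the
# post's override); exec denials get mrix; other denials keep the denied
# mask as read/write flags. Review each suggestion before adopting it.
suggest_rules() {
  profile="$1"
  printf '%s\n' "$SAMPLE_LOG" |
  grep 'apparmor="DENIED"' |
  grep "profile=\"$profile\"" |
  sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
  while read -r path mask; do
    case "$path" in
      /home/*) prefix="owner "
               path=$(printf '%s' "$path" | sed 's|^/home/[^/]*/|/home/*/|') ;;
      *)       prefix="" ;;
    esac
    case "$mask" in
      *x*) perm="mrix" ;;
      *)   perm=$(printf '%s' "$mask" | tr -d 'c') ;;  # create is implied by w
    esac
    printf '%s%s %s,\n' "$prefix" "$path" "$perm"
  done | sort -u
}

suggest_rules /usr/lib/dovecot/lmtp
```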

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.