Dovecot user and permissions

I’m one step away from getting my mail server back online and I need some advice.

dovecot/postfix setup using TLS

My mailbox structure is owned by tcb:mail (770); however, I’m getting permission errors when I try to log in and use mail from Thunderbird…essentially Dovecot doesn’t have the proper permissions to access the folder structures. I can fix this with a quick chmod 777 -R but I don’t really want to do that.

I thought that dovecot ran as root - why is it requiring public access to read/write to the folder structure? Where do I assign the group “mail” to dovecot so that I can leave my permissions at 770? btw is 770 correct for mailboxes?


What are the specific errors that you’re seeing in the mail logs? Depending on what errors you’re getting, we can offer some tips to solve the problem you’re having. Thanks!


I went ahead and did a chmod 777 - that cleared up the obvious errors in the log (essentially it said permission error -x is required).

I think I have a firewall problem now. I can get good authentication using openssl with localhost

openssl s_client -starttls smtp -crlf -connect localhost:587

250 DSN
AUTH PLAIN (base64 login/pass)
235 2.7.0 Authentication successful

However, when I try to authenticate using Thunderbird I get the following in the logs-
warning: [x.x.x.208]: SASL PLAIN authentication failed:

So that leads me to the iptables, which I attached.

Am I missing anything there?
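
A missing x (search) bit on any directory between / and the Maildir produces the kind of permission error described in the post above, whatever mode the Maildir itself has. The following is an added example, not code from the thread: it reports which path component blocks a given uid/gid and lists what a chmod 777 -R leaves open to "other". The uid/gid values and the sample tree are constructed, and POSIX ACLs and SELinux are not considered.

```python
import os
import stat
import tempfile

def can_traverse(st, uid, gids):
    """Apply the kernel's owner/group/other rule for the x (search) bit."""
    if uid == 0:                      # root bypasses directory search checks
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blocked_components(path, uid, gids):
    """Directories from / down to path that uid/gids cannot traverse.
    Run as root (or the owner) so every component can be stat()ed."""
    parts, cur = [], os.path.abspath(path)
    while True:
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    return [p for p in reversed(parts)
            if os.path.isdir(p) and not can_traverse(os.stat(p), uid, set(gids))]

def world_accessible(root):
    """Entries under root granting any bit to 'other' (left by chmod -R 777)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if os.lstat(entry).st_mode & stat.S_IRWXO:
                hits.append(entry)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample tree: <tmp>/tcb (0700) / Maildir (0770) / cur / msg (0777)
    home = os.path.join(tempfile.mkdtemp(), "tcb")
    maildir = os.path.join(home, "Maildir")
    os.makedirs(os.path.join(maildir, "cur"))
    msg = os.path.join(maildir, "cur", "msg")
    open(msg, "w").close()
    os.chmod(msg, 0o777); os.chmod(maildir, 0o770); os.chmod(home, 0o700)
    st = os.stat(maildir)
    # Hypothetical mail process: a different uid that shares the Maildir's group
    print("blocked:", blocked_components(maildir, st.st_uid + 1, {st.st_gid}))
    print("world-accessible:", world_accessible(maildir))
```

In the sample tree the Maildir is 0770, yet the 0700 home directory above it is what gets reported as blocking the group member.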



If that’s the error you’re seeing in the logs, it’s not likely an iptables issue… what settings are you using when authenticating with Dovecot? For example, is Dovecot configured to hit port 587? And is it set up to use SSL, TLS, or neither, when performing the authentication?


I think I have just one or two settings off that are causing me problems…just keep running in circles when I try to troubleshoot this.

Here’s my info

readme_directory = /usr/share/doc/postfix-2.6.7/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
data_directory = /var/lib/postfix
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

smtp inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

and dovecot

ssl = yes
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
mail_location = maildir:~/Maildir
auth default {
  mechanisms = plain
  passdb pam { }
  userdb passwd { }
  user = root
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}



Wish this wasn’t so complicated