doc:appunti:linux:sa:postfix_spamassassin_clamav_dovecot

Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:postfix_spamassassin_clamav_dovecot [2021/05/24 16:58] – [Checking Dovecot Quota] niccolo
doc:appunti:linux:sa:postfix_spamassassin_clamav_dovecot [2022/09/30 11:38] – [Dovecot Local Delivery Agent] niccolo
Line 251: Line 251:
 mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
 </file> </file>
 +
 +**WARNING**: At least in **Debian 11 Bullseye** it seems that the **dovecot-lda** sometimes (not always!) tries to write to the **Dovecot Stats Service** using the **/run/dovecot/stats-writer** socket. Unfortunately the socket is owned by **root:dovecot** and has mode **0660** (default Debian settings), whereas the LDA is invoked by Postfix with just the user's privileges. So you will find error messages like this into the mail.log:
 +
 +<code>
 +postfix/local[76866]: 7E67B7D3F4: to=<user@domain.tld>, ...,
 +    status=bounced (Command died with status 134:
 +    "/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"".
 +    Command output: lda(lica-marilena):
 +    Error: net_connect_unix(/run/dovecot/stats-writer) failed:
 +    Permission denied Aborted Unable to flush stdout: Broken pipe )
 +</code>
 +
 +It seems that the quickest and simplest solution is to make the socket **0666 mode** (which will risk the stats service to be abused). Add the following snippet to **/etc/dovecot/conf.d/15-lda.conf**:
 +
 +<file>
 +service stats {
 +  unix_listener stats-writer {
 +    mode = 0666
 +  }
 +}
 +</file>
 +
 +See the following posts about the problem:
 +
 +  * [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961033|stats-writer permission issue when using LDA via procmail - Debian bug #961033]]
 +  * [[https://dovecot.org/pipermail/dovecot/2022-February/124267.html|postfix, dovecot-lda, /run/dovecot/stats-writer socket permision and local user delivery, again]]
 +
  
 ===== Sieve filtering ===== ===== Sieve filtering =====
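Review bot: `mode = 0666` in the added `service stats` block makes the stats-writer socket writable by every local account, and the text only says this "will risk the stats service to be abused" without offering a narrower option. Since the warning states the socket is already root:dovecot with mode 0660, consider keeping `mode = 0660` and setting `group` on the `unix_listener` to a group that the delivering users belong to, presenting 0666 only as the fallback. It would also help to say in the text that this override of the stats service is placed in 15-lda.conf on purpose, so that someone auditing socket permissions later knows where to look.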
Line 806: Line 833:
  
 <file> <file>
 +# === WARNING ===
 +# Both "quota_over_flag_value" and "quota_over_script" are 
 +# required, otherwise the Postfix quota-status check will always 
 +# return DUNNO (i.e. user is under quota). This is because 
 +# without those two parameters the quota check is skipped 
 +# completely, as seen in the mail_debug = yes log:
 +# Debug: quota: quota_over_flag check: quota_over_script unset - skipping
 +#
 +# Actually we don't have a "quota_over_flag" field in userdb; 
 +# when quota-status service is called by Postfix, the value 
 +# quota_over_flag=0(*dummy*) is assumed due the config values 
 +# below. Current quota status for the user is then checked by 
 +# querying the filesystem and it will be 1 for overquota, 0 
 +# otherwise.
 +#
 +# As a side effect, the quota-warning script is executed at 
 +# every check if the user is overquota because 0 mismatches 1.
 plugin { plugin {
   quota_over_flag_value = FALSE   quota_over_flag_value = FALSE
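Review bot: the last comment paragraph says the "quota-warning script" is executed at every check, while the parameter this comment documents is `quota_over_script`; name the script consistently so it is not mistaken for a different one. Because that paragraph says the script runs on every quota-status check while the user is over quota, the comment should also state that the script has to be safe to run repeatedly (for example, it should not send a notification each time). The comment also describes the flag as 0 and 1 while the setting below is `quota_over_flag_value = FALSE`; pick one notation.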
Line 879: Line 923:
 action=554 5.2.2 Quota exceeded (mailbox for user is full) action=554 5.2.2 Quota exceeded (mailbox for user is full)
 </file> </file>
 +
 +The **554 Quota exceeded error** should be returned when the **actual user's quota** plus the announced **size** will exceed the filesystem **soft quota** plus the **quota_grace** percentage.
  
 Another way to check the service using a single command line is using **netcat**: Another way to check the service using a single command line is using **netcat**:
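Review bot: in the added sentence, "actual user's quota" reads as the configured limit, but the comparison only makes sense if it means the user's current usage; say "current usage" and state explicitly that **quota_grace** is a percentage applied to the soft quota. "should be returned" also leaves open whether the behaviour was verified; if it was tested against the quota-status service, say so, otherwise mark it as the expected behaviour.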
doc/appunti/linux/sa/postfix_spamassassin_clamav_dovecot.txt · Last modified: 2023/10/30 11:09 by niccolo