# Courier-Imapd Permission Denied Error

## flakzeus

I have courier-imapd installed and working, but when I go to log in via imaps or imap I get the following errors in my log files.

```
May  4 19:25:49 lancelot imapd: LOGIN FAILED, user=user@domain.com, ip=[::ffff:127.0.0.1]
May  4 19:25:49 lancelot imapd: authentication error: Permission denied
May  4 19:27:01 lancelot imapd: Connection, ip=[::ffff:127.0.0.1]
May  4 19:27:02 lancelot imapd: user@domain.com: chdir(/path/to/userdirectory) failed!!
May  4 19:27:02 lancelot imapd: error: Permission denied
May  4 19:27:02 lancelot imapd: LOGIN FAILED, user=user@domain.com, ip=[::ffff:127.0.0.1]
May  4 19:27:02 lancelot imapd: authentication error: Permission denied
May  4 19:27:36 lancelot imapd: Connection, ip=[::ffff:127.0.0.1]
May  4 19:27:37 lancelot imapd: chdir /path/to/userdirectory/.maildir/: Permission denied
```

Anyone have any ideas on this error?  

PS. I used the Virtual Mailhosting System with Postfix Guide from gentoo.

----------

## cokey

Is this local or remote?

----------

## adaptr

So you have your maildirs set up right?

----------

## flakzeus

This log is from where I tried to check my e-mail via SquirrelMail, and postfix can deliver to the maildirs just fine.

----------

## cokey

Well, your login is failing. Are you sure that you haven't accidentally put extra security like secure authentication on and then not used it?

----------

## flakzeus

I changed the rights on the directory to 777 and it works. I know this isn't what it should be, but I can't figure out what they need to be.

----------

## adaptr

You did not set your maildirs up correctly...

man maildirmake tells you to only use maildirmake, and then only as the user that will use this maildir.

Any other way means the permissions aren't right.

----------

## flakzeus

According to the tutorial, once the users are in the SQL database and receive an e-mail, their maildirs will automatically be created, which is what happened. I'm assuming that postfix used maildirmake. Should I delete them and let postfix create them again, or create them myself? I can't create the maildir as the user because the user is virtual and doesn't have an account on the system.

----------

## adaptr

Hoookay, sorry, didn't get that the first time.

No, obviously the permissions for virtual mail users are much simpler - always set to the same user.

Which immediately leads to the next question:

What are the permissions on those maildirs?

At the very least, both postdrop and courier-imapd must have access to them.

----------

## flakzeus

It looks like when the directory is created it has the file permissions 700 and is owned by vmail:users.

----------

## adaptr

So... have you set the mail user for postfix to vmail?

This is needed in order to deliver.

----------

## flakzeus

I have this in my main.cf file:

```
virtual_minimum_uid = 1000
```

where 1000 is the uid of the vmail account.

It doesn't have a problem delivering the mail; it's just that courier can't read it because, it seems, only the root user has read/write access.

```
host cur # ls -la
total 4
drwxrwxrwx  2 vmail users 1024 May  5 11:24 .
drwxrwxrwx  6 vmail users 1024 May  4 20:33 ..
-rw-------  1 vmail users 1059 May  5 11:24 1115306664.V6200Iba848.edited.com:2,
```

----------

## adaptr

I doubt the two have anything to do with one another - you did notice the "virtual_" there, didn't you?

These are not real UIDs.

What UID is courier run under?

----------

## flakzeus

```
root     25792     1  0 May04 ?        00:00:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-
root     25795     1  0 May04 ?        00:00:00 /usr/lib/courier-imap/courierlogger imapd-ssl
root     25973     1  0 May04 ?        00:00:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-
root     25976     1  0 May04 ?        00:00:00 /usr/lib/courier-imap/courierlogger imapd
```

Looks like the process is owned by root. Is that the information you were asking for?

----------

## adaptr

Well... yes and no.

Most daemons try to drop root as soon as they can; this is always indicated by a username in the config file.

That's what I meant.

----------

## flakzeus

I've looked through the config files in /etc/courier-imap/ and I cannot find anywhere a UID is set; which file should it be in?

----------

## adaptr

In imapd.conf, presumably.

----------

## flakzeus

I have no imapd.conf file; however, I have an imapd file.

These are the contents:

```
##VERSION: $Id: imapd.dist.in,v 1.29 2004/04/18 15:54:39 mrsam Exp $
#
# imapd created from imapd.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 1998 - 2004 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for the Courier-IMAP server
#  when used with the couriertcpd server.
#  A lot of the stuff here is documented in the manual page for couriertcpd.
#
#  NOTE - do not use \ to split long variable contents on multiple lines.
#  This will break the default imapd.rc script, which parses this file.
#

##NAME: ADDRESS:0
#
#  Address to listen on, can be set to a single IP address.
#
# ADDRESS=127.0.0.1

ADDRESS=0

##NAME: PORT:1
#
#  Port numbers that connections are accepted on.  The default is 143,
#  the standard IMAP port.
#
#
#  Multiple port numbers can be separated by commas.  When multiple port
#  numbers are used it is possible to select a specific IP address for a
#  given port as "ip.port".  For example, "127.0.0.1.900,192.68.0.1.900"
#  accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
#  The previous ADDRESS setting is a default for ports that do not have
#  a specified IP address.

PORT=143

##NAME: AUTHSERVICE:0
#
#  It's possible to authenticate using a different 'service' parameter
#  depending on the connection's port.  This only works with authentication
#  modules that use the 'service' parameter, such as PAM.  Example:
#
#  AUTHSERVICE143=imap
#  AUTHSERVICE993=imaps

##NAME: MAXDAEMONS:0
#
#  Maximum number of IMAP servers started
#

MAXDAEMONS=40

##NAME: MAXPERIP:0
#
#  Maximum number of connections to accept from the same IP address

MAXPERIP=4

##NAME: PIDFILE:0
#
#  File where couriertcpd will save its process ID
#

PIDFILE=/var/run/imapd.pid

##NAME: TCPDOPTS:0
#
# Miscellaneous couriertcpd options that shouldn't be changed.
#

TCPDOPTS="-nodnslookup -noidentlookup"

##NAME: AUTHMODULES:0
#
# Authentication modules.  Here's the default list:
#
#    authdaemon
#
# The default is set during the initial configuration.
#
# If this is currently set to AUTHMODULES="authdaemon", DO NOT CHANGE IT.
# Instead, change the parameter authmodulelist in authdaemonrc.

AUTHMODULES="authdaemon"

##NAME: AUTHMODULES_ORIG:0
#
#
# For use by webadmin

AUTHMODULES_ORIG="authdaemon"

##NAME: DEBUG_LOGIN:0
#
# Dump additional login diagnostics to syslog
#
# DEBUG_LOGIN=0   - turn off login debugging
# DEBUG_LOGIN=1   - turn on login debugging
# DEBUG_LOGIN=2   - turn on login debugging + log passwords too
#
# Note that most information is sent to syslog at level 'debug', so
# you may need to modify your /etc/syslog.conf to be able to see it.

DEBUG_LOGIN=0

##NAME: IMAP_CAPABILITY:1
#
# IMAP_CAPABILITY specifies what most of the response should be to the
# CAPABILITY command.
#
# If you have properly configured Courier to use CRAM-MD5 or CRAM-SHA1
# authentication (see INSTALL), set IMAP_CAPABILITY as follows:
#
# IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
#

IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"

##NAME: KEYWORDS_CAPABILITY:0
#
# IMAP_KEYWORDS=1 enables custom IMAP keywords.  Set this option to 0 to
# disable custom keywords.

IMAP_KEYWORDS=1

##NAME: SMAP1_CAPABILITY:0
#
# EXPERIMENTAL
#
# To enable the experimental "Simple Mail Access Protocol" extensions,
# uncomment the following setting.
#
# SMAP_CAPABILITY=SMAP1

##NAME: IMAP_CAPABILITY_ORIG:1
#
# For use by webadmin

IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"

##NAME: IMAP_IDLE_TIMEOUT:0
#
# This setting controls how often
# the server polls for changes to the folder, in IDLE mode (in seconds).

IMAP_IDLE_TIMEOUT=60

##NAME: IMAP_CAPABILITY_TLS:0
#
# The following setting will advertise SASL PLAIN authentication after
# STARTTLS is established.  If you want to allow SASL PLAIN authentication
# with or without TLS then just comment this out, and add AUTH=PLAIN to
# IMAP_CAPABILITY

IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"

##NAME: IMAP_TLS_ORIG:0
#
# For use by webadmin

IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"

##NAME: IMAP_DISABLETHREADSORT:0
#
# Set IMAP_DISABLETHREADSORT to disable the THREAD and SORT commands -
# server side sorting and threading.
#
# Those capabilities will still be advertised, but the server will reject
# them.  Set this option if you want to disable all the extra load from
# server-side threading and sorting.  Not advertising those capabilities
# will simply result in the clients reading the entire folder, and sorting
# it on the client side.  That will still put some load on the server.
# advertising these capabilities, but rejecting the commands, will stop this
# silliness.
#
# IMAP_ULIMITD sets the maximum size of the data segment of the server
# process.  The value of IMAP_ULIMITD is simply passed to the "ulimit -d"
# command (or ulimit -v).  The argument to ulimi sets the upper limit on the
# size of the data segment of the server process, in kilobytes.  The default
# value of 65536 sets a very generous limit of 64 megabytes, which should
# be more than plenty for anyone.
#
# This feature is used as an additional safety check that should stop
# any potential denial-of-service attacks that exploit any kind of
# a memory leak to exhaust all the available memory on the server.
# It is theoretically possible that obscenely huge folders will also
# result in the server running out of memory when doing server-side
# sorting (by my calculations you have to have at least 100,000 messages
# in a single folder, for that to happen).

IMAP_ULIMITD=65536

##NAME: IMAP_USELOCKS:0
#
# Setting IMAP_USELOCKS to 1 will use dot-locking to support concurrent
# multiple access to the same folder.  This incurs slight additional
# overhead.  Concurrent multiple access will still work without this setting,
# however occasionally a minor race condition may result in an IMAP client
# downloading the same message twice, or a keyword update will fail.
#
# IMAP_USELOCKS=1 is strongly recommended when shared folders are used.

IMAP_USELOCKS=1

##NAME: IMAP_SHAREDINDEXFILE:0
#
#
# The index of all accessible folders.  Do not change this setting unless
# you know what you're doing.  See README.sharedfolders for additional
# information.

IMAP_SHAREDINDEXFILE=/etc/courier-imap/shared/index

##NAME: IMAP_ENHANCEDIDLE:0
#
# If Courier was compiled with the File Alteration Monitor, setting
# IMAP_ENHANCEDIDLE to 1 enables enhanced IDLE mode, where multiple
# clients may open the same folder concurrently, and receive updates to
# folder contents in realtime.  See the imapd(8) man page for additional
# information.
#
# IMPORTANT: IMAP_USELOCKS *MUST* also be set to 1, and IDLE must be included
# in the IMAP_CAPABILITY list.
#

IMAP_ENHANCEDIDLE=0

##NAME: IMAP_TRASHFOLDERNAME:0
#
# The name of the magic trash Folder.  For MSOE compatibility,
# you can set IMAP_TRASHFOLDERNAME="Deleted Items".
#
# IMPORTANT:  If you change this, you must also change IMAP_EMPTYTRASH

IMAP_TRASHFOLDERNAME=Trash

##NAME: IMAP_EMPTYTRASH:0
##NAME: IMAP_EMPTYTRASH:0
#
# The following setting is optional, and causes messages from the given
# folder to be automatically deleted after the given number of days.
# IMAP_EMPTYTRASH is a comma-separated list of folder:days.  The default
# setting, below, purges 7 day old messages from the Trash folder.
# Another useful setting would be:
#
# IMAP_EMPTYTRASH=Trash:7,Sent:30
#
# This would also delete messages from the Sent folder (presumably copies
# of sent mail) after 30 days.  This is a global setting that is applied to
# every mail account, and is probably useful in a controlled, corporate
# environment.
#
# Important: the purging is controlled by CTIME, not MTIME (the file time
# as shown by ls).  It is perfectly ordinary to see stuff in Trash that's
# a year old.  That's the file modification time, MTIME, that's displayed.
# This is generally when the message was originally delivered to this
# mailbox.  Purging is controlled by a different timestamp, CTIME, which is
# changed when the file is moved to the Trash folder (and at other times too).
#
# You might want to disable this setting in certain situations - it results
# in a stat() of every file in each folder, at login and logout.
#

IMAP_EMPTYTRASH=Trash:7

##NAME: IMAP_MOVE_EXPUNGE_TO_TRASH:0
#
# Set IMAP_MOVE_EXPUNGE_TO_TRASH to move expunged messages to Trash.  This
# effectively allows an undo of message deletion by fishing the deleted
# mail from trash.  Trash can be manually expunged as usually, and mail
# will get automatically expunged from Trash according to IMAP_EMPTYTRASH.
#
# NOTE: shared folders are still expunged as usual.  Shared folders are
# not affected.
#

IMAP_MOVE_EXPUNGE_TO_TRASH=0

##NAME: OUTBOX:0
#
# The next set of options deal with the "Outbox" enhancement.
# Uncomment the following setting to create a special folder, named
# INBOX.Outbox
#
# OUTBOX=.Outbox

##NAME: SENDMAIL:0
#
# If OUTBOX is defined, mail can be sent via the IMAP connection by copying
# a message to the INBOX.Outbox folder.  For all practical matters,
# INBOX.Outbox looks and behaves just like any other IMAP folder.  If this
# folder doesn't exist it must be created by the IMAP mail client, just
# like any other IMAP folder.  The kicker: any message copied or moved to
# this folder is will be E-mailed by the Courier-IMAP server, by running
# the SENDMAIL program.  Therefore, messages copied or moved to this
# folder must be well-formed RFC-2822 messages, with the recipient list
# specified in the To:, Cc:, and Bcc: headers.  Courier-IMAP relies on
# SENDMAIL to read the recipient list from these headers (and delete the Bcc:
# header) by running the command "$SENDMAIL -oi -t -f $SENDER", with the
# message piped on standard input.  $SENDER will be the return address
# of the message, which is set by the authentication module.
#
# DO NOT MODIFY SENDMAIL, below, unless you know what you're doing.
#

SENDMAIL=/usr/sbin/sendmail

##NAME: HEADERFROM:0
#
# For administrative and oversight purposes, the return address, $SENDER
# will also be saved in the X-IMAP-Sender mail header.  This header gets
# added to the sent E-mail (but it doesn't get saved in the copy of the
# message that's saved in the folder)
#
# WARNING - By enabling OUTBOX above, *every* IMAP mail client will receive
# the magic OUTBOX treatment.  Therefore advance LARTing is in order for
# _all_ of your lusers, until every one of them is aware of this.  Otherwise if
# OUTBOX is left at its default setting - a folder name that might be used
# accidentally - some people may be in for a rude surprise.  You can redefine
# the name of the magic folder by changing OUTBOX, above.  You should do that
# and pick a less-obvious name.  Perhaps brand it with your organizational
# name ( OUTBOX=.WidgetsAndSonsOutbox )

HEADERFROM=X-IMAP-Sender

##NAME: IMAPDSTART:0
#
# IMAPDSTART is not used directly.  Rather, this is a convenient flag to
# be read by your system startup script in /etc/rc.d, like this:
#
#  . /etc/courier-imap/imapd
#
#  case x$IMAPDSTART in
#  x[yY]*)
#        /usr/lib/courier-imap/imapd.rc start
#        ;;
#  esac
#
# The default setting is going to be NO, so you'll have to manually flip
# it to yes.

IMAPDSTART=NO

##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#

MAILDIRPATH=Maildir

#Hardwire a value for ${MAILDIR}
MAILDIR=.maildir
MAILDIRPATH=.maildir

#Put any program for ${PRERUN} here
PRERUN=
```

----------

## adaptr

```
IMAPDSTART=NO 
```

In other words - it's not running? :Wink:

----------

## flakzeus

I changed this to YES and restarted the process and I'm still having the same problems.

When trying to log in to SquirrelMail, I get this error:

```
ERROR : Could not complete request.
Unknown response from IMAP server: 1.* NO Cannot open message 1 * NO Cannot open message 2
```

----------

## adaptr

I didn't state that that was the problem - the relevant bit of the config file says this:

```
# IMAPDSTART is not used directly.  Rather, this is a convenient flag to
# be read by your system startup script in /etc/rc.d, like this:
```

In other words, the init system is not required to use this variable...

Gentoo probably doesn't, since it has a pretty advanced init system to begin with.

Hmm let's get back to the basics:

- can you provide output for the actual imapd processes ?

The couriertcpd process spawns courier-imapd for each connection, so you will have to initiate a connection to properly test this.

```
telnet localhost 143 (or start up an IMAP client somewhere)
ps faxu | grep imap
```

This should also provide a bit more relevant logging.

I know, I know - you get errors, but it is worth it to see if the imapd daemon gets spawned at all, or whether it stalls at tcpd.

----------

## flakzeus

This is with no user logged in:

```
host root # ps faxu |grep imap
root      7746  0.0  0.0   1472     4 ?        S    00:32   0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/sbin/courier-imapd .maildir
root      7752  0.0  0.0   1368     4 ?        S    00:32   0:00 /usr/lib/courier-imap/courierlogger imapd
```

This is with "telnet 127.0.0.1 143":

```
host root # ps faxu |grep imap
root      7746  0.0  0.1   1472    72 ?        S    00:32   0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/sbin/courier-imapd .maildir
root      9555  0.0  0.7   1456   448 ?        S    17:56   0:00  \_ /usr/sbin/imaplogin /usr/sbin/courier-imapd .maildir
root      7752  0.0  0.3   1368   232 ?        S    00:32   0:00 /usr/lib/courier-imap/courierlogger imapd
```

----------

## adaptr

You'll have to actually log in to get past the imaplogin service to the imapd process.

Also set DEBUG_LOGIN=1.

----------

## flakzeus

I changed debugging to 1 and had to set up syslog-ng to see debug messages. Here is what I've got when I log in:

```
May 11 09:39:48 lancelot imapd: Connection, ip=[::ffff:127.0.0.1]
May 11 09:39:48 lancelot imapd: LOGIN: ip=[::ffff:127.0.0.1], command=LOGIN
May 11 09:39:48 lancelot imapd: LOGIN: ip=[::ffff:127.0.0.1], username=emails@edited.com
May 11 09:39:49 lancelot imapd: Connection, ip=[::ffff:127.0.0.1]
May 11 09:39:49 lancelot imapd: LOGIN: ip=[::ffff:127.0.0.1], command=LOGIN
May 11 09:39:49 lancelot imapd: LOGIN: ip=[::ffff:127.0.0.1], username=emails@edited.com
May 11 09:39:49 lancelot imapd: Connection, ip=[::ffff:127.0.0.1]
May 11 09:39:49 lancelot imapd: LOGIN: ip=[::ffff:127.0.0.1], command=LOGIN
May 11 09:39:49 lancelot imapd: LOGIN: ip=[::ffff:127.0.0.1], username=emails@edited.com
```

I'm not entirely sure this is right..

----------

## adaptr

Why not? You're logged in, right?

If not, you have to perform the same debugging magic for courier-authlib, since that authenticates you.

----------

## flakzeus

Yes, I was logged in. I haven't had any problems logging in, just reading e-mails :Very Happy:

----------

## flakzeus

I have figured the problem out: my problem was that in my database my virtual users' uid and gid were not set to the vmail uid/gid. Thanks for your help.

----------
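The thread's resolution (the auth backend has to return vmail's uid/gid, because courier-imapd switches to that identity before it chdir()s into the maildir) and adaptr's earlier point that postfix and courier-imapd both need access to the same maildir come down to one POSIX access check. The following is an added example, not code from the thread or from Courier: it models that check against a constructed inventory of the maildir tree. uid 1000 for vmail comes from the thread; the gid 100 for `users`, the `/home/vmail/domain.com/user` layout, the message filename and the mismatching uid 1001 are assumptions made for illustration.

```python
"""Model of the POSIX DAC check courier-imapd hits after it drops to the
uid/gid returned by the authentication backend and chdir()s into the maildir.
Added example; the tree, gid and mismatching uid are constructed."""
from typing import Dict, Optional, Sequence, Tuple

X_OK, R_OK = 1, 4            # permission bits: search/execute and read

VMAIL_UID = 1000             # uid of the vmail account, as stated in the thread
USERS_GID = 100              # assumed gid for the 'users' group
MAILDIR = "/home/vmail/domain.com/user/.maildir"            # assumed layout
MESSAGE = MAILDIR + "/cur/1115306664.V6200Iba848.host:2,"   # constructed name

# Inventory entry standing in for stat(): (owner uid, owner gid, mode bits).
Entry = Tuple[int, int, int]


def build_tree(dir_mode: int, file_mode: int) -> Dict[str, Entry]:
    """The maildir as postfix/maildirmake leave it (dirs 700, files 600), or
    as the thread's chmod 777 workaround left it."""
    tree: Dict[str, Entry] = {
        "/home": (0, 0, 0o755),
        "/home/vmail": (VMAIL_UID, USERS_GID, 0o755),
        "/home/vmail/domain.com": (VMAIL_UID, USERS_GID, 0o755),
        "/home/vmail/domain.com/user": (VMAIL_UID, USERS_GID, dir_mode),
        MAILDIR: (VMAIL_UID, USERS_GID, dir_mode),
    }
    for sub in ("cur", "new", "tmp"):
        tree[f"{MAILDIR}/{sub}"] = (VMAIL_UID, USERS_GID, dir_mode)
    tree[MESSAGE] = (VMAIL_UID, USERS_GID, file_mode)
    return tree


def dac_allows(entry: Entry, uid: int, gids: Sequence[int], want: int) -> bool:
    """Classic POSIX DAC: exactly one of the owner/group/other triplets applies,
    chosen by identity, never the union.  Root bypasses mode bits for
    directory search and read/write, which is why the failure only shows up
    once courier-imapd has dropped root for the user's uid."""
    owner, group, mode = entry
    if uid == 0:
        return True
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def first_denied(tree: Dict[str, Entry], path: str, uid: int,
                 gids: Sequence[int], final_want: int) -> Optional[str]:
    """Resolve `path` component by component as the kernel does: every
    intermediate directory needs search (x); the last component needs
    `final_want` (x for chdir(), r for opening a message).  Returns the first
    component that denies access, or None when the whole path is reachable."""
    parts = [p for p in path.split("/") if p]
    cur = ""
    for i, part in enumerate(parts):
        cur += "/" + part
        want = final_want if i == len(parts) - 1 else X_OK
        if not dac_allows(tree[cur], uid, gids, want):
            return cur
    return None


def login_outcome(dir_mode: int, file_mode: int, uid: int,
                  gids: Sequence[int]) -> Dict[str, Optional[str]]:
    """What an IMAP session sees once authlib hands courier-imapd (uid, gids):
    where chdir() into the maildir fails, and where opening a message fails."""
    tree = build_tree(dir_mode, file_mode)
    return {
        "chdir_maildir": first_denied(tree, MAILDIR, uid, gids, X_OK),
        "open_message": first_denied(tree, MESSAGE, uid, gids, R_OK),
    }


if __name__ == "__main__":
    cases = {
        "SQL row says uid 1001, maildir 700/600 (the thread's error)":
            (0o700, 0o600, 1001, [USERS_GID]),
        "SQL row says uid 1000 = vmail, maildir 700/600 (the fix)":
            (0o700, 0o600, VMAIL_UID, [USERS_GID]),
        "wrong uid, dirs chmod 777 but files 600 ('Cannot open message')":
            (0o777, 0o600, 1001, [USERS_GID]),
        "dirs 777, files 666: any local account reads the mail":
            (0o777, 0o666, 65534, []),
    }
    for label, args in cases.items():
        print(f"{label}: {login_outcome(*args)}")
```

The first case reproduces the `chdir(/path/to/userdirectory) failed!!` line: the walk stops at the first 700 directory, because a uid other than the owner only ever sees the group or other triplet. The third case reproduces the `NO Cannot open message 1` error after the chmod 777 workaround: the directories now pass, but the 600 message files still do not. The last case is the reason 777 is not an acceptable fix: every local account on the box can read and write the mail. On a real system, courier-authlib's `authtest user@domain.com` prints the uid, gid and maildir the backend resolves for a login, and `ls -ln` on the maildir shows the numeric owner; those two numbers have to match, which is what the thread's SQL fix achieved.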

