When working with Dovecot IMAP servers, you might encounter the permission error:
dovecot: imap(ec2-user): Error: user *theuser*: Couldn't drop privileges: Mail access for users with UID 222 not permitted
This typically occurs when Dovecot's security restrictions prevent a user session from starting due to UID-based access control.
The error stems from Dovecot's default configuration, which restricts mail access to specific UID ranges. The main culprits are:
- The first_valid_uid setting in dovecot.conf
- The system user's UID falling outside the permitted range
- Incorrect permission inheritance
Here's how to modify your Dovecot configuration to resolve this. Note that first_valid_uid is a global mail setting, so it belongs at the top level of the configuration (conventionally 10-mail.conf), not inside a service { } block in 10-master.conf, where Dovecot rejects it as an unknown setting:
# /etc/dovecot/conf.d/10-mail.conf
# Ensure the minimum UID is low enough to include the mail user (UID 222 here)
first_valid_uid = 100
# Alternative global settings in 10-mail.conf: mail_uid/mail_gid force every
# mail session to run as this fixed UID/GID instead of the userdb's UID
mail_uid = 222
mail_gid = 222
first_valid_uid = 100
last_valid_uid = 5000
After making changes, verify with:
dovecot -n # Check current configuration
systemctl restart dovecot
tail -f /var/log/mail.log # Monitor for errors
For more complex environments, consider:
# Check user's actual UID:
id -u username
# For systemd systems, check service constraints:
systemctl show dovecot | grep Protect
systemctl edit dovecot # Add overrides if needed
When lowering UID restrictions:
- Audit all users in the expanded UID range
- Consider using mail_access_groups instead of UID ranges
- Implement additional PAM restrictions if needed
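The range check described above, together with the audit of which system accounts an expanded range newly admits, as an added shell example that is not part of the original page. It assumes Dovecot's built-in defaults of first_valid_uid = 500 and last_valid_uid = 0 (no upper limit), which is why a UID of 222 is refused until first_valid_uid is lowered; the `dovecot -n` excerpt and the passwd lines it parses are constructed inline so it runs offline, and on a real host you would feed it `dovecot -n` output and /etc/passwd instead.

```sh
#!/bin/sh
# Added example (not from the original page): check a UID against Dovecot's
# first_valid_uid / last_valid_uid range and list the accounts that the
# configured range admits, so they can be audited after lowering the limit.

# Constructed sample of `dovecot -n` output: first_valid_uid was lowered as the
# article suggests, last_valid_uid was left at its default.
SAMPLE_DOVECOT_CONF='mail_location = maildir:~/Maildir
first_valid_uid = 100
mail_privileged_group = mail'

# Constructed /etc/passwd excerpt (sample accounts, not a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
theuser:x:222:222:Mail user:/var/mail/theuser:/usr/sbin/nologin
ec2-user:x:1000:1000:EC2 Default User:/home/ec2-user:/bin/bash'

# Print the effective value of setting $1 from `dovecot -n`-style text in $2.
# Falls back to Dovecot's defaults (assumed: first_valid_uid=500,
# last_valid_uid=0 meaning "no upper limit") when the key is absent.
dovecot_setting() {
    key=$1; conf=$2
    val=$(printf '%s\n' "$conf" \
        | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" | tail -n 1)
    if [ -z "$val" ]; then
        case $key in
            first_valid_uid) val=500 ;;
            last_valid_uid)  val=0 ;;
        esac
    fi
    printf '%s\n' "$val"
}

# Report whether Dovecot would allow mail access for UID $2 under the config
# text in $1 (the same test that produces "Mail access for users with UID N
# not permitted"). Returns 0 when permitted, 1 when denied.
uid_permitted() {
    conf=$1; uid=$2
    first=$(dovecot_setting first_valid_uid "$conf")
    last=$(dovecot_setting last_valid_uid "$conf")
    if [ "$uid" -lt "$first" ]; then
        echo "denied: UID $uid is below first_valid_uid=$first"; return 1
    fi
    if [ "$last" -ne 0 ] && [ "$uid" -gt "$last" ]; then
        echo "denied: UID $uid is above last_valid_uid=$last"; return 1
    fi
    if [ "$last" -eq 0 ]; then range="$first and up"; else range="$first-$last"; fi
    echo "permitted: UID $uid is within $range"
}

# List login names from passwd text $1 whose UID lies in [$2, $3]; pass 0 as
# $3 for "no upper limit". These are the accounts the range admits.
users_in_range() {
    passwd=$1; first=$2; last=$3
    printf '%s\n' "$passwd" | awk -F: -v first="$first" -v last="$last" \
        '$3 >= first && (last == 0 || $3 <= last) { print $1 }'
}

main() {
    echo "With Dovecot defaults:"
    uid_permitted "" 222 || true
    echo "With the sample configuration:"
    uid_permitted "$SAMPLE_DOVECOT_CONF" 222
    echo "Accounts admitted by the sample range (audit these):"
    users_in_range "$SAMPLE_PASSWD" \
        "$(dovecot_setting first_valid_uid "$SAMPLE_DOVECOT_CONF")" \
        "$(dovecot_setting last_valid_uid "$SAMPLE_DOVECOT_CONF")"
}

main "$@"
```

On a live system replace the two sample variables with `dovecot -n` and `getent passwd` output; the audit list is the set of accounts that can now open a mailbox through Dovecot, which is the review the article asks for before restarting the service.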
When you encounter the error message "Couldn't drop privileges: Mail access for users with UID 222 not permitted" in Dovecot, it's typically related to security restrictions in your configuration. Dovecot refuses to start the IMAP session because it's attempting to drop privileges to a UID that isn't explicitly permitted.
This error occurs because of these common scenarios:
- The UID (222 in this case) isn't within Dovecot's first_valid_uid/last_valid_uid range
- The system user doesn't have proper mail directory permissions
- Dovecot is configured with too restrictive UID/GID settings
Check your /etc/dovecot/conf.d/10-mail.conf file for these settings:
# Example of proper UID range configuration
first_valid_uid = 100
last_valid_uid = 2000
# Or force every mail session to run as UID/GID 222
# (mail_uid/mail_gid override the UID returned by the userdb)
mail_uid = 222
mail_gid = 222
First, confirm the UID of your mail user:
id -u theuser
Then verify the mail directory permissions:
ls -ld /var/mail/theuser
Here's a tested configuration that resolves this issue:
# /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
mail_privileged_group = mail
first_valid_uid = 100
last_valid_uid = 65000
# /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
!include auth-system.conf.ext
Enable verbose logging to get more details about the authentication process:
# /etc/dovecot/conf.d/10-logging.conf
auth_verbose = yes
auth_debug = yes
mail_debug = yes
After making changes, always test your configuration:
dovecot -n
systemctl restart dovecot
If you're using systemd, you might need to adjust service restrictions:
# /etc/systemd/system/dovecot.service.d/override.conf
[Service]
ReadWritePaths=/var/mail
PrivateTmp=false
For SELinux systems, don't forget to check security contexts:
restorecon -Rv /var/mail