Troubleshooting Dovecot Permission Error: “missing +w perm” for /var/mail When User Is in mail Group


dovecot: missing +w perm: /var/mail, we're not in group 8(mail)

When setting up a mail server with Dovecot, this error can be particularly frustrating because it persists even when you've verified the user is in the mail group (GID 8). Let's examine why this happens and how to properly fix it.

The critical elements in this setup are:

mail:x:8:dovecot,user.name  # /etc/group entry
drwxrwsr-x 3 root mail 4096 nov 11 12:20 /var/mail  # directory permissions

First, verify the effective group membership:

# Check if user is in mail group
groups user.name
# Should show: user.name : user.name mail

# Check the groups the running Dovecot processes actually hold
ps -eo pid,user,group,supgrp,args | grep '[d]ovecot'
# The GROUP and SUPGRP columns show the effective and supplementary groups
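
The distinction behind this error, as an added example that is not part of the original page: /etc/group says which groups an account may hold, while /proc/<pid>/status shows which GIDs a running process actually holds. The function names and the sample status data are constructed for illustration, and the script assumes Linux with GNU stat.

```shell
#!/bin/sh
# Added example: does a process actually hold the group that a spool
# directory's group-write bit is granted to?

# gids_of_status FILE: print the effective GID and the supplementary GIDs from
# a /proc/<pid>/status-format file, one per line, sorted and de-duplicated.
gids_of_status() {
    awk '$1 == "Gid:"    { print $3 }   # fields: real, effective, saved, fs
         $1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -un
}

# has_gid FILE GID: succeed if GID is among the credentials in FILE.
has_gid() {
    gids_of_status "$1" | grep -qx -- "$2"
}

# group_write_usable FILE DIR: succeed only if DIR has the group write bit AND
# the process described by FILE holds DIR's group (2 = stat failed).
group_write_usable() {
    dir_gid=$(stat -c %g -- "$2") || return 2
    dir_mode=$(stat -c %a -- "$2") || return 2
    [ $(( 0$dir_mode & 020 )) -ne 0 ] || return 1
    has_gid "$1" "$dir_gid"
}

# make_sample_status OUT EGID "SUPPLEMENTARY GIDS": write a constructed
# status file (hypothetical helper, stands in for /proc/<pid>/status).
make_sample_status() {
    printf 'Name:\timap\nGid:\t%s\t%s\t%s\t%s\nGroups:\t%s\n' \
        "$2" "$2" "$2" "$2" "$3" > "$1"
}

# Demo on constructed data: the account may be listed under mail (GID 8) in
# /etc/group, but this process was started with only its own group.
demo() {
    tmp=$(mktemp -d) || return 2
    make_sample_status "$tmp/stale" 1000 "1000"
    make_sample_status "$tmp/fresh" 1000 "8 1000"
    for s in stale fresh; do
        if has_gid "$tmp/$s" 8; then echo "$s: holds gid 8"
        else echo "$s: not in group 8"; fi
    done
    rm -rf "$tmp"
}
demo
```

On a live system, pass the /proc/<pid>/status file of a Dovecot mail process and /var/mail to group_write_usable.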

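The 's' in the group permission (rws) indicates the SGID bit is set. This only makes new files inherit the mail group; it doesn't guarantee write access for group members, because access is decided by the groups the accessing process actually holds, and a membership added in /etc/group is only picked up by sessions and processes started afterwards.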

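# 1. Verify and set proper permissions on the directory itself
#    (no -R: a recursive change would re-own every mailbox to root and
#    make each one group-writable and world-readable)
sudo chown root:mail /var/mail
sudo chmod 2775 /var/mail  # 2=SGID, 7=rwx for owner, 7=rwx for group, 5=rx for others

# 2. Ensure group membership (takes effect for new sessions and restarted services)
sudo usermod -aG mail dovecot
sudo usermod -aG mail user.name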

# 3. Restart services
sudo systemctl restart dovecot
sudo systemctl restart postfix  # if using Postfix as MTA

Add these to your dovecot.conf for better permission handling:

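# Group enabled temporarily for privileged operations on /var/mail
# (INBOX creation, dotlocking)
mail_privileged_group = mail
# Supplementary group granted to mail processes for their whole lifetime;
# broader than mail_privileged_group, so use it only if that is not enough
mail_access_groups = mail

# first_valid_uid / last_valid_uid take user IDs, not group IDs. Setting both
# to 8 would reject every account whose UID is not 8, so they stay commented out.
# first_valid_uid = 8
# last_valid_uid = 8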

Verify with:

sudo -u user.name touch /var/mail/test_file
# Should succeed without permission errors

ls -la /var/mail
# New files should have mail group ownership

If using SELinux, additional steps may be needed:

# Check SELinux context
ls -Z /var/mail

# Set proper context if needed
sudo chcon -R -t mail_spool_t /var/mail

After implementing changes, check logs for confirmation:

journalctl -u dovecot --since "1 hour ago" | grep -i permission
# Should show no more permission errors

When setting up a mail server with Dovecot, you might encounter the error:

Dovecot: missing +w perm: /var/mail, we're not in group 8(mail)

This occurs despite having:

drwxrwsr-x  3 root mail   4096 nov 11 12:20 mail/
mail:x:8:dovecot,user.name

The issue stems from the combination of these factors:

  • The /var/mail directory has group write permission (rws)
  • Dovecot process needs to write to user mailboxes
  • The setgid bit (s) means new files inherit the mail group
  • Your user might not have proper group membership

First, confirm your user is properly in the mail group (GID 8):

id username
groups username

If missing, add with:

sudo usermod -aG mail username

Option 1: Adjust Directory Permissions

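Make /var/mail writable by all, with the sticky bit set so users cannot delete each other's files (less secure, since any local account can create files in the spool):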

sudo chmod 1777 /var/mail

Option 2: Proper Group Configuration

Ensure Dovecot runs with correct group:

service dovecot {
  group = mail
  extra_groups = mail
}

Option 3: Mail Location Alternative

Consider using maildir format instead of mbox:

mail_location = maildir:~/Maildir

Enable verbose logging to pinpoint the issue:

mail_debug = yes
auth_verbose = yes

When adjusting permissions:

  • Avoid world-writable directories (777)
  • Prefer group-based permissions
  • Consider SELinux/AppArmor contexts

Here's a verified working setup:

# /etc/dovecot/conf.d/10-mail.conf
mail_location = mbox:/var/mail/%u
mail_privileged_group = mail

# /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    port = 143
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

After changes, always restart Dovecot:

sudo systemctl restart dovecot