Dovecot deliver failing?

Problem Description

None of the mail to my mailboxes is getting through for the last few days. Looks like a mail configuration error, but nothing has changed in /etc/dovecot or /etc/exim4 in the last couple of weeks, when things were working fine.

Any Error Messages

journalctl shows:

Jan 06 18:18:27 [HOST REDACTED] dovecot[1669551]: lda([ADDRESS REDACTED])<1669551><braWLvNRXWmveRkAhquTpA>: Fatal: setgid(1009([GROUP REDACTED]) from userdb lookup) failed with euid=1000(sympl), gid=1000(sympl), egid=1000(sympl): Operation not permitted (This binary should probably be called with process group set to 1009([GROUP REDACTED]) instead of 1000(sympl))

/var/log/exim4/mainlog shows:

2026-01-06 18:18:27 1vdBdQ-0070KA-It <= [ADDRESS REDACTED] H=[HOST REDACTED] [[IP REDACTED]] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no SNI=mx.[DOMAIN REDACTED] S=16406 DKIM=[DOMAIN REDACTED] id=lJWXEVjbSJ6npRHbzLAloQ@geopod-ismtpd-16
2026-01-06 18:18:27 1vdBdQ-0070KA-It <[ADDRESS REDACTED]>: dovecot_lda transport output: lda([ADDRESS REDACTED]): Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied
2026-01-06 18:18:27 1vdBdQ-0070KA-It == [ADDRESS REDACTED] R=vhost_forward_sieve T=dovecot_lda defer (0): Child process of dovecot_lda transport returned 75 (could mean temporary error) from command: /usr/lib/dovecot/deliver

ls -l /run/dovecot/stats-* shows:

srw------- 1 root root    0 Jan  6 18:17 /run/dovecot/stats-reader
srw-rw---- 1 root dovecot 0 Jan  6 18:17 /run/dovecot/stats-writer

Environment

  • Sympl Version: 11 (planning a migration to the latest quite soon, but not there yet!)
  • Debian Version: 11
  • Hardware Type: VM
  • Hosted With: Digital Ocean

Anyone got any thoughts on what to try next to debug, please?

Check the permissions on the mailboxes directory and its subdirectories and files - they should all be owned by the sympl user.

All directories and files from <domain>/mailboxes down are owned by sympl:sympl. I notice that the group used by LDA is the one configured in <domain>/config/public-group, but that’s been true for years, and mail delivery only stopped on 31st December. Only package update on that date was related to ImageMagick.

My initial thought was that there is a sympl script that checks and corrects file system permissions, but I don’t see it in yesterday’s report. Perhaps you could try running it manually.
Report…
Commands Run:
User root:
[ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi: 48 Time(s)
[ -x /usr/sbin/sympl-dns-generate ] && /usr/sbin/sympl-dns-generate --upload --sleep 7200: 1 Time(s)
/root/.local/bin/borgmatic: 8 Time(s)
[ -x /usr/sbin/sympl-all-crontabs ] && /usr/sbin/sympl-all-crontabs: 1440 Time(s)
[ -x /usr/sbin/sympl-dns-generate ] && /usr/sbin/sympl-dns-generate: 96 Time(s)
[ -x /usr/sbin/sympl-firewall ] && /usr/sbin/sympl-firewall : 24 Time(s)
[ -x /usr/sbin/sympl-firewall-blacklist ] && /usr/sbin/sympl-firewall-blacklist: 96 Time(s)
[ -x /usr/sbin/sympl-firewall-whitelist ] && /usr/sbin/sympl-firewall-whitelist: 96 Time(s)
[ -x /usr/sbin/sympl-password-test ] && /usr/sbin/sympl-password-test --hourly: 24 Time(s)
cd / && run-parts --report /etc/cron.hourly: 24 Time(s)
test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r: 1 Time(s)
test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }: 1 Time(s)
User www-data:
php -f /srv/redacted/public/htdocs/cloud/cron.php: 288 Time(s)
test -d /run/systemd/system || /usr/share/roundcube/bin/cleandb.sh >/dev/null: 1 Time(s)
test -d /run/systemd/system || /usr/share/roundcube/bin/gc.sh: 48 Time(s)

Sadly, no joy. Running sympl-filesystem-security --verbose shows mainly changes to PHP session files. Mail is still failing with a permissions error; I’m at a loss to understand what changed on 31st December, but I can’t receive mail on that domain at the moment. Mail for other domains is working.

I would check the permissions of the mail folders.

Got it working again - but I’m not totally sure how. I’ve made permissions changes to match another working domain, but now I’ve selectively reapplied the permissions the tree originally had and it’s still working. I’m guessing it’s the permissions of files within the Maildir directory itself, with which I’m not that familiar, and some extensive reading in the Dovecot docs hasn’t left me much wiser. Strange!

They are all owned by sympl:sympl, I think. They are supposed to be created by sympl, but if you made them some other way, chown them to sympl:sympl.
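
The two checks discussed in this thread (reading the ids out of the lda "setgid ... failed" line and confirming ownership under the mailboxes tree) can be scripted as below. This is an added example, not code from any poster or from Sympl; the function names and the sample log line are constructed, and it assumes a Linux host whose `stat` supports `-c`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with stat -c support.

# Constructed sample modelled on the journal line in the thread; the address
# and group name are placeholders because the original values are redacted.
SAMPLE_LOG='dovecot[1669551]: lda(user@example.org): Fatal: setgid(1009(examplegrp) from userdb lookup) failed with euid=1000(sympl), gid=1000(sympl), egid=1000(sympl): Operation not permitted'

# Print "<gid requested by userdb> <euid> <egid>" from an lda setgid failure
# line; print nothing when the line is not such a failure.
parse_setgid_failure() {
  printf '%s\n' "$1" | sed -nE \
    's/.*setgid\(([0-9]+)\(.*euid=([0-9]+)\(.*egid=([0-9]+)\(.*/\1 \2 \3/p'
}

# List every entry under DIR whose numeric owner:group differs from UID:GID,
# one per line as "uid:gid mode path".
audit_ownership() {
  find "$1" -exec stat -c '%u:%g %a %n' {} + |
    awk -v want="$2:$3" '$1 != want'
}

# Summarise the id mismatch in the log line, then list the entries under DIR
# that are not owned by the uid/gid the delivery process actually runs as.
diagnose() {
  set -- "$2" $(parse_setgid_failure "$1")
  [ "$#" -eq 4 ] || { echo "not an lda setgid failure line" >&2; return 2; }
  if [ "$2" != "$4" ]; then
    echo "userdb lookup asked for gid $2, lda runs as euid $3 egid $4"
  fi
  audit_ownership "$1" "$3" "$4"
}

# Usage: sh this-script '<journal line>' /path/to/<domain>/mailboxes
if [ "$#" -eq 2 ]; then
  diagnose "$1" "$2"
fi
```

An empty listing after the summary line means every entry under the tree already has the owner and group that lda runs as, so the requested gid is coming from somewhere other than file ownership.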