kopano-dagent not starting (permission denied: var/spool/kopano/dagent.sock)

ThomasH

Hello everyone.

Referring to
5.11.1. Configure Kopano-dagent for delivery via unix socket
I’m trying to setup the dagent for lmtp.
But the service won’t start.

System: Ubuntu 20.04 64Bit
Kopano 8.7.0
The result If I’m trying to start:

kopano-dagent.service - Kopano Groupware Core Delivery Agent
     Loaded: loaded (/lib/systemd/system/kopano-dagent.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Fri 2021-02-19 21:02:08 CET; 2s ago
       Docs: man:kopano-dagent(8)
             man:kopano-dagent.cfg(5)
    Process: 8909 ExecStart=/usr/sbin/kopano-dagent -l -F -c /etc/kopano/dagent.cfg (code=exited, status=0/SUCCESS)
   Main PID: 8909 (code=exited, status=0/SUCCESS)

Feb 19 21:02:08 thomas-laptop systemd[1]: Started Kopano Groupware Core Delivery Agent.
Feb 19 21:02:08 thomas-laptop kopano-dagent[8909]: Starting kopano-dagent version 8.7.0 (pid 8909 uid 0) (LMTP mode)
Feb 19 21:02:08 thomas-laptop kopano-dagent[8909]: ec_listen_localsock: bind /var/spool/kopano/dagent.sock: Permission denied
Feb 19 21:02:08 thomas-laptop systemd[1]: kopano-dagent.service: Succeeded.

I performed the commands under 5.11 and proven it right.

drwxrwx---+ 2 kopano kopano 4096 Jan 13 21:50 /var/spool/kopano/

The dagent.sock won’t be created.

The dagent.cfg active lines:

lmtp_listen = unix:/var/spool/kopano/dagent.sock
run_as_user = kopano
run_as_group = kopano

If lmtp_listen is commented out, the service runs stable.

I don’t know what might be wrong here.
Do you have any idea what I can do here?

A Former User

@thomash my lmtp_listen contains a port value:

lmtp_listen = *:2003

Walter

fbartels

@thomash it’s probably the appamor profile of Ubuntu blocking Access.

Generally i would not advise to use the packages that come with Debian/Ubuntu as they are heavily outdated.

ThomasH

Thanks for your replies.
@WalterHof It’s up to the user what to choose from, I want to use a local socket.
From the comments in dagent.cfg

#    "unix:/var/spool/kopano/dagent.sock" — local socket
#    "*:236" — port 2003, all protocols
#    "[::]:236" — port 2003 on IPv6 only
#    "[2001:db8::1]:236" — port 2003 on specific address only

@fbartels
Thank you for your hint of AppArmor.
Just for a test, I stopped the service of AppArmor.

/etc/init.d/apparmor status
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Sun 2021-02-21 19:03:58 CET; 55s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 965 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
    Process: 42811 ExecStop=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 965 (code=exited, status=0/SUCCESS)

Feb 19 19:38:36 thomas-laptop systemd[1]: Starting Load AppArmor profiles...
Feb 19 19:38:36 thomas-laptop apparmor.systemd[965]: Restarting AppArmor
Feb 19 19:38:36 thomas-laptop apparmor.systemd[965]: Reloading AppArmor profiles
Feb 19 19:38:36 thomas-laptop apparmor.systemd[989]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Feb 19 19:38:36 thomas-laptop apparmor.systemd[1001]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Feb 19 19:38:36 thomas-laptop systemd[1]: Finished Load AppArmor profiles.
Feb 21 19:03:58 thomas-laptop systemd[1]: Stopping Load AppArmor profiles...
Feb 21 19:03:58 thomas-laptop systemd[1]: apparmor.service: Succeeded.
Feb 21 19:03:58 thomas-laptop systemd[1]: Stopped Load AppArmor profiles.

But the error is still the same.

I’m not familiar with AppArmor, in
/etc/apparmor.d/usr.sbin.kopano-dagent
I have:

# Last Modified: Sun, 12 Aug 2019 14:45:00 +0200
#include <tunables/global>

/usr/sbin/kopano-dagent flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/python>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability setgid,
  capability setuid,

  @{PROC}/@{pid}/task/@{tid}/comm rw,
  @{PROC}/@{pid}/cmdline r,

  /etc/gai.conf r,
  /etc/gss/mech.d/ r,
  /etc/gss/mech.d/*.conf r,
  /etc/kopano/dagent.cfg r,
  /etc/ssl/openssl.cnf r,

  /usr/sbin/kopano-dagent r,

  /run/kopano/server.sock rw,

  /usr/share/kopano-dagent/python/ r,
  /usr/share/kopano-dagent/python/*.py{,c} r,

  /var/lib/kopano/dagent/plugins/ r,
  /var/lib/kopano/dagent/plugins/*.py{,c} r,

  /etc/mapi/ r,
  /etc/mapi/* r,

  /run/kopano/dagent.pid rw,
  /var/log/kopano/dagent.log rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.kopano-dagent>
}

Are these settings correct so far?

tobelger

@thomash
Hi, we had the same issue. The Problem is, that if i remember your MTA dosn’t has the permission. I changed our dagent.sock in dagent.cfg to

lmtp_listen = unix:/var/spool/postfix/kopano/dagent.sock

that worked for us.

ThomasH

Unfortunately this doesn’t help. Neither with directory right for fetchmail nor kopano. :-/

tobelger

@thomash did fixed the ACLs and did you set tne Path also in the MTA?