#1 2025-12-01 18:14:27

sandu_teodor
Member
Registered: 2025-12-01
Posts: 1

Dovecot process crashing: "open(/proc/self/io) failed: Permission deni

Hi everyone,

I am trying to set up a Dovecot server on Arch Linux, but I am hitting a persistent permission error regarding /proc/self/io which causes the IMAP connection to close immediately after a successful login.

The Symptoms:

Clients (Thunderbird) can connect to Nginx Proxy.

Dovecot authenticates the user successfully (SQL auth works).

Dovecot correctly calculates the home path (/var/vmail/...).

Immediately after authentication, the connection is closed.

The Error Log:

Debug: Effective uid=5000, gid=5000, home=/var/vmail/intelligentsofts.org/admin
Debug: open(/proc/self/io) failed: Permission denied
Debug: maildir++: root=/var/vmail/intelligentsofts.org/admin/Maildir, index=, ...
Disconnected: Connection closed (NAMESPACE finished 0.005 secs ago)

What I have tried so far:

Downgraded Dovecot: I tried both version 2.4.2 and downgraded to 2.3.21.1. The error persists on both.

Permissions: I moved the mail storage to /var/vmail and ensured vmail:vmail (uid 5000) has full rwx permissions.

Systemd Overrides: I edited the systemd service to disable sandboxing:

ProtectSystem=off
ProtectHome=no
ProtectProc=default
ProcSubset=all
ReadWritePaths=/var/vmail

Mount Options: I tried remounting /proc with hidepid=0 (mount -o remount,rw,hidepid=0 /proc), but the error persists.

Config: I tried disabling stats plugins in dovecot.conf.

It seems like the Dovecot process drops privileges to user vmail and then gets blocked by the Kernel/System when trying to read its own IO stats from /proc.

My Setup:

OS: Arch Linux (Current)

Dovecot: 2.3.21.1 (Downgraded from 2.4)

Storage: Maildir

Auth: MySQL / MariaDB

Does anyone know if there is a specific Arch Kernel sysctl or systemd setting that blocks a process from reading its own /proc/self/io even with hidepid=0?

Thanks!

# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21.1 (49005e73)
# OS: Linux 6.17.8-arch1-1 x86_64  
# Hostname: rack01r6201
auth_mechanisms = plain login
disable_plaintext_auth = no
first_valid_gid = 5000
first_valid_uid = 5000
haproxy_trusted_networks = 192.168.1.130/32
login_trusted_networks = 192.168.1.130/32
mail_access_groups = proc_readers
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~/Maildir
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    mode = 0666
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imap_proxy {
    haproxy = yes
    port = 10143
    ssl = no
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0666
  }
}
service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
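
A kernel rule documented in proc(5) and prctl(2) can produce the `open(/proc/self/io) failed: Permission denied` line for a process that has changed its effective UID: while the "dumpable" attribute is not 1, the files under /proc/self are owned by root, and `io` has mode 0400. The program below is an added example, not part of the original post and not Dovecot's code; it uses `PR_SET_DUMPABLE` to simulate the state after a privilege drop, and the helper names are hypothetical.

```c
/* Added example: /proc/self/io ownership follows the "dumpable" attribute. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

struct probe { int dumpable; long owner; int open_errno; };

/* Owner uid the kernel currently reports for /proc/self/io, or -1. */
static long io_owner(void) {
    struct stat st;
    return stat("/proc/self/io", &st) == 0 ? (long)st.st_uid : -1;
}

/* 0 if /proc/self/io can be opened for reading, otherwise the errno. */
static int try_open_io(void) {
    int fd = open("/proc/self/io", O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Set the dumpable attribute, then record what the kernel exposes. */
static struct probe probe_with_dumpable(int value) {
    struct probe p;
    prctl(PR_SET_DUMPABLE, value, 0, 0, 0);
    p.dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    p.owner = io_owner();
    p.open_errno = try_open_io();
    return p;
}

int main(void) {
    printf("euid=%ld\n", (long)geteuid());
    for (int v = 1; v >= 0; v--) {  /* 1 = normal, 0 = state simulated here */
        struct probe p = probe_with_dumpable(v);
        printf("dumpable=%d owner_uid=%ld open: %s\n", p.dumpable, p.owner,
               p.open_errno ? strerror(p.open_errno) : "ok");
    }
    prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);  /* restore the default */
    return 0;
}
```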
