Queue browse error after 8.7 upgrade

[quanah]

Those errors are/were just in the zimbra.log - for me, nothing was needed to make them happen, due to the file system permissions issues (or process as wrong user perhaps) they increment in the log file.

That's a known bug/problem with postdrop that's existed for years, unfortunately. Basically you have to stop postfix and kill any running postdrop instances, then restart postfix. The postdrop instances that are runaway are referencing things that no longer exist.

[IvanH]

Same problem, tried the given solutions but no go.

Multi-Server (2) install.

Upgraded both servers from 8.6 to 8.7 today.
1 Server has the problem, the other doesnt.
The server with the problem is the one where i had to do a zmfixperms on.... the other one, that doesn't have a problem no fixperms!
Can this be the start of the problem, fixperms setting the wrong permissions?
On the server without problems i see postdrop being started under the root user, with problem it is started under the zimbra user.

Any help please...

[bithammer]

After upgrading my servers (Multiserver setup with two MTA/Mailstore) last week from 8.6 to 8.7 I suddenly have the same problems as described.
In the beginning only one server was effected, now both are.

mail.log

Code: Select all

Aug 19 09:48:19 zm0 postfix/postdrop[19936]: warning: mail_queue_enter: create file maildrop/643190.19936: Permission denied
Aug 19 09:48:23 zm0 postfix/postqueue[17689]: fatal: Connect to the Postfix showq service: Permission denied
Aug 19 11:48:23 ser-zimbra postfix/postdrop[8722]: warning: mail_queue_enter: create file maildrop/840207.8722: Permission denied
Aug 19 11:48:24 ser-zimbra postfix/postdrop[23818]: warning: mail_queue_enter: create file maildrop/77746.23818: Permission denied
Aug 19 09:48:25 zm0 postfix/postdrop[29728]: warning: mail_queue_enter: create file maildrop/931055.29728: Permission denied

The process of postdrop is running as user zimbra:

Code: Select all

root@zm0:~# ps axu | egrep post
postfix  14406  0.0  0.0  46308  2436 ?        S    09:42   0:00 pickup -l -t unix -u
postfix  18875  0.0  0.0  46488   824 ?        S    Aug18   0:00 qmgr -l -t unix -u
zimbra   19936  0.0  0.0  46276   444 ?        S    Aug18   0:00 /opt/zimbra/common/sbin/postdrop -r
postfix  24146  0.0  0.0  46316   732 ?        S    Aug18   0:00 tlsmgr -l -t unix -u
zimbra   29728  0.0  0.0  46276   540 ?        S    Aug17   0:01 /opt/zimbra/common/sbin/postdrop -r

This might be necessary, but the user zimbra does not have access to the directories

Code: Select all

root@zm0:~# ll /opt/zimbra/data/postfix/spool/
total 64
drwxr-xr-x 16 root    root     4096 Jul  9  2011 ./
drwxr-xr-x  4 postfix zimbra   4096 Oct  9  2011 ../
drwx------  2 postfix postfix  4096 Aug 19 09:43 active/
drwx------  2 postfix postfix  4096 Aug  3 06:38 bounce/
drwx------  2 postfix postfix  4096 Jul  9  2011 corrupt/
drwx------ 18 postfix postfix  4096 Jul  2  2012 defer/
drwx------ 18 postfix postfix  4096 Jul  2  2012 deferred/
drwx------  2 postfix postfix  4096 Jul  9  2011 flush/
drwx------  2 postfix postfix  4096 Jul  9  2011 hold/
drwx------  2 postfix postfix  4096 Aug 19 09:43 incoming/
drwx-wx---  2 postfix postdrop 4096 Aug 17 09:32 maildrop/
drwxr-xr-x  2 postfix root     4096 Aug 14 09:05 pid/
drwx------  2 postfix postfix  4096 Aug 16 20:18 private/
drwx--x---  2 postfix postdrop 4096 Aug 16 20:18 public/
drwx------  2 postfix postfix  4096 Jul  9  2011 saved/
drwx------  2 postfix postfix  4096 Aug 16 05:48 trace/

I checked, zmfixperms does set exactly these permissions. Somthing must be wrong either in running postdrop as zimbra user or in the zmfixperms script.

I contacted zimbra professional support, but after the initial confirmation of my request, I did not get an answer yet.

Is there anyone who can help. Setting perms to 777 is not an option. Also, the suggested killing of postdrop and restarting postfix is not helping. Even an reboot is not.

[bithammer]

There is a major bug in zmfixperms version 8.7! Actually there are two!

This is the temporary solution

Code: Select all

chown root:root -Rh /opt/zimbra/common/sbin/*
chown root:postdrop /opt/zimbra/common/sbin/postdrop
chown root:postdrop /opt/zimbra/common/sbin/postqueue
chmod g+s /opt/zimbra/common/sbin/postdrop
chmod g+s /opt/zimbra/common/sbin/postqueue

Bug one is not setting the s-flag any more.

Code: Select all

ll /opt/zimbra/common/sbin/
insgesamt 23300
-rwxr-xr-x 1 root root      1531710 Dez  6  2015 amavisd
-rwxr-xr-x 1 root root        12671 Dez  6  2015 amavisd-release
-rwxr-xr-x 1 root root        53704 Dez  6  2015 amavisd-snmp-subagent-zmq
-rwxr-xr-x 1 root root        14380 Dez  6  2015 amavisd-status
-rwxr-xr-x 1 root root        19245 Dez  6  2015 amavis-mc
-rwxr-xr-x 1 root root        34311 Dez  6  2015 amavis-services
-rwxr-xr-x 1 root root       226976 Jun  7 04:19 clamav-milter
-rwxr-xr-x 1 root root       175784 Jun  7 04:19 clamd
lrwxrwxrwx 1 root root            8 Jun 14 16:51 mailq -> sendmail
-rwxr-xr-x 1 root root     16857128 Jun 14 01:56 mysqld
lrwxrwxrwx 1 root root            8 Jun 14 16:51 newaliases -> sendmail
-rwxr-xr-x 1 root root      1322336 Jun 14 21:23 nginx
-rwxr-xr-x 1 root root       241784 Mai  2 23:28 opendkim
-rwxr-xr-x 1 root root        66576 Mai  2 23:28 opendkim-atpszone
-rwxr-xr-x 1 root root         6445 Mai  2 23:28 opendkim-genkey
-rwxr-xr-x 1 root root        70768 Mai  2 23:28 opendkim-genzone
-rwxr-xr-x 1 root root        79088 Mai  2 23:28 opendkim-testkey
-rwxr-xr-x 1 root root        14568 Mai  2 23:28 opendkim-testmsg
-rwxr-xr-x 1 root root        14800 Jan 11  2016 pluginviewer
-rwxr-xr-x 1 root root       259096 Jun 14 16:51 postalias
-rwxr-xr-x 1 root root       189560 Jun 14 16:51 postcat
-rwxr-xr-x 1 root root       346712 Jun 14 16:51 postconf
-rwxr-sr-x 1 root postdrop   271616 Jun 14 16:51 postdrop
-rwxr-xr-x 1 root root       176600 Jun 14 16:51 postfix
-rwxr-xr-x 1 root root       176600 Jun 14 16:51 postkick
-rwxr-xr-x 1 root root       180728 Jun 14 16:51 postlock
-rwxr-xr-x 1 root root       176760 Jun 14 16:51 postlog
-rwxr-xr-x 1 root root       259576 Jun 14 16:51 postmap
-rwxr-xr-x 1 root root       189408 Jun 14 16:51 postmulti
-rwxr-sr-x 1 root postdrop   267456 Jun 14 16:51 postqueue
-rwxr-xr-x 1 root root       193432 Jun 14 16:51 postsuper
-rwxr-xr-x 1 root root        12897 Jun 14 16:51 qshape.pl
-rwxr-xr-x 1 root root        73176 Jan 11  2016 saslauthd
-rwxr-xr-x 1 root root       247296 Jun 14 16:51 sendmail
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slapacl -> ../libexec/slapd
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slapadd -> ../libexec/slapd
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slapauth -> ../libexec/slapd
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slapcat -> ../libexec/slapd
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slapdn -> ../libexec/slapd
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slapindex -> ../libexec/slapd
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slappasswd -> ../libexec/slapd
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slapschema -> ../libexec/slapd
lrwxrwxrwx 1 root root           16 Jul 29 16:27 slaptest -> ../libexec/slapd
-rwxr-xr-x 1 root root        14664 Jan 11  2016 testsaslauthd

In my system I had all these files owned by zimbra:zimbra.

In addition, I recommend to run

Code: Select all

su - zimbra
postfix stop
postfix start

This shows you, if there are more and other files effected by wrong permissions. I had to change permissions of the following directory to eliminate all errors:

Code: Select all

chown root.root -Rh /opt/zimbra/common/libexec/
chown root.root /opt/zimbra/common/libexec

Attention!!

Do NOT run zmfixperms -extended!

This will reset all the changes above. This is bug number 2.

[bithammer]

A Bug has been filed now: https://bugzilla.zimbra.com/show_bug.cgi?id=106379.

Please up-vote this bug to get it fixed faster.

[DavideSJHS]

Hi Bithammer,
I have tried the solution you posted

There is a major bug in zmfixperms version 8.7! Actually there are two!

This is the temporary solution

Code: Select all

chown root:root -Rh /opt/zimbra/common/sbin/*
chown root:postdrop /opt/zimbra/common/sbin/postdrop
chown root:postdrop /opt/zimbra/common/sbin/postqueue
chmod g+s /opt/zimbra/common/sbin/postdrop
chmod g+s /opt/zimbra/common/sbin/postqueue

In my system I had all these files owned by zimbra:zimbra.

In addition, I recommend to run

Code: Select all

su - zimbra
postfix stop
postfix start

This shows you, if there are more and other files effected by wrong permissions. I had to change permissions of the following directory to eliminate all errors:

Code: Select all

chown root.root -Rh /opt/zimbra/common/libexec/
chown root.root /opt/zimbra/common/libexec

Attention!!

Do NOT run zmfixperms -extended!

This will reset all the changes above. This is bug number 2.

but unfortunately it didn't worked for me.
After changing the permission as you suggested (and NOT using zmfixperms) , i had run the command

Code: Select all

su - zimbra
postfix stop
postfix start

But returned the error

Code: Select all

postalias: fatal: open database /etc/aliases.lmdb: Permission denied

while still getting all the maildrop error message in the mail.log file.

Moreover after rebooting the server the things got worse with the message

Code: Select all

Aug 25 05:54:30 mail postfix/postqueue[4791]: fatal: Queue report unavailable - mail system is down
Aug 25 05:55:00 mail postfix/postqueue[5293]: fatal: Queue report unavailable - mail system is down
Aug 25 05:55:30 mail postfix/postqueue[5398]: fatal: Queue report unavailable - mail system is down
Aug 25 05:56:00 mail postfix/postqueue[6197]: fatal: Queue report unavailable - mail system is down

My installation is a fresh one and not an upgrade from a previous version, so the files/directory path may differ a little from someone who upgraded.



But if could be of help to anyone, i resolved my problem with the "poor man, but hey... it's work, solution (TM)" by launching again the zimbra installer and doing a 8.7 to 8.7 version upgrade keeping the config.
In this way the permission was fixed and no more error regarding postdrop

Davide

[whattheserver]

tried both the above steps to manually set perms for postfix and postdrop as well as tried running installer again


no errors when starting postfix as zimbra but same errors in maillog

permisssions denied


wondering if there is another workaround?

any more updates on this i desperately need to get this production server working

update got this from bugzilla email

Code: Select all

 Rick King 2016-09-13 17:02:46 UTC

To manually correct the permissions for postqueue and postdrop, run as root...

chown root:postdrop /opt/zimbra/common/sbin/postqueue

chown root:postdrop /opt/zimbra/common/sbin/postdrop

chmod g+s /opt/zimbra/common/sbin/postqueue

chmod g+s /opt/zimbra/common/sbin/postdrop

Switch to zimbra user...

su - zimbra

postfix check   <<== there should be no output

[Gram]

After upgrading to 8.7 queue browsing (summary counters and details) doesnt work.

Logs shows errors:
Jul 15 15:45:30 mail1 postfix/postqueue[25522]: fatal: Connect to the Postfix showq service: Permission denied

I already tried fixing permissions with below commands (as root), but no change:
/opt/zimbra/libexec/zmfixperms
/opt/zimbra/libexec/zmfixperms -extended

EDIT:
Additionally I need to run zmfixperms after every zmcontrol restart, because of errors with storing message in queue!

Jul 15 16:30:03 mail1 postfix/postdrop[7889]: warning: mail_queue_enter: create file maildrop/370137.7889: Permission denied
Jul 15 16:30:13 mail1 postfix/postdrop[7889]: warning: mail_queue_enter: create file maildrop/378964.7889: Permission denied
Jul 15 16:30:23 mail1 postfix/postdrop[7889]: warning: mail_queue_enter: create file maildrop/402504.7889: Permission denied

I was running into the same series of errors after upgrading to Zimbra 8.7.

Initially I modified the maildrop folder permissions to be slightly more relaxed (as root: chmod 733 /opt/zimbra/data/postfix/spool/maildrop). I noticed that a file owned by zimbra:zimbra was created successfully moments later but the Connect to the Postfix showq service: Permission denied error persisted, so I restored the maildrop folder permission (as root: chmod 730 /opt/zimbra/data/postfix/spool/maildrop) then tried adding the zimbra user to the postdrop group instead.

Code: Select all

$ su root
# usermod -a -G postdrop zimbra
# su zimbra
$ zmcontrol restart

The postdrop and postqueue permission denied error no longer appears in zimbra.log. In looking at the maildrop folder permissions the zimbra user should have had write access already, since the zimbra user is a member of the postfix group. There's probably some other access postdrop has that I'm unaware of. But presumably it's safe to add the zimbra user to the postdrop group, considering the much wider reach the zimbra user already has. Correct me if I'm wrong though please!

Running /opt/zimbra/libexec/zmfixperms -extended or /opt/zimbra/libexec/zmfixperms has not reverted my change in group membership, and the change persisted through a reboot, by the way.

[eMC]

I had the same problems on a clean install of Zimbra 8.7.1 on Ubuntu 16.04.
Right now the permission denied problems are fixed using the suggested chown in the other posts.
But what I have seen afterwards that there are a lot of symbolic links which will get a postfix check warning:
www /postfix-script[13003]: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/sssvlv-2.4.so.2

The Zimbra install script is maybe setting some wrong persmissions for postfix and the zmfixperms will not fix them.

[jmaillar]

I had the same problems on a clean install of Zimbra 8.7.1 on Ubuntu 16.04 running inside a Proxmox KVM virtual machine.
The fresh install work great from the beginning (one week) and problems start after using for the first time zmfixperms script :-/

Adding zimbra user to the postdrop group work for me.

Code: Select all

sudo adduser zimbra postdrop

I have fixed perm's like whattheserver say but running postfix check as zimbra user give me lot of right problem :

Code: Select all

sudo -u zimbra -i postfix check
postalias: fatal: open database /etc/aliases.lmdb: Permission denied
postsuper: warning: bogus file name: maildrop/871634.1141
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/.
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./post-install
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./spawn
(... 177 others "warning: not owned by root:"  ...)
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./dnsblog
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./smtpd

So, I won't try removing zimbra from postdrop group before zmfixperms do his job in the right way... Anyone know the existence of a patch for that script ?