Hi everyone, I've noticed that spam keeps getting through. rspamd scans, but doesn't take any action. ... In the logs I see entries like this: Code: 02-16T03:41:49.494934+01:00 srv1 dovecot: lmtp([email protected])<3644379><LEoyHe2DkmnbmzcAz1nDYA>: Error: sieve: open: failed to open: open(/var/vmail/domain.tld/vorstand/.ispconfig-before.svbin) failed: Permission denied (euid=10004(web4) egid=5000(vmail) missing +r perm: /var/vmail/domain.tld/vorstand/.ispconfig-before.svbin) 2026-02-16T03:41:49.495014+01:00 srv1 dovecot: lmtp([email protected])<3644379><LEoyHe2DkmnbmzcAz1nDYA>: Error: sieve: storage ispconfig_before: file: script '.ispconfig-before': Failed to open sieve script: open(/var/vmail/domain.tld/vorstand/.ispconfig-before.sieve) failed: Permission denied (euid=10004(web4) egid=5000(vmail) missing +r perm: /var/vmail/domain.tld/vorstand/.ispconfig-before.sieve) 2026-02-16T03:41:49.495069+01:00 srv1 dovecot: lmtp([email protected])<3644379><LEoyHe2DkmnbmzcAz1nDYA>: Error: sieve: .ispconfig-before: parse failed 2026-02-16T03:41:49.495123+01:00 srv1 dovecot: lmtp([email protected])<3644379><LEoyHe2DkmnbmzcAz1nDYA>: Error: sieve: Failed to open script 'ispconfig_before/.ispconfig-before' for compile 2026-02-16T03:41:49.500004+01:00 srv1 dovecot: lmtp([email protected])<3644379><LEoyHe2DkmnbmzcAz1nDYA>: sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX' I have manually blocked (blacklisted) the domain from the sender "takute.com.tr" using a rule. Could that be the cause? What permissions should the .ispconfig* files have?
The script should be owned by the user and group vmail and not the user web4. Please try to change the user of that file to see if the error goes away then.
I set the "Website Linux UID for mailboxes" option during server setup. The permissions themselves seem to be correct. Code: /var/vmail/domain.tld/vorstand # ls -la total 32 drwx--x--- 4 web4 vmail 4096 Feb 15 23:28 . drwx--x--- 8 vmail vmail 4096 Feb 14 09:49 .. -rwx--x--- 1 vmail vmail 1229 Feb 15 23:28 .ispconfig-before.sieve -rwx--x--- 1 vmail vmail 952 Feb 15 23:28 .ispconfig-before.svbin -rwx--x--- 1 vmail vmail 363 Feb 15 23:28 .ispconfig.sieve -rwx--x--- 1 vmail vmail 380 Feb 15 23:28 .ispconfig.svbin drwx--x--- 10 web4 vmail 4096 Feb 16 05:04 Maildir drwx--x--- 2 web4 vmail 4096 Feb 7 11:19 sieve On another email account where I haven't encountered this error, the permissions look like this: Code: # ls -la total 32 drwx--x--- 4 web4 vmail 4096 Feb 7 11:24 . drwx--x--- 8 vmail vmail 4096 Feb 14 09:49 .. -rwx--x--- 1 web4 vmail 573 Feb 7 11:24 .ispconfig-before.sieve -rwx--x--- 1 web4 vmail 535 Feb 7 11:24 .ispconfig-before.svbin -rwx--x--- 1 web4 vmail 363 Feb 7 11:24 .ispconfig.sieve -rwx--x--- 1 web4 vmail 380 Feb 7 11:24 .ispconfig.svbin drwx--x--- 9 web4 vmail 4096 Feb 16 08:37 Maildir drwx--x--- 2 web4 vmail 4096 Feb 7 11:24 sieve
I won't recommend using that option and its off by default for good reasons. It is a very old backwards compatibility setting for ISPConfig 2 and is not used or tested anymore for 10+ years. Using it makes your emails available to the website user, so if e.g. a WordPress site gets hacked, the hacker gets access to all emails, which would be very bad as you removed the security barrier between email and website system.
Okay, I understand. Wouldn't it make sense to include a corresponding note with the option? Does that mean I should delete all the mailboxes, deactivate the option, and then recreate them?
The option says that you make emails available to the website user UID, which implies that the web user, or anyone having access to the site, has email access. But we might add a more prominent warning. In general, ISPConfig is already delivered with recommended defaults, so when you change something, you should consider that your settings is probably worse in one way or another than what you got as default. No. You can change the option and then run: Code: chown -R vmail:vmail /var/vmail to recursively change the owner of all files and folders.
Yes, a warning/notification for that option would certainly be helpful, especially for others who might encounter the same problem. Alternatively, the checkbox could be hidden or disabled and only enabled when needed via a configuration change. When I try to disable the option on a running server where mail accounts are already enabled, I get the message "UID mapping can only be switched if no mail users have been created yet."
