Issue dovecot / apparmor mail not being delivered

[Tosh]

I recently noticed that no mail was arriving. Mail lost shows dovecot failing to deliver messages.

This issue is mentioned in update#11
"On Ubuntu 16.04 x64 servers with Dovecot installed, mail could not be delivered if apparmor was enabled on the server. (PPP-26959)"

Server is fully up to date but this issue appears to still be present.

Plesk Version

Product version: Plesk Onyx 17.0.17 Update #11
    Update date: 2016/12/16 11:17
     Build date: 2016/11/17 16:00
     OS version: Ubuntu 16.04
       Revision: ab6766191d3ba26e7b21255ab007fc7fc56d84c6
   Architecture: 64-bit
Wrapper version: 1.2

systemctl restart dovecot

Dec 16 13:15:03 plesk systemd[1]: Stopped Dovecot IMAP/POP3 email server.
Dec 16 13:15:03 plesk systemd[1]: Starting Dovecot IMAP/POP3 email server...
Dec 16 13:15:04 plesk kernel: [ 7966.716984] audit: type=1400 audit(1481922904.005:268): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=18742 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Dec 16 13:15:04 plesk systemd[1]: dovecot.service: PID file /var/run/dovecot/master.pid not readable (yet?) after start: No such file or directory
Dec 16 13:15:04 plesk kernel: [ 7966.722493] audit: type=1400 audit(1481922904.009:269): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=18746 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Dec 16 13:15:04 plesk systemd[1]: Started Dovecot IMAP/POP3 email server.
Dec 16 13:15:04 plesk kernel: [ 7966.781501] audit: type=1400 audit(1481922904.069:270): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=18747 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Dec 16 13:15:04 plesk kernel: [ 7966.781523] audit: type=1400 audit(1481922904.069:271): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=18747 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
Dec 16 13:15:04 plesk kernel: [ 7966.786721] audit: type=1400 audit(1481922904.073:272): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=18748 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

aa-status

apparmor module is loaded.
56 profiles are loaded.
19 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/lxd/lxd-bridge-proxy
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/mysqld
   /usr/sbin/named
   /usr/sbin/tcpdump
   docker-default
   lxc-container-default
   lxc-container-default-cgns
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
37 profiles are in complain mode.
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
   klogd
   syslog-ng
   syslogd
7 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/mysqld (7612)
   /usr/sbin/named (1344)
5 processes are in complain mode.
   /usr/lib/dovecot/anvil (17902)
   /usr/lib/dovecot/auth (18604)
   /usr/lib/dovecot/log (17903)
   /usr/lib/dovecot/ssl-params (18605)
   /usr/sbin/dovecot (17901)
0 processes are unconfined but have a profile defined.

Things I have tried thus far that have not fixed the issue.

plesk repair mail
plesk repair install
change to courier and back to dovecot.
revert to backup from 12/10 and reinstall all missing updates

I understand that Plesk 17 supports apparmor and that it is required for docker.

Any other recommendations would be helpful.

 

[IgorG]

Try to fix it with

# plesk installer --select-release-current --reinstall-patch --upgrade-installed-components

Also show me output of following command:

# grep '/usr/lib/dovecot/dovecot-lda' /etc/apparmor.d/usr.lib.dovecot.dovecot-lda

 

[Tosh]

I apologize for the delay. I did not notice your response.

In the interim I had tried making manual changes to apparmor. Those did not work.
I then tried to remove apparmor lazily with a -y flag and it also remove Plesk (LOL).

Rolled the VM all the way back to 12/8 (oldest backup I had that was pre-patch). Email works properly. Applied all missing updates. Email broken again.

I found a Plesk support page regarding this, which no longer loads, this is a google cache link. I applied the first part earlier this week and email worked briefly but then stopped working again with the same original error.

Just now ran your reinstallation command. Did not resolve the issue.

I just noticed the second solution on the google link above regarding clearing the apparmor cache. Just performed that and it did not resolve the issue.

I ran your Plesk installer command. This did not resolve the issue either.

Output of your grep command

root@plesk:/etc/apparmor.d# grep '/usr/lib/dovecot/dovecot-lda' /etc/apparmor.d/usr.lib.dovecot.dovecot-lda
/usr/lib/dovecot/dovecot-lda flags=(complain,attach_disconnected) {
  /usr/lib/dovecot/dovecot-lda mrix,

Ran the Plesk installer command again. Email appears to be working. Rebooted server and it is still working.

I am assuming it must have been a combination of the apparmor cache clearing followed by the reinstallation of patches and such.

I will keep and eye on it as previous fixes would break after a bit

 

[ferhan1992]

I had someway the same error.
Solved it by removing apparmor.

Dovecot wasn't able to look up the email usernames in the database because it had no access to the file.
(File porperty and permissions were all ok)

There was a solution i found online where i had to modify the apparmor config to add the path of the database file.
It worked with this "workaround" but after a while the apparmor config got back to the version without my addition.
So finally i was forced to remove apparmor to receive mails again!

EDIT:

My error message was similar to this:
https://talk.plesk.com/threads/no-emails-can-be-recieved.340829/

but a restart didn't solved anything on my side

 

[Caspar]

I have the same issue.
What I noticed that just before the e-mail stops working Watchdog is reporting several services to "has been released from monitoring", which for me was the PHP-FPM, and the Plesk SpamAssassin. It also at that moment send that the SMTP (Postfix), Web Proxy (Nginx), Plesk PHP Engine, Flail2Ban, MySQL, PostgreSQL, Webs server (Apache), and Plesk Premium anti-virus has been started

Maybe it is watchdog together with apparmor which will give the issues?

I disabled apparmor, and restarted the services, and that it did work. After that I did the command "# plesk installer --select-release-current --reinstall-patch --upgrade-installed-components" twice, and re-enabled the apparmor again.

Will let you know if it will return. Note that I had it a few days ago as well, and then step 4 helped from this help page: https://support.plesk.com/hc/en-us/...-dovecot-auth-userdb-failed-Permission-denied

 

[Caspar]

Here is an update that the issue is not gone even after using the command "# plesk installer --select-release-current --reinstall-patch --upgrade-installed-components" .

 

[Tosh]

The issue seems to return after a reboot.

Found the following page while searching for an answer:
https://support.plesk.com/hc/en-us/...-dovecot-auth-userdb-failed-Permission-denied

The page has 4 steps.

I ran the command in step 1.
Step 2 did not match up to my files so I performed the the purge and install of plesk-dovecot-imap-driver described in step 3.

Sent a test email and it was delivered.
rebooted the server, sent a second test email and the issue had returned.

Ran the command in step 4, sent a test email and it delivered.
rebooted the server, sent another test message and that one delivered as well.

Is the issue resolved? Not sure, but it at least survived a reboot. I'll keep and eye on it.

 

[jb_alvarado]

Hello Everybody,
I have here the same problem - is there a workaround? I try all the steps here, but it still not work. I got this error when I try to connect with an mail client.

Ubuntu 16.04.1
Onyx Version 17.0.17 Update-Nr. 14

When I run:

apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.dovecot.dovecot-lda​

I got:

kernel: [ 1911.535753] audit: type=1400 audit(1485895114.003:179): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/dovecot/dovecot-lda" pid=7446 comm="apparmor_parser"
kernel: [ 1911.544771] audit: type=1400 audit(1485895114.015:180): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail" pid=7446 comm="apparmor_parser"
​

Is that unconfined normal?

 

[Panagiotis]

I did experience the same problem with the latest update on Onyx 17.0.17 Update #21 on Ubuntu 16.04 Latest. I came up to this error after checking the postfix log. The problem is that everything was working fine and after an update this error occured. All messages where kept in queue and couldn't even have proper connection through SMTP. Plesk repair mail, repair installation didn't work.
This workaround fixed it:
Unable to receive an e-mails with Dovecot: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied

From my understanding if i restart or the next update comes up i will have to do the workaround again, since everything was working fine and after the latest updates this error emerged. We are hosting clients who need to access their e-mails and get alerts for new orders and stuff.

Of course another problem is with the ssl that even though it's not expired i have to go in and renew it every now and then so mail clients will recognise it. It looks like we have a frontend platform to manage our clients but instead of keeps our hands free, it keeps our hands tied and we have to do more and more the manual way as we would without a management platform.
If you can't provide stable releases that won't brake things do not advertise as the all-in-one solution that works on many platforms. Simply say for instance "Better to use an external mail server", "AWStats will probably not work unless you find the workaround", "We still have many issues with SSL Protocols and how to manage them".

I mean we get this annoying "Plesk Onyx 17.5 is now available" but even the release we are using (supposably stable) is not working for the basics. I know this post is not for complaints but when you spend so many time trying to find where the error was for a simple thing like mail when you haven't done anything and your reputation is compromised, you feel a bit angry.

 

[raykai]

im geting the same error now on Onyx 17.0.17 Update #21 on Ubuntu 16.04 was working fine befor this oudate.

Apr  5 13:14:01 vps102464 kernel: [ 4456.582145] audit: type=1400 audit(1491416041.971:270): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=4997 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

Apr  5 13:22:03 vps102464 kernel: [ 4938.512557] audit: type=1400 audit(1491416523.894:271): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/imap" pid=6598 comm="imap" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/imap-login"
Apr  5 13:22:03 vps102464 kernel: [ 4938.512579] audit: type=1400 audit(1491416523.894:272): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/imap-login" pid=6598 comm="imap" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/imap"
Apr  5 13:22:03 vps102464 kernel: [ 4938.515167] audit: type=1400 audit(1491416523.898:273): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=4997 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

any fix for plesk ?

Why has this broken down once again ?

i mean Onyx 17.0.17 Update #21 on Ubuntu 16.04 is suppose to be stable no ?

 

[IgorG]

BTW, FAQ - AppArmor

Anyway, could someone submit good report here - Reports ?

 

[B_P]

I just filed a report: Issues with AppArmor

 

[TorbHo]

Today we had the same problem again with one of our servers Ubuntu 16.04.6 LTS‬, Plesk Onyx Version 17.8.11 Update #70.

After the following commands, the problem was resolved:

service apparmor stop
service apparmor teardown
postqueue -f

Could the bug be back again after updating?