File Permissions and Users

Server cannot access the mail storage or cannot start at all

Issue cause

File and user permissions are incorrect

Solution

It is well known that network servers of any kind should not run with higher privileges than they need; in particular, running any server as root is a very risky practice. On the other hand, any mail server needs to bind and listen for connections on privileged ports (below 1024), and this action normally requires root privileges.
To solve this problem, starting with version 1.1.0 the AXIGEN daemon binds the privileged ports as root and then changes its user and group to axigen:axigen by default, or to other values specified on the command line.
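
The mechanism described above, written out as an added example (this is not AXIGEN's own code): bind the listener while still root, then drop to an unprivileged user and group in the order setgroups, setgid, setuid, and verify afterwards that root cannot be regained. The user and group names, the default port, and the function names lookup_ids, bind_listener and drop_privileges are the example's own assumptions. Run by a regular user with a target group other than its own, the drop fails at setgid with EPERM, which is the "Operation not permitted" situation covered under "Alternate configurations" below.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve user and group names (e.g. "axigen", "axigen") to numeric ids.
 * Returns 0 on success, -1 if either name is unknown on this system. */
int lookup_ids(const char *user, const char *group, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = gr->gr_gid;
    return 0;
}

/* Create a TCP listening socket on all interfaces for the given port.
 * Ports below 1024 need root, so this must run before the privilege drop.
 * Returns the socket descriptor, or -1 with errno set. */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to uid:gid. The order matters:
 *   1. setgroups() - clear root's supplementary groups (only possible while still root)
 *   2. setgid()    - group before user, since a non-root user cannot change its group
 *   3. setuid()    - finally give up root itself
 * Then confirm the drop took effect and cannot be undone. Returns 0 or -1 (errno set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* If we came from root, getting it back must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./drop_demo [user] [group] [port]; defaults mirror the axigen:axigen setup. */
    const char *user = argc > 1 ? argv[1] : "axigen";
    const char *group = argc > 2 ? argv[2] : "axigen";
    uint16_t port = (uint16_t)(argc > 3 ? atoi(argv[3]) : 25);
    uid_t uid;
    gid_t gid;
    if (lookup_ids(user, group, &uid, &gid) != 0) {
        fprintf(stderr, "ERROR: User '%s' or group '%s' not found\n", user, group);
        return 1;
    }
    int fd = bind_listener(port);
    if (fd < 0) {
        fprintf(stderr, "ERROR: cannot bind port %u: %s\n", (unsigned)port, strerror(errno));
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "ERROR: cannot drop privileges to %s:%s: %s\n", user, group, strerror(errno));
        return 1;
    }
    printf("listening on port %u as uid=%u gid=%u\n", (unsigned)port, (unsigned)getuid(), (unsigned)getgid());
    close(fd);
    return 0;
}
```

The verification step after setuid is the part most often left out: on Linux, setuid() from root clears the saved set-user-id as well, so setuid(0) must fail once the drop is complete; if it succeeds, the process never really gave up root and should exit rather than continue serving.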

* Upgrading from version 1.0.x
Versions 1.0.x and earlier did not drop privileges, so all files and folders created by the server are owned by root. Upon upgrading to version 1.1, users might find that their domain databases (and all the domains and users they contain) are no longer available, and that manual registration of these DDBs fails. These error messages are printed in the system log:

ERROR: DomainManager: cannot open DDB '/var/opt/axigen/domains'
WARNING: DomainManager: cannot add DDB from location '/var/opt/axigen/domains'

Alternatively, the DDBs are registered but contain no domains, or users cannot authenticate:

IMAP:00000003: An error has occured while getting account. User user@example.org cannot be authenticated!

To regain access to these DDBs and accounts, proper file ownership must be set. Log in as root and issue a command similar to:

# chown -R axigen:axigen /var/opt/axigen/

Repeat this for each folder containing domain databases, and for each domain and account storage location. After this, register the DDBs again using the WebAdmin or CLI services, save the new configuration, and restart the server.
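
A check worth running before re-registering the DDBs, added here as an example and not taken from AXIGEN: walk a storage tree and count (optionally list) every entry not owned by the expected user and group, so a missed folder shows up before the server is restarted. The function names count_wrong_owner and make_sample_tree are the example's own; make_sample_tree builds a small constructed directory under /tmp purely so the check can be exercised without a real installation.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <ftw.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* nftw() passes no user data to its callback, so the expected ids and the
 * counters live in file-scope state that count_wrong_owner() sets up. */
static uid_t want_uid;
static gid_t want_gid;
static long wrong;
static int print_each;

static int check_entry(const char *path, const struct stat *st, int type, struct FTW *ftwbuf)
{
    (void)ftwbuf;
    /* FTW_NS means stat() failed, so ownership is unknown; treat that as a problem too. */
    if (type == FTW_NS || st->st_uid != want_uid || st->st_gid != want_gid) {
        wrong++;
        if (print_each) {
            if (type == FTW_NS)
                printf("%s  (cannot stat)\n", path);
            else
                printf("%s  uid=%u gid=%u\n", path, (unsigned)st->st_uid, (unsigned)st->st_gid);
        }
    }
    return 0; /* keep walking */
}

/* Count entries below root (root itself included) whose owner is not uid:gid.
 * Symlinks are not followed and the walk stays on one filesystem.
 * Returns the count, or -1 if the walk itself failed (e.g. root does not exist). */
long count_wrong_owner(const char *root, uid_t uid, gid_t gid, int verbose)
{
    want_uid = uid;
    want_gid = gid;
    wrong = 0;
    print_each = verbose;
    if (nftw(root, check_entry, 32, FTW_PHYS | FTW_MOUNT) != 0)
        return -1;
    return wrong;
}

/* Constructed sample data: a temporary directory holding a "domains" folder with
 * one file, owned by whoever runs this. Writes the path into buf (at least 64
 * bytes). Returns 0 on success, -1 on failure. */
int make_sample_tree(char *buf)
{
    char path[128];
    strcpy(buf, "/tmp/axigen-owner-check-XXXXXX");
    if (mkdtemp(buf) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/domains", buf);
    if (mkdir(path, 0750) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/domains/example.org", buf);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./owner_check [path] [user] [group]; defaults follow the page. */
    const char *root = argc > 1 ? argv[1] : "/var/opt/axigen";
    const char *user = argc > 2 ? argv[2] : "axigen";
    const char *group = argc > 3 ? argv[3] : "axigen";
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL) {
        fprintf(stderr, "unknown user '%s' or group '%s'\n", user, group);
        return 2;
    }
    long n = count_wrong_owner(root, pw->pw_uid, gr->gr_gid, 1);
    if (n < 0) {
        perror(root);
        return 2;
    }
    printf("%ld entries under %s not owned by %s:%s\n", n, root, user, group);
    return n == 0 ? 0 : 1;
}
```

An exit status of 1 with a non-empty listing means the chown above has not yet reached every storage location; a zero count is the state to have before registering the DDBs again and restarting.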

* axigen user/group missing
If the axigen user/group does not exist, the server will refuse to load and will log these lines in the system log:

ERROR: User 'axigen' not found
ERROR: Group 'axigen' not found
INFO: Server exited

To create the axigen user and group, log in as root and issue these commands (these actions are normally performed by the install package):

# groupadd -f -g 220 axigen
# useradd -g axigen -c "AXIGEN Mail Server" -s /bin/false -d "/dev/null" -u 220 axigen

Note: It is recommended to keep the user and group ids (220 in the commands above) below 999, since this is the range reserved for system accounts.

* Alternate configurations
Under normal operation, the axigen service must be started by root and will drop its privileges as described. If AXIGEN is started by a regular user, changing the user and group is not permitted by the operating system, and the server will exit with this error in the system log:

ERROR: Cannot drop group privileges from 'users' (id=100) to 'axigen' (id=220): Operation not permitted

A regular user wanting to start AXIGEN must specify their own user and group on the command line:

$ axigen -u john -g users

Of course, when started like this, AXIGEN will be unable to bind ports below 1024; to remove this limitation, the server binary must be suid root (not recommended):

# ls -l /opt/axigen/bin/axigen
-rwxr-x---  1 root root 19457092 Dec 29 16:41 /opt/axigen/bin/axigen
# chmod 4555 /opt/axigen/bin/axigen

Note: Before doing this, make sure you understand the full security implications of suid root binaries.