Quota Warning Notifications for Full Mailboxes Not Working (Dovecot / Open-Xchange)
Problem:
Quota warning notifications for full mailboxes are not sent as expected.
In the system logs, Dovecot reports a permission error while processing the quota warning configuration.
The following error can be found in the /var/log/syslog:
root@mailUCS:~ # zgrep 'Permission denied' /var/log/syslog
/var/log/syslog.2.gz:Jan 7 13:18:38 srvmail dovecot: quota-warning: Error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/90-acl.conf line 0: Couldn't open include file /etc/dovecot/conf.d/30-ox-push-notifications.conf: Permission denied
As a result, quota warning handling in Dovecot fails and no notification emails are generated.
Root Cause
This issue is caused by incorrect file ownership and/or permissions of the Dovecot configuration file used for Open-Xchange push notifications.
The problem is tracked in the Univention Bugzilla:
Dovecot processes quota warnings using the effective user/group of the Dovecot service. If the referenced configuration file is not readable by the expected group, Dovecot aborts processing with a Permission denied error.
Investigation and Analysis
The affected configuration file is:
/etc/dovecot/conf.d/30-ox-push-notifications.conf
Default file permissions:
ls -lsa /etc/dovecot/conf.d/30-ox-push-notifications.conf
4 -rw-r----- 1 root dovecot 853 Dez 20 09:56 30-ox-push-notifications.conf
Although the file is readable by the dovecot group, the quota warning mechanism expects the file to be accessible by the dovemail group instead.
The intended ownership and permissions are defined in the Univention template metadata:
cat /etc/univention/templates/info/univention-mail-dovecot-ox.info
Relevant excerpt:
Type: file
File: etc/dovecot/conf.d/30-ox-push-notifications.conf
Variables: ox/cfg/server.properties/com.openexchange.rest.services.basic-auth.login
Variables: ox/cfg/server.properties/com.openexchange.rest.services.basic-auth.password
User: root
Group: dovecot
Mode: 640
Due to the incorrect group assignment, Dovecot is unable to read the configuration file during quota warning execution.
Possible Workarounds:
Option 1: Correct File Ownership Manually (Quick Fix)
Adjust the group ownership of the configuration file so it is readable by the dovemail group:
chown :dovemail /etc/dovecot/conf.d/30-ox-push-notifications.conf
Verify the result:
ls -lah /etc/dovecot/conf.d/30-ox-push-notifications.conf
-rw-r----- 1 root dovemail 853 Jan 18 22:14 /etc/dovecot/conf.d/30-ox-push-notifications.conf
This change immediately restores quota warning functionality but may be overwritten by future UCR commits or package updates.
Option 2: Fix via Univention Template:
To ensure the correct permissions are applied, update the template info file.
Edit the following file:
vim /etc/univention/templates/info/univention-mail-dovecot-ox.info
Update the relevant section as shown below:
Type: file
File: etc/dovecot/conf.d/30-ox-push-notifications.conf
Variables: ox/cfg/server.properties/com.openexchange.rest.services.basic-auth.login
Variables: ox/cfg/server.properties/com.openexchange.rest.services.basic-auth.password
User: root
Group: dovemail
Mode: 644
Apply the changes using UCR:
ucr commit /etc/dovecot/conf.d/30-ox-push-notifications.conf
This ensures that the configuration file is regenerated with the correct ownership and permissions and remains consistent across updates.
Verify the result:
ls -lah /etc/dovecot/conf.d/30-ox-push-notifications.conf
-rw-r--r-- 1 root dovemail 853 Jan 18 22:14 /etc/dovecot/conf.d/30-ox-push-notifications.conf
Conclusion
Quota warning notifications may fail if Dovecot cannot access the Open-Xchange push notification configuration due to incorrect file permissions.
Correcting the group ownership to dovemail, preferably via the Univention template mechanism, resolves the issue and prevents reoccurrence.