Hello community,
the following problem appears when creating or modifying rules of another user "B" in the g-web app settings-gui within the login-context of user "A":
Assuming:
- user "A" has sufficient access rights to the mailbox of user "B".
- twostep-ruleproc is enabled
If user "B" had a working rules-table before, adding new rules or modifying existing rules of "B" in the login-context of user "A" will render the rules-table of "B" non-functional.
Whereas changing the rules does not issue any error, rule-processing on incoming mails fails with "Insufficient access rights to perform the operation".
The process is reversible if the rules-table of "B" is rewritten (a simple rename of one rule's name is sufficient) in the login-context of rules-owner "user B".
It's not exactly clear yet whether the problem is caused by grommunio-web/phpmapi or gromox-rules-processor, but logging shows that rule-execution is terminated due to a permission-error returned by gromox/ruleproc.cpp exmdb_local_rules_execute(..).
Log #1: delivery of a message from user_a to user_b, rules-table written by owner-user_b, move-rule does apply:
<6>2025-08-26T14:30:20 QID 26/MID 0/before_delivery: from=<user_a@umgfoin.de> subj=<*****Spam***** *****Spam***** Industrielackierer ab 01.09.2025 bundesweit verfügbar – Verstärken Sie Ihr Team mit Erfahrung und Präzision> attachments=0
<6>2025-08-26T14:30:20 QID 26/MID 197713/after_delivery: from=<user_a@umgfoin.de> subj=<*****Spam***** *****Spam***** Industrielackierer ab 01.09.2025 bundesweit verfügbar – Verstärken Sie Ihr Team mit Erfahrung und Präzision> attachments=0
<6>2025-08-26T14:30:20 SMTP message queue-ID: 26, FROM: user_a@umgfoin.de, TO: user_b@umgfoin.de message /var/lib/gromox/user/umgfoin.de/user_b/eml/1756211420.l26.postamt.umgfoin.de was delivered OK
<6>2025-08-26T14:30:20 Rule_Condition RES_CONTENT{FL_SUBSTRING,FL_IGNORECASE,7d001fh,PT_UNICODE{[17]="X-Spam-Flag: Yes,"}}
<6>2025-08-26T14:30:20 Rule_Condition RES_CONTENT{FL_SUBSTRING,FL_IGNORECASE,37001fh,PT_UNICODE{[14]="*****Spam*****"}}
<6>2025-08-26T14:30:20 Rule_Action ACTION_BLOCK{MOVE{same?=1,folder={fid=0x17,mid=0x0,inst=0}}}
Log #2: delivery of a message from user_a to user_b, identical rules-table as above, but re-written through user_a for user_b in g-web settings, move-rule would apply:
<6>2025-08-26T14:32:00 QID 27/MID 0/before_delivery: from=<user_a@umgfoin.de> subj=<*****Spam***** *****Spam***** Industrielackierer ab 01.09.2025 bundesweit verfügbar – Verstärken Sie Ihr Team mit Erfahrung und Präzision> attachments=0
<6>2025-08-26T14:32:00 QID 27/MID 197714/after_delivery: from=<user_a@umgfoin.de> subj=<*****Spam***** *****Spam***** Industrielackierer ab 01.09.2025 bundesweit verfügbar – Verstärken Sie Ihr Team mit Erfahrung und Präzision> attachments=0
<6>2025-08-26T14:32:00 SMTP message queue-ID: 27, FROM: user_a@umgfoin.de, TO: user_b@umgfoin.de message /var/lib/gromox/user/umgfoin.de/user_b/eml/1756211520.l27.postamt.umgfoin.de was delivered OK
<6>2025-08-26T14:32:00 Rule_Condition RES_CONTENT{FL_SUBSTRING,FL_IGNORECASE,7d001fh,PT_UNICODE{[17]="X-Spam-Flag: Yes,"}}
<6>2025-08-26T14:32:00 Rule_Condition RES_CONTENT{FL_SUBSTRING,FL_IGNORECASE,37001fh,PT_UNICODE{[14]="*****Spam*****"}}
<6>2025-08-26T14:32:00 Rule_Action ACTION_BLOCK{MOVE{same?=0,store=1b55fa20aa6611cd9bc800aa002fc45a,user_b@umgfoin.de,/o="KatznvoglDadeifen GmbH"/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=080000001f000000-info},folder=0000000050abd6904589cf489cb9893ddb5dcba601001f000000a5187b6facdcea2ed03c46470000000000170000}}
<2>2025-08-26T14:32:00 TWOSTEP ruleproc unsuccessful: Insufficient access rights to perform the operation
An identical problem was described some time ago by @MichaelN, but received no further attention.
gromox: git-prime: gromox-2.48-65-gb713f6364
g-web: git-master: grommunio-web-3.14-12-g4650cd656
Best regards,
umgfoin.
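Added example, not part of the original post and not gromox code: in the two logs above, the MOVE action is written as `same?=1` with a folder id in Log #1 and as `same?=0` with a store and folder entry id in Log #2, and only Log #2 ends in the TWOSTEP error. The sketch below scans a log for deliveries showing that combination. The sample lines are constructed (shortened from the post, ids replaced by placeholders), and it assumes the rule lines of one delivery directly follow its `after_delivery` line.

```python
import re

# Constructed sample, shortened from the two logs in the post; STORE-ID and
# FOLDER-ENTRYID are placeholders, the addresses are made up.
SAMPLE_LOG = """\
<6>2025-08-26T14:30:20 QID 26/MID 197713/after_delivery: from=<user_a@example.org> subj=<test> attachments=0
<6>2025-08-26T14:30:20 Rule_Action ACTION_BLOCK{MOVE{same?=1,folder={fid=0x17,mid=0x0,inst=0}}}
<6>2025-08-26T14:32:00 QID 27/MID 197714/after_delivery: from=<user_a@example.org> subj=<test> attachments=0
<6>2025-08-26T14:32:00 Rule_Action ACTION_BLOCK{MOVE{same?=0,store=STORE-ID,user_b@example.org,folder=FOLDER-ENTRYID}}
<2>2025-08-26T14:32:00 TWOSTEP ruleproc unsuccessful: Insufficient access rights to perform the operation
"""

DELIVERY = re.compile(r"QID (\d+)/MID (\d+)/after_delivery")
MOVE = re.compile(r"Rule_Action ACTION_BLOCK\{MOVE\{same\?=([01])")
FAILURE = re.compile(r"TWOSTEP ruleproc unsuccessful: (.+)$")


def summarize(log_text):
    """Return one dict per delivery: qid, mid, MOVE encodings seen, ruleproc error."""
    deliveries = []
    current = None
    for line in log_text.splitlines():
        if m := DELIVERY.search(line):
            current = {"qid": int(m[1]), "mid": int(m[2]), "moves": [], "error": None}
            deliveries.append(current)
        elif current is None:
            continue  # rule lines before any delivery marker cannot be attributed
        elif m := MOVE.search(line):
            # same?=1 -> folder id only; same?=0 -> store plus folder entry id
            current["moves"].append("same-store" if m[1] == "1" else "store-qualified")
        elif m := FAILURE.search(line):
            current["error"] = m[1].strip()
    return deliveries


def suspect_deliveries(log_text):
    """Deliveries matching the post's pattern: store-qualified MOVE and a ruleproc failure."""
    return [d for d in summarize(log_text)
            if d["error"] and "store-qualified" in d["moves"]]


if __name__ == "__main__":
    for d in suspect_deliveries(SAMPLE_LOG):
        print(f"QID {d['qid']} MID {d['mid']}: {d['error']}")
```

On a busy server the lines of concurrent deliveries can interleave, so a hit is a pointer to the mailbox whose rules-table to inspect, not proof of the cause.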