Snappymail permissions issue again

pluto · May 18, 2026, 3:58am

On accessing the webmail address on a Hestia server, I’m immediately shown
SnappyMail can not access the data folder “/var/lib/snappymail/data/”

I’ve checked and reset the ownership as per previous posts.
chown -R hestiamail:www-data /etc/snappymail/data

When that didn’t work I tried to set sensible permissions
find /var/lib/snappymail/data/ -type d -exec chmod 755 {} +
find /var/lib/snappymail/data/ -type f -exec chmod 644 {} +

That’s also not working. I’ve temporarily set the webmail client back to roundcube. If anyone has a fix, please share. Will keep looking myself too.

pluto · May 18, 2026, 4:24am

Not sure if its related, but v-add-sys-snappymail is also timing out at this command.
wget ``https://snappymail.eu/repository/latest.tar.gz`` --retry-connrefused --quiet -O /var/lib/snappymail/snappymail-latest.tar.gz

Was trying to install on a separate server to verify if it was broken on all of them.

This URL is working. Last update was in 2024
https://github.com/the-djmaze/snappymail/releases/download/v2.38.2/snappymail-2.38.2.tar.gz

sahsanu · May 18, 2026, 8:12am

The problem is not permissions, but a new directive added to the systemd service in the latest sury’s PHP versions.

❯ systemctl cat php8.4-fpm.service | grep -E '^Protect|^Private|Restrict'
ProtectSystem=full
PrivateDevices=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true

Specifically, ProtectSystem=full mounts /usr, /boot, /efi, and /etc as read-only for invoked processes, and in this case the issue is /etc.

I’ve created a script to add an exception for /etc/snappymail/data/. Basically, the script creates an override conf for the default PHP version and adds the following directive:

[Service]
ReadWritePaths=/etc/snappymail/data/

To fix the issue:

curl -fsSLm30 https://7j.gg/fixsnap | sudo bash -s --

pluto · May 19, 2026, 1:34am

Wow, nice detective work. I would not have found that. I figured it must have been a recent update, but as snappymail hasn’t updated since 2024, I couldn’t figure it out.

I’ve always been a bit sceptical of how snappymail put the data file in /etc/ … for me that should just be config, so the sury decision actually seems correct. But as that’s a symlink to /var/lib/snappymail/data maybe we could use that path instead?

Might even be time to look for a replacement to snappymail as its development seems to have stalled. cypht?

sahsanu · May 19, 2026, 3:06am

Yes, indeed, you can do it right now:

rm /var/lib/snappymail/data
mv /etc/snappymail/data /var/lib/snappymail/

Implementing it in Hestia will require a few extra steps: modifying the add/delete scripts and other places that reference /etc/snappymail/, as well as creating a migration script during Hestia update for existing configs. It’s not difficult, but it needs to be done… unless we use the workaround for the phpX.Y-fpm systemd service.

Cypht looks good, and so does Nexmail, but I haven’t checked whether it’s easy to automate the installation or include the password change plugin.

sahsanu · May 24, 2026, 5:43pm

I’ve created this PR to move SnappyMail conf file from /etc/snappymail/ to /var/lib/snappymail/ and fixed a couple of bugs related to SnappyMail too.

github.com/hestiacp/hestiacp

refactor(snappymail): move config to /var/lib/snappymail and support hardened PHP-FPM (#5344)

main ← sahsanu:fix-snappymail-with-new-php-services

opened 05:41PM - 24 May 26 UTC

sahsanu

+47 -46

**1.-** Move SnappyMail configuration and data to `/var/lib/snappymail` to suppo…rt recent PHP-FPM systemd hardening changes (`ProtectSystem=full`). With newer PHP versions, keeping SnappyMail data under `/etc/snappymail` causes permission errors. While a systemd override using `ReadWritePaths=/etc/snappymail/data` is possible, migrating the configuration avoids additional overrides and ensures compatibility with newer and hardened PHP-FPM services. **2.-** Update SnappyMail download URL from snappymail.eu to GitHub releases because snappymail.eu has been unavailable for several days, making installations impossible. This change restores reliable installation by switching to the official GitHub release distribution. **3.-** Replaced `/etc/snappymail` to `/var/lib/snappymail` in several scripts and functions. **4.-** Fix SnappyMail plugin configuration issues: - Preserve indentation in sed replacements for hestia_host and hestia_port - Fix hestia_port sed command which was incorrectly replacing with hestia_host - Use correct argv index ($argv[5]) for BACKEND_PORT, previously using $argv[4] (DB password) - Cast hestia_port to int so json_encode writes it as a number instead of a string - Fix json_decode call to use file_get_contents() instead of passing a file path directly Modified files: ``` bin/v-add-sys-snappymail bin/v-change-sys-hostname bin/v-change-sys-port bin/v-delete-sys-snappymail docs/docs/server-administration/email.md func/upgrade.sh install/common/snappymail/install.php install/upgrade/versions/1.9.5.sh ``` Tested in Debian 12; Fresh install and upgrade from Hestia 1.9.4. Post in forum: https://forum.hestiacp.com/t/snappymail-permissions-issue-again/21771 Fixes #5337