On 11.10.18 14:02, Laura Smith wrote:
> To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later is it?
I use the following on several Dovecot-plus-Postfix servers, and they all work fine:
# /etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/dovecot-auth {
  user = postfix
  group = postfix
  mode = 0660
}
# /etc/postfix/master.cf
# Remove line breaks on the value-side, I only added them for readability!
submission inet n - n - - smtpd
  -o relay_clientcerts=${indexed}relay_clientcerts
  -o smtpd_sender_login_maps=${indexed}submission_login_maps
  -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,
       permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,
       permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_tls_clientcerts,
       reject_sender_login_mismatch,
       permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_path=private/dovecot-auth
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=may
  -o syslog_name=postfix/submission
[...]
Note that this configuration only allows authentication via port 587 (submission), not port 25 (smtp). By convention, that's how it should be. Also, I allow authentication using either SASL or client-side SSL certificates, so you could remove all *cert* settings. If you don't use sender login maps, remove those settings as well.
-Ralph
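
The following is an added example, not part of the original message: a small auditor for the master.cf policy the reply describes (SASL on submission only, restriction lists ending in reject, no value left split across lines). The function names and the sample are constructed for illustration, and it reads only the `-o` overrides in master.cf, so settings made globally in main.cf are not seen.

```python
def parse_master_cf(text):
    """Map 'service/type' to (-o overrides, tokens not introduced by -o)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                       # blank line or comment
        if raw[0].isspace() and logical:   # leading whitespace continues an entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = {}
    for fields in (line.split() for line in logical):
        opts, stray, prev = {}, [], None
        for tok in fields[8:]:             # args follow the 8 fixed columns
            if prev == "-o" and "=" in tok:
                opts.update([tok.split("=", 1)])
            elif tok != "-o":
                stray.append(tok)
            prev = tok
        if len(fields) >= 8:
            services[f"{fields[0]}/{fields[1]}"] = (opts, stray)
    return services

def audit(text):
    """Findings for the policy in the post: SASL on 587 only, lists end in reject."""
    findings = []
    for svc, (opts, stray) in parse_master_cf(text).items():
        if stray:
            findings.append(f"{svc}: stray token {stray[0]!r}, value split across lines?")
        if svc == "smtp/inet" and opts.get("smtpd_sasl_auth_enable") == "yes":
            findings.append(f"{svc}: SASL enabled on port 25")
        if svc != "submission/inet":
            continue
        # Postfix's built-in default is noanonymous; flag only an override that drops it.
        if "noanonymous" not in opts.get("smtpd_sasl_security_options", "noanonymous").split(","):
            findings.append(f"{svc}: noanonymous not set")
        for kind in ("client", "relay", "recipient"):
            value = opts.get(f"smtpd_{kind}_restrictions", "")
            if value and value.split(",")[-1] != "reject":
                findings.append(f"{svc}: smtpd_{kind}_restrictions does not end in reject")
    return findings

SAMPLE = """\
# constructed sample, not from the original post
smtp inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,
       permit_sasl_authenticated,reject
"""
```

Calling `audit(SAMPLE)` reports the port 25 override and the restriction value that was left broken across two lines; joining that value onto one line and dropping the smtp override clears the findings.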