Struggling to get dovecot working with postfix auth
Hi,
I am trying to create an authenticated relay server using Postfix and Dovecot.
However I am having two problems :
(a) If I create a dovecot config entry as follows :
unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
  group = postfix
  mode = 0666
  user = postfix
}
Dovecot is unable to create the socket ? I thought surely if dovecot is started as root it should create the socket before dropping privileges ?
(b) The alternative method of TCP SASL is not working either:
250 DSN
ehlo localhost
250-foobar.example.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN <none_of_your_business>
535 5.7.8 Error: authentication failed:
and in the logs... 2018-10-11T10:17:40.491483+01:00 X postfix-authrelay/smtpd[18312]: warning: X[X]: SASL PLAIN authentication failed:
postconf
DOVECONF
On 11.10.18 11:30, Laura Smith wrote:
I suggest using "mode = 0660" instead.
Dovecot is unable to create the socket ?
What exactly do the logs show?
postconf -c /etc/postfix-authrelay | fgrep sasl
As described in http://www.postfix.org/DEBUG_README.html please use "postconf -n".
-Ralph
On Thursday, October 11, 2018 12:07 PM, Ralph Seichter <m16+dovecot@monksofcool.net> wrote:
Makes no difference.
Dovecot is unable to create the socket ?
What exactly do the logs show?
Erm, they show exactly what I posted earlier ?
2018-10-11T12:14:15.467791+01:00 X dovecot: master: Error: bind(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
2018-10-11T12:14:15.468094+01:00 X dovecot: master: Error: service(auth): net_listen_unix(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
2018-10-11T12:14:15.468216+01:00 X dovecot: master: Fatal: Failed to start listeners
alias_database =
alias_maps =
append_dot_mydomain = no
authorized_submit_users =
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix-authrelay
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix-authrelay
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = 198.51.100.168
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_default_action = accept
milter_mail_macros = i {mail_addr} {daemon_addr} {client_name} {auth_authen}
milter_protocol = 2
multi_instance_enable = yes
multi_instance_name = postfix-authrelay
mydestination =
mydomain = example.com
myhostname = X.example.com
mynetworks = 127.0.0.0/8,192.168.107.0/24,192.168.109.0/24
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:8891
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix-authrelay
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains =
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 198.51.100.168
smtp_sasl_auth_enable = no
smtpd_banner = $myhostname ESMTP
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = ${config_directory}/ssl_certs/star_example_com.pem
smtpd_tls_dh1024_param_file = ${config_directory}/ssl_certs/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/ssl_certs/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = ${config_directory}/ssl_certs/X_workremote_eu.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2,!TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = encrypt
smtputf8_enable = no
tls_eecdh_strong_curve = prime256v1
tls_preempt_cipherlist = yes
unknown_local_recipient_reject_code = 550
On 11.10.18 13:21, Laura Smith wrote:
I suggest using "mode = 0660" instead.
Makes no difference.
That was meant to increase security, not to fix your problem.
What exactly do the logs show?
Erm, they show exactly what I posted earlier ?
No. Earlier, you posted this:
2018-10-11T10:17:40.491483+01:00 X postfix-authrelay/smtpd[18312]: warning: X[X]: SASL PLAIN authentication failed:
That's just a warning about an authentication failure. Now this:
That's a permission error. Somewhere in your directory hierarchy things are off. See Postfix' set-permissions command.
-Ralph
That's a permission error. Somewhere in your directory hierarchy things are off. See Postfix' set-permissions command.
But surely if Dovecot is starting as root then directory permissions are relevant, especially if I'm then asking the config to chmod the file anyway?
To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later is it ?
You should probably check few things:
- check dmesg or /var/log/audit/audit.log for any possible security framework problems
- check namei -vl /var/spool/postfix-authrelay/private/dovecot-auth for anything strange
- there is *some* reason the socket is not bound into, dovecot creates these sockets as root.
Aki
On Thursday, October 11, 2018 1:29 PM, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Thanks. It ended up being an AppArmor issue. That's now fixed the socket gets created.
However, the first part of my problem described earlier still exists, namely:
2018-10-11T15:58:41.230340+01:00 X postfix-authrelay/smtpd[21297]: warning: X.example.com[X]: SASL PLAIN authentication failed:
I was hoping going via the socket instead of TCP might fix it, but apparently not. ;-(
IF you see apparmor problems or suspect it might be an apparmor issue:
- run auditd
- check /var/log/audit/audit.log
For this specific case, those socket paths are allowed for dovecot:
/var/spool/postfix/private/auth
/var/spool/postfix/private/dovecot-auth
/var/spool/postfix/private/dovecot-lmtp
hth
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
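One way to run the checks Aki and darix describe over audit.log output, as an added example that is not code posted in this thread: it lists AppArmor denials for a unix_listener path and reports whether that path is among the socket paths darix lists as allowed by the stock Dovecot profile. The audit lines are constructed samples modelled on the AppArmor AVC record format; the allowed-path list is taken from darix's message.

```shell
#!/bin/sh
# Added example for this thread, not code from any participant. Given
# audit.log text, list AppArmor "DENIED" records for a Dovecot unix_listener
# path and say whether the path is one the stock profile permits.

# Socket paths darix says the Dovecot AppArmor profile permits.
ALLOWED_SOCKETS='/var/spool/postfix/private/auth
/var/spool/postfix/private/dovecot-auth
/var/spool/postfix/private/dovecot-lmtp'

# Constructed audit.log excerpt (sample data, not from a real host): one
# denial for the non-standard queue directory used in the thread, one
# unrelated allowed bind, and one SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1539256455.467:1201): apparmor="DENIED" operation="bind" profile="/usr/sbin/dovecot" name="/var/spool/postfix-authrelay/private/dovecot-auth" pid=18300 comm="dovecot" requested_mask="bind" denied_mask="bind" fsuid=0 ouid=0
type=AVC msg=audit(1539256455.468:1202): apparmor="ALLOWED" operation="bind" profile="/usr/sbin/dovecot" name="/var/spool/postfix/private/dovecot-auth" pid=18300 comm="dovecot" requested_mask="bind"
type=SYSCALL msg=audit(1539256455.467:1201): arch=c000003e syscall=49 success=no exit=-13 comm="dovecot"'

# socket_in_profile PATH: exit 0 when PATH is exactly one of ALLOWED_SOCKETS.
socket_in_profile() {
    printf '%s\n' "$ALLOWED_SOCKETS" | grep -qxF -e "$1"
}

# apparmor_denials LOGTEXT PATH: print "operation profile requested_mask"
# for every DENIED record whose name= field is exactly PATH.
apparmor_denials() {
    printf '%s\n' "$1" | grep 'apparmor="DENIED"' | grep -F "name=\"$2\"" \
      | sed -E 's/.*operation="([^"]*)".*profile="([^"]*)".*requested_mask="([^"]*)".*/\1 \2 \3/'
}

# diagnose LOGTEXT PATH: one-line verdict for the unix_listener path.
diagnose() {
    denials=$(apparmor_denials "$1" "$2")
    if [ -z "$denials" ]; then
        echo "no AppArmor denial for $2; check namei -vl $2 and directory ownership"
    elif socket_in_profile "$2"; then
        echo "AppArmor denied $2 although it is in the stock profile list: $denials"
    else
        echo "AppArmor denied $2 and it is not in the stock profile list; extend the dovecot profile for this queue directory: $denials"
    fi
}

diagnose "$SAMPLE_AUDIT" /var/spool/postfix-authrelay/private/dovecot-auth
```

On a real host, feed it `grep apparmor /var/log/audit/audit.log` output and the path from your unix_listener block instead of the constructed sample.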
On 11.10.18 14:02, Laura Smith wrote:
I use the following on several Dovecot-plus-Postfix servers, and they all work fine:
/etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/dovecot-auth {
  user = postfix
  group = postfix
  mode = 0660
}
/etc/postfix/master.cf
Remove line breaks on the value-side, I only added them for readability!
submission inet n - n - - smtpd
  -o relay_clientcerts=${indexed}relay_clientcerts
  -o smtpd_sender_login_maps=${indexed}submission_login_maps
  -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,
     permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,
     permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_tls_clientcerts,
     reject_sender_login_mismatch,
     permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_path=private/dovecot-auth
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=may
  -o syslog_name=postfix/submission
  [...]
Note that this configuration only allows authentication via port 587 (submission), not port 25 (smtp). By convention, that's how it should be. Also, I allow authentication using either SASL or client-side SSL certificates, so you could remove all *cert* settings. If you don't use sender login maps, remove those settings as well.
-Ralph