Struggling to get dovecot working with postfix auth
Hi,
I am trying to create an authenticated relay server using Postfix and Dovecot.
However, I am having two problems:
(a) If I create a dovecot config entry as follows:
unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
  group = postfix
  mode = 0666
  user = postfix
}
Dovecot is unable to create the socket? I thought surely if dovecot is started as root it should create the socket before dropping privileges?
(b) The alternative method of TCP SASL is not working either:
250 DSN
ehlo localhost
250-foobar.example.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN
and in the logs...
2018-10-11T10:17:40.491483+01:00 X postfix-authrelay/smtpd[18312]: warning: X[X]: SASL PLAIN authentication failed:
#### postconf ####
postconf -a
cyrus dovecot

postconf -c /etc/postfix-authrelay | fgrep sasl
broken_sasl_auth_clients = no
cyrus_sasl_config_path =
lmtp_sasl_auth_cache_name =
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions $smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions $smtpd_recipient_restrictions $address_verify_sender_dependent_default_transport_maps $address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps $fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps $mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps $sender_dependent_default_transport_maps $sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps $smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps $virtual_uid_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map
send_cyrus_sasl_authzid = no
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtp
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
#### DOVECONF ####
doveconf -n
# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.1 (d9bc6dfe)
# OS: Linux 4.12.14-lp150.12.19-default x86_64
# Hostname: test.example.com
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
  inet_listener {
    address = 127.0.0.1
    port = 7425
  }
  inet_listener {
    address = ::1
    port = 7425
  }
  # If I disable this, dovecot loads fine, but the tcp auth is unusable ?
  # If I enable this, dovecot is unable to create the socket ?
  # unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
  #   group = postfix
  #   mode = 0666
  #   user = postfix
  # }
}
ssl = no
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
On 11.10.18 11:30, Laura Smith wrote:
> unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
>   group = postfix
>   mode = 0666
>   user = postfix
> }
I suggest using "mode = 0660" instead.
> Dovecot is unable to create the socket?
What exactly do the logs show?
> postconf -c /etc/postfix-authrelay | fgrep sasl
As described in http://www.postfix.org/DEBUG_README.html please use "postconf -n".
-Ralph
On Thursday, October 11, 2018 12:07 PM, Ralph Seichter m16+dovecot@monksofcool.net wrote:
> On 11.10.18 11:30, Laura Smith wrote:
>> unix_listener /var/spool/postfix-authrelay/private/dovecot-auth { group = postfix mode = 0666 user = postfix }
> I suggest using "mode = 0660" instead.
Makes no difference.
>> Dovecot is unable to create the socket?
> What exactly do the logs show?
Erm, they show exactly what I posted earlier?
2018-10-11T12:14:15.467791+01:00 X dovecot: master: Error: bind(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
2018-10-11T12:14:15.468094+01:00 X dovecot: master: Error: service(auth): net_listen_unix(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
2018-10-11T12:14:15.468216+01:00 X dovecot: master: Fatal: Failed to start listeners
>> postconf -c /etc/postfix-authrelay | fgrep sasl
> As described in http://www.postfix.org/DEBUG_README.html please use "postconf -n".
alias_database =
alias_maps =
append_dot_mydomain = no
authorized_submit_users =
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix-authrelay
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix-authrelay
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = 198.51.100.168
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_default_action = accept
milter_mail_macros = i {mail_addr} {daemon_addr} {client_name} {auth_authen}
milter_protocol = 2
multi_instance_enable = yes
multi_instance_name = postfix-authrelay
mydestination =
mydomain = example.com
myhostname = X.example.com
mynetworks = 127.0.0.0/8,192.168.107.0/24,192.168.109.0/24
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:8891
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix-authrelay
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains =
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 198.51.100.168
smtp_sasl_auth_enable = no
smtpd_banner = $myhostname ESMTP
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = ${config_directory}/ssl_certs/star_example_com.pem
smtpd_tls_dh1024_param_file = ${config_directory}/ssl_certs/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/ssl_certs/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = ${config_directory}/ssl_certs/X_workremote_eu.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2,!TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = encrypt
smtputf8_enable = no
tls_eecdh_strong_curve = prime256v1
tls_preempt_cipherlist = yes
unknown_local_recipient_reject_code = 550
On 11/10/2018 14:21, Laura Smith wrote:
> On Thursday, October 11, 2018 12:07 PM, Ralph Seichter m16+dovecot@monksofcool.net wrote:
>> On 11.10.18 11:30, Laura Smith wrote:
>>> unix_listener /var/spool/postfix-authrelay/private/dovecot-auth { group = postfix mode = 0666 user = postfix }
>> I suggest using "mode = 0660" instead.
> Makes no difference.
Do you have SELinux or the like running on the system?
Good luck,
Reio
On 11.10.18 13:21, Laura Smith wrote:
>> I suggest using "mode = 0660" instead.
> Makes no difference.
That was meant to increase security, not to fix your problem.
>> What exactly do the logs show?
> Erm, they show exactly what I posted earlier?
No. Earlier, you posted this:
> 2018-10-11T10:17:40.491483+01:00 X postfix-authrelay/smtpd[18312]: warning: X[X]: SASL PLAIN authentication failed:
That's just a warning about an authentication failure. Now this:
> 2018-10-11T12:14:15.467791+01:00 X dovecot: master: Error: bind(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
> 2018-10-11T12:14:15.468094+01:00 X dovecot: master: Error: service(auth): net_listen_unix(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
> 2018-10-11T12:14:15.468216+01:00 X dovecot: master: Fatal: Failed to start listeners
That's a permission error. Somewhere in your directory hierarchy things are off. See Postfix' set-permissions command.
-Ralph
> That's a permission error. Somewhere in your directory hierarchy things are off. See Postfix' set-permissions command.
But surely if Dovecot is starting as root then directory permissions are relevant, especially if I'm then asking the config to chmod the file anyway?
To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later, is it?
On 11 October 2018 at 15:02 Laura Smith n5d9xq3ti233xiyif2vp@protonmail.ch wrote:
>> That's a permission error. Somewhere in your directory hierarchy things are off. See Postfix' set-permissions command.
> But surely if Dovecot is starting as root then directory permissions are relevant, especially if I'm then asking the config to chmod the file anyway?
> To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later, is it?
You should probably check a few things:
- check dmesg or /var/log/audit/audit.log for any possible security framework problems
- check namei -vl /var/spool/postfix-authrelay/private/dovecot-auth for anything strange
- there is *some* reason the socket is not bound into, dovecot creates these sockets as root.
Aki
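Aki's checklist above boils down to two checks: walk the socket path component by component (what namei -vl does) and look in the audit log for a security-framework denial, which is exactly where the AppArmor cause in this thread surfaces. The script below is an added example written for this page, not code from the thread, from Dovecot or from Postfix. It uses os.lstat to report owner, group and mode of every path component and stops reporting at the first missing one, and it parses auditd AVC records for AppArmor "DENIED" events that name the socket. The audit records it ships with are constructed samples whose field layout (operation, profile, name, pid, comm, requested_mask, denied_mask) follows the usual shape of AppArmor audit lines; on a real host you would feed it the contents of /var/log/audit/audit.log instead.

```python
import grp
import os
import pwd
import re
import stat

# Socket path taken from the thread.
SOCKET_PATH = "/var/spool/postfix-authrelay/private/dovecot-auth"

# Constructed sample audit records (not real log data); they imitate the
# key="value" layout of auditd AVC lines emitted for AppArmor decisions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1539263655.467:101): apparmor="DENIED" operation="bind" profile="/usr/sbin/dovecot" name="/var/spool/postfix-authrelay/private/dovecot-auth" pid=4242 comm="dovecot" requested_mask="bind" denied_mask="bind"
type=AVC msg=audit(1539263655.470:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" pid=4242 comm="dovecot" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1539263655.471:103): apparmor="DENIED" operation="bind" profile="/usr/sbin/dovecot" name="/var/spool/postfix-authrelay/private/dovecot-auth" pid=4243 comm="dovecot" requested_mask="bind" denied_mask="bind"
"""

# Matches key=value and key="quoted value" pairs in an audit record.
AVC_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def _name_or_id(lookup, numeric_id, attr):
    """Resolve a uid/gid to a name, falling back to the number if unknown."""
    try:
        return getattr(lookup(numeric_id), attr)
    except KeyError:
        return str(numeric_id)


def walk_path(path):
    """Report every component of an absolute path, like `namei -vl`.

    Returns a list of dicts with keys path, exists, mode, owner, group.
    A component that does not exist yet (for example the socket itself
    before Dovecot has created it) is reported with exists=False so the
    caller can see where the chain of directories stops.
    """
    rows = []
    cur = ""
    for comp in path.strip("/").split("/"):
        cur = f"{cur}/{comp}"
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            rows.append({"path": cur, "exists": False, "mode": None,
                         "owner": None, "group": None})
            continue
        rows.append({
            "path": cur,
            "exists": True,
            "mode": stat.filemode(st.st_mode),
            "owner": _name_or_id(pwd.getpwuid, st.st_uid, "pw_name"),
            "group": _name_or_id(grp.getgrgid, st.st_gid, "gr_name"),
        })
    return rows


def parse_audit_line(line):
    """Turn one audit record into a dict of its key=value fields."""
    fields = {}
    for m in AVC_FIELD.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def apparmor_denials(log_text, path):
    """Return the AVC records in which AppArmor denied access to `path`."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("apparmor") == "DENIED" and fields.get("name") == path:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for row in walk_path(SOCKET_PATH):
        if row["exists"]:
            print(f'{row["mode"]} {row["owner"]} {row["group"]} {row["path"]}')
        else:
            print(f'missing: {row["path"]}')
    for hit in apparmor_denials(SAMPLE_AUDIT_LOG, SOCKET_PATH):
        print(f'AppArmor denied {hit["operation"]} by {hit["profile"]} '
              f'(pid {hit["pid"]}) on {hit["name"]}')
```

Run as root on the affected host it prints the ownership chain down to the socket; a "missing" entry for the socket itself together with a DENIED bind record is the combination seen in this thread, and it points at the AppArmor profile rather than at filesystem permissions.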
On Thursday, October 11, 2018 1:29 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
> On 11 October 2018 at 15:02 Laura Smith n5d9xq3ti233xiyif2vp@protonmail.ch wrote:
>>> That's a permission error. Somewhere in your directory hierarchy things are off. See Postfix' set-permissions command.
>> But surely if Dovecot is starting as root then directory permissions are relevant, especially if I'm then asking the config to chmod the file anyway? To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later, is it?
> You should probably check a few things:
> - check dmesg or /var/log/audit/audit.log for any possible security framework problems
> - check namei -vl /var/spool/postfix-authrelay/private/dovecot-auth for anything strange
> - there is some reason the socket is not bound into, dovecot creates these sockets as root.
> Aki
Thanks. It ended up being an AppArmor issue. That's now fixed; the socket gets created.
However, the first part of my problem described earlier still exists, namely:
2018-10-11T15:58:41.230340+01:00 X postfix-authrelay/smtpd[21297]: warning: X.example.com[X]: SASL PLAIN authentication failed:
I was hoping going via the socket instead of TCP might fix it, but apparently not. ;-(
If you see apparmor problems or suspect it might be an apparmor issue:
- run auditd
- check /var/log/audit/audit.log
For this specific case, those socket paths are allowed for dovecot:
/var/spool/postfix/private/auth
/var/spool/postfix/private/dovecot-auth
/var/spool/postfix/private/dovecot-lmtp
hth
darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
On 11.10.18 14:02, Laura Smith wrote:
> To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later, is it?
I use the following on several Dovecot-plus-Postfix servers, and they all work fine:
# /etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/dovecot-auth {
  user = postfix
  group = postfix
  mode = 0660
}

# /etc/postfix/master.cf
# Remove line breaks on the value-side, I only added them for readability!
submission inet n - n - - smtpd
  -o relay_clientcerts=${indexed}relay_clientcerts
  -o smtpd_sender_login_maps=${indexed}submission_login_maps
  -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,
     permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,
     permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_tls_clientcerts,
     reject_sender_login_mismatch,
     permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_path=private/dovecot-auth
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=may
  -o syslog_name=postfix/submission
[...]
Note that this configuration only allows authentication via port 587 (submission), not port 25 (smtp). By convention, that's how it should be. Also, I allow authentication using either SASL or client-side SSL certificates, so you could remove all *cert* settings. If you don't use sender login maps, remove those settings as well.
-Ralph
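Ralph's point that SASL authentication should be offered only on the submission service is worth verifying mechanically, because in the postconf -n output earlier in this thread smtpd_sasl_auth_enable = yes sits in main.cf and therefore applies to every smtpd instance, port 25 included. The script below is an added example written for this page, not Ralph's configuration and not Postfix code. It parses a constructed master.cf laid out the way Ralph showed his (per master(5), a line that starts with whitespace continues the previous service entry), collects the -o overrides of each service, and reports which smtpd services end up with SASL enabled once main.cf defaults are taken into account. The sample master.cf and the main.cf dictionaries passed to it are constructed for the example.

```python
# Constructed sample master.cf for this example (not the thread's own file).
# Continuation lines start with whitespace, as in Ralph's submission entry.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_path=private/dovecot-auth
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=may
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o syslog_name=postfix/submission
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
"""


def parse_master_cf(text):
    """Parse master.cf into {"name/type": {name, type, command, overrides}}.

    Services are keyed by name and transport type because master.cf
    commonly contains both "smtp inet" and "smtp unix" entries.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Continuation of the previous entry: only extra arguments here.
            if current is None:
                raise ValueError(f"continuation line without an entry: {raw!r}")
            tokens = raw.split()
        else:
            fields = raw.split()
            if len(fields) < 8:
                raise ValueError(f"malformed master.cf entry: {raw!r}")
            name, stype, command = fields[0], fields[1], fields[7]
            current = entries.setdefault(
                f"{name}/{stype}",
                {"name": name, "type": stype, "command": command, "overrides": {}},
            )
            tokens = fields[8:]
        # Collect "-o key=value" pairs; later occurrences win, as in Postfix.
        i = 0
        while i < len(tokens):
            if tokens[i] == "-o" and i + 1 < len(tokens):
                key, _, value = tokens[i + 1].partition("=")
                current["overrides"][key] = value
                i += 2
            else:
                i += 1
    return entries


def sasl_enabled_services(entries, main_cf):
    """Return the smtpd services on which AUTH is offered.

    A service's effective smtpd_sasl_auth_enable is its -o override if
    present, otherwise the main.cf value (Postfix default: "no").
    """
    enabled = []
    for key, entry in entries.items():
        if entry["command"] != "smtpd":
            continue
        effective = entry["overrides"].get(
            "smtpd_sasl_auth_enable", main_cf.get("smtpd_sasl_auth_enable", "no"))
        if effective == "yes":
            enabled.append(key)
    return enabled


if __name__ == "__main__":
    services = parse_master_cf(SAMPLE_MASTER_CF)
    # Ralph's pattern: main.cf leaves SASL off, only submission overrides it.
    print("per-service only:", sasl_enabled_services(services, {}))
    # Laura's main.cf has smtpd_sasl_auth_enable = yes globally, so port 25
    # offers AUTH as well.
    print("global yes:", sasl_enabled_services(
        services, {"smtpd_sasl_auth_enable": "yes"}))
```

Fed the output of postconf -M (or the raw master.cf) together with the smtpd_sasl_auth_enable value from postconf -n, the same two functions show whether a real instance offers AUTH anywhere other than submission.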
participants (5)
- Aki Tuomi
- Laura Smith
- Marcus Rückert
- Ralph Seichter
- Reio Remma