Struggling to get dovecot working with postfix auth

Ralph Seichter m16+dovecot at monksofcool.net
Thu Oct 11 15:34:33 EEST 2018


On 11.10.18 14:02, Laura Smith wrote:

> To me, it seems dovecot is not behaving correctly, because if it is
> not using root to access the directory then it is not going to be able
> to chmod the socket later, is it?

I use the following on several Dovecot-plus-Postfix servers, and they
all work fine:

  # /etc/dovecot/conf.d/10-master.conf
  unix_listener /var/spool/postfix/private/dovecot-auth {
    user = postfix
    group = postfix
    mode = 0660
  }

  # /etc/postfix/master.cf
  # Remove line breaks on the value-side, I only added them for readability!
  submission  inet  n  -  n  -  -  smtpd
   -o relay_clientcerts=${indexed}relay_clientcerts
   -o smtpd_sender_login_maps=${indexed}submission_login_maps
   -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,
                                permit_sasl_authenticated,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,
                               permit_sasl_authenticated,reject
   -o smtpd_recipient_restrictions=permit_mynetworks,permit_tls_clientcerts,
                                   reject_sender_login_mismatch,
                                   permit_sasl_authenticated,reject
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_path=private/dovecot-auth
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_tls_security_level=may
   -o syslog_name=postfix/submission
   [...]

Note that this configuration only allows authentication via port 587
(submission), not port 25 (smtp). By convention, that's how it should
be. Also, I allow authentication using either SASL or client-side SSL
certificates, so you could remove all *cert* settings. If you don't use
sender login maps, remove those settings as well.

-Ralph
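
Added example (not part of the message above and not Postfix or Dovecot project code): a Python check that joins master.cf continuation lines, flags a value still split by the readability line breaks, and confirms that smtpd_sasl_path, resolved against the queue directory, matches a Dovecot unix_listener that is not open to other local users. The names services, audit and QUEUE_DIR and both sample configs are constructed for illustration; only plain "-o name=value" overrides are handled.

```python
import re

# Constructed sample input in the layout used above (one value split for readability).
MASTER_CF = """\
submission  inet  n  -  n  -  -  smtpd
   -o smtpd_relay_restrictions=permit_mynetworks,
                               permit_sasl_authenticated,reject
   -o smtpd_sasl_path=private/dovecot-auth
   -o smtpd_sasl_type=dovecot
"""
DOVECOT_CONF = """\
unix_listener /var/spool/postfix/private/dovecot-auth {
  mode = 0660
}
"""
QUEUE_DIR = "/var/spool/postfix"  # assumption: Postfix queue_directory

def services(master_cf):
    # Lines starting with whitespace continue the previous logical line.
    logical = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    return {l.split()[0]: l.split()[8:] for l in logical}  # fields 0-7 precede the args

def audit(master_cf, dovecot_conf, queue_dir=QUEUE_DIR):
    findings, listeners = [], {}
    for path, body in re.findall(r"unix_listener\s+(\S+)\s*\{([^}]*)\}", dovecot_conf):
        mode = re.search(r"mode\s*=\s*(\d+)", body)
        listeners[path] = mode.group(1) if mode else None
    for name, args in services(master_cf).items():
        opts = {}
        for prev, tok in zip([""] + args, args):
            if prev == "-o":  # plain "-o name=value" overrides only
                opts.update([tok.partition("=")[::2]])
            elif not tok.startswith("-"):
                findings.append(f"{name}: stray token {tok!r}, value split by whitespace?")
        if opts.get("smtpd_sasl_type") == "dovecot":
            sasl_path = opts.get("smtpd_sasl_path", "")
            full = sasl_path if sasl_path.startswith("/") else f"{queue_dir}/{sasl_path}"
            if full not in listeners:
                findings.append(f"{name}: no Dovecot unix_listener at {full}")
            elif listeners[full] and int(listeners[full], 8) & 0o007:
                findings.append(f"{name}: {full} mode {listeners[full]} is open to other local users")
    return findings
```

Calling audit(MASTER_CF, DOVECOT_CONF) on the sample reports the split restriction value; once the value is joined onto one line the list of findings is empty.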

