New dovecot server, authentication confusion

Jeff Abrahamson jeff at p27.eu
Sun Jan 24 19:50:11 EET 2021


On 24/01/2021 15:42, Jeff Abrahamson wrote:
>
> I've set up a new dovecot+postfix instance with virtual (not system)
> users.
>
> [...]

Thanks to several responses here (many thanks!) and much further
hacking, I have moved further.

I now have two problems that I'm hitting my head on.  (I've posted my
config below.)

  * Delivery has a permission error, but I don't see what is causing it.
  * Authorisation on sending is failing.

1.  Delivery

I send mail to jeff at mobilitains.fr, which I think should be an
authorised user.

    Jan 24 17:19:02 nantes-m1 postfix/qmgr[8025]: 8640AA0C71:
    from=<jeff at p27.eu>, size=4737, nrcpt=1 (queue active)
    Jan 24 17:19:02 nantes-m1 dovecot:
    lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error:
    mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied
    (euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/,
    dir owned by 4000:4000 mode=0755)
    Jan 24 17:19:02 nantes-m1 dovecot:
    lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error:
    mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied
    (euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/,
    dir owned by 4000:4000 mode=0755)
    Jan 24 17:19:02 nantes-m1 dovecot:
    lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: Mailbox INBOX:
    Failed to autocreate mailbox: Internal error occurred. Refer to
    server log for more information. [2021-01-24 17:19:02]
    Jan 24 17:19:02 nantes-m1 dovecot:
    lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>:
    msgid=<45693641-2b61-815d-6129-feb9c4e3608a at p27.eu>: save failed to
    open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox:
    Internal error occurred. Refer to server log for more information.
    [2021-01-24 17:19:02]
    Jan 24 17:19:02 nantes-m1 postfix/local[10626]: 8640AA0C71:
    to=<jeff at nantes-m1.p27.eu>, orig_to=<jeff at mobilitains.fr>,
    relay=local, delay=593, delays=593/0.01/0/0.02, dsn=4.3.0,
    status=deferred (temporary failure. Command output: lda(jeff):
    Error: net_connect_unix(/var/run/dovecot/stats-writer) failed:
    Permission denied )

Now I know what the words mean: it wants to create the mail directory
where I've asked it to, in /var/mail/vmail/%d/%n/mail, and it's hitting
a permission error, because that directory is owned by vmail and that
bit of dovecot, apparently, doesn't have permission to read/write
there.  I can see that some dovecot processes run as vmail, others as
dovecot or dovenull, still others as root (!).  I'm unclear after much
reading of docs what I /should/ see here and what I should change.

    [T] jeff at nantes-m1:postfix $ ps axfu | grep dovec
    root         607  0.0  0.3   4612  3360 ?        Ss   10:12   0:00
    /usr/sbin/dovecot -F
    dovecot      637  0.0  0.1   4248  1072 ?        S    10:12   0:00 
    \_ dovecot/anvil
    root        9852  0.0  0.2   4388  2940 ?        S    16:54   0:00 
    \_ dovecot/log
    dovecot     9907  0.0  0.2   4396  2828 ?        S    16:54   0:00 
    \_ dovecot/stats
    root        9908  0.0  0.4   5664  4188 ?        S    16:54   0:00 
    \_ dovecot/config
    dovenull    9976  0.0  0.6   8476  6584 ?        S    16:58   0:00 
    \_ dovecot/imap-login
    vmail       9978  0.0  0.5   6940  5572 ?        S    16:58   0:00 
    \_ dovecot/imap
    dovenull   10023  0.0  0.6   8472  6584 ?        S    17:04   0:00 
    \_ dovecot/imap-login
    vmail      10024  0.0  0.5   6884  5516 ?        S    17:04   0:00 
    \_ dovecot/imap
    jeff       10952  0.0  0.0   8904   672 pts/1    S+   17:33   0:00 
    |           \_ grep --color=auto dovec
    [T] jeff at nantes-m1:postfix $

2.  Authorisation on sending

Using thunderbird I try to send an email from my workstation as
jeff at mobilitains.fr (myself, as this host sees it) to another user
(myself somewhere else).

    Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: connect
    from 10.244.88.92.rev.sfr.net[92.88.244.10]
    Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: Anonymous
    TLS connection established from
    10.244.88.92.rev.sfr.net[92.88.244.10]: TLSv1 with cipher
    ECDHE-RSA-AES128-SHA (128/128 bits)
    Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: warning:
    SASL: Connect to private/auth failed: No such file or directory
    Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: fatal: no
    SASL authentication mechanisms
    Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning: process
    /usr/lib/postfix/sbin/smtpd pid 10971 exit status 1
    Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning:
    /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

So I'm failing to connect, but the error about private/auth is quite
unclear to me.  I think what I've configured is that plaintext auth is
disabled unless on a SSL/TLS connection, and SSL/TLS connections are
required, so plaintext over SSL/TLS is the rule.  There's an error
related to smtpd startup, though I'm unclear what that means, since
postfix is running.  I think it means it can't run smtpd to send the
mail, but why and where configured is unclear to me.

    [T] jeff at nantes-m1:conf.d $ cat 10-auth.conf | grep -vE '^#' | uniq

    disable_plaintext_auth = yes

    auth_username_chars =
    abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

    auth_mechanisms = plain

    !include auth-passwdfile.conf.ext
    [T] jeff at nantes-m1:conf.d $
    [T] jeff at nantes-m1:conf.d $ cat auth-passwdfile.conf.ext
    # Authentication for passwd-file users. Included from 10-auth.conf.
    #
    # passwd-like file with specified location.
    # <doc/wiki/AuthDatabase.PasswdFile.txt>
    #
    # This is heavily modified from the ubuntu dovecot distribution file.

    passdb {
      driver = passwd-file
      # args = scheme=CRYPT username_format=%u /etc/dovecot/users
      # args = username_format=%u scheme=ssha512 /etc/dovecot/passwd.db
      args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
      deny = no
      master = no
      pass = no
      skip = never
      result_failure = continue
      result_internalfail = continue
      result_success = return-ok
    }

    userdb {
        driver = static
        args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
    }

    [T] jeff at nantes-m1:conf.d $

My config:

    [T] jeff at nantes-m1:~ $ doveconf -n
    # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.5.7.2 ()
    # OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS ext4
    # Hostname: nantes-m1.p27.eu
    auth_debug = yes
    auth_verbose = yes
    mail_home = /var/mail/vmail/%d/%n
    mail_location = maildir:/var/mail/vmail/%d/%n/mail:LAYOUT=fs
    mail_privileged_group = mail
    namespace inbox {
      inbox = yes
      location =
      mailbox Archive {
        auto = subscribe
        special_use = \Archive
      }
      mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
      }
      mailbox Junk {
        auto = subscribe
        special_use = \Junk
      }
      mailbox Sent {
        auto = subscribe
        special_use = \Sent
      }
      mailbox Trash {
        auto = subscribe
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
      driver = passwd-file
    }
    plugin {
      sieve = file:~/sieve;active=~/.dovecot.sieve
      sieve_after = /var/mail/vmail/sieve-after
      sieve_before = /var/mail/vmail/sieve-before
      sieve_dir = ~/sieve
    }
    protocols = " imap"
    service auth {
      unix_listener /var/spool/postfix/private/dovecot-auth {
        group = postfix
        mode = 0600
        user = postfix
      }
    }
    service imap-login {
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }
    ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
    ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
    ssl_client_ca_dir = /etc/ssl/certs
    ssl_dh = # hidden, use -P to show it
    ssl_key = # hidden, use -P to show it
    userdb {
      args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
      driver = static
    }
    verbose_ssl = yes
    protocol lda {
      deliver_log_format = msgid=%m: %$
      mail_plugins = sieve
      postmaster_address = postmaster@{{ primary_domain }}
      quota_full_tempfail = yes
      rejection_reason = Your message to <%t> was automatically rejected:%n%r
    }
    protocol imap {
      imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
      mail_max_userip_connections = 20
    }
    [T] jeff at nantes-m1:~ $
    [T] jeff at nantes-m1:postfix $ postconf -Mf
    smtp       inet  n       -       y       -       -       smtpd
    submission inet  n       -       y       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
    smtps      inet  n       -       y       -       -       smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_reject_unlisted_recipient=no
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
    ...

-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://transport-nantes.com/
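As an added example (not part of the original post), a small Python checker for the two mismatches the logs above make visible: the socket path Postfix's smtpd tries for SASL versus the unix_listener Dovecot's `service auth` actually opens, and the euid/egid the LDA ran as versus the uid/gid in the static userdb that owns the mail directory. The `doveconf -n` excerpt and the LDA error line are copied from the post; the Postfix queue directory (/var/spool/postfix) and the `smtpd_sasl_path` value `private/auth` are assumptions inferred from the "Connect to private/auth failed" log line.

```python
# Added example, not from the original post: consistency checks between a
# doveconf -n excerpt (mirroring the post), the Postfix SASL socket path and
# the euid/egid reported in the post's LDA error line.
import re

DOVECONF = """\
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
userdb {
  args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
  driver = static
}
"""
POSTFIX_QUEUE_DIR = "/var/spool/postfix"  # assumed Postfix queue_directory default
LDA_ERROR = ("mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied "
             "(euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/, "
             "dir owned by 4000:4000 mode=0755)")

def auth_listeners(conf):
    """Return the unix_listener paths declared inside 'service auth { ... }'."""
    m = re.search(r"service auth \{(.*?)\n\}", conf, re.S)
    return re.findall(r"unix_listener (\S+) \{", m.group(1)) if m else []

def userdb_ids(conf):
    """Return (uid, gid) from the static userdb args line, or None."""
    m = re.search(r"args = .*?uid=(\d+).*?gid=(\d+)", conf)
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_sasl_path(conf, smtpd_sasl_path, queue_dir=POSTFIX_QUEUE_DIR):
    """A relative smtpd_sasl_path is resolved under the Postfix queue directory
    (smtpd is chrooted there in this master.cf); Dovecot must listen on exactly that path."""
    wanted = smtpd_sasl_path if smtpd_sasl_path.startswith("/") else f"{queue_dir}/{smtpd_sasl_path}"
    return wanted in auth_listeners(conf)

def check_lda_identity(conf, error_line):
    """True when the euid/egid the LDA ran as equal the userdb uid/gid that owns the maildir."""
    m = re.search(r"euid=(\d+)\S* egid=(\d+)", error_line)
    return bool(m) and (int(m.group(1)), int(m.group(2))) == userdb_ids(conf)

def diagnose(conf, smtpd_sasl_path, error_line):
    """Return the names of the checks that failed (empty when the setup is consistent)."""
    return [name for name, ok in (
        ("sasl_socket_path", check_sasl_path(conf, smtpd_sasl_path)),
        ("lda_uid_gid", check_lda_identity(conf, error_line)),
    ) if not ok]
```

Run against the post's values, `diagnose(DOVECONF, "private/auth", LDA_ERROR)` flags both checks: Postfix is looking for a socket Dovecot never created, and the LDA was started as uid 1000 rather than the vmail uid 4000 the directory is owned by.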
