New dovecot server, authentication confusion
Jeff Abrahamson
jeff at p27.eu
Sun Jan 24 19:50:11 EET 2021
On 24/01/2021 15:42, Jeff Abrahamson wrote:
>
> I've set up a new dovecot+postfix instance with virtual (not system)
> users.
>
> [...]
Thanks to several responses here (many thanks!) and much further
hacking, I have moved further.
I now have two problems that I'm hitting my head on. (I've posted my
config below.)
* Delivery has a permission error, but I don't see what is causing it.
* Authorisation on sending is failing.
1. Delivery
I send mail to jeff at mobilitains.fr, which I think should be an
authorised user.
Jan 24 17:19:02 nantes-m1 postfix/qmgr[8025]: 8640AA0C71:
from=<jeff at p27.eu>, size=4737, nrcpt=1 (queue active)
Jan 24 17:19:02 nantes-m1 dovecot:
lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error:
mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied
(euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/,
dir owned by 4000:4000 mode=0755)
Jan 24 17:19:02 nantes-m1 dovecot:
lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error:
mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied
(euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/,
dir owned by 4000:4000 mode=0755)
Jan 24 17:19:02 nantes-m1 dovecot:
lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: Mailbox INBOX:
Failed to autocreate mailbox: Internal error occurred. Refer to
server log for more information. [2021-01-24 17:19:02]
Jan 24 17:19:02 nantes-m1 dovecot:
lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>:
msgid=<45693641-2b61-815d-6129-feb9c4e3608a at p27.eu>: save failed to
open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox:
Internal error occurred. Refer to server log for more information.
[2021-01-24 17:19:02]
Jan 24 17:19:02 nantes-m1 postfix/local[10626]: 8640AA0C71:
to=<jeff at nantes-m1.p27.eu>, orig_to=<jeff at mobilitains.fr>,
relay=local, delay=593, delays=593/0.01/0/0.02, dsn=4.3.0,
status=deferred (temporary failure. Command output: lda(jeff):
Error: net_connect_unix(/var/run/dovecot/stats-writer) failed:
Permission denied )
Now I know what the words mean: it wants to create the mail directory
where I've asked it to, in /var/mail/vmail/%d/%n/mail, and it's hitting
a permission error, because that directory is owned by vmail and that
bit of dovecot, apparently, doesn't have permission to read/write
there. I can see that some dovecot processes run as vmail, others as
dovecot or dovenull, still others as root (!). I'm unclear after much
reading of docs what I /should/ see here and what I should change.
[T] jeff at nantes-m1:postfix $ ps axfu | grep dovec
root 607 0.0 0.3 4612 3360 ? Ss 10:12 0:00
/usr/sbin/dovecot -F
dovecot 637 0.0 0.1 4248 1072 ? S 10:12 0:00
\_ dovecot/anvil
root 9852 0.0 0.2 4388 2940 ? S 16:54 0:00
\_ dovecot/log
dovecot 9907 0.0 0.2 4396 2828 ? S 16:54 0:00
\_ dovecot/stats
root 9908 0.0 0.4 5664 4188 ? S 16:54 0:00
\_ dovecot/config
dovenull 9976 0.0 0.6 8476 6584 ? S 16:58 0:00
\_ dovecot/imap-login
vmail 9978 0.0 0.5 6940 5572 ? S 16:58 0:00
\_ dovecot/imap
dovenull 10023 0.0 0.6 8472 6584 ? S 17:04 0:00
\_ dovecot/imap-login
vmail 10024 0.0 0.5 6884 5516 ? S 17:04 0:00
\_ dovecot/imap
jeff 10952 0.0 0.0 8904 672 pts/1 S+ 17:33 0:00
| \_ grep --color=auto dovec
[T] jeff at nantes-m1:postfix $
2. Authorisation on sending
Using thunderbird I try to send an email from my workstation as
jeff at mobilitains.fr (myself, as this host sees it) to another user
(myself somewhere else).
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: connect
from 10.244.88.92.rev.sfr.net[92.88.244.10]
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: Anonymous
TLS connection established from
10.244.88.92.rev.sfr.net[92.88.244.10]: TLSv1 with cipher
ECDHE-RSA-AES128-SHA (128/128 bits)
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: warning:
SASL: Connect to private/auth failed: No such file or directory
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: fatal: no
SASL authentication mechanisms
Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning: process
/usr/lib/postfix/sbin/smtpd pid 10971 exit status 1
Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning:
/usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
So I'm failing to connect, but the error about private/auth is quite
unclear to me. I think what I've configured is that plaintext auth is
disabled unless on a SSL/TLS connection, and SSL/TLS connections are
required, so plaintext over SSL/TLS is the rule. There's an error
related to smtpd startup, though I'm unclear what that means, since
postfix is running. I think it means it can't run smtpd to send the
mail, but why and where configured is unclear to me.
[T] jeff at nantes-m1:conf.d $ *cat 10-auth.conf | grep -vE '^#' | uniq*
disable_plaintext_auth = yes
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_mechanisms = plain
!include auth-passwdfile.conf.ext
[T] jeff at nantes-m1:conf.d $
[T] jeff at nantes-m1:conf.d $ *cat auth-passwdfile.conf.ext *
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
#
# This is heavily modified from the ubuntu dovecot distribution file.
passdb {
driver = passwd-file
# args = scheme=CRYPT username_format=%u /etc/dovecot/users
# args = username_format=%u scheme=ssha512 /etc/dovecot/passwd.db
args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
deny = no
master = no
pass = no
skip = never
result_failure = continue
result_internalfail = continue
result_success = return-ok
}
userdb {
driver = static
args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
}
[T] jeff at nantes-m1:conf.d $
My config:
[T] jeff at nantes-m1:~ $ *doveconf -n*
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS ext4
# Hostname: nantes-m1.p27.eu
auth_debug = yes
auth_verbose = yes
mail_home = /var/mail/vmail/%d/%n
mail_location = maildir:/var/mail/vmail/%d/%n/mail:LAYOUT=fs
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
passdb {
args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
driver = passwd-file
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_after = /var/mail/vmail/sieve-after
sieve_before = /var/mail/vmail/sieve-before
sieve_dir = ~/sieve
}
protocols = " imap"
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0600
user = postfix
}
}
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
}
ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
ssl_cipher_list =
ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
driver = static
}
verbose_ssl = yes
protocol lda {
deliver_log_format = msgid=%m: %$
mail_plugins = sieve
postmaster_address = postmaster@{{ primary_domain }}
quota_full_tempfail = yes
rejection_reason = Your message to <%t> was automatically
rejected:%n%r
}
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
tb-lsub-flags
mail_max_userip_connections = 20
}
[T] jeff at nantes-m1:~ $
[T] jeff at nantes-m1:postfix $ postconf -Mf
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
...
--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
http://p27.eu/jeff/
http://transport-nantes.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20210124/18b685ef/attachment-0001.html>
More information about the dovecot
mailing list