New dovecot server, authentication confusion

Christian Kivalo ml+dovecot at valo.at
Sun Jan 24 21:54:50 EET 2021


On 2021-01-24 18:50, Jeff Abrahamson wrote:
> On 24/01/2021 15:42, Jeff Abrahamson wrote:
> 
>> I've set up a new dovecot+postfix instance with virtual (not system)
>> users.
>> [...]
> 
> Thanks to several responses here (many thanks!) and much further
> hacking, I have moved further.
> 
> I now have two problems that I'm hitting my head on.  (I've posted my
> config below.)
> 
>  	* Delivery has a permission error, but I don't see what is causing
> it.
> 
> 	* Authorisation on sending is failing.
> 
> 1.  Delivery
> 
> I send mail to jeff at mobilitains.fr, which I think should be an
> authorised user.
> 
>> Jan 24 17:19:02 nantes-m1 postfix/qmgr[8025]: 8640AA0C71:
>> from=<jeff at p27.eu>, size=4737, nrcpt=1 (queue active)
>> Jan 24 17:19:02 nantes-m1 dovecot:
>> lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error:
>> mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied
>> (euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/,
>> dir owned by 4000:4000 mode=0755)
>> Jan 24 17:19:02 nantes-m1 dovecot:
>> lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error:
>> mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied
>> (euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/,
>> dir owned by 4000:4000 mode=0755)
This looks to me as if dovecot lda is trying to deliver as user jeff
(uid 1000) instead of the configured uid 4000 from static userdb.
Try to set auth_debug = yes and/or mail_debug = yes to see what's going
on.
>> Jan 24 17:19:02 nantes-m1 dovecot:
>> lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: Mailbox INBOX:
>> Failed to autocreate mailbox: Internal error occurred. Refer to
>> server log for more information. [2021-01-24 17:19:02]
>> Jan 24 17:19:02 nantes-m1 dovecot:
>> lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>:
>> msgid=<45693641-2b61-815d-6129-feb9c4e3608a at p27.eu>: save failed to
>> open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox:
>> Internal error occurred. Refer to server log for more information.
>> [2021-01-24 17:19:02]
>> Jan 24 17:19:02 nantes-m1 postfix/local[10626]: 8640AA0C71:
>> to=<jeff at nantes-m1.p27.eu>, orig_to=<jeff at mobilitains.fr>,
>> relay=local, delay=593, delays=593/0.01/0/0.02, dsn=4.3.0,
>> status=deferred (temporary failure. Command output: lda(jeff):
>> Error: net_connect_unix(/var/run/dovecot/stats-writer) failed:
>> Permission denied )
For this, see
https://doc.dovecot.org/installation_guide/upgrading/from-2.2-to-2.3/?highlight=stats%20writer
> 
> Now I know what the words mean: it wants to create the mail directory
> where I've asked it to, in /var/mail/vmail/%d/%n/mail, and it's
> hitting a permission error, because that directory is owned by vmail
> and that bit of dovecot, apparently, doesn't have permission to
> read/write there.  I can see that some dovecot processes run as vmail,
> others as dovecot or dovenull, still others as root (!).  I'm unclear
> after much reading of docs what I _should_ see here and what I should
> change.
> 
>> [T] jeff at nantes-m1:postfix $ ps axfu | grep dovec
>> root         607  0.0  0.3   4612  3360 ?        Ss   10:12   0:00
>> /usr/sbin/dovecot -F
>> dovecot      637  0.0  0.1   4248  1072 ?        S    10:12   0:00
>> \_ dovecot/anvil
>> root        9852  0.0  0.2   4388  2940 ?        S    16:54   0:00
>> \_ dovecot/log
>> dovecot     9907  0.0  0.2   4396  2828 ?        S    16:54   0:00
>> \_ dovecot/stats
>> root        9908  0.0  0.4   5664  4188 ?        S    16:54   0:00
>> \_ dovecot/config
>> dovenull    9976  0.0  0.6   8476  6584 ?        S    16:58   0:00
>> \_ dovecot/imap-login
>> vmail       9978  0.0  0.5   6940  5572 ?        S    16:58   0:00
>> \_ dovecot/imap
>> dovenull   10023  0.0  0.6   8472  6584 ?        S    17:04   0:00
>> \_ dovecot/imap-login
>> vmail      10024  0.0  0.5   6884  5516 ?        S    17:04   0:00
>> \_ dovecot/imap
>> jeff       10952  0.0  0.0   8904   672 pts/1    S+   17:33   0:00
>> |           \_ grep --color=auto dovec
>> [T] jeff at nantes-m1:postfix $
> 
> 2.  Authorisation on sending
> 
> Using thunderbird I try to send an email from my workstation as
> jeff at mobilitains.fr (myself, as this host sees it) to another user
> (myself somewhere else).
> 
>> Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: connect
>> from 10.244.88.92.rev.sfr.net[92.88.244.10]
>> Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: Anonymous
>> TLS connection established from
>> 10.244.88.92.rev.sfr.net[92.88.244.10]: TLSv1 with cipher
>> ECDHE-RSA-AES128-SHA (128/128 bits)
>> Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: warning:
>> SASL: Connect to private/auth failed: No such file or directory
You configured postfix with smtpd_sasl_path = private/auth but dovecot
is configured to create the socket as
> service auth {
> unix_listener /var/spool/postfix/private/dovecot-auth {
> group = postfix
> mode = 0600
> user = postfix
> }
You need to fix either the postfix or the dovecot configuration.
>> Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: fatal: no
>> SASL authentication mechanisms
I have set auth_mechanisms in 10-auth.conf to auth_mechanisms = plain login.
See also the postfix documentation:
http://www.postfix.org/SASL_README.html#server_dovecot
>> Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning: process
>> /usr/lib/postfix/sbin/smtpd pid 10971 exit status 1
>> Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning:
>> /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
> 
> So I'm failing to connect, but the error about private/auth is quite
> unclear to me.  I think what I've configured is that plaintext auth is
> disabled unless on a SSL/TLS connection, and SSL/TLS connections are
> required, so plaintext over SSL/TLS is the rule.  There's an error
> related to smtpd startup, though I'm unclear what that means, since
> postfix is running.  I think it means it can't run smtpd to send the
> mail, but why and where configured is unclear to me.

-- 
  Christian Kivalo
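
The socket mismatch pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original message and not code from the Postfix or Dovecot projects; the config strings are constructed from the settings quoted in the thread, and the function names and the /var/spool/postfix queue directory default are assumptions.

```python
import posixpath

# Constructed sample input mirroring the two settings quoted in the reply above.
POSTFIX_MAIN_CF = "smtpd_sasl_type = dovecot\nsmtpd_sasl_path = private/auth\n"
DOVECOT_CONF = """\
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
"""

def postfix_sasl_socket(main_cf, queue_directory="/var/spool/postfix"):
    """Socket smtpd opens; a relative smtpd_sasl_path is under the queue directory."""
    params = {}
    for line in main_cf.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    # queue_directory default is an assumption; check `postconf queue_directory`.
    return posixpath.normpath(posixpath.join(queue_directory, params["smtpd_sasl_path"]))

def dovecot_auth_listeners(conf, base_dir="/var/run/dovecot"):
    """unix_listener sockets inside `service auth { }`; relative names are under base_dir."""
    listeners, stack = [], []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].split())
            block = stack[-1]
            if len(stack) == 2 and stack[0] == ["service", "auth"] \
                    and len(block) == 2 and block[0] == "unix_listener":
                listeners.append(posixpath.normpath(posixpath.join(base_dir, block[1])))
        elif line == "}" and stack:
            stack.pop()
    return listeners

def check_sasl_socket(main_cf, dovecot_conf):
    """Return (ok, message): does Postfix connect where Dovecot listens?"""
    wanted = postfix_sasl_socket(main_cf)
    offered = dovecot_auth_listeners(dovecot_conf)
    if wanted in offered:
        return True, f"match: {wanted}"
    return False, f"postfix connects to {wanted}; dovecot auth listens on {offered}"

if __name__ == "__main__":
    print(check_sasl_socket(POSTFIX_MAIN_CF, DOVECOT_CONF))
```

On a live host the two input strings would come from the output of `postconf -n` and `doveconf -n`.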

