Hi,

I am trying to create an authenticated relay server using Postfix and Dovecot. However, I am having two problems:

(a) If I create a dovecot config entry as follows:

unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
  group = postfix
  mode = 0666
  user = postfix
}

Dovecot is unable to create the socket? I thought surely if dovecot is started as root it should create the socket before dropping privileges?

(b) The alternative method of TCP SASL is not working either:

250 DSN
ehlo localhost
250-foobar.example.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN <none_of_your_business>
535 5.7.8 Error: authentication failed:

and in the logs...

2018-10-11T10:17:40.491483+01:00 X postfix-authrelay/smtpd[18312]: warning: X[X]: SASL PLAIN authentication failed:

####
#### postconf
####

> postconf -a
cyrus dovecot

> postconf -c /etc/postfix-authrelay | fgrep sasl
broken_sasl_auth_clients = no
cyrus_sasl_config_path
lmtp_sasl_auth_cache_name
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter
lmtp_sasl_password_maps
lmtp_sasl_path
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions $smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions $smtpd_recipient_restrictions $address_verify_sender_dependent_default_transport_maps $address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps $fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps $mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps $sender_dependent_default_transport_maps $sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps $smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps $virtual_uid_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map
send_cyrus_sasl_authzid = no
smtp_sasl_auth_cache_name
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter
smtp_sasl_password_maps
smtp_sasl_path
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtp
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot

####
#### DOVECONF
####

> doveconf -n
# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.1 (d9bc6dfe)
# OS: Linux 4.12.14-lp150.12.19-default x86_64
# Hostname: test.example.com
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
  inet_listener {
    address = 127.0.0.1
    port = 7425
  }
  inet_listener {
    address = ::1
    port = 7425
  }
  # If I disable this, dovecot loads fine, but the tcp auth is unusable ?
  # If I enable this, dovecot is unable to create the socket ?
  # unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
  #   group = postfix
  #   mode = 0666
  #   user = postfix
  # }
}
ssl = no
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
On 11.10.18 11:30, Laura Smith wrote:

> unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
>   group = postfix
>   mode = 0666
>   user = postfix
> }

I suggest using "mode = 0660" instead.

> Dovecot is unable to create the socket ?

What exactly do the logs show?

> postconf -c /etc/postfix-authrelay | fgrep sasl

As described in http://www.postfix.org/DEBUG_README.html please use "postconf -n".

-Ralph
On Thursday, October 11, 2018 12:07 PM, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:

> On 11.10.18 11:30, Laura Smith wrote:
>
> > unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
> >   group = postfix
> >   mode = 0666
> >   user = postfix
> > }
>
> I suggest using "mode = 0660" instead.

Makes no difference.

> > Dovecot is unable to create the socket ?
>
> What exactly do the logs show?

Erm, they show exactly what I posted earlier ?

2018-10-11T12:14:15.467791+01:00 X dovecot: master: Error: bind(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
2018-10-11T12:14:15.468094+01:00 X dovecot: master: Error: service(auth): net_listen_unix(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
2018-10-11T12:14:15.468216+01:00 X dovecot: master: Fatal: Failed to start listeners

> > postconf -c /etc/postfix-authrelay | fgrep sasl
>
> As described in http://www.postfix.org/DEBUG_README.html please use
> "postconf -n".

alias_database
alias_maps
append_dot_mydomain = no
authorized_submit_users
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix-authrelay
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix-authrelay
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = 198.51.100.168
inet_protocols = ipv4
local_recipient_maps
local_transport = error:5.1.1 Mailbox unavailable
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_default_action = accept
milter_mail_macros = i {mail_addr} {daemon_addr} {client_name} {auth_authen}
milter_protocol = 2
multi_instance_enable = yes
multi_instance_name = postfix-authrelay
mydestination
mydomain = example.com
myhostname = X.example.com
mynetworks = 127.0.0.0/8,192.168.107.0/24,192.168.109.0/24
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:8891
parent_domain_matches_subdomains
queue_directory = /var/spool/postfix-authrelay
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 198.51.100.168
smtp_sasl_auth_enable = no
smtpd_banner = $myhostname ESMTP
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = ${config_directory}/ssl_certs/star_example_com.pem
smtpd_tls_dh1024_param_file = ${config_directory}/ssl_certs/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/ssl_certs/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = ${config_directory}/ssl_certs/X_workremote_eu.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2,!TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = encrypt
smtputf8_enable = no
tls_eecdh_strong_curve = prime256v1
tls_preempt_cipherlist = yes
unknown_local_recipient_reject_code = 550
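For the "bind(...) failed: Permission denied" lines in the thread, the following added diagnostic (not from the thread, nor Dovecot's or Postfix's own code) checks the discretionary side of that failure: it walks from / down to the directory that will hold the socket and reports every directory the given uid and group set cannot search, plus a missing write bit on the holding directory. The temporary 0700 layout built by demo_layout() and the uids used in it are constructed assumptions; on the real host you would pass the path from the thread and the uid the listener is created under, and since Dovecot's master process (which creates the listeners) runs as root, the script points out that file modes cannot explain EACCES for uid 0.

```python
import os, stat, tempfile

def _bits(st, uid, gids):
    """(write, search) permission bits of st that apply to uid / group set gids."""
    m = st.st_mode
    if uid == st.st_uid:
        return bool(m & stat.S_IWUSR), bool(m & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(m & stat.S_IWGRP), bool(m & stat.S_IXGRP)
    return bool(m & stat.S_IWOTH), bool(m & stat.S_IXOTH)

def socket_bind_problems(sock_path, uid, gids):
    """DAC reasons why bind() on sock_path would fail for a process with uid/gids:
    every ancestor needs search (x), the holding directory also needs write (w).
    Returns a list of human-readable findings; [] means the modes allow it."""
    if uid == 0:
        # Root holds CAP_DAC_OVERRIDE, so file modes cannot yield EACCES here;
        # a denial for the (root) dovecot master comes from somewhere else,
        # e.g. a MAC policy (AppArmor/SELinux) or a root-squashing filesystem.
        return []
    holder = os.path.dirname(os.path.abspath(sock_path))
    chain, d = [], holder
    while chain[-1:] != [d]:            # holder, its parent, ... up to "/"
        chain.append(d)
        d = os.path.dirname(d)
    problems = []
    for d in reversed(chain):           # check from "/" downwards
        try:
            st = os.stat(d)
        except FileNotFoundError:
            problems.append(f"{d}: does not exist")
            break
        desc = f"mode {oct(st.st_mode & 0o7777)}, owner {st.st_uid}:{st.st_gid}"
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{d}: not a directory ({desc})")
            break
        w, x = _bits(st, uid, gids)
        if not x:
            problems.append(f"{d}: no search permission for uid {uid} ({desc})")
        if d == holder and not w:
            problems.append(f"{d}: no write permission for uid {uid} ({desc})")
    return problems

def demo_layout():
    """Constructed stand-in for /var/spool/postfix-authrelay/private: a fresh
    0700 directory (like Postfix's private/) that would hold dovecot-auth."""
    holder = os.path.join(tempfile.mkdtemp(), "private")
    os.mkdir(holder, 0o700)
    return os.path.join(holder, "dovecot-auth")
```

Run it as `socket_bind_problems("/var/spool/postfix-authrelay/private/dovecot-auth", uid, gids)` with the uid and groups of the process that binds; an empty list for a non-root uid means the directory modes are not the cause.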