Hi,
I am trying to create an authenticated relay server using Postfix and Dovecot.
However I am having two problems :
(a) If I create a dovecot config entry as follows :
unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
group = postfix
mode = 0666
user = postfix
}
Dovecot is unable to create the socket ? I thought surely if dovecot is started
as root it should create the socket before dropping privileges ?
(b) The alternative method of TCP SASL is not working either:
250 DSN
ehlo localhost
250-foobar.example.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN <none_of_your_business>
535 5.7.8 Error: authentication failed:
and in the logs...
2018-10-11T10:17:40.491483+01:00 X postfix-authrelay/smtpd[18312]: warning:
X[X]: SASL PLAIN authentication failed:
####
#### postconf
####
>postconf -a
cyrus
dovecot
> postconf -c /etc/postfix-authrelay | fgrep sasl
broken_sasl_auth_clients = no
cyrus_sasl_config_path lmtp_sasl_auth_cache_name lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter lmtp_sasl_password_maps lmtp_sasl_path
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
$smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps
$lmtp_generic_maps $alias_maps $smtpd_client_restrictions
$smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions
$smtpd_recipient_restrictions
$address_verify_sender_dependent_default_transport_maps
$address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps
$fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps
$lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps
$mailbox_command_maps $mailbox_transport_maps
$postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps
$sender_dependent_default_transport_maps $sender_dependent_relayhost_maps
$smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps
$smtp_sasl_password_maps $smtp_tls_policy_maps
$smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps
$virtual_uid_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
$address_verify_map $postscreen_cache_map
send_cyrus_sasl_authzid = no
smtp_sasl_auth_cache_name smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter smtp_sasl_password_maps smtp_sasl_path
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtp
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
####
#### DOVECONF
####
> doveconf -n
# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.1 (d9bc6dfe)
# OS: Linux 4.12.14-lp150.12.19-default x86_64
# Hostname: test.example.com
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext
namespace inbox {
inbox = yes
location mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix }
passdb {
driver = pam
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
inet_listener {
address = 127.0.0.1
port = 7425
}
inet_listener {
address = ::1
port = 7425
}
# If I disable this, dovecot loads fine, but the tcp auth is unusable ?
# If I enable this, dovecot is unable to create the socket ?
# unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
# group = postfix
# mode = 0666
# user = postfix
# }
}
ssl = no
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW
at STRENGTH
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
driver = passwd
}
On 11.10.18 11:30, Laura Smith wrote:> unix_listener /var/spool/postfix-authrelay/private/dovecot-auth { > group = postfix > mode = 0666 > user = postfix > }I suggest using "mode = 0660" instead.> Dovecot is unable to create the socket ?What exactly do the logs show?> postconf -c /etc/postfix-authrelay | fgrep saslAs described in http://www.postfix.org/DEBUG_README.html please use "postconf -n". -Ralph
On Thursday, October 11, 2018 12:07 PM, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:> On 11.10.18 11:30, Laura Smith wrote: > > > unix_listener /var/spool/postfix-authrelay/private/dovecot-auth { > > group = postfix > > mode = 0666 > > user = postfix > > } > > I suggest using "mode = 0660" instead.Makes no difference.> > > Dovecot is unable to create the socket ? > > What exactly do the logs show?Erm, they show exactly what I posted earlier ? 2018-10-11T12:14:15.467791+01:00 X dovecot: master: Error: bind(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied 2018-10-11T12:14:15.468094+01:00 X dovecot: master: Error: service(auth): net_listen_unix(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied 2018-10-11T12:14:15.468216+01:00 X dovecot: master: Fatal: Failed to start listeners> > > postconf -c /etc/postfix-authrelay | fgrep sasl > > As described inhttp://www.postfix.org/DEBUG_README.html please use > "postconf -n". >alias_database alias_maps append_dot_mydomain = no authorized_submit_users command_directory = /usr/sbin compatibility_level = 2 config_directory = /etc/postfix-authrelay daemon_directory = /usr/lib/postfix/bin/ data_directory = /var/lib/postfix-authrelay disable_vrfy_command = yes html_directory = /usr/share/doc/packages/postfix-doc/html inet_interfaces = 198.51.100.168 inet_protocols = ipv4 local_recipient_maps local_transport = error:5.1.1 Mailbox unavailable mail_owner = postfix mail_spool_directory = /var/mail mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man message_size_limit = 20480000 milter_default_action = accept milter_mail_macros = i {mail_addr} {daemon_addr} {client_name} {auth_authen} milter_protocol = 2 multi_instance_enable = yes multi_instance_name = postfix-authrelay mydestination mydomain = example.com myhostname = X.example.com mynetworks = 127.0.0.0/8,192.168.107.0/24,192.168.109.0/24 mynetworks_style = subnet myorigin = $mydomain newaliases_path = /usr/bin/newaliases non_smtpd_milters = inet:localhost:8891 parent_domain_matches_subdomains queue_directory = /var/spool/postfix-authrelay readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES relay_domains sample_directory = /usr/share/doc/packages/postfix-doc/samples sendmail_path = /usr/sbin/sendmail setgid_group = maildrop smtp_bind_address = 198.51.100.168 smtp_sasl_auth_enable = no smtpd_banner = $myhostname ESMTP smtpd_milters = inet:localhost:8891 smtpd_recipient_restrictions permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination smtpd_relay_restrictions permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = inet:localhost:7425 smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_tls_auth_only = yes smtpd_tls_cert_file = ${config_directory}/ssl_certs/star_example_com.pem smtpd_tls_dh1024_param_file = ${config_directory}/ssl_certs/dh2048.pem smtpd_tls_dh512_param_file = ${config_directory}/ssl_certs/dh512.pem smtpd_tls_eecdh_grade = strong smtpd_tls_key_file = ${config_directory}/ssl_certs/X_workremote_eu.key smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_protocols = TLSv1.2,!TLSv1.1, !TLSv1, !SSLv2, !SSLv3 smtpd_tls_security_level = encrypt smtputf8_enable = no tls_eecdh_strong_curve = prime256v1 tls_preempt_cipherlist = yes unknown_local_recipient_reject_code = 550