Hi,
I am trying to create an authenticated relay server using Postfix and Dovecot.
However I am having two problems :
(a) If I create a dovecot config entry as follows :
unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
group = postfix
mode = 0666
user = postfix
}
Dovecot is unable to create the socket. I thought that if Dovecot is started
as root, it would create the socket before dropping privileges?
(b) The alternative method of TCP SASL is not working either:
250 DSN
ehlo localhost
250-foobar.example.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN <none_of_your_business>
535 5.7.8 Error: authentication failed:
and in the logs...
2018-10-11T10:17:40.491483+01:00 X postfix-authrelay/smtpd[18312]: warning:
X[X]: SASL PLAIN authentication failed:
####
#### postconf
####
>postconf -a
cyrus
dovecot
> postconf -c /etc/postfix-authrelay | fgrep sasl
broken_sasl_auth_clients = no
cyrus_sasl_config_path =
lmtp_sasl_auth_cache_name =
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
$smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps
$lmtp_generic_maps $alias_maps $smtpd_client_restrictions
$smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions
$smtpd_recipient_restrictions
$address_verify_sender_dependent_default_transport_maps
$address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps
$fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps
$lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps
$mailbox_command_maps $mailbox_transport_maps
$postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps
$sender_dependent_default_transport_maps $sender_dependent_relayhost_maps
$smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps
$smtp_sasl_password_maps $smtp_tls_policy_maps
$smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps
$virtual_uid_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
$address_verify_map $postscreen_cache_map
send_cyrus_sasl_authzid = no
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtp
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
####
#### DOVECONF
####
> doveconf -n
# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.1 (d9bc6dfe)
# OS: Linux 4.12.14-lp150.12.19-default x86_64
# Hostname: test.example.com
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
inet_listener {
address = 127.0.0.1
port = 7425
}
inet_listener {
address = ::1
port = 7425
}
# If I disable this, dovecot loads fine, but the tcp auth is unusable ?
# If I enable this, dovecot is unable to create the socket ?
# unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
# group = postfix
# mode = 0666
# user = postfix
# }
}
ssl = no
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
driver = passwd
}
On 11.10.18 11:30, Laura Smith wrote:
> unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
> group = postfix
> mode = 0666
> user = postfix
> }

I suggest using "mode = 0660" instead. [Note: with user and group both set to postfix, 0660 limits the auth socket to Postfix, whereas 0666 leaves the socket itself open to every local account that can reach the path.]

> Dovecot is unable to create the socket ?

What exactly do the logs show?

> postconf -c /etc/postfix-authrelay | fgrep sasl

As described in http://www.postfix.org/DEBUG_README.html please use "postconf -n".

-Ralph
On Thursday, October 11, 2018 12:07 PM, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:
> On 11.10.18 11:30, Laura Smith wrote:
>
> > unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
> > group = postfix
> > mode = 0666
> > user = postfix
> > }
>
> I suggest using "mode = 0660" instead.

Makes no difference.

> > Dovecot is unable to create the socket ?
>
> What exactly do the logs show?

Erm, they show exactly what I posted earlier ?

2018-10-11T12:14:15.467791+01:00 X dovecot: master: Error: bind(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
2018-10-11T12:14:15.468094+01:00 X dovecot: master: Error: service(auth): net_listen_unix(/var/spool/postfix-authrelay/private/dovecot-auth) failed: Permission denied
2018-10-11T12:14:15.468216+01:00 X dovecot: master: Fatal: Failed to start listeners

> > postconf -c /etc/postfix-authrelay | fgrep sasl
>
> As described in http://www.postfix.org/DEBUG_README.html please use
> "postconf -n".

alias_database =
alias_maps =
append_dot_mydomain = no
authorized_submit_users =
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix-authrelay
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix-authrelay
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = 198.51.100.168
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_default_action = accept
milter_mail_macros = i {mail_addr} {daemon_addr} {client_name} {auth_authen}
milter_protocol = 2
multi_instance_enable = yes
multi_instance_name = postfix-authrelay
mydestination =
mydomain = example.com
myhostname = X.example.com
mynetworks = 127.0.0.0/8,192.168.107.0/24,192.168.109.0/24
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:8891
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix-authrelay
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains =
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 198.51.100.168
smtp_sasl_auth_enable = no
smtpd_banner = $myhostname ESMTP
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = ${config_directory}/ssl_certs/star_example_com.pem
smtpd_tls_dh1024_param_file = ${config_directory}/ssl_certs/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/ssl_certs/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = ${config_directory}/ssl_certs/X_workremote_eu.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2,!TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = encrypt
smtputf8_enable = no
tls_eecdh_strong_curve = prime256v1
tls_preempt_cipherlist = yes
unknown_local_recipient_reject_code = 550