> That's a permission error. Somewhere in your directory hierarchy things
> are off. See Postfix' set-permissions command.

But surely if Dovecot is starting as root then directory permissions are relevant, especially if I'm then asking the config to chmod the file anyway?

To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later, is it?
> On 11 October 2018 at 15:02 Laura Smith <n5d9xq3ti233xiyif2vp at protonmail.ch> wrote:
>
> > That's a permission error. Somewhere in your directory hierarchy things
> > are off. See Postfix' set-permissions command.
>
> But surely if Dovecot is starting as root then directory permissions are relevant, especially if I'm then asking the config to chmod the file anyway?
>
> To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later, is it?

You should probably check a few things:

1. check dmesg or /var/log/audit/audit.log for any possible security framework problems
2. check namei -vl /var/spool/postfix-authrelay/private/dovecot-auth for anything strange
3. there is *some* reason the socket is not bound into, dovecot creates these sockets as root.

Aki
On 11.10.18 14:02, Laura Smith wrote:
> To me, it seems dovecot is not behaving correctly, because if it is
> not using root to access the directory then it is not going to be able
> to chmod the socket later, is it?

I use the following on several Dovecot-plus-Postfix servers, and they all work fine:

# /etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/dovecot-auth {
  user = postfix
  group = postfix
  mode = 0660
}

# /etc/postfix/master.cf
# Remove line breaks on the value-side, I only added them for readability!
submission inet n - n - - smtpd
  -o relay_clientcerts=${indexed}relay_clientcerts
  -o smtpd_sender_login_maps=${indexed}submission_login_maps
  -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,
     permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,
     permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_tls_clientcerts,
     reject_sender_login_mismatch,
     permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_path=private/dovecot-auth
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=may
  -o syslog_name=postfix/submission
[...]

Note that this configuration only allows authentication via port 587 (submission), not port 25 (smtp). By convention, that's how it should be. Also, I allow authentication using either SASL or client-side SSL certificates, so you could remove all *cert* settings. If you don't use sender login maps, remove those settings as well.

-Ralph
On Thursday, October 11, 2018 1:29 PM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

> > On 11 October 2018 at 15:02 Laura Smith <n5d9xq3ti233xiyif2vp at protonmail.ch> wrote:
> >
> > > That's a permission error. Somewhere in your directory hierarchy things
> > > are off. See Postfix' set-permissions command.
> >
> > But surely if Dovecot is starting as root then directory permissions are relevant, especially if I'm then asking the config to chmod the file anyway?
> >
> > To me, it seems dovecot is not behaving correctly, because if it is not using root to access the directory then it is not going to be able to chmod the socket later, is it?
>
> You should probably check a few things:
>
> 1. check dmesg or /var/log/audit/audit.log for any possible security framework problems
> 2. check namei -vl /var/spool/postfix-authrelay/private/dovecot-auth for anything strange
> 3. there is some reason the socket is not bound into, dovecot creates these sockets as root.
>
> Aki

Thanks. It ended up being an AppArmor issue. That's now fixed and the socket gets created.

However, the first part of my problem described earlier still exists, namely:

2018-10-11T15:58:41.230340+01:00 X postfix-authrelay/smtpd[21297]: warning: X.example.com[X]: SASL PLAIN authentication failed:

I was hoping going via the socket instead of TCP might fix it, but apparently not. ;-(
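A small POSIX shell helper, added here as an example and not code from the thread, from Dovecot or from Postfix, that automates the first two checks in Aki's list and shows why the AppArmor outcome fits them: it walks the socket path the way namei -vl does, judging each directory for the account that actually has to traverse it (Postfix's smtpd connects as postfix, while Dovecot creates the socket as root, for which directory modes are not the obstacle), and it greps a kernel or audit log for AppArmor/SELinux denials that name the socket. The socket path is the one from the thread; the directory tree, the account names nobody/nogroup and the log lines are constructed samples, the latter modelled on AppArmor's audit line format rather than captured from a real system.

```shell
#!/bin/sh
# Added example: automates two of the checks from the thread (dmesg/audit log,
# namei -vl).  Not code from the thread, Dovecot or Postfix.  The socket path is
# the thread's; the directory tree and log lines below are constructed samples.

# walk_path PATH: print mode, owner, group and name of each path component,
# roughly what `namei -vl PATH` shows, flagging components that do not exist.
walk_path() {
    acc=""
    oldifs=$IFS; IFS=/; set -- $1; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        if [ -e "$acc" ]; then
            ls -ld "$acc" | awk -v p="$acc" '{print $1, $3, $4, p}'
        else
            echo "MISSING $acc"
        fi
    done
}

# first_blocked_dir USER GROUP PATH: print the first directory on the way to
# PATH that USER (primary group GROUP) cannot traverse, judged from the owner,
# group and the matching execute bit of `ls -ld`.  Returns 1 and prints nothing
# if every directory is traversable.  Postfix's smtpd connects as "postfix",
# so that is the account to check; Dovecot creates the socket as root.
first_blocked_dir() {
    user=$1; group=$2
    acc=""
    oldifs=$IFS; IFS=/; set -- $3; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        [ -d "$acc" ] || break            # reached the socket (or a missing part)
        info=$(ls -ld "$acc")
        mode=$(echo "$info" | awk '{print $1}')
        owner=$(echo "$info" | awk '{print $3}')
        grp=$(echo "$info" | awk '{print $4}')
        if [ "$owner" = "$user" ]; then bit=$(echo "$mode" | cut -c4)
        elif [ "$grp" = "$group" ]; then bit=$(echo "$mode" | cut -c7)
        else bit=$(echo "$mode" | cut -c10); fi
        case $bit in
            x|s|t) ;;                     # execute (traverse) bit present
            *) echo "$acc"; return 0 ;;
        esac
    done
    return 1
}

# find_denials LOG SOCKET: print AppArmor ("DENIED") or SELinux ("avc: denied")
# lines in LOG that mention SOCKET.  Exit status 1 means none were found.
find_denials() {
    grep -E 'apparmor="DENIED"|avc: +denied' "$1" | grep -F -- "$2"
}

# write_sample_log FILE: constructed lines modelled on AppArmor's audit format
# (not captured from a real system).  fsuid=0 on the denied line is the point:
# the process was root, and the MAC policy, not the directory mode, refused it.
write_sample_log() {
    cat > "$1" <<'EOF'
[ 1234.5678] audit: type=1400 audit(1539270000.000:42): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dovecot" name="/var/spool/postfix-authrelay/private/dovecot-auth" pid=4242 comm="dovecot" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 1234.5690] audit: type=1400 audit(1539270000.001:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" pid=4242 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Demo on a throwaway tree: a 0700 "private" directory that its owner can
# traverse but the constructed account "nobody" cannot, plus the sample log.
demo() {
    tmp=$(mktemp -d) && chmod 755 "$tmp"
    mkdir -p "$tmp/spool/private" && chmod 700 "$tmp/spool/private"
    sock="$tmp/spool/private/dovecot-auth"
    walk_path "$sock"
    first_blocked_dir nobody nogroup "$sock" || echo "path traversable for nobody"
    write_sample_log "$tmp/dmesg.txt"
    find_denials "$tmp/dmesg.txt" /var/spool/postfix-authrelay/private/dovecot-auth
    rm -rf "$tmp"
}
demo
```

On a real host you would call first_blocked_dir with postfix and its primary group against the socket path from the thread, and point find_denials at the output of dmesg or at /var/log/audit/audit.log; a hit from find_denials with fsuid=0 while first_blocked_dir is silent is exactly the pattern in which a root-owned daemon is stopped by AppArmor or SELinux rather than by file permissions.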