-1

I've set up a small mail server with Postfix, Dovecot, and MySQL (MariaDB) on Debian. I've also configured TLS with Let's Encrypt. rDNS, DMARC, DKIM, SPF and Fail2Ban are also set up and confirmed to work.

My DMARC record looks like this:

v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;rua=mailto:report@[example].com;fo=1

The issue is that the rua=mailto:report@example.com, which should sporadically send reports to an e-mail address on the same mail server, does not work.

/var/log/mail.log reports:

Jan 18 14:47:05 [hostname] postfix/sendmail[20682]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 18 14:47:05 [hostname] postfix/pipe[20681]: 553A01F977: to=<report@[example].net>, relay=spamassassin, delay=9533, delays=9533/0.01/0/0.3, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )

The permissions on /etc/postfix/main.cf are:

-rwxr-x--- 1 root root 3968 Jan 18 08:36 /etc/postfix/main.cf

What kind of permissions does sendmail need to be able to successfully work? Or is this issue maybe related to something else?

I can post configuration files, if needed, but wanted to keep this concise.


Update - 2022-01-26

Unfortunately, the same permission problem still persists, even after changing the permissions of /etc/postfix/main.cf to 754.

Here's an extended excerpt from /var/log/mail.log from this morning, in case that helps to debug this further:

Jan 26 06:17:48 [hostname] postfix/qmgr[18018]: BBF611E00B: from=<noreply-dmarc-support@google.com>, size=3516, nrcpt=1 (queue active)
Jan 26 06:17:48 [hostname] postfix/sendmail[23302]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 26 06:17:48 [hostname] postfix/pipe[23301]: BBF611E00B: to=<report@[example].net>, relay=spamassassin, delay=148779, delays=148779/0.01/0/0.33, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Jan 26 06:27:48 [hostname] postfix/qmgr[18018]: 581341F9AA: from=<noreply-dmarc-support@google.com>, size=3516, nrcpt=1 (queue active)
Jan 26 06:27:48 [hostname] postfix/sendmail[23436]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 26 06:27:48 [hostname] postfix/pipe[23435]: 581341F9AA: to=<report@[example].net>, relay=spamassassin, delay=148788, delays=148788/0.01/0/0.14, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Jan 26 06:38:20 [hostname] postfix/pickup[23498]: 891351FEEF: uid=0 from=<root>
Jan 26 06:38:20 [hostname] postfix/cleanup[23537]: 891351FEEF: message-id=<20230126053820.891351FEEF@[hostname].[example].net>
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 891351FEEF: from=<root@[example].net>, size=150485, nrcpt=1 (queue active)
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Connect from local
Jan 26 06:38:20 [hostname] postfix/lmtp[23544]: 891351FEEF: to=<root@[example].net>, orig_to=<root>, relay=[hostname].[example].net[private/dovecot-lmtp], delay=0.09, delays=0.05/0.01/0.01/0.02, dsn=5.1.1, status=bounced (host [hostname].[example].net[private/dovecot-lmtp] said: 550 5.1.1 <root@[example].net> User doesn't exist: root@[example].net (in reply to RCPT TO command))
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Disconnect from local: Client has quit the connection (state=READY)
Jan 26 06:38:20 [hostname] postfix/cleanup[23537]: 9C4C31FEF2: message-id=<20230126053820.9C4C31FEF2@[hostname].[example].net>
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 9C4C31FEF2: from=<>, size=3330, nrcpt=1 (queue active)
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Connect from local
Jan 26 06:38:20 [hostname] postfix/bounce[23549]: 891351FEEF: sender non-delivery notification: 9C4C31FEF2
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 891351FEEF: removed
Jan 26 06:38:20 [hostname] postfix/lmtp[23544]: 9C4C31FEF2: to=<root@[example].net>, relay=[hostname].[example].net[private/dovecot-lmtp], delay=0.01, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (host [hostname].[example].net[private/dovecot-lmtp] said: 550 5.1.1 <root@[example].net> User doesn't exist: root@[example].net (in reply to RCPT TO command))
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Disconnect from local: Client has quit the connection (state=READY)
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 9C4C31FEF2: removed

It should be noted that the user that runs sendmail seems to be root. Running ps aux | grep sendmail, as suggested below, returns:

root     24694  0.0  0.0   6044   888 pts/0    S+   10:40   0:00 grep sendmail

Here are some permissions from /var/spool/postfix:

drwx------ 2 postfix  root     4096 Jan 26 09:27 active
drwx------ 2 postfix  root     4096 Jan 26 06:38 bounce
drwx------ 2 postfix  root     4096 Jan 11 13:59 corrupt
drwx------ 7 postfix  root     4096 Jan 24 12:58 defer
drwx------ 7 postfix  root     4096 Jan 24 12:58 deferred
drwxr-xr-x 2 root     root     4096 Jan 16 11:09 dev
drwxr-xr-x 3 root     root     4096 Jan 18 08:37 etc
drwx------ 2 postfix  root     4096 Jan 11 13:59 flush
drwx------ 2 postfix  root     4096 Jan 11 13:59 hold
drwx------ 2 postfix  root     4096 Jan 26 06:38 incoming
drwxr-xr-x 3 root     root     4096 Jan 11 13:59 lib
drwx-wx--T 2 postfix  postdrop 4096 Jan 26 06:38 maildrop
drwxr-xr-x 2 opendkim postfix  4096 Jan 16 11:37 opendkim
drwxr-xr-x 2 root     root     4096 Jan 16 08:57 pid
drwx------ 2 postfix  root     4096 Jan 18 08:37 private
drwx--s--- 2 postfix  postdrop 4096 Jan 18 08:37 public
drwx------ 2 postfix  root     4096 Jan 11 13:59 saved
drwx------ 2 postfix  root     4096 Jan 11 13:59 trace
drwxr-xr-x 3 root     root     4096 Jan 11 13:59 usr

Here's the addendum with the permission information from /etc/postfix:

drwxr-xr-x  23 root  wheel   736B Dec  2 09:43 ./
drwxr-xr-x  80 root  wheel   2.5K Jan 17 13:17 ../
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 LICENSE
-rw-r--r--   1 root  wheel   1.6K Dec  2 09:43 TLS_LICENSE
-rw-r--r--   1 root  wheel    21K Dec  2 09:43 access
-rw-r--r--   1 root  wheel   9.8K Dec  2 09:43 aliases
-rw-r--r--   1 root  wheel   3.5K Dec  2 09:43 bounce.cf.default
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 canonical
-rw-r--r--   1 root  wheel    44B Dec  2 09:43 custom_header_checks
-rw-r--r--   1 root  wheel    10K Dec  2 09:43 generic
-rw-r--r--   1 root  wheel    23K Dec  2 09:43 header_checks
-rw-r--r--   1 root  wheel    27K Dec  2 09:43 main.cf
-rw-r--r--   1 root  wheel    27K Dec  2 09:43 main.cf.default
-rw-r--r--   1 root  wheel    26K Dec  2 09:43 main.cf.proto
-rw-r--r--   1 root  wheel   6.0K Dec  2 09:43 makedefs.out
-rw-r--r--   1 root  wheel   7.3K Dec  2 09:43 master.cf
-rw-r--r--   1 root  wheel   7.3K Dec  2 09:43 master.cf.default
-rw-r--r--   1 root  wheel   6.1K Dec  2 09:43 master.cf.proto
-rw-r--r--   1 root  wheel    20K Dec  2 09:43 postfix-files
drwxr-xr-x   2 root  wheel    64B Dec  2 09:43 postfix-files.d/
-rw-r--r--   1 root  wheel   6.8K Dec  2 09:43 relocated
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 transport
-rw-r--r--   1 root  wheel    13K Dec  2 09:43 virtual
St4rb0y

2 Answers

1

The error message "fatal: open /etc/postfix/main.cf: Permission denied" suggests that the user that the sendmail process is running as does not have sufficient permissions to read the Postfix configuration file.

The permissions on /etc/postfix/main.cf are set to -rwxr-x---, which means that the owner (root) has read, write and execute permissions, but the group and other users do not have execute permissions.

It's likely that the user that the sendmail process is running as is not in the root group and therefore does not have execute permissions on the configuration file. You can try adding execute permissions to the group or other users by running the following command:

sudo chmod 754 /etc/postfix/main.cf

This will give read, write, and execute permissions to the owner, read and execute permissions to the group, and read permissions to other users.

It's also important to note that the sendmail process is most likely running under a different user than root, so you should also check the permissions on the /var/spool/postfix directory and subdirectories to make sure the sendmail user has permission to write to the queue directory.

If you don't know the user that the sendmail process is running as, you can use the command "ps aux | grep sendmail" to find it.

It's also possible that this issue is related to something else and you may want to check for any other errors in the mail.log that might give you more insight into what's causing the problem.

Raja Gopal
  • 2
    Why `754`? It is not an executable. `644` would be more appropriate. – Esa Jokinen Jan 25 '23 at 07:01
  • @Raja Gopal Thanks for your extensive reply. The user running `sendmail` seems to be **root**. I've updated my above question with more data, if you want to take a look. – St4rb0y Jan 26 '23 at 09:47
  • 1
    The user is most certainly not root. The remaining problem is most probably the permissions of the /etc/postfix directory. We won't know unless you provide the information about the permissions, which has been requested repeatedly. – Gerald Schneider Jan 26 '23 at 13:47
  • @GeraldSchneider I may have misinterpreted the output of `ps aux | grep sendmail`. You can inspect that above. I've also added the permission information for the */etc/postfix* directory. – St4rb0y Jan 26 '23 at 16:38
0

postfix does not run as the root user, yet you have set the permissions of the config file for root only.

chmod o+r /etc/postfix/main.cf

And of course the other postfix config files.

Gerald Schneider
  • Unfortunately that didn't resolve my issue. I still get a `Jan 19 05:47:09 [hostname] postfix/sendmail[25773]: fatal: open /etc/postfix/main.cf: Permission denied` error. The file permissions are now reported as: `-rwxr-xr-- 1 root root 3968 Jan 18 08:36 /etc/postfix/main.cf` – St4rb0y Jan 19 '23 at 06:57
  • 2
    What are the permissions for `/etc/postfix`? – Ginnungagap Jan 22 '23 at 18:26
  • @Ginnungagap, most files are reported as `-rw-r--r-- 1 root root`, except **main.cf**. – St4rb0y Jan 23 '23 at 13:37
  • Please post the output of `ls -alhF /etc/postfix`. – Paul Jan 26 '23 at 13:03
  • @Paul I've appended the requested information to my answer. – St4rb0y Jan 26 '23 at 16:39
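
The check the comments above keep asking for (the permissions of the `/etc/postfix` directory as well as of `main.cf`), as an added example that is not part of the original thread: a script that walks every path component and reports the first one an unrelated, unprivileged user cannot traverse or read. The function names `other_bits` and `first_blocked` are hypothetical, GNU `stat` is assumed, and only the "other" permission class is examined.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as shipped on Debian.
# Looks only at the "other" permission class: ownership, group membership,
# ACLs and MAC policy (AppArmor/SELinux) are not evaluated.

# other_bits PATH: print the "other" permission digit (0-7) of PATH,
# following symlinks so the result matches the -d test below.
other_bits() {
    mode=$(stat -L -c '%a' -- "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# first_blocked TARGET [BASE]: walk each component below BASE (default /)
# down to TARGET. Directories need o+x to be traversed, the final file
# needs o+r to be read. Prints the first blocking component, or "ok".
first_blocked() {
    target=$1
    base=${2:-/}
    base=${base%/}
    rel=${target#"$base"/}
    cur=$base
    while [ -n "$rel" ]; do
        part=${rel%%/*}
        case $rel in
            */*) rel=${rel#*/} ;;
            *)   rel= ;;
        esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        bits=$(other_bits "$cur") || { echo "stat-failed:$cur"; return 2; }
        if [ -d "$cur" ]; then
            [ $((bits & 1)) -ne 0 ] || { echo "no-traverse:$cur"; return 1; }
        else
            [ $((bits & 4)) -ne 0 ] || { echo "no-read:$cur"; return 1; }
        fi
    done
    echo ok
}

# Usage: sh check.sh /etc/postfix/main.cf
if [ "$#" -gt 0 ]; then
    first_blocked "$@"
fi
```

A result of `ok` while the error persists means the denial does not come from the "other" permission bits on the path, so the classes the script skips (ownership, ACLs, MAC policy) are the next thing to inspect.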