2

The following log lines come from my current maillog:

Apr 24 17:44:48 h2290750 dovecot: auth: Error: pgsql: Connect failed to mail: could not connect to server: Permission denied
Apr 24 17:44:48 h2290750 dovecot: auth: Error: #011Is the server running on host "localhost" (::1) and accepting
Apr 24 17:44:48 h2290750 dovecot: auth: Error: #011TCP/IP connections on port 5432?
Apr 24 17:44:48 h2290750 dovecot: auth: Error: could not connect to server: Permission denied
Apr 24 17:44:48 h2290750 dovecot: auth: Error: #011Is the server running on host "localhost" (127.0.0.1) and accepting
Apr 24 17:44:48 h2290750 dovecot: auth: Error: #011TCP/IP connections on port 5432?

I checked that the postgresql server is listening on port 5432. And my pg_hba.conf looks like this.

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# Mail stuff
host    mail            mailreader      127.0.0.1/32            md5
host    mail            mailreader      ::1/128                 md5
# "local" is for Unix domain socket connections only
local   all             all                                     md5
# IPv4 local connections:
host    all             all             127.0.0.1/32            ident
# IPv6 local connections:
host    all             all             ::1/128                 ident
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     postgres                                peer
#host    replication     postgres        127.0.0.1/32            ident
#host    replication     postgres        ::1/128                 ident

The connection configuration of my dovecot-sql.conf:

driver = pgsql
connect = host=localhost dbname=mail user=mailreader password=secret
default_pass_scheme = SHA512
password_query = SELECT email as user, password, 'maildir:/home/mail'||maildir as userdb_mail FROM users WHERE email = '%u'

Any suggestions? Maybe I need to hash the secret, so that dovecot pushes an md5-hashed password to pgsql?

Edit: psql -U mailreader -d mail leaves me with a SQL prompt within database mail

Coxer

3 Answers

3

Connect failed to mail: could not connect to server: Permission denied Is the server running on host "localhost" (::1) and accepting

was actually hinting at a SELinux problem. After examining the audit.log I found the following line appearing repeatedly.

type=AVC msg=audit(1398759363.514:635): avc: denied { open } for pid=12779 comm="auth" name="auth-token-secret.dat.tmp" dev=md1 ino=11927980 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=file

After having installed the policy core utils using this command:

yum install policycoreutils-python

I was able to create an exception for SELinux with the audit2allow command:

grep auth_t /var/log/audit/audit.log | audit2allow -M postgreylocal

Thereafter the exception can be loaded into SELinux using:

semodule -i postgreylocal.pp

And that's it. Running like a charm.

Coxer
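
The step above pipes every audit line matching `auth_t` into audit2allow, which turns each denial it finds into an allow rule. As an added example (not part of the answer above), the following POSIX shell script summarises the AVC denials for one exact source domain, de-duplicated, so you can see what rules a generated module would contain before loading it. The audit lines it runs on are constructed for the example: the first is the denial quoted in the answer, the rest (a duplicate and a denial from an unrelated `httpd_t` domain) are made up.

```shell
#!/bin/sh
# Added example, not part of the original answer. Summarise the SELinux AVC
# denials logged for one source domain before handing them to audit2allow,
# so the allow rules a generated module will contain can be reviewed first.
# Each output line is: source_type target_type class permission[,permission...]
#
# Usage: avc_summary /var/log/audit/audit.log dovecot_auth_t

avc_summary() {
    awk -v domain="$2" '
        /avc: *denied/ {
            perms = ""; stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                # permissions are listed between braces: "{ open write }"
                if ($i == "{")
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perms = (perms == "" ? $j : perms "," $j)
                split($i, kv, "=")
                # the type is the third field of user:role:type:level
                if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            # filter on the exact source type, not on a substring of the line
            if (stype == domain) print stype, ttype, tclass, perms
        }' "$1" | sort -u
}

# Write a constructed sample audit log to "$1". The first line is the denial
# quoted in the answer; the others are made up for this example, including a
# duplicate and a denial from an unrelated domain (httpd_t).
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1398759363.514:635): avc: denied { open } for pid=12779 comm="auth" name="auth-token-secret.dat.tmp" dev=md1 ino=11927980 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=file
type=AVC msg=audit(1398759364.001:636): avc:  denied  { name_connect } for  pid=12779 comm="auth" dest=5432 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1398759364.002:637): avc:  denied  { name_connect } for  pid=12779 comm="auth" dest=5432 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1398759370.120:640): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
EOF
}

# Stand-alone demo: only the two distinct dovecot_auth_t denials are printed.
demo_log=$(mktemp)
write_sample_log "$demo_log"
avc_summary "$demo_log" dovecot_auth_t
rm -f "$demo_log"
```

Run against the real `/var/log/audit/audit.log` the function gives one line per distinct (target type, class, permission) the domain was denied; anything there that is not about reaching PostgreSQL is worth understanding before it becomes an allow rule.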
0

From the looks of it, your user for postgres, mailreader, doesn't have access to the postgres database mail.

Once you fix that, it will start to work for you.

Kelly John Rose
  • `psql -U mailreader -d mail` leaves me with a sql prompt. From that I thought the access was configured correctly. – Coxer Apr 24 '14 at 17:07
0

This part of the message:

Connect failed to mail: could not connect to server: Permission denied
Is the server running on host "localhost" (::1) and accepting

hints at a SELinux permission problem. That's when SELinux forbids initiating a TCP connection from your dovecot process.

See SELinux won't let dovecot connect to postgresql on fedora-selinux-list for a sample policy that is reported to work.

The gist of it seems to be:

module dovecotauthfixes 1.0;

require {
       type dovecot_auth_t;
       type postgresql_port_t;
       type postgresql_tmp_t;
       type postgresql_t;
       class sock_file write;
       class tcp_socket name_connect;
       class unix_stream_socket connectto;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

Daniel Vérité
  • Your guess with SELinux was correct but I will post the whole solution separately, since I'd like to document all steps I took. – Coxer Apr 29 '14 at 13:47
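
The module above grants dovecot_auth_t exactly three things, all of them about reaching PostgreSQL. A module produced by audit2allow from a broad grep can contain more than that, so it pays to check the .te source against the target types you expect before `semodule -i`. The following POSIX shell script is an added example, not part of the answer or of any project: it prints every `allow` rule whose source domain or target type is outside a given list. The .te it runs on is constructed for the example: the module quoted above plus one extra rule (read on `shadow_t`) made up to show what an unreviewed module could contain.

```shell
#!/bin/sh
# Added example, not part of the original answer. Before loading a policy
# module with semodule -i, list the allow rules in its .te source whose source
# domain or target type is not in the set you expected, so a module generated
# from a broad grep of audit.log cannot silently grant more than intended.
#
# Usage: te_unexpected_rules module.te SOURCE_TYPE TARGET_TYPE...

te_unexpected_rules() {
    te="$1"; src="$2"; shift 2
    awk -v src="$src" -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "allow" {
            split($3, t, ":")          # $3 is "target_type:class"
            if ($2 != src || !(t[1] in ok)) print
        }' "$te"
}

# Write a constructed .te to "$1": the module from the answer plus one extra
# rule, made up for this example, of the kind an over-broad audit2allow run
# could pick up (read access to shadow_t, the label of /etc/shadow).
write_sample_te() {
    cat > "$1" <<'EOF'
module dovecotauthfixes 1.0;

require {
       type dovecot_auth_t;
       type postgresql_port_t;
       type postgresql_tmp_t;
       type postgresql_t;
       type shadow_t;
       class sock_file write;
       class tcp_socket name_connect;
       class unix_stream_socket connectto;
       class file read;
}

allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;
allow dovecot_auth_t shadow_t:file read;
EOF
}

# Stand-alone demo: only the shadow_t rule is reported.
demo_te=$(mktemp)
write_sample_te "$demo_te"
te_unexpected_rules "$demo_te" dovecot_auth_t postgresql_port_t postgresql_t postgresql_tmp_t
rm -f "$demo_te"
```

An empty result means every rule in the module stays within the domain and target types you named; anything printed should be removed from the .te (and the module rebuilt) or justified before loading.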