2

On my way to setup a mail server with Postfix and Dovecot on Ubuntu, I can now send mails to other domains. However, I cannot receive from others. In the logs it reads

Jun 14 09:34:35 postfix/smtpd[27426]: connect from mail-wg0-f44.google.com[74.125.82.44]
Jun 14 09:34:35 postfix/smtpd[27426]: warning: SASL: Connect to private/auth failed: Permission denied
Jun 14 09:34:35 postfix/smtpd[27426]: fatal: no SASL authentication mechanisms
Jun 14 09:34:36 postfix/master[18697]: warning: process /usr/lib/postfix/smtpd pid 27426 exit status 1
Jun 14 09:34:36 postfix/master[18697]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

I have no clue where I have a mistake in my configuration. The file auth exists as follows:

srw-rw---- 1 vmail vmail 0 Jun 14 08:51 /var/spool/postfix/private/auth

Here is the output of postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
inet_interfaces = all
mailbox_size_limit = 0
mydestination = $myhostname, localhost, localhost.$mydomain
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_recipient_domain reject_unknown_sender_domain permit_mynetworks reject_sender_login_mismatch reject_unauth_destination check_recipient_access hash:/etc/postfix/roleaccount_exceptions reject_multi_recipient_bounce reject_non_fqdn_helo_hostname reject_invalid_helo_hostname check_helo_access pcre:/etc/postfix/helo_checks check_sender_mx_access cidr:/etc/postfix/bogus_mx permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = proxy:ldap:/etc/postfix/virtual_aliases.cf
virtual_gid_maps = static:10000
virtual_mailbox_domains = $mydomain
virtual_transport = dovecot
virtual_uid_maps = static:10000

and the one of dovecot -n

# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-042stab106.6 x86_64 Ubuntu 14.04.2 LTS ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
mail_location = maildir:/srv/mail/%n
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener auth-master {
    mode = 0600
    user = vmail
  }
}
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lda {
  postmaster_address = postmaster@example.com
}

Any hint is greatly appreciated. Thanks for your help in advance.

Andreas Hahne
  • 35
  • 5

1 Answers1

3

Your postfix haven't access to the auth-daemon socket because of different uid and strict permissions. The easiest way is to change permissions to the 666 (rw-rw-rw-) and check whether the auth become fixed. Then you have to deal with process UIDs/users to restrict auth to only mail software. 

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = vmail
    mode = 0666
#   mode = 0660
    user = vmail
  }
  unix_listener auth-master {
    mode = 0666
#   mode = 0600
    user = vmail
  }
}
sebix
  • 4,313
  • 2
  • 29
  • 47
Kondybas
  • 6,964
  • 2
  • 20
  • 24
  • Thanks for your answer. So, it is the postfix user who needs write access to this file? – Andreas Hahne Jun 14 '15 at 08:42
  • If I had read my book properly, I would have seen that the `postfix` user is used here instead of the `vmail` user. I.e., I changed the user and group, and left the rights as posted. Nevertheless thanks to pointing me to this mistake. – Andreas Hahne Jun 14 '15 at 08:54
  • Both `postfix` and `dovecot` should have an access to the auth-daemon. So you have launch them under single uid with strict permissions or, alternatively, under different uids with weak permissions. As far as auth-socket is not visible from outside the host, you can make it rw-able to all without any problem. – Kondybas Jun 14 '15 at 09:10
  • World-read-write access? Any program at the host, unprivileged users can use that socket. – sebix Jun 14 '15 at 20:46
  • @sebix How many system users do you have on the host in general? How many programs has been installed without root control? – Kondybas Jun 15 '15 at 03:46
  • 1
    @Kondybas In general you can not assume that no other programs and users are on a server. Possibly the server is only dedicated for mail services, but also then it is safer to not do it this way, to reduce damage in case of compromising. – sebix Jun 15 '15 at 08:42
  • 1
    @sebix World-wide offered http/smtp/imap services are way more vulnerable than host-bounded service via FS-socket. For god sake why I have to be worried about local service more than about public ones? – Kondybas Jun 15 '15 at 10:40
  • Traffic on public services is monitored by services like fail2ban to ban bots. This is not the case for local services. – sebix Jul 14 '15 at 20:33