Score:1

Postfix / OpenDKIM config on Centos8


I've set up Postfix with Dovecot as an integrated mail service for my SaaS app, and it worked great as an inbox. The issue started when I started to send emails: they were not signed, so I went ahead and installed OpenDKIM and configured it with Postfix. Emails going out are signed fine, no issues, but now I broke the inbound messages. I cannot for the life of me figure out where I went wrong.

maillog:
May 30 22:12:30 dotcom postfix/smtpd[20436]: connect from mail-pj1-f43.google.com[209.85.216.43]
May 30 22:12:30 dotcom postfix/smtpd[20436]: discarding EHLO keywords: CHUNKING
May 30 22:12:31 dotcom postfix/smtpd[20436]: warning: SASL: Connect to smtpd failed: No such file or directory
May 30 22:12:31 dotcom postfix/smtpd[20436]: fatal: no SASL authentication mechanisms
May 30 22:12:32 dotcom postfix/master[19904]: warning: process /usr/libexec/postfix/smtpd pid 20436 exit status 1
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 550
mailbox_size_limit = 0
maximal_backoff_time = 3h
milter_default_action = accept
minimal_backoff_time = 180s
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = dotsoft.co.za
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, 129.232.230.173
myorigin = $mydomain
non_fqdn_reject_code = 550
non_smtpd_milters = $smtpd_milters
readme_directory = no
recipient_delimiter = +
smtp_always_send_ehlo = yes
smtp_rcpt_timeout = 15s
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_limit = 40
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unlisted_recipient, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_timeout = 30s
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/dotcom.dotsoft.co.za/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/dotcom.dotsoft.co.za/privkey.pem
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

There is nothing in the dovecot log, which is weird. See below extract from dovecot -n:

# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-383.el8.x86_64 x86_64 CentOS Stream release 8 xfs
# Hostname: dotcom.dotsoft.co.za
auth_mechanisms = plain login
first_valid_uid = 1000
log_path = /var/log/dovecot.log
mail_location = maildir:/var/mail/vhosts/%d/%n/
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
postmaster_address = postmaster at dotcom.dotsoft.co.za
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/dotcom.dotsoft.co.za/fullchain.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
dovecot.service - Dovecot IMAP/POP3 email server Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled) Active: active (running) since Tue 2022-05-31 10:15:36 SAST; 8min ago Docs: man:dovecot(1)
There are only startup and stop logs, see below: "May 31 10:15:35 master: Warning: Killed with signal 15 (by pid=175907 uid=0 code=kill) May 31 10:15:36 master: Info: Dovecot v2.3.16 (7e2e900c1a) starting up for imap, pop3, lmtp (core dumps disabled)"
Score:0
anx

You have the common configuration for dovecot, putting the socket at /var/spool/postfix/private/auth.

Since your SASL provider is Dovecot (smtpd_sasl_type = dovecot), Postfix is looking for a socket file in its chroot directory. You have to specify a relative path. This would usually be smtpd_sasl_path=private/auth. But your configuration shows this as unchanged from default smtpd_sasl_path=smtpd, hence the error "Connect to smtpd failed". This could not have worked.

If that worked before, compare against backups, or check your main.cf file for deleted or mangled lines around the smtpd_sasl_* settings. If there was an obvious syntax error in your main.cf file, Postfix would print a warning on startup, so a restart might help pinpoint it.


Having auth-related problems disturb (non-authenticating) incoming mail could have been avoided if you had set smtpd_sasl_auth_enable=yes only for the services that need it, in master.cf, instead of globally in main.cf. Usually that would be below the service configurations for ports smtps or submission, as you will find in common configuration recommendations.

Changing unknown_hostname_reject_code and similar settings is explicitly advised against in Postfix documentation "unless you have a complete understanding of RFC 5321". Even if you do have a reason to change these for specific mail submissions, it is unlikely a good idea for receiving mail from the general internet.

Thank you so much!!!!!!!!!!!!!! I had an issue in my main.cf There were two lines that got merged into one: "milter_default_action = acceptsmtpd_sasl_path = private/auth " I merely added a line break, and it's working now. Can't believe I missed that for hours.....
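The answer's two checks (a dovecot-type smtpd_sasl_path that is still the default or absolute, and a global smtpd_sasl_auth_enable) plus the merged-line defect from the follow-up comment can be caught mechanically. The script below is an added example, not code from the thread or from Postfix; the main.cf text it scans is constructed to mirror the asker's merged line, and the "embedded parameter" test is a heuristic (a value containing an underscore-bearing token followed by "=").

```python
import re

# Constructed main.cf excerpt reproducing the merged line from the comment above.
SAMPLE_MAIN_CF = """\
milter_default_action = acceptsmtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_milters = inet:127.0.0.1:8891
"""

# A main.cf parameter line: name, '=', value. Postfix names are lower-case with underscores.
_PARAM = re.compile(r"^([a-z][a-z0-9_]*)\s*=\s*(.*)$")
# Heuristic for two lines run together: a value containing "<token_with_underscore> =".
_EMBEDDED = re.compile(r"([a-z0-9]*_[a-z0-9_]*)\s*=")


def parse_main_cf(text):
    """Parse main.cf into {param: value}; lines starting with whitespace continue the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:  # continuation line
            params[current] += " " + raw.strip()
            continue
        m = _PARAM.match(raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def audit_main_cf(text):
    """Return a list of findings about merged lines and the SASL settings discussed in the answer."""
    params = parse_main_cf(text)
    findings = []
    for name, value in params.items():
        m = _EMBEDDED.search(value)
        if m:
            findings.append(f"{name}: value looks like a merged line (embedded '{m.group(1)} ='); insert a newline before it")
    if params.get("smtpd_sasl_auth_enable") == "yes":
        findings.append("smtpd_sasl_auth_enable=yes is global; prefer -o overrides on submission/smtps in master.cf")
        if params.get("smtpd_sasl_type") == "dovecot":
            path = params.get("smtpd_sasl_path", "smtpd")  # 'smtpd' is the Postfix default
            if path == "smtpd" or path.startswith("/"):
                findings.append(f"smtpd_sasl_path={path!r}: dovecot SASL needs a path relative to the queue directory, e.g. private/auth")
    return findings


if __name__ == "__main__":
    for finding in audit_main_cf(SAMPLE_MAIN_CF):
        print(finding)
```

On the constructed excerpt the merged line hides smtpd_sasl_path entirely, so the audit reports both the merged line and the resulting default path of "smtpd", exactly the symptom in the maillog.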