Score:-1

DMARC rua unable to send reports via sendmail to local e-mail address?

pr flag

I've set up a small mail server with Postfix, Dovecot, and MySQL (MariaDB) on Debian. I've also configured TLS with Let's Encrypt. rDNS, DMARC, DKIM, SPF and Fail2Ban are also set up and confirmed to work.

My DMARC record looks like this:

v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;rua=mailto:report@[example].com;fo=1

The issue is that the rua=mailto:report@[example].com, which should sporadically send reports to an e-mail address on the same mail server, does not work.

/var/log/mail.log reports:

Jan 18 14:47:05 [hostname] postfix/sendmail[20682]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 18 14:47:05 [hostname] postfix/pipe[20681]: 553A01F977: to=<report@[example].net>, relay=spamassassin, delay=9533, delays=9533/0.01/0/0.3, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )

The permissions on /etc/postfix/main.cf are:

-rwxr-x--- 1 root root 3968 Jan 18 08:36 /etc/postfix/main.cf

What kind of permissions does sendmail need to be able to successfully work? Or is this issue maybe related to something else?

I can post configuration files, if needed, but wanted to keep this concise.


Update - 2022-01-26

Unfortunately, the same permission problem still persists, even after changing the permissions of /etc/postfix/main.cf to 754.

Here's an extended excerpt from /var/log/mail.log from this morning, in case that helps to debug this further:

Jan 26 06:17:48 [hostname] postfix/qmgr[18018]: BBF611E00B: from=<[email protected]>, size=3516, nrcpt=1 (queue active)
Jan 26 06:17:48 [hostname] postfix/sendmail[23302]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 26 06:17:48 [hostname] postfix/pipe[23301]: BBF611E00B: to=<report@[example].net>, relay=spamassassin, delay=148779, delays=148779/0.01/0/0.33, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Jan 26 06:27:48 [hostname] postfix/qmgr[18018]: 581341F9AA: from=<[email protected]>, size=3516, nrcpt=1 (queue active)
Jan 26 06:27:48 [hostname] postfix/sendmail[23436]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 26 06:27:48 [hostname] postfix/pipe[23435]: 581341F9AA: to=<report@[example].net>, relay=spamassassin, delay=148788, delays=148788/0.01/0/0.14, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Jan 26 06:38:20 [hostname] postfix/pickup[23498]: 891351FEEF: uid=0 from=<root>
Jan 26 06:38:20 [hostname] postfix/cleanup[23537]: 891351FEEF: message-id=<20230126053820.891351FEEF@[hostname].[example].net>
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 891351FEEF: from=<root@[example].net>, size=150485, nrcpt=1 (queue active)
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Connect from local
Jan 26 06:38:20 [hostname] postfix/lmtp[23544]: 891351FEEF: to=<root@[example].net>, orig_to=<root>, relay=[hostname].[example].net[private/dovecot-lmtp], delay=0.09, delays=0.05/0.01/0.01/0.02, dsn=5.1.1, status=bounced (host [hostname].[example].net[private/dovecot-lmtp] said: 550 5.1.1 <root@[example].net> User doesn't exist: root@[example].net (in reply to RCPT TO command))
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Disconnect from local: Client has quit the connection (state=READY)
Jan 26 06:38:20 [hostname] postfix/cleanup[23537]: 9C4C31FEF2: message-id=<20230126053820.9C4C31FEF2@[hostname].[example].net>
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 9C4C31FEF2: from=<>, size=3330, nrcpt=1 (queue active)
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Connect from local
Jan 26 06:38:20 [hostname] postfix/bounce[23549]: 891351FEEF: sender non-delivery notification: 9C4C31FEF2
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 891351FEEF: removed
Jan 26 06:38:20 [hostname] postfix/lmtp[23544]: 9C4C31FEF2: to=<root@[example].net>, relay=[hostname].[example].net[private/dovecot-lmtp], delay=0.01, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (host [hostname].[example].net[private/dovecot-lmtp] said: 550 5.1.1 <root@[example].net> User doesn't exist: root@[example].net (in reply to RCPT TO command))
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Disconnect from local: Client has quit the connection (state=READY)
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 9C4C31FEF2: removed

It should be noted that the user that runs sendmail seems to be root. Running ps aux | grep sendmail, as suggested below, returns:

root     24694  0.0  0.0   6044   888 pts/0    S+   10:40   0:00 grep sendmail

Here are some permissions from /var/spool/postfix:

drwx------ 2 postfix  root     4096 Jan 26 09:27 active
drwx------ 2 postfix  root     4096 Jan 26 06:38 bounce
drwx------ 2 postfix  root     4096 Jan 11 13:59 corrupt
drwx------ 7 postfix  root     4096 Jan 24 12:58 defer
drwx------ 7 postfix  root     4096 Jan 24 12:58 deferred
drwxr-xr-x 2 root     root     4096 Jan 16 11:09 dev
drwxr-xr-x 3 root     root     4096 Jan 18 08:37 etc
drwx------ 2 postfix  root     4096 Jan 11 13:59 flush
drwx------ 2 postfix  root     4096 Jan 11 13:59 hold
drwx------ 2 postfix  root     4096 Jan 26 06:38 incoming
drwxr-xr-x 3 root     root     4096 Jan 11 13:59 lib
drwx-wx--T 2 postfix  postdrop 4096 Jan 26 06:38 maildrop
drwxr-xr-x 2 opendkim postfix  4096 Jan 16 11:37 opendkim
drwxr-xr-x 2 root     root     4096 Jan 16 08:57 pid
drwx------ 2 postfix  root     4096 Jan 18 08:37 private
drwx--s--- 2 postfix  postdrop 4096 Jan 18 08:37 public
drwx------ 2 postfix  root     4096 Jan 11 13:59 saved
drwx------ 2 postfix  root     4096 Jan 11 13:59 trace
drwxr-xr-x 3 root     root     4096 Jan 11 13:59 usr

Here's the addendum with the permission information from /etc/postfix:

drwxr-xr-x  23 root  wheel   736B Dec  2 09:43 ./
drwxr-xr-x  80 root  wheel   2.5K Jan 17 13:17 ../
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 LICENSE
-rw-r--r--   1 root  wheel   1.6K Dec  2 09:43 TLS_LICENSE
-rw-r--r--   1 root  wheel    21K Dec  2 09:43 access
-rw-r--r--   1 root  wheel   9.8K Dec  2 09:43 aliases
-rw-r--r--   1 root  wheel   3.5K Dec  2 09:43 bounce.cf.default
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 canonical
-rw-r--r--   1 root  wheel    44B Dec  2 09:43 custom_header_checks
-rw-r--r--   1 root  wheel    10K Dec  2 09:43 generic
-rw-r--r--   1 root  wheel    23K Dec  2 09:43 header_checks
-rw-r--r--   1 root  wheel    27K Dec  2 09:43 main.cf
-rw-r--r--   1 root  wheel    27K Dec  2 09:43 main.cf.default
-rw-r--r--   1 root  wheel    26K Dec  2 09:43 main.cf.proto
-rw-r--r--   1 root  wheel   6.0K Dec  2 09:43 makedefs.out
-rw-r--r--   1 root  wheel   7.3K Dec  2 09:43 master.cf
-rw-r--r--   1 root  wheel   7.3K Dec  2 09:43 master.cf.default
-rw-r--r--   1 root  wheel   6.1K Dec  2 09:43 master.cf.proto
-rw-r--r--   1 root  wheel    20K Dec  2 09:43 postfix-files
drwxr-xr-x   2 root  wheel    64B Dec  2 09:43 postfix-files.d/
-rw-r--r--   1 root  wheel   6.8K Dec  2 09:43 relocated
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 transport
-rw-r--r--   1 root  wheel    13K Dec  2 09:43 virtual
in flag
Read permissions on the config file would be helpful.
St4rb0y avatar
pr flag
Thanks, how do I give those to sendmail? I don't think it's a user.
in flag
Please edit the output of `namei -l /etc/postfix/main.cf` into your question.
in flag
On your first file listing `main.cf` has around 4kb and is last changed Jan 18th. On the second listing it is suddenly 7k and changed Dec 2nd. That's quite a difference. Are these listings actually from the same server?
St4rb0y avatar
pr flag
@GeraldSchneider I guess 4kb was the default file and 27kb after I edited it.
Score:1
ph flag

The error message "fatal: open /etc/postfix/main.cf: Permission denied" suggests that the user that the sendmail process is running as does not have sufficient permissions to read the Postfix configuration file.

The permissions on /etc/postfix/main.cf are set to -rwxr-x--- , which means that the owner (root) has read, write and execute permissions, but the group and other users do not have execute permissions.

It's likely that the user that the sendmail process is running as is not in the root group and therefore does not have execute permissions on the configuration file. You can try adding execute permissions to the group or other users by running the following command:

sudo chmod 754 /etc/postfix/main.cf

This will give read, write, and execute permissions to the owner, read and execute permissions to the group, and read permissions to other users.

It's also important to note that the sendmail process is most likely running under a different user than root, so you should also check the permissions on the /var/spool/postfix directory and subdirectories to make sure the sendmail user has permission to write to the queue directory.

If you don't know the user that the sendmail process is running as, you can use the command "ps aux | grep sendmail" to find it.

It's also possible that this issue is related to something else and you may want to check for any other errors in the mail.log that might give you more insight into what's causing the problem.

jp flag
Why `754`? It is not an executable. `644` would be more appropriate.
St4rb0y avatar
pr flag
@Raja Gopal Thanks for your extensive reply. The user running `sendmail` seems to be **root**. I've updated my above question with more data, if you want to take a look.
in flag
The user is most certainly not root. The remaining problem is most probably the permissions of the /etc/postfix directory. We won't know unless you provide the information about the permissions, which has been requested repeatedly.
St4rb0y avatar
pr flag
@GeraldSchneider I may have misinterpreted the output of `ps aux | grep sendmail`. You can inspect that above. I've also added the permission information for the */etc/postfix* directory.
Score:0
in flag

postfix does not run as the root user, yet you have set the permissions of the config file for root only.

chmod o+r /etc/postfix/main.cf

And of course the other postfix config files.

St4rb0y avatar
pr flag
Unfortunately that didn't resolve my issue. I still get a `Jan 19 05:47:09 [hostname] postfix/sendmail[25773]: fatal: open /etc/postfix/main.cf: Permission denied` error. The file permissions are now reported as: `-rwxr-xr-- 1 root root 3968 Jan 18 08:36 /etc/postfix/main.cf`
Ginnungagap avatar
gu flag
What are the permissions for `/etc/postfix`?
St4rb0y avatar
pr flag
@Ginnungagap, most files are reported as `-rw-r--r-- 1 root root`, except **main.cf**.
Paul avatar
cn flag
Please post the output of `ls -alhF /etc/postfix`.
St4rb0y avatar
pr flag
@Paul I've appended the requested information to my answer.
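
Added example, not part of the thread: a POSIX shell helper that walks every component of a path, in the spirit of the `namei -l` and `/etc/postfix` directory checks requested above, and reports the first one that denies access to a user who is neither the owner nor in the group. The function names, the `BASE` argument and the temporary sample tree are constructed for illustration; ACLs and AppArmor/SELinux policy are not considered.

```shell
#!/bin/sh
# Added example. Find the first path component that blocks a user in the
# "other" permission class (not owner, not in the group).

# first_blocker PATH [BASE]
# Prints "ok", or "<path> <mode-string> <reason>" for the first blocking
# component of PATH, walking down from BASE (default: filesystem root).
first_blocker() {
    cur=${2:-}
    old_ifs=$IFS
    IFS=/
    set -f                       # no globbing while splitting on "/"
    set -- $1
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        mode=$(ls -ldL "$cur" 2>/dev/null | cut -c1-10)
        [ -n "$mode" ] || { echo "$cur - missing"; return 0; }
        other_r=$(printf %s "$mode" | cut -c8)
        other_x=$(printf %s "$mode" | cut -c10)
        case $mode in
            d*) # a directory needs search permission: x, or t (sticky + x)
                case $other_x in
                    x|t) ;;
                    *) echo "$cur $mode no-search"; return 0 ;;
                esac ;;
            *)  # any other file type must be readable
                [ "$other_r" = r ] || { echo "$cur $mode no-read"; return 0; } ;;
        esac
    done
    echo ok
}

# Constructed sample tree mirroring the question: main.cf with mode 750.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/etc/postfix"
    : > "$base/etc/postfix/main.cf"
    chmod 755 "$base/etc" "$base/etc/postfix"
    chmod 750 "$base/etc/postfix/main.cf"
    echo "$base"
}

demo=$(make_demo_tree)
first_blocker etc/postfix/main.cf "$demo"    # reports main.cf as no-read
chmod 644 "$demo/etc/postfix/main.cf"
first_blocker etc/postfix/main.cf "$demo"    # prints: ok
rm -rf "$demo"
```

On a real host, call it as `first_blocker /etc/postfix/main.cf`; a directory without the search bit blocks access even when the file itself is world-readable.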