postfix/virtual and dovecot/deliver

  • Stephen Holmes
    Message 1 of 12 , Sep 30, 2008
      I've had to use dovecot/deliver for mail delivery because
      postfix/virtual continues to give...

      mail postfix/virtual[1063]: fatal: open /etc/postfix/mysql/virtual-mailbox-maps.cf: Permission denied

      ...errors in the logged output. It doesn't show this error when I set
      virtual_transport=dovecot and simple aliasing works fine with dovecot.
      The vmail folder, which holds my domain.tld/usernames sits on an NFS
      server and is mapped to the mailserver (mail.gallopinggreen.com) to its
      local /vmail folder. Both root and vmail can read/write to this
      folder. The /vmail folder is owned by vmail.vmail and I have gid and
      uid in main.cf set to static:vmail.

      I have had some useful pointers from mouss (thanks!) but I still can't
      resolve the issue.

      Any ideas? I'm a postfix noob I'm afraid!
      Steve.


      --
      s t e p h e n h o l m e s

      mail: stephen@...
      cell: +353 86 833 5027
      web: http://www.gallopinggreen.com
    • Wietse Venema
      Message 2 of 12 , Sep 30, 2008
        Stephen Holmes:
        > I've had to use dovecot/deliver for mail delivery because
        > postfix/virtual continues to give...
        >
        > mail postfix/virtual[1063]: fatal: open /etc/postfix/mysql/virtual-mailbox-maps.cf: Permission denied

        The Postfix virtual delivery agent opens such files before it
        gives up root privileges.

        Normally, root can open all files. Your system is not normal.

        Typically this is the result of interference from "security"
        software such as Selinux, Apparmor, etc.

        Wietse
      • Stephen Holmes
        Message 3 of 12 , Sep 30, 2008
          Wietse Venema wrote:
          > Stephen Holmes:
          >
          >> I've had to use dovecot/deliver for mail delivery because
          >> postfix/virtual continues to give...
          >>
          >> mail postfix/virtual[1063]: fatal: open /etc/postfix/mysql/virtual-mailbox-maps.cf: Permission denied
          >>
          >
          > The Postfix virtual delivery agent opens such files before it
          > gives up root privileges.
          >
          > Normally, root can open all files. Your system is not normal.
          >
          > Typically this is the result of interference from "security"
          > software such as Selinux, Apparmor, etc.
          >
          Thanks Wietse, I did notice that my NFS was exporting with a
          root_squash, but changing that to no_root_squash returned the
          permissions, but strangely not to the postfix system. When I see this
          error, is it referring to (a) access to the .cf file itself or (b)
          access to the folder galloping.com/stephen (with /vmail prefixed) ?


          --
          s t e p h e n h o l m e s

          mail: stephen@...
          cell: +353 86 833 5027
          web: http://www.gallopinggreen.com
        • Wietse Venema
          Message 4 of 12 , Sep 30, 2008
            Stephen Holmes:
            > >> mail postfix/virtual[1063]: fatal: open /etc/postfix/mysql/virtual-mailbox-maps.cf: Permission denied
            ...
            > When I see this
            > error, is it referring to (a) access to the .cf file itself or (b)
            > access to the folder galloping.com/stephen (with /vmail prefixed) ?

            The error message is for the file name in the error message.

            If /etc/postfix/mysql/virtual-mailbox-maps.cf is a symlink into
            some other file system that still restricts root privileges, then
            the real file name will be different.

            Wietse
          • Stephen Holmes
            Message 5 of 12 , Sep 30, 2008
              Wietse Venema wrote:
              > Stephen Holmes:
              >
              >>>> mail postfix/virtual[1063]: fatal: open /etc/postfix/mysql/virtual-mailbox-maps.cf: Permission denied
              >>>>
              > ...
              >
              >> When I see this
              >> error, is it referring to (a) access to the .cf file itself or (b)
              >> access to the folder galloping.com/stephen (with /vmail prefixed) ?
              >>
              >
              > The error message is for the file name in the error message.
              >
              > If /etc/postfix/mysql/virtual-mailbox-maps.cf is a symlink into
              > some other file system that still restricts root privileges, then
              > the real file name will be different.
              >
              Hmm, then it gets stranger. /etc/postfix/mysql/virtual-mailbox-maps.cf
              is a file in the local file system, as are the postfix binaries and in
              fact the /var/spool/postfix queues. All that's hosted on the remote NFS
              server is the actual user mailboxes. The MySQL files are root
              accessible, as are the other postfix files in /etc. The dovecot agent
              has no problems, so I guess my question is what permissions are
              required for the mysql .cf files, and the /vmail folder.

              I know this environment is "mine" and possibly strange (though I see no
              reason why hosting potentially large mailboxes on remote storage NAS/SAN
              etc would be strange), but is there a way to enable more verbose
              debugging to nail this one?

              Thanks for your help thus far - I'm definitely getting the hang of this
              stuff ;-)

              --
              s t e p h e n h o l m e s

              mail: stephen@...
              cell: +353 86 833 5027
              web: http://www.gallopinggreen.com
            • Wietse Venema
              Message 6 of 12 , Sep 30, 2008
                Stephen Holmes:
                > Hmm, then it gets stranger. /etc/postfix/mysql/virtual-mailbox-maps.cf
                > is a file in the local file system, as are the postfix binaries and in
                > fact the /var/spool/postfix queues. All that's hosted on the remote NFS
                > server is the actual user mailboxes. The MySQL files are root
                > accessible, as are the other postfix files in /etc. The dovecot agent
                > has no problems, so I guess my question is what permissions are
                > required for the mysql .cf files, and the /vmail folder.

                If root can do "cat /etc/postfix/mysql/virtual-mailbox-maps.cf"
                but the Postfix virtual delivery agent running as root can open
                the file, then you have something that interferes with file system
                access, like Selinux, Apparmor, Systrace, and so on. Configuring
                such systems is outside the scope of Postfix.

                Wietse
              • Wietse Venema
                Message 7 of 12 , Sep 30, 2008
                  Wietse Venema:
                  > Stephen Holmes:
                  > > Hmm, then it gets stranger. /etc/postfix/mysql/virtual-mailbox-maps.cf
                  > > is a file in the local file system, as are the postfix binaries and in
                  > > fact the /var/spool/postfix queues. All that's hosted on the remote NFS
                  > > server is the actual user mailboxes. The MySQL files are root
                  > > accessible, as are the other postfix files in /etc. The dovecot agent
                  > > has no problems, so I guess my question is what permissions are
                  > > required for the mysql .cf files, and the /vmail folder.
                  >
                  > If root can do "cat /etc/postfix/mysql/virtual-mailbox-maps.cf"
                  > but the Postfix virtual delivery agent running as root can open

                  can -> cannot

                  > the file, then you have something that interferes with file system
                  > access, like Selinux, Apparmor, Systrace, and so on. Configuring
                  > such systems is outside the scope of Postfix.
                  >
                  > Wietse
                  >
                  >
                • Stephen Holmes
                  Message 8 of 12 , Sep 30, 2008
                    Wietse Venema wrote
                    > If root can do "cat /etc/postfix/mysql/virtual-mailbox-maps.cf"
                    > but the Postfix virtual delivery agent running as root can open
                    > the file, then you have something that interferes with file system
                    > access, like Selinux, Apparmor, Systrace, and so on. Configuring
                    > such systems is outside the scope of Postfix.
                    >
                    > Wietse
                    >
                    Thanks Wietse. It's a pretty slim install (actually inside a Xen VM)
                    and running at init level 3 - its primary function is as an email
                    server (hence the mailboxes on an NFS share). I'll check the filesystem
                    and process permissions and see if I can track it down. Definitely no
                    AppArmor/SE Linux involved. Will let you know if I solve it. Thanks
                    again!

                    --
                    s t e p h e n h o l m e s

                    mail: stephen@...
                    cell: +353 86 833 5027
                    web: http://www.gallopinggreen.com
                  • Wietse Venema
                    Message 9 of 12 , Sep 30, 2008
                      Wietse Venema
                      > If root can do "cat /etc/postfix/mysql/virtual-mailbox-maps.cf"
                      > but the Postfix virtual delivery agent running as root can open

                      can -> cannot

                      > the file, then you have something that interferes with file system
                      > access, like Selinux, Apparmor, Systrace, and so on. Configuring
                      > such systems is outside the scope of Postfix.

                      Stephen Holmes:
                      > Thanks Wietse. It's a pretty slim install (actually inside a Xen VM)
                      > and running at init level 3 - its primary function is as an email
                      > server (hence the mailboxes on an NFS share). I'll check the filesystem
                      > and process permissions and see if I can track it down. Definitely no
                      > AppArmor/SE Linux involved. Will let you know if I solve it. Thanks
                      > again!

                      You could attach a system call tracer to the virtual(8) daemon process
                      to see the exact kernel response to the open() call.

                      See http://www.postfix.org/DEBUG_README.html#auto_trace for examples.

                      Wietse
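
The tracing step suggested above, combined with the earlier point about the real file behind a symlink, as an added example that is not part of the thread or of Postfix. It assumes a trace of the virtual(8) process saved in strace's default output format and GNU coreutils; the function names are illustrative.

```shell
#!/bin/sh
# Added example: assumes Linux strace output and GNU coreutils (stat, readlink -f).
# Function names are illustrative, not Postfix tools.

# denied_opens TRACEFILE: print "<errno> <path>" for each open()/openat()
# the kernel refused with EACCES or EPERM (duplicates removed).
denied_opens() {
    sed -n -E 's/^[^("]*open(at)?\(.*"([^"]+)".*\) = -1 (EACCES|EPERM) .*/\3 \2/p' "$1" | sort -u
}

# explain_path PATH: resolve symlinks and report the file actually opened,
# the file system it lives on, and its mode and owner.
explain_path() {
    real=$(readlink -f -- "$1") && [ -e "$real" ] || return 1
    printf 'real=%s fs=%s mode=%s owner=%s\n' "$real" \
        "$(stat -f -c %T -- "$real")" "$(stat -c %A -- "$real")" \
        "$(stat -c %U:%G -- "$real")"
}

# mac_status: report access-control layers that can deny even root.
mac_status() {
    se=off; aa=off
    if [ -r /sys/fs/selinux/enforce ]; then
        case $(cat /sys/fs/selinux/enforce) in
            1) se=enforcing ;;
            *) se=permissive ;;
        esac
    fi
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = Y ] && aa=on
    printf 'selinux=%s apparmor=%s\n' "$se" "$aa"
}

# Constructed sample of strace output for the virtual(8) process;
# only the path and the error come from the log line quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
1063  open("/etc/postfix/main.cf", O_RDONLY) = 5
1063  open("/etc/postfix/mysql/virtual-mailbox-maps.cf", O_RDONLY) = -1 EACCES (Permission denied)
1063  open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF

denied_opens "$sample" | while read -r err path; do
    echo "$err $path"
    explain_path "$path" || echo "  (not present on this host)"
done
mac_status
rm -f "$sample"
```

An fs value such as nfs for the resolved file, or an enforcing SELinux or enabled AppArmor, identifies the layer that is overriding root's normal access.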
                    • Mark Watts
                      Message 10 of 12 , Oct 1, 2008
                        On Wednesday 01 October 2008 00:28:37 Stephen Holmes wrote:
                        > Wietse Venema wrote
                        >
                        > > If root can do "cat /etc/postfix/mysql/virtual-mailbox-maps.cf"
                        > > but the Postfix virtual delivery agent running as root can open
                        > > the file, then you have something that interferes with file system
                        > > access, like Selinux, Apparmor, Systrace, and so on. Configuring
                        > > such systems is outside the scope of Postfix.
                        > >
                        > > Wietse
                        >
                        > Thanks Wietse. It's a pretty slim install (actually inside a Xen VM)
                        > and running at init level 3 - its primary function is as an email
                        > server (hence the mailboxes on an NFS share). I'll check the filesystem
                        > and process permissions and see if I can track it down. Definitely no
                        > AppArmor/SE Linux involved. Will let you know if I solve it. Thanks
                        > again!

                        You said earlier that you were running CentOS 5.2. As per a standard install,
                        SELinux defaults to ON.

                        If it is on (/usr/sbin/selinuxenabled returns 1 if it's on, 0 if it's disabled),
                        you have two choices:

                        1) Disable SELinux

                        Edit /etc/sysconfig/selinux and change:

                        SELINUX=enforcing
                        to
                        SELINUX=permissive
                        or SELINUX=disabled

                        Then reboot and retry.

                        2) Fix your SELinux context on /etc/postfix/mysql/

                        If you use "ls -laZ /etc/postfix" I suspect you will see that the config files
                        are "system_u:object_r:postfix_etc_t" and any scripts
                        are "system_u:object_r:postfix_exec_t". I suspect your /etc/postfix/mysql
                        directory is neither.

                        Reset your SELinux context on that directory with:

                        chcon -R system_u:object_r:postfix_etc_t /etc/postfix/mysql

                        Mark.

                        --
                        Mark Watts BSc RHCE MBCS
                        Senior Systems Engineer
                        QinetiQ Applied Technologies
                        GPG Key: http://www.linux-corner.info/mwatts.gpg
                      • mouss
                        Message 11 of 12 , Oct 1, 2008
                          Mark Watts wrote:
                          >
                          > You said earlier that you were running CentOS 5.2. As per a standard install,
                          > SELinux defaults to ON.

                          for this particular problem, he is using Suse (see the "Problem with
                          virtual mailboxes" short thread) and he said Apparmor isn't installed.


                          >
                          > [snip]
                        • Mark Watts
                          Message 12 of 12 , Oct 1, 2008
                            On Wednesday 01 October 2008 09:28:47 mouss wrote:
                            > Mark Watts wrote:
                            > > You said earlier that you were running CentOS 5.2. As per a standard
                            > > install, SELinux defaults to ON.
                            >
                            > for this particular problem, he is using Suse (see the "Problem with
                            > virtual mailboxes" short thread) and he said Apparmor isn't installed.
                            >
                            > > [snip]

                            Humm, I wonder where I read CentOS then.
                            Sorry for the noise...

                            --
                            Mark Watts BSc RHCE MBCS
                            Senior Systems Engineer
                            QinetiQ Applied Technologies
                            GPG Key: http://www.linux-corner.info/mwatts.gpg