# Ugg.. I'm having problems w/ Postfix handing off to Dovecot for Delivery..



## osx-addict (Mar 12, 2010)

I'm getting a permission error — Dovecot's `deliver`, running as `nobody`, fails in `setgid(70000)` with "Operation not permitted" — as you can see below:

from /var/log/maillog

```
Mar 12 00:41:53 smtp postfix/pipe[28230]: 6F3644BE5F2: to=<rickf@example.com>, relay=dovecot, delay=1924, delays=1924/0.05/0/0.04, dsn=4.3.0, status=deferred (temporary failure)
Mar 12 00:41:53 smtp postfix/pipe[28231]: A719F4BE5F7: to=<rickf@example.com>, relay=dovecot, delay=1364, delays=1364/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure)
```

Log from /var/log/dovecot.log

```
Mar 12 00:41:53 deliver(rickf@example.com): Fatal: setgid(70000) failed with euid=65534(nobody), gid=65534(nobody), egid=65534(nobody): Operation not permitted
Mar 12 00:41:53 deliver(rickf@example.com): Fatal: setgid(70000) failed with euid=65534(nobody), gid=65534(nobody), egid=65534(nobody): Operation not permitted
```

from /var/log/dovecot-deliver.log

```
Mar 12 00:41:53 deliver(rickf@example.com): Info: auth input: home=/var/spool/vmail/h/70000/70000
Mar 12 00:41:53 deliver(rickf@example.com): Info: auth input: uid=70000
Mar 12 00:41:53 deliver(rickf@example.com): Info: auth input: gid=70000
Mar 12 00:41:53 deliver(rickf@example.com): Info: auth input: mail=maildir:~/Maildir
Mar 12 00:41:53 deliver(rickf@example.com): Info: auth input: home=/var/spool/vmail/h/70000/70000
```

Here's master.cf :

```
# NOTE(review): this is the port-25 "smtp" service, and it is in TLS wrapper
# mode, so no plain/STARTTLS SMTP is offered on 25 at all; remote MTAs speaking
# ordinary SMTP cannot deliver here. Wrapper mode normally goes on a separate
# smtps (465) entry. The listing is trimmed, so confirm this is intended.
smtp      inet  n       -       n       -       -       smtpd 
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

[ ...trimmed... ]

# Root cause of the deferred mail: deliver is started as "nobody" (user=nobody
# here, and the binary is setuid nobody, not root), then tries to switch to the
# uid/gid 70000 returned by the userdb -> setgid(70000) fails with EPERM
# ("Operation not permitted"). An unprivileged process cannot change to another
# uid/gid. Least-privilege fix when every virtual user maps to uid/gid 70000
# (as the "auth input: uid=70000 gid=70000" lines suggest): run this pipe as
# that account (user=<account for uid 70000>, optionally user=<acct>:<group>)
# and remove the setuid bit from deliver, since it then needs no switching.
# Only if mailboxes really use many different uids does deliver need to be
# setuid root; in that case restrict it (root:postfix, mode 04750) so nothing
# but Postfix can execute it - pipe(8) itself will not run commands as root.
# Whichever account runs deliver must also own the auth-master socket in
# dovecot.conf (currently user = nobody, mode 0600).
dovecot    unix -        n       n       -       -       pipe
  flags=DORhu user=nobody argv=/usr/local/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m ${extension}
```

Here's main.cf

```
# updated to match tutorial :
# http://www.howtoforge.com/linux_postfix_virtual_hosting
# option notes here : http://www.postfix.org/postconf.5.html

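queue_directory            = /var/spool/postfix
command_directory          = /usr/local/sbin
daemon_directory           = /usr/local/libexec/postfix
data_directory             = /var/db/postfix

# Postfix lives under /usr/local on this box; anything that hands mail back to
# Postfix (Dovecot's LDA sendmail_path, cron jobs) must use this same binary.
sendmail_path              = /usr/local/sbin/sendmail
newaliases_path            = /usr/local/bin/newaliases
mailq_path                 = /usr/local/bin/mailq

# NOTE(review): EHLO/HELO and Received headers will announce "localhost"; many
# receivers reject a non-FQDN HELO, so set this to the host's real FQDN.
myhostname                 = localhost
mydomain                   = example.com
myorigin                   = $mydomain
# Empty on purpose: every domain is virtual (virtual_mailbox_domains below).
mydestination              =
# "subnet" lets every host on the local subnet relay via permit_mynetworks;
# on a shared network prefer mynetworks_style = host or an explicit mynetworks.
mynetworks_style           = subnet
# relay_domains is a list of domain names; "127.0.0.1" would only ever match a
# recipient written as user@127.0.0.1, which is almost certainly not intended.
# With $mydestination empty this parameter is effectively empty.
relay_domains              = $mydestination, 127.0.0.1

################################################################################
# virtual domains
################################################################################
virtual_mailbox_domains    = pgsql:$config_directory/pgsql-virtual_mailbox_domains.cf
virtual_alias_maps         = pgsql:$config_directory/pgsql-virtual_alias_maps.cf
transport_maps             = pgsql:$config_directory/pgsql-transport.cf
# Matches first_valid_uid/first_valid_gid = 70000 in dovecot.conf; keep both
# in step so neither side can ever write a mailbox as a system account.
virtual_minimum_uid        = 70000
virtual_uid_maps           = pgsql:$config_directory/pgsql-virtual_uid_maps.cf
virtual_gid_maps           = pgsql:$config_directory/pgsql-virtual_gid_maps.cf
# "/" means the SQL mailbox map must return absolute paths. Delivery actually
# goes through virtual_transport (dovecot) below, so virtual_mailbox_maps is
# used by smtpd as the "does this recipient exist" check.
virtual_mailbox_base       = /
virtual_mailbox_maps       = pgsql:$config_directory/pgsql-virtual_mailbox_maps.cf

################################################################################
# dovecot LDA
################################################################################
# One recipient per deliver invocation, so ${user}/${extension} in master.cf
# expand to a single address.
dovecot_destination_recipient_limit = 1
virtual_transport          = dovecot:

################################################################################
# dovecot SASL
################################################################################
smtpd_sasl_type                = dovecot
# Relative to queue_directory: Dovecot must create its auth client socket at
# /var/spool/postfix/private/auth (owned postfix:postfix). The dovecot.conf
# posted below listens on /var/run/dovecot/auth-client instead, so SMTP AUTH
# cannot work as posted unless one of the two paths is changed or symlinked.
smtpd_sasl_path                = private/auth
smtpd_sasl_auth_enable         = yes
# Keep smtpd_sasl_local_domain identical to Dovecot's auth_default_realm: empty.
# Both are empty by default. Leave it commented out.
# Read more at: http://wiki.dovecot.org/Authentication/Mechanisms/DigestMD5
smtpd_sasl_local_domain        =
# noplaintext hides PLAIN and LOGIN even on the TLS-wrapped port, because
# smtpd_sasl_tls_security_options defaults to this value. Only CRAM-MD5 is
# left, and CRAM-MD5 requires the passdb to hold the plaintext (or CRAM-MD5
# scheme) password. Either accept that trade-off, or set
# smtpd_sasl_tls_security_options = noanonymous so PLAIN/LOGIN are offered
# only under TLS and passwords can be stored salted-hashed.
smtpd_sasl_security_options    = noplaintext, noanonymous
#smtpd_sasl_security_options   = noanonymous
#broken_sasl_auth_clients      = yes

################################################################################
# If you want TLS enabled for remote SMTP servers come in to hand off new mail
################################################################################
smtp_tls_security_level        = may
smtpd_tls_security_level       = may
smtp_tls_note_starttls_offer   = yes
# Key, cert and "CA" are one file, i.e. a self-signed certificate. Because the
# file holds the private key it must be root-owned and readable by root only
# (mode 0600).
smtpd_tls_key_file             = /etc/ssl/postfix/smtpd.pem
smtpd_tls_cert_file            = /etc/ssl/postfix/smtpd.pem
smtpd_tls_CAfile               = /etc/ssl/postfix/smtpd.pem
# log handshaking activity.. Otherwise set to 0...
smtpd_tls_loglevel             = 1
smtpd_tls_received_header      = yes
tls_random_source              = dev:/dev/urandom

################################################################################
# tweak some defaults across the board.
################################################################################
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10

message_size_limit         = 5000000
strict_rfc821_envelopes    = yes
smtpd_delay_reject         = yes
smtpd_helo_required        = yes

# body_checks runs every regexp over every body line of every message; keep
# that pattern file small.
header_checks              = regexp:$config_directory/header_checks
body_checks                = regexp:$config_directory/body_checks

################################################################################
# Define Rules to weed the good from the bad...
################################################################################
# reject_rbl_client needs a DNSBL zone argument; without one Postfix logs
# "restriction reject_rbl_client requires domain name argument" and the check
# is a no-op. Fixed to use the zone already used in the recipient list.
smtpd_client_restrictions =
              reject_rbl_client bl.spamcop.net,
              check_client_access hash:$config_directory/client_access,
              reject_unauth_pipelining

# Evaluation order matters here:
#  - an "OK" result from access_recipient is reached before
#    reject_unauth_destination and therefore permits relaying to that
#    recipient; use DUNNO rather than OK for whitelist entries in that map.
#  - reject_unauth_destination is the relay guard; never remove it.
#  - the trailing "reject" refuses anything not already permitted, i.e.
#    unauthenticated remote MTAs can never deliver to the virtual domains.
#    Drop it (let the list end in the RBL check) if this host is meant to
#    receive Internet mail for example.com.
#  - reject_non_fqdn_hostname / reject_invalid_hostname /
#    reject_unknown_hostname are the pre-2.3 spellings of the *_helo_hostname
#    restrictions; reject_unknown_hostname is known for false positives on
#    legitimate senders whose HELO name has no A/MX record.
#  - the duplicate reject_unauth_pipelining entries were removed.
smtpd_recipient_restrictions =
#              regexp:$config_directory/checks_recipient.regexp,
              check_recipient_access hash:$config_directory/access_recipient,
              permit_mynetworks,
              permit_sasl_authenticated,
              reject_non_fqdn_hostname,
              reject_non_fqdn_sender,
              reject_non_fqdn_recipient,
              reject_unauth_destination,
              reject_unauth_pipelining,
              reject_invalid_hostname,
              reject_unknown_recipient_domain,
              reject_unknown_hostname,
              reject_rbl_client bl.spamcop.net,
              reject

# reject_rbl_client given its zone argument here as well (see above).
smtpd_sender_restrictions =
#              regexp:$config_directory/checks_sender.regexp,
              check_sender_access hash:$config_directory/access_sender,
              permit_sasl_authenticated,
              permit_mynetworks,
              reject_unknown_sender_domain,
              reject_non_fqdn_sender,
              reject_rbl_client bl.spamcop.net,
              reject_unauth_pipelining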
```

Here's the permissions on the deliver executable..

```
smtp# ls -la /usr/local/lib/dovecot/deliver
-r-sr-x---  1 nobody  nogroup  841600 Mar 11 22:28 /usr/local/lib/dovecot/deliver
```

Here's the dovecot config file:

```
# Only TLS-wrapped IMAP (imaps) and ManageSieve are offered; plain IMAP and
# POP3 are not, so the "protocol pop3" section further down is inert.
protocols = imaps managesieve

listen = *
# NOTE(review): imaps is always encrypted, but ManageSieve in this Dovecot
# generation is generally a separate plaintext port with STARTTLS; with this
# set to "no" a client may send its password in the clear there. Set it to
# "yes" unless there is a concrete reason not to (auth over TLS still works).
disable_plaintext_auth = no

shutdown_clients = yes
log_path = /var/log/dovecot.log
# deliver's "Info: auth input: ..." lines (uid/gid/home from the userdb) land
# here; useful while debugging delivery, noisy in production.
info_log_path = /var/log/dovecot-deliver.log

ssl_cert_file = /etc/ssl/certs/imaps.example.com.cert
ssl_key_file = /etc/ssl/private/imaps.example.com.key

# The key passphrase sits in clear text in this file, so it protects nothing
# beyond what the mode of dovecot.conf does: keep this file root-owned and
# mode 0600 (or use an unencrypted key with equally restrictive permissions).
ssl_key_password = XXXXXXXXXX

mail_location = maildir:~/Maildir
# Only needed for dotlocking mbox files in a shared spool; irrelevant for the
# maildir layout above, and removing it avoids granting the "mail" group.
mail_privileged_group = mail
# Debug logging of per-user mailbox paths; turn off once delivery works.
mail_debug = yes

dotlock_use_excl = yes
verbose_proctitle = yes

# Must match virtual_minimum_uid = 70000 in main.cf: a userdb row returning a
# lower uid/gid is refused, so a bad database entry can never make deliver or
# imap write as a system account.
first_valid_uid = 70000
first_valid_gid = 70000

maildir_copy_with_hardlinks = yes

protocol imap {
  imap_client_workarounds = delay-newmail netscape-eoh tb-extra-mailbox-sep
}
  

# Unused: pop3 is not listed in "protocols" above.
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}

protocol lda {
  postmaster_address = postmaster@example.com
  mail_plugins = sieve
  mail_plugin_dir = /usr/local/lib/dovecot/lda
  # NOTE(review): Postfix in main.cf is installed under /usr/local
  # (sendmail_path = /usr/local/sbin/sendmail). If /usr/sbin/sendmail is the
  # base-system MTA rather than Postfix, sieve redirect/vacation and bounces
  # generated by deliver are handed to the wrong MTA; point this at Postfix's
  # sendmail binary.
  sendmail_path = /usr/sbin/sendmail
}

auth_username_format = %Lu
auth_verbose = yes
auth_debug = yes
# Keep this "no": with auth_debug on, "yes" would write passwords to the log.
auth_debug_passwords = no

auth default {
  verbose         = yes
  debug           = yes
  debug_passwords = no
  # The auth process shares the "nobody" account with deliver (master.cf
  # user=nobody) and with the deliver binary's owner; a dedicated unprivileged
  # account for auth keeps a compromise of one from reaching the other.
  user            = nobody

  # Postfix is configured with noplaintext, so SMTP clients will only be
  # offered cram-md5, which requires the SQL passdb to store a plaintext or
  # CRAM-MD5-scheme password rather than a salted hash.
  mechanisms = cram-md5 login plain
  passdb sql {
    args = /usr/local/etc/dovecot-sql.conf
  }

  userdb sql {
        args = /usr/local/etc/dovecot-sql.conf
  }

  socket listen {
    # Userdb lookups for deliver: mode 0600 means only "user" below can open
    # it (group = wheel is therefore irrelevant). If deliver is moved off the
    # "nobody" account to fix the setgid(70000) failure, change this owner too.
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = nobody
      group = wheel
    }
    # SASL socket for Postfix smtpd. main.cf expects it at
    # $queue_directory/private/auth (/var/spool/postfix/private/auth); this
    # path does not match, so Postfix cannot reach it as posted.
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}


plugin {
  sieve     = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
```

Any ideas on what I've messed up???


----------



## osx-addict (Mar 13, 2010)

Ok.. I ditched using VMM and more or less followed the steps outlined here (link not preserved) but converted all MySQL tables/data to Postgres.. All is working fine now! (Note for later readers: the reply does not say what actually changed. The logged failure was Dovecot's `deliver` running as `nobody` and being unable to `setgid(70000)`, so the account `deliver` runs as, or its setuid setup, is the relevant difference in the new configuration.)


----------

