
#1 2020-08-18 11:46:16

ysmiraak
Member
Registered: 2020-08-18
Posts: 2

postfixadmin can't login through dovecot

About 4 months ago I set up a mail server for our startup mostly following https://wiki.archlinux.org/index.php/Vi … _Roundcube.
The setup has been working for a while, although I don't use postfixadmin very often, and today I found that I can't log in to it anymore.

Here's the gist.
- The mail server (postfix and dovecot) works: I can send and receive emails;
- The webserver works: I can open postfixadmin;
- PostfixAdmin login failed.

Some context:
I usually do a system update once a week or two weeks.
I don't know exactly when the problem occurred (since I don't use postfixadmin very often), so debugging this problem has been difficult.
I searched the internet, and surprisingly can't find any similar problems, so I came here for help.
First time posting, please be forgiving

The only thing that shows up in the uwsgi journal when I tried to log in (with any account) is:

PostfixAdmin login failed (username: ..., ip_address: ...)

I tried to redo the setup step to create a superadmin, and this showed up:

dovecotpw password encryption failed. STDERR output: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 25: ssl_cert: Can't open file /etc/letsencrypt/live/dev.albatros-coding.de/fullchain.pem: Permission denied

So it seems the problem is that dovecotpw (/usr/bin/doveadm pw) failed to load the dovecot conf because the certificate has restricted permissions.
However the dovecot service is running properly (I tried restart/reload all the related services, even rebooted the system a few times).
Afaik dovecot loaded the conf file when it was running as root so it had no problem,
but when postfixadmin tried to call doveadm (for encrypting the password with dovecot, I suppose),
doveadm failed to load the conf file because the privilege had been dropped.
I don't know how it was working before,
but I think maybe doveadm wasn't supposed to load the conf file if the dovecot service was running?

That's as much as I can find out.
Any help is appreciated, thanks!

postfixadmin version: 3.2.4-1
/etc/webapps/postfixadmin/config.local.php

<?php

$CONF['configured'] = true;

// correspond to dovecot maildir path /home/vmail/%d/%u
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix_user';
$CONF['database_password'] = '...';
$CONF['database_name'] = 'postfix_db';
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';

...

postfix version: 3.5.6-1
/etc/postfix/main.cf

...

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service unix:private/policy-spf
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/dev.albatros-coding.de/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/dev.albatros-coding.de/privkey.pem
smtpd_sasl_local_domain = $mydomain
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_loglevel = 1

...

dovecot version: 2.3.11.3-1
/etc/dovecot/dovecot.conf

protocols = imap pop3
auth_mechanisms = plain
passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
userdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}

service auth {
    unix_listener /var/spool/postfix/private/auth {
        user  = postfix
        group = postfix
        mode  = 0660
    }
    user = root
}

mail_home = /home/vmail/%d/%n
mail_location = maildir:~

ssl = yes
ssl_cert = </etc/letsencrypt/live/dev.albatros-coding.de/fullchain.pem
ssl_key  = </etc/letsencrypt/live/dev.albatros-coding.de/privkey.pem
ssl_dh   = </etc/dovecot/dh.pem


#2 2020-08-26 08:48:45

ysmiraak
Member
Registered: 2020-08-18
Posts: 2

Re: postfixadmin can't login through dovecot


#3 2020-10-30 13:02:15

whoops
Member
Registered: 2009-03-19
Posts: 891

Re: postfixadmin can't login through dovecot

Didn't manage to fix it that way, so I "temporarily" added the users dovecot and postfixadmin (not sure if postfixadmin uses www-data by default, mine runs as user postfixadmin) to the certbot group, which works at the moment.
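
A way to check the permission problem discussed in this thread, added here as an example and not taken from any of the posts or from the dovecot or postfixadmin projects: the script lists every file a dovecot config reads with the `<` syntax, reports the ones the current user cannot read, and names the first path component that blocks access. The function names and the script name check.sh are made up for this example.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread.

# Print every path a dovecot config reads with the "key = </path" syntax.
dovecot_file_refs() {
    sed -n 's|^[[:space:]]*[A-Za-z0-9_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*<[[:space:]]*\([^[:space:]]*\).*$|\1|p' "$1"
}

# Print the referenced files the current user cannot read; return 1 if any.
dovecot_unreadable_refs() {
    bad=$(dovecot_file_refs "$1" | while IFS= read -r f; do
        [ -r "$f" ] || printf '%s\n' "$f"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Walk an absolute path from / and print the first component that stops the
# current user: a directory without search (x) permission, or an entry that
# is missing or unreadable. The walk is lexical; a symlink is only tested
# through the final -r check, which follows it.
first_blocked_component() {
    rest=${1#/}
    cur=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ -d "$cur" ]; then
            [ -x "$cur" ] || { printf '%s\n' "$cur"; return 0; }
        elif [ ! -r "$cur" ]; then
            printf '%s\n' "$cur"
            return 0
        fi
    done
    return 1
}

# Usage: sh check.sh /etc/dovecot/dovecot.conf
if [ "$#" -gt 0 ]; then
    dovecot_unreadable_refs "$1" | while IFS= read -r f; do
        printf '%s: blocked at %s\n' "$f" "$(first_blocked_component "$f")"
    done
fi
```

The result depends on who runs it, so run it as the account the web application uses (for example through `sudo -u` with that account name) rather than as root, which can read everything.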
