Postfix and dovecot and mysql for mail server.

Symbolic link works OK.
Your ssl_ca is wrong. You are missing "<" at line 24 in front of the file path in /usr/local/etc/dovecot/conf.d/10-ssl.conf

change this
ssl_ca = /usr/local/etc/letsencrypt/live/kasdivi.com/cert.pem
to this
ssl_ca = </usr/local/etc/letsencrypt/live/kasdivi.com/cert.pem

And again, having config files without comments is bad for reading them. If you just want to see your current config you can use doveconf.
 
I have this as my current 10-ssl.conf

## SSL settings
##
# SSL/TLS support: yes, no, required. https://doc.dovecot.org/admin_manual/ssl/
# ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
ssl_key = </usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)

ssl_ca = </usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/local/etc/ssl/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
#
# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
# version, and LATEST matches with the latest version supported by library.
#ssl_min_protocol = TLSv1.2
# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!M
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DE
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:p-384:p-256 would be an
# example of a valid value.
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# compression - Enable compression.
# no_ticket - Disable SSL session tickets.
#ssl_options =


Today's errors

dovecot[99147]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Apr 19 13:22:16 triggerfish dovecot[99145]: master: Error: service(auth): command startup failed, throttling for 8.000 secs
Apr 19 13:22:16 triggerfish dovecot[99147]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<b0VRVHYWk+rIBpdM>
Apr 19 13:22:16 triggerfish dovecot[99147]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<uaBTVHYWlerIBpdM>
Apr 19 13:22:17 triggerfish dovecot[99147]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.64.187, session=<TCxVVHYWmerIBpdM>
Apr 19 13:22:19 triggerfish postfix/submission/smtpd[96702]: disconnect from unknown[8.219.142.130] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 19 13:22:24 triggerfish dovecot[99147]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Apr 19 13:22:24 triggerfish dovecot[99145]: master: Error: service(auth): command startup failed, throttling for 16.000 secs
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=200.6.151.76, lip=209.160.64.187, session=<Yz/KVHYWl+rIBpdM>
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<Zj/KVHYWlurIBpdM>
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<ZT/KVHYWlOrIBpdM>
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<bD/KVHYWkurIBpdM>
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 7 secs): user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<cj/KVHYWmurIBpdM>
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 7 secs): user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<dD/KVHYWmOrIBpdM>
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 7 secs): user=<>, rip=200.6.151.76, lip=209.160.64.187, session=<fD/KVHYWm+rIBpdM>
Apr 19 13:22:25 triggerfish dovecot[99147]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<qX7PVHYWpurIBpdM>
Apr 19 13:22:25 triggerfish dovecot[99147]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<O9LPVHYWqerIBpdM>
Apr 19 13:22:25 triggerfish dovecot[99147]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.64.187, session=<rh/QVHYWq+rIBpdM>
Apr 19 13:22:40 triggerfish dovecot[99147]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Apr 19 13:22:40 triggerfish dovecot[99145]: master: Error: service(auth): command startup failed, throttling for 32.000 secs
 
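As an added example (not part of the original thread, and not a Dovecot tool), here is a small Python triage script for log dumps like the one above. It splits each syslog line into service, level, message and the trailing `user=/rip=/lip=/session=` fields, groups messages by template so repeated lines collapse into counts, and pulls out the auth-service restart throttle that the master process logs. The embedded log excerpt is constructed from the lines above (abridged, with a timestamp added to the first Fatal line so every line has the same shape); the parsing rules are this example's assumptions about the log layout.

```python
import re
from collections import Counter

# Constructed excerpt of the syslog lines posted in the thread (abridged).
SAMPLE_LOG = """\
Apr 19 13:22:16 triggerfish dovecot[99147]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Apr 19 13:22:16 triggerfish dovecot[99145]: master: Error: service(auth): command startup failed, throttling for 8.000 secs
Apr 19 13:22:16 triggerfish dovecot[99147]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<b0VRVHYWk+rIBpdM>
Apr 19 13:22:17 triggerfish dovecot[99147]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.64.187, session=<TCxVVHYWmerIBpdM>
Apr 19 13:22:19 triggerfish postfix/submission/smtpd[96702]: disconnect from unknown[8.219.142.130] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 19 13:22:24 triggerfish dovecot[99147]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Apr 19 13:22:24 triggerfish dovecot[99145]: master: Error: service(auth): command startup failed, throttling for 16.000 secs
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=200.6.151.76, lip=209.160.64.187, session=<Yz/KVHYWl+rIBpdM>
Apr 19 13:22:24 triggerfish dovecot[99147]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 7 secs): user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<cj/KVHYWmurIBpdM>
Apr 19 13:22:40 triggerfish dovecot[99147]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Apr 19 13:22:40 triggerfish dovecot[99145]: master: Error: service(auth): command startup failed, throttling for 32.000 secs
"""

_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# Dovecot login processes append ': key=value, key=<value>, ...' to messages.
_TAIL = re.compile(r": ((?:\w+=(?:<[^>]*>|[^,]*))(?:, \w+=(?:<[^>]*>|[^,]*))*)$")
_LEVELS = {"Debug", "Info", "Warning", "Error", "Fatal", "Panic"}
_THROTTLE = re.compile(r"throttling for ([\d.]+) secs")


def parse_line(line):
    """Split one syslog line into service, level, message and trailing fields."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    prog, rest = m.group("prog"), m.group("rest")
    service, level, message, fields = prog, "Info", rest, {}
    if prog == "dovecot":
        service, _, remainder = rest.partition(": ")
        head, sep, tail = remainder.partition(": ")
        if sep and head in _LEVELS:
            level, message = head, tail
        else:
            message = remainder          # e.g. "Disconnected: ..." has no level
        t = _TAIL.search(message)
        if t:
            for pair in t.group(1).split(", "):
                key, _, value = pair.partition("=")
                fields[key] = value.strip("<>")
            message = message[: t.start()]
    return {
        "ts": m.group("ts"), "pid": int(m.group("pid")), "service": service,
        "level": level, "message": message, "fields": fields,
        # Digits replaced so "8.000 secs" and "16.000 secs" fall in one bucket.
        "template": re.sub(r"\d+(?:\.\d+)?", "N", message),
    }


def summarize(text):
    """Count message templates, collect the throttle sequence and remote IPs."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    throttle = []
    for e in events:
        t = _THROTTLE.search(e["message"])
        if t:
            throttle.append(float(t.group(1)))
    return {
        "events": len(events),
        "templates": Counter((e["service"], e["level"], e["template"]) for e in events),
        "fatal": sorted({e["template"] for e in events if e["level"] == "Fatal"}),
        "throttle": throttle,
        # The master doubles the auth restart throttle on every failed startup.
        "escalating": len(throttle) > 1 and all(b == 2 * a for a, b in zip(throttle, throttle[1:])),
        "remotes": Counter(e["fields"]["rip"] for e in events if "rip" in e["fields"]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (service, level, template), n in s["templates"].most_common():
        print(f"{n:3d}  {service}/{level}: {template}")
    print("fatal:", s["fatal"])
    print("throttle:", s["throttle"], "(escalating)" if s["escalating"] else "")
    print("remote IPs:", dict(s["remotes"]))
```

Grouping by template is what makes the two independent faults visible at a glance: the `auth: Fatal` line is the root cause of both the throttling and the "Auth process broken" disconnects, while the "certificate is empty" lines come from the TLS setup and do not depend on the passdb at all.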
Which auth backend are you using inside your 10-auth.conf? At the end of the config file there are different options like system, sql, passwdfile etc.
Check which one you are using; for example, if it's auth-sql.conf.ext then check its content.

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
 
Using !include auth-sql.conf.ext,

whose content is:

# Authentication for SQL users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.SQL.txt>
passdb {
driver = sql
# Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
# driver = prefetch
#}
userdb {
driver = sql
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
# If you don't have any user-specific settings, you can avoid the user_query
# by using userdb static instead of userdb sql, for example:
# <doc/wiki/UserDatabase.Static.txt>
#userdb {
#driver = static
#args = uid=vmail gid=vmail home=
#}


Following the track, I checked out dovecot-sql.conf.ext and got this, which appears in order:

# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-sql.conf.ext
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/SQL
#
# For the sql passdb module, you'll need a database with a table that
# contains fields for at least the username and password. If you want to
# use the user@domain syntax, you might want to have a separate domain
# field as well.
#
# If your users all have the same uid/gid, and have predictable home
# directories, you can use the static userdb module to generate the home
# dir based on the username and domain. In this case, you won't need fields
# for home, uid, or gid in the database.
#
# If you prefer to use the sql userdb module, you'll want to add fields
# for home, uid, and gid. Here is an example table:
#
# CREATE TABLE users (
# username VARCHAR(128) NOT NULL,
# domain VARCHAR(128) NOT NULL,
# password VARCHAR(64) NOT NULL,
# home VARCHAR(255) NOT NULL,
# uid INTEGER NOT NULL,
# gid INTEGER NOT NULL,
# active CHAR(1) DEFAULT 'Y' NOT NULL
# );
# Database driver: mysql, pgsql, sqlite
#driver =
# Database connection string. This is driver-specific setting.
#
# HA / round-robin load-balancing is supported by giving multiple host
# settings, like: host=sql1.host.org host=sql2.host.org
#
# pgsql:
# For available options, see the PostgreSQL documentation for the
# PQconnectdb function of libpq.
# Use maxconns=n (default 5) to change how many connections Dovecot can
# create to pgsql.
#
# mysql:
# Basic options emulate PostgreSQL option names:
# host, port, user, password, dbname
#
# But also adds some new settings:
# client_flags - See MySQL manual
# connect_timeout - Connect timeout in seconds (default: 5)
# read_timeout - Read timeout in seconds (default: 30)
# write_timeout - Write timeout in seconds (default: 30)
# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
# ssl_cert, ssl_key - For sending client-side certificates to server
# ssl_cipher - Set minimum allowed cipher security (default: HIG
# ssl_verify_server_cert - Verify that the name in the server SSL certificat
# matches the host (default: no)
# option_file - Read options from the given file instead of
# the default my.cnf location
# option_group - Read options from the given group (default: clien
#
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
# Note that currently you can't use spaces in parameters.
#
# sqlite:
# The path to the database file.
#
# Examples:
# connect = host=192.168.1.1 dbname=users
# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
# connect = /usr/local/etc/dovecot/authdb.sqlite
#
#connect =
# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
#default_pass_scheme = MD5
# passdb query to retrieve the password. It can return fields:
# password - The user's password. This field must be returned.
# user - user@domain from the database. Needed with case-insensitive lookups.
# username and domain - An alternative way to represent the "user" field.
#
# The "user" field is often necessary with case-insensitive lookups to avoid
# e.g. "name" and "nAme" logins creating two different mail directories. If
# your user and domain names are in separate fields, you can return "username"
# The query can also return other fields which have a special meaning, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#
# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
# for full list):
# %u = entire user@domain
# %n = user part of user@domain
# %d = domain part of user@domain
#
# Note that these can be used only as input to SQL query. If the query outputs
# any of these substitutions, they're not touched. Otherwise it would be
# difficult to have eg. usernames containing '%' characters.
#
# Example:
# password_query = SELECT userid AS user, pw AS password \
# FROM users WHERE userid = '%u' AND active = 'Y'
#
#password_query = \
# SELECT username, domain, password \
# FROM users WHERE username = '%n' AND domain = '%d'
# userdb query to retrieve the user information. It can return fields:
# uid - System UID (overrides mail_uid setting)
# gid - System GID (overrides mail_gid setting)
# home - Home directory
# mail - Mail location (overrides mail_location setting)
#
# None of these are strictly required. If you use a single UID and GID, and
# home or mail directory fits to a template string, you could use userdb static
# instead. For a list of all fields that can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#
# Examples:
# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where
# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '
#
#user_query = \
# SELECT home, uid, gid \
# FROM users WHERE username = '%n' AND domain = '%d'
# If you wish to avoid two SQL lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
# also have to return userdb fields in password_query prefixed with "userdb_"
# string. For example:
#password_query = \
# SELECT userid AS user, password, \
# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
# FROM users WHERE userid = '%u'
# Query to get a list of all usernames.
#iterate_query = SELECT username AS user FROM users
# MySQL setup
driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password=password
default_pass_scheme = MD5
password_query = SELECT password, CONCAT('*:bytes=', quota) AS userdb_quota_rule
user_query = SELECT '/usr/local/virtual/' as home, 110 AS uid, 110 AS gid, CONCA
 
double check your query.

This is not the full query for mysql:
password_query = SELECT password, CONCAT('*:bytes=', quota) AS userdb_quota_rule

I'm using postgresql and my query is a bit different. For mysql it should look something like:
password_query = SELECT password, CONCAT('*:bytes=', quota) AS userdb_quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

Here's some guide for dovecot with mysql:
 
double check your query.

This is not the full query for mysql


Cut and paste mistake.

driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password=password
default_pass_scheme = MD5
password_query = SELECT password, CONCAT('*:bytes=', quota) AS userdb_quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
user_query = SELECT '/usr/local/virtual/' as home, 110 AS uid, 110 AS gid, CONCAT('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u'
 
On the guide.. that has been my guide. I originally used v2 and was trying to update to v3 while retaining Apache, letsencrypt and mysql. The recommended guide does not, and Rspamd appears to be a whole brave new world.
 
Does the password query need to return username, domain, and password (SELECT username, domain, password) in the returned table?
 
OK, what I have now for 10-master.conf is the following.
This sample has plenty of very bad errors either in the file or in the copy/paste

  1. lmtp section encapsulates three unix_listeners instead of these being inside "service auth"
  2. There are two sections containing "auth-userdb", one inside lmtp where I believe it does not belong
  3. "service imap" has an extra closing bracket after its declaration
 
Do you have a suggestion for such an editor? I am still dead in the water with similar errors.
vim offers this functionality, but I think you are having enough "fun" without trying to learn vim.

Other suggestions here but mostly GUI editors:

 
This sample has plenty of very bad errors either in the file or in the copy/paste

  1. lmtp section encapsulates three unix_listeners instead of these being inside "service auth"
  2. There are two sections containing "auth-userdb", one inside lmtp where I believe it does not belong
  3. "service imap" has an extra closing bracket after its declaration
Thanks, I will take a look at the source. I have been cutting, pasting and taking blank lines out.
 
? You asked for information about an editor that offered bracket-matching and I answered including that ee doesn’t appear to offer that functionality. Oh well 🤷‍♂️
And I thanked you for it. I know ee doesn't have it. It is why I asked for alternatives, which you gratefully provided. I will explore it after dealing with my core problem. Right now I am getting what appear to be contradictory opinions on my configuration files.
 
This sample has plenty of very bad errors either in the file or in the copy/paste

  1. lmtp section encapsulates three unix_listeners instead of these being inside "service auth"
  2. There are two sections containing "auth-userdb", one inside lmtp where I believe it does not belong
  3. "service imap" has an extra closing bracket after its declaration
I assume you are referring to

unix_listener auth-userdb {
mode = 0660
user = vscan
group = vscan
}
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
OK, I am losing touch with reality. Too much code, but does what section it is called out in actually matter? It's all going to the same database.
 
Because your setup doesn't work and mine does? 😆

This sample has plenty of very bad errors either in the file or in the copy/paste

  1. lmtp section encapsulates three unix_listeners instead of these being inside "service auth"
  2. There are two sections containing "auth-userdb", one inside lmtp where I believe it does not belong
  3. "service imap" has an extra closing bracket after its declaration

Problem is, some files have so many comments in them that they obscure the actual running config. What I do is keep the original config file with a .sample or .dist suffix, and then diff that against the new version. That way I get a clean diff of the new settings or defaults, but still have a config file that is 95% smaller than the fully-commented one.

This sample has plenty of very bad errors either in the file or in the copy/paste

  1. lmtp section encapsulates three unix_listeners instead of these being inside "service auth"
  2. There are two sections containing "auth-userdb", one inside lmtp where I believe it does not belong
  3. "service imap" has an extra closing bracket after its declaration

Ok following these leads

here is my new improved 10-master.conf


auth_mechansims = plain login
service imap-login {
inet_listener imap {}
net_listener imaps {}
}
service pop3-login {
inet_listener pop3 {}
inet_listener pop3s {}
}
service submission-login {
inet_listener submission {}
inet_listener submissions {}
}
service lmtp {
vs_limit = 16
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0660
user = postfix
group = postfix
}
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
}
service imap {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0660
user = postfix
group = postfix
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
unix_listener auth-userdb {
mode = 0660
user = vscan
group = vscan
}
service auth-worker {
}
service dict {
unix_listener dict {
}
]
 
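The three structural complaints raised about this file (listeners under the wrong service, the duplicated auth-userdb/dovecot-lmtp declarations, a stray closing bracket), the request for an editor with bracket matching, and the earlier advice to look at the config with the comments stripped (doveconf) can all be covered by one small checker. The following Python script is an added example for this thread, not Dovecot's own code and not a replacement for `doveconf -n`, which remains the authoritative check. It walks a Dovecot-style config, tracks open `{` blocks with their line numbers, reports unclosed sections, stray `]`/`)` characters, a `service` opened inside another `service`, listener names declared twice, unknown section keywords, and `ssl_cert`/`ssl_key`/`ssl_ca`/`ssl_dh` values that lack the `<` file-read prefix. `KNOWN_SECTIONS` is a deliberately partial list of real Dovecot section keywords (an assumption of this example); the embedded sample is constructed from the 10-master.conf and 10-ssl.conf fragments posted in this thread.

```python
import re
from dataclasses import dataclass

# Settings whose value is the *contents* of a file: Dovecot reads the file only
# when the value starts with '<'; without it the path string itself is the value.
FILE_CONTENT_SETTINGS = {"ssl_cert", "ssl_key", "ssl_ca", "ssl_dh"}

# Keywords that may open a '{ ... }' block. Partial list of real Dovecot section
# names (an assumption of this example); anything else opening a block is reported.
KNOWN_SECTIONS = {
    "service", "unix_listener", "inet_listener", "fifo_listener", "passdb",
    "userdb", "protocol", "namespace", "mailbox", "plugin", "dict", "local",
    "remote", "local_name", "map",
}

_KV = re.compile(r"^(\w+)\s*=\s*(.*)$")                      # key = value
_OPEN = re.compile(r"^(\S+)(?:\s+([^\s{}]+))?\s*\{\s*(\}?)$")  # 'service auth {' / 'inet_listener imap {}'

# Constructed from the 10-master.conf and 10-ssl.conf fragments posted in this thread.
SAMPLE = """\
# constructed sample, deliberately broken
auth_mechansims = plain login
service imap-login {
  inet_listener imap {}
  net_listener imaps {}
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
  }
}
service imap {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
  }
  unix_listener auth-userdb {
    mode = 0660
  }
  service auth-worker {
  }
  service dict {
    unix_listener dict {
    }
]
ssl_cert = </usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
ssl_ca = /usr/local/etc/letsencrypt/live/kasdivi.com/cert.pem
"""


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str      # "error" or "warning"
    message: str


def _label(kw, name):
    return f"{kw} {name}".strip()


def effective_lines(text):
    """The config minus comments and blank lines: roughly what doveconf -n shows."""
    return [s for s in (line.strip() for line in text.splitlines()) if s and not s.startswith("#")]


def check(text):
    """Return structural findings (with line numbers) for one Dovecot-style config."""
    findings, stack, listeners = [], [], {}   # stack: (keyword, name, line) of open blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#") or s.startswith("!include"):
            continue
        if s == "}":
            if stack:
                stack.pop()
            else:
                findings.append(Finding(lineno, "error", "'}' with no open section"))
            continue
        if s in ("]", ")"):
            findings.append(Finding(lineno, "error", f"stray '{s}' where '}}' was expected"))
            if stack:                 # treat it as the intended '}' so later lines still make sense
                stack.pop()
            continue
        kv = _KV.match(s)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            if key in FILE_CONTENT_SETTINGS and value and not value.startswith("<"):
                findings.append(Finding(lineno, "warning",
                    f"{key} = {value}: missing '<', the path string itself becomes the value"))
            continue
        op = _OPEN.match(s)
        if not op:
            findings.append(Finding(lineno, "error", f"cannot parse: {s!r}"))
            continue
        kw, name, closed = op.group(1), op.group(2) or "", bool(op.group(3))
        if kw not in KNOWN_SECTIONS:
            findings.append(Finding(lineno, "error", f"unknown section type '{kw}'"))
        outer = next((b for b in stack if b[0] == "service"), None)
        if kw == "service" and outer:
            findings.append(Finding(lineno, "error",
                f"'{_label(kw, name)}' opened inside '{_label(*outer[:2])}', missing '}}' before line {lineno}?"))
        if kw.endswith("_listener"):
            owner = " > ".join(_label(b[0], b[1]) for b in stack) or "top level"
            if name in listeners:
                first_owner, first_line = listeners[name]
                findings.append(Finding(lineno, "error",
                    f"listener '{name}' already declared under {first_owner} at line {first_line}"))
            else:
                listeners[name] = (owner, lineno)
        if not closed:
            stack.append((kw, name, lineno))
    for kw, name, line in reversed(stack):
        findings.append(Finding(line, "error", f"'{_label(kw, name)}' is never closed"))
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE):
        print(f"line {f.line:3d} {f.kind}: {f.message}")
```

Run it as `python3 checkconf.py` to see the findings for the embedded sample, or replace `SAMPLE` with the contents of your own 10-master.conf. The checker does not know Dovecot's full setting list, so misspelled keys such as `auth_mechansims` or `vs_limit` still need `doveconf -n`, which refuses to start on unknown settings.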
Very valid point. Just another sign of my frustration. I had it all working till I tried to update the server for better spam control..... I have unix_listener /var/spool/postfix/private/dovecot-lmtp. I really don't fully understand LMTP. If it is a message transport, is that feasible?

I really think I also have an SSL issue with the certificates, meaning I have two problems at once which I can't appear to troubleshoot separately.

This is turning into a major learning process and I have a lot of info to work through.

Just whining. The only good part is that postfix is still handling incoming mail.
 
Dovecot is really, really picky, but on the flip side, once it works you pretty much know you set everything correctly.

LMTP is for services to enqueue mail. That's why the samples say "don't expose to internet."

My service auth section looks like this, having the path specified twice in the SASL socket declaration.

service auth {
    unix_listener auth-userdb {
        # I guess this just defaults to... something
    }
    unix_listener /var/spool/postfix/private/auth {
        path = /var/spool/postfix/private/auth
        user = postfix
        group = postfix
        mode = 0660
    }
}
Don't forget that you'll need to put Dovecot in Postfix's group in order to read that SASL unix socket.

Dovecot doesn't need a submission login? Sending mail goes through Postfix.
 
dovecot[99147]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Everything looks fine in the dovecot-sql.conf.ext, except for the fact that you put your password to the database in the cut/paste. Maybe go back and edit that post.

I'm thinking if Dovecot can't find the passdb, there's more mismatched brackets? (Assuming you uncommented "!include auth-sql.conf.ext" in "10-auth.conf" and those files are in the same directory of /usr/local/etc/dovecot/conf.d/ and the SQL config referenced in auth-sql.conf.ext is in /usr/local/etc/dovecot/dovecot-sql.conf.ext )
 