Postfix and dovecot and mysql for mail server.

In relation to your SSL problem, "fullchain.pem" seems like the chain file for the cert. Does it actually have the cert in it?

Run
openssl x509 -in /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem -text -noout | grep Subject:

and if it doesn't have your domain in it after the "CN=" part in any of the resulting lines, then that's just the chain CA file you have to append to your cert (create a new file for this).
 
I had it working for years in conjunction with something called Maia that handles spam and the like (https://www.purplehat.org/?p=736). Portions of it that provided a web control page went away.
The developer made a new guide (https://www.purplehat.org/?p=1446), which unfortunately was moving away from mysql and Apache (both of which I used for other things) and introduced Rspamd. I was trying to walk a line in between and that kind of left me unsupervised.

My service auth looks like this

Code:
service auth {
    unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
    }
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        mode = 0660
        user = postfix
        group = postfix
    }
    unix_listener auth-userdb {
        mode = 0660
        user = vscan
        group = vscan
    }
}

(oooooh using code tab helps me with blank lines )

I also have
Code:
unix_listener /var/spool/postfix/private/dovecot-lmtp

in my imap and lmtp which sort of seemed correct as a transfer again


I think I REALLY screwed up my ssl certificates, which I am working on.


Does my auth section make any sense to you??

Thanks again
 
Everything looks fine in the dovecot-sql.conf.ext, except for the fact that you put your password to the database in the cut/paste. Maybe go back and edit that post.

I'm thinking if Dovecot can't find the passdb, there's more mismatched brackets? (Assuming you uncommented "!include auth-sql.conf.ext" in "10-auth.conf" and those files are in the same directory of /usr/local/etc/dovecot/conf.d/ and the SQL config referenced in auth-sql.conf.ext is in /usr/local/etc/dovecot/dovecot-sql.conf.ext )
fixed the password issue
 
Went back and checked. Uncommented, yes. Same directory, yes. SQL config, yes. Same directory, yes. {} brackets resolve... 98% sure. All systems are still broke. I am completely redoing the certificates. See if that helps.
 
I have had this feeling that my ssl was messed up, so I redid SSL and for the time being I am using self assigned using OpenSSL. I THINK I have changed all the references to the certs but I am getting the following

Code:
postfix/master[17437]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
Apr 21 00:11:20 triggerfish postfix/master[17437]: warning: process /usr/local/libexec/postfix/smtpd pid 65060 exit status 1
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Error: auth-client: conn unix:login (uid=0): Timeout waiting for handshake from auth server. my pid=65048, input bytes=0
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=186.159.102.85, lip=209.160.64.187, session=<XVwGg5MWyee6n2ZV>
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Error: auth-client: conn unix:login (uid=0): Timeout waiting for handshake from auth server. my pid=65055, input bytes=0
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Error: auth-client: conn unix:login (uid=0): Timeout waiting for handshake from auth server. my pid=65052, input bytes=0
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=186.159.102.85, lip=209.160.64.187, session=<PY0Ig5MW0ee6n2ZV>
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=186.159.102.85, lip=209.160.65.133, session=<FkEHg5MWz+e6n2ZV>
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Error: auth-client: conn unix:login (uid=0): Timeout waiting for handshake from auth server. my pid=65054, input bytes=0
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=186.159.102.85, lip=209.160.65.133, session=<pKIHg5MW0Oe6n2ZV>
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=186.159.102.85, lip=209.160.64.187, session=<8rc5hJMW4ue6n2ZV>
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Error: auth-client: conn unix:login (uid=0): Timeout waiting for handshake from auth server. my pid=65056, input bytes=0
Apr 21 00:11:34 triggerfish dovecot[64673]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=186.159.102.85, lip=209.160.65.133, session=<WDAKg5MW0ue6n2ZV>
Apr 21 00:11:36 triggerfish dovecot[64673]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Apr 21 00:11:36 triggerfish dovecot[64671]: master: Error: service(auth): command startup failed, throttling for 60.000 secs

Ok, with self assigned I did not have or did not know what I was supposed to use for a CA-CRT with self assigned certificates. So I imagine that is a major problem since it is AUTH.


Just as a side note, I see an error involving postfix/smtpd, which I assumed means the SMTP daemon. Doesn't LMTP replace SMTP, or is that just for Dovecot?
 
SMTP and LMTP should be handled by Postfix and delivered to mbox/maildirs that Dovecot reads. I also don't think whatever Dovecot does with LMTP is enabled unless you turned it on in the "protocols =" section in dovecot.conf.

I don't know what the purpose is of having two client unix-listeners in auth.

You still have this problem:
auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one

Which kind of makes me think it's not pulling in the configuration files properly.

In order to get to auth-sql.conf.ext you need in:
/usr/local/etc/dovecot/dovecot.conf: "!include conf.d/*.conf"
/usr/local/etc/dovecot/conf.d/10-auth.conf: "!include auth-sql.conf.ext"

and all three of those files and /conf.d need to be readable by the Dovecot user
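
The checks listed in this reply (include lines present and uncommented, files readable by the Dovecot user, braces balanced), gathered into one script. This is an added example, not code from the thread or from the Dovecot project. The function names are made up here, the paths are the ones quoted in the thread, and the per-file brace count is a heuristic.

```shell
#!/bin/sh
# Added example: audit the include chain leading to the SQL passdb.
# File layout follows the thread; the function names are hypothetical.

# True if FILE has an uncommented "!include TARGET" (or !include_try) line.
has_include() {
    awk -v want="$2" '
        ($1 == "!include" || $1 == "!include_try") && $2 == want { found = 1 }
        END { exit !found }' "$1" 2>/dev/null
}

# Print (opening braces - closing braces) for FILE, ignoring comment text.
brace_delta() {
    sed 's/#.*//' "$1" |
        awk '{ o += gsub(/[{]/, ""); c += gsub(/[}]/, "") } END { print o - c }'
}

# True if PATH is readable by USER (empty USER = whoever runs the script).
readable_as() {
    if [ -z "$1" ] || [ "$1" = "$(id -un 2>/dev/null)" ]; then
        test -r "$2"
    else
        sudo -u "$1" test -r "$2"
    fi
}

# audit_dovecot BASEDIR USER: print findings, return the number of problems.
audit_dovecot() {
    base=$1; user=$2; problems=0
    main=$base/dovecot.conf
    auth=$base/conf.d/10-auth.conf
    for f in "$main" "$auth" "$base/conf.d/auth-sql.conf.ext" \
             "$base/dovecot-sql.conf.ext"; do
        if ! readable_as "$user" "$f"; then
            echo "UNREADABLE by ${user:-current user}: $f"
            problems=$((problems + 1)); continue
        fi
        d=$(brace_delta "$f")
        [ "$d" -eq 0 ] || { echo "BRACES off by $d: $f"; problems=$((problems + 1)); }
    done
    has_include "$main" 'conf.d/*.conf' ||
        { echo "NO '!include conf.d/*.conf' in $main"; problems=$((problems + 1)); }
    has_include "$auth" 'auth-sql.conf.ext' ||
        { echo "NO '!include auth-sql.conf.ext' in $auth"; problems=$((problems + 1)); }
    return "$problems"
}

# Run only when called with arguments, e.g.: sh audit.sh /usr/local/etc/dovecot dovecot
if [ "$#" -eq 2 ]; then audit_dovecot "$1" "$2"; fi
```

A commented-out `#!include auth-sql.conf.ext` is reported as missing, which is the condition that leaves the auth service with no passdb.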
 
I decided that I am an idiot (duuuh), and went back to basics and stepped back from letsencrypt for the moment.

I went back and used a simple ssl configuration based on openssl. Let's see how that goes.
 
There's something messed up with your files. I would check permissions and ACLs.

sudo -u dovecot test -r /usr/local/etc/dovecot/conf.d/auth-sql.conf.ext
echo $?

Ok simple sort of works except for

Error: conn unix:auth-worker (uid=143): auth-worker<1>: pam(jason@kasdivi.com,186.159.102.85,<25bsFrEWscq6n2ZV>): pam_authenticate() failed: Authentication error (/etc/pam.d/dovecot missing?)
I THINK(?) that this means I still have an issue in the conf.d files
 
I cleaned the PAM issue, which was a typo with the path to the ca-file.
Went back through these and

In order to get to auth-sql.conf.ext you need in:
/usr/local/etc/dovecot/dovecot.conf: "!include conf.d/*.conf"
yes
/usr/local/etc/dovecot/conf.d/10-auth.conf: "!include auth-sql.conf.ext"
yes
and all three of those files and /conf.d need to be readable by the Dovecot user
changed ownership to the mail group which includes dovecot

Mail comes in fine but nothing goes out

postfix/smtpd[9639]: fatal: no SASL authentication mechanisms
which I understand says my dovecot ssl is still messed up
I checked 10-ssl.conf and the SSL paths appear good

Code:
ssl_cert = </usr/local/etc/openssl/server.crt
ssl_key = </usr/local/etc/openssl/server.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </usr/local/etc/openssl/rootCA.crt

I seem to be going in a circle, granted in a smaller radius
 
FINALLY.

The issue was, as I think you said, with dovecot and 10-master.conf


If you want a copy with all the comments from core files I will be happy to provide
 