Ubuntu – Can’t receive mail with dovecot + postfix setup


First time setting up my own mail server on a machine running the latest Ubuntu.

After looking around I decided on dovecot + postfix and virtual users with mailboxes in /var/mail/vmail/%d/%n

For the most part, I followed the Taking back email tutorial series found here

I noticed that when I try to connect via IMAP to me@mydomain.com the correct directory structure is created, so /var/mail/vmail/mydomain.com/me exists and has the needed files in it.

However, when I receive mail on that server through SMTP, there seems to be a point in the whole chain of commands from Postfix to Dovecot where the domain part %d becomes empty, and thus it tries to access and create the wrong directories and fails with this error:

Jan 25 17:47:35 lda(me): Debug: Effective uid=1000, gid=1000, home=/home/me
Jan 25 17:47:35 lda(me): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/vmail//me/mail:LAYOUT=fs
Jan 25 17:47:35 lda(me): Debug: fs: root=/var/mail/vmail//me/mail, index=, indexpvt=, control=, inbox=/var/mail/vmail//me/mail, alt=
Jan 25 17:47:35 lda(me): Debug: Namespace : /var/mail/vmail//me/mail doesn't exist yet, using default permissions
Jan 25 17:47:35 lda(me): Debug: Namespace : Using permissions from /var/mail/vmail//me/mail: mode=0700 gid=default
Jan 25 17:47:35 lda(me): Error: User initialization failed: Namespace '': mkdir(/var/mail/vmail//me/mail) failed: Permission denied (euid=1000(me) egid=1000(me) missing +w perm: /var/mail/vmail/, we're not in group 5000(vmail), dir owned by 5000:5000 mode=0775)
Jan 25 17:47:35 lda(me): Fatal: Invalid user settings. Refer to server log for more information.

/var/mail/vmail is owned by vmail:vmail (5000) and even though it shouldn't be necessary, I temporarily added user me to the vmail group.

I'm not sure how to proceed to debug this. I have turned on verbose modes for everything I could find from postfix to dovecot, but from the logs that I get I can't pinpoint the exact source of the problem.

Here is the relevant part of my postfix master.cf

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver
  -f ${sender} -d ${recipient}

Any kind of help or suggestion is greatly appreciated.

Update 1

It turns out that there was a mailbox_command that wasn't correctly set in postfix, so I changed it from

#mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}"

to

mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -f "${SENDER}" -d "${RECIPIENT}"

And now I don't get the permission denied error, but I'm still unable to receive emails.

Mail location settings are:

mail_home = /var/mail/vmail/%d/%n
mail_location = maildir:/var/mail/vmail/%d/%n/mail:LAYOUT=fs

The contents of virtual-mailbox-users is:

me@mydomain.com       mydomain.com/me

And yup, I did postmap that file after every modification.

I noticed a few other warnings/errors:

Jan 25 20:43:29 linux2-dkhalife postfix/smtpd[8277]: warning: SASL: Connect to private/dovecot-auth failed: Connection refused
Jan 25 20:43:29 linux2-dkhalife postfix/smtpd[8277]: fatal: no SASL authentication mechanisms
Jan 25 20:42:26 linux2-dkhalife postfix/smtpd[8274]: warning: connect to Milter service unix:/var/spool/postfix/spamassassin/spamd.sock: No such file or directory
Jan 25 20:42:26 linux2-dkhalife postfix/smtpd[8274]: warning: connect to Milter service unix:/var/run/clamav/clamav-milter.ctl: No such file or directory
Jan 25 20:42:26 linux2-dkhalife postfix/smtpd[8274]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

Update 2

doveconf -n outputs version 2.2.18 and the following:

auth_mechanisms = plain login
mail_debug = yes
mail_home = /var/mail/vmail/%d/%n
mail_location = maildir:/var/mail/vmail/%d/%n/mail:LAYOUT=fs
mail_privileged_group = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = username_format=%u scheme=ssha512 /etc/dovecot/passwd.db
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_after = /var/mail/vmail/sieve-after
  sieve_before = /var/mail/vmail/sieve-before
  sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/ssl/private/mail_mydomain_com.pem
ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = </etc/ssl/private/mail_mydomain_com.key
userdb {
  args = uid=5000 gid=5000 home=/var/mail/vmail/%d/%n
  driver = static
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
  mail_max_userip_connections = 10
}
protocol pop3 {
  mail_max_userip_connections = 10
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
  deliver_log_format = msgid=%m: %$
  mail_plugins = sieve
  postmaster_address = postmaster@mydomain.com
  quota_full_tempfail = yes
  rejection_reason = Your message to <%t> was automatically rejected:%n%r
}

postconf -n outputs version 2.11.3 and the following:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
config_directory = /etc/postfix
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -f "${SENDER}" -d "${RECIPIENT}"
mailbox_size_limit = 0
message_size_limit = 104857600
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
mydestination = mydomain.com, myotherdomain.ca, localhost
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 10.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = $smtpd_milters
readme_directory = no
recipient_delimiter = +
relay_destination_concurrency_limit = 1
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_milters = unix:/var/spool/postfix/spamassassin/spamd.sock unix:/var/run/clamav/clamav-milter.ctl unix:/var/run/opendkim/opendkim.sock
smtpd_recipient_restrictions = reject_unknown_client_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /var/spool/postfix/private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_mailbox_maps
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/mail_mydomain_com.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/ssl/private/mail_mydomain_com.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = hash:/etc/postfix/virtual-mailbox-domains
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-users
virtual_transport = dovecot

Best Answer

First your smtpd_sasl_path is both wrong and wrongly specified. In dovecot.conf you set it to /var/spool/postfix/private/auth so in Postfix that should be smtpd_sasl_path = private/auth (not .../dovecot-auth). Notice how this is a relative path, relative to Postfix's chroot dir. Restart Postfix and the SASL errors should be gone.

Second, it looks like you are mixing virtual mail hosting and "canonical" mail hosting. Your virtual domains must not be set in mydestination, otherwise you run into problems like "mail loops back to myself". Decide what kind of mail hosting setup you want and configure Postfix and Dovecot accordingly. Don't try to mix and match configuration directives in the hopes that some combination will randomly yield a workable result.

These two issues are probably the root of your problem. Dovecot's error message hints at that:

Jan 25 17:47:35 lda(dany): Error: User initialization failed: Namespace '':
  mkdir(/var/mail/vmail//dany/mail) failed:
  Permission denied (euid=1000(dany) egid=1000(dany) missing +w perm:
  /var/mail/vmail/, we're not in group 5000(vmail), dir owned by 5000:5000 mode=0775)

This is because Postfix tries to deliver mail using mailbox_command (Dovecot's LDA deliver) as the user that receives the message (dany) but that user of course has no business writing to /var/mail/vmail as it is a virtual user.

I am going to assume you want proper virtual mail hosting, as discussed, for example, in http://www.postfix.org/VIRTUAL_README.html.

  • Your Dovecot mail_location setting should just be mail_location = maildir:~/mail:LAYOUT=fs (and ask yourself if you really want LAYOUT=fs instead of the default Maildir++ layout). Also don't set mail_home both globally and in the userdb. Just drop the mail_home directive altogether, it is not needed for your setup.

  • Consequently you don't need a mailbox_command in Postfix since you are using a virtual transport (virtual_transport = dovecot) and have defined a dovecot service in master.cf. See next point.

  • These days I would go with LMTP instead of Dovecot's LDA deliver. Easier to get right, better performance and it even gives you recipient verification for cheap. See http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP for how to implement LMTP.

  • Be sure that the permissions of /var/mail/vmail are correct. The vmail directory and all subdirectories should be owned by UID 5000 and GID 5000 and nobody else. Don't put any other users in that group.

This is what I can say so far, having looked at your config and the error messages. Try fixing the above issues and see where that gets you.
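
The three mismatches this answer points out (SASL socket path, a domain that is both local and virtual, mailbox_command next to a virtual transport) can be checked mechanically. The Python sketch below is an added example, not code from the original post or from Postfix or Dovecot: the helpers `parse_postconf` and `audit` are hypothetical, the sample input is constructed from the configuration lines quoted in the question, and `/var/spool/postfix` is assumed as the Postfix queue directory.

```python
import re

# Constructed sample input, taken from the listings quoted in the question.
POSTCONF = """\
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -f "${SENDER}" -d "${RECIPIENT}"
mydestination = mydomain.com, myotherdomain.ca, localhost
smtpd_sasl_path = /var/spool/postfix/private/dovecot-auth
smtpd_sasl_type = dovecot
virtual_transport = dovecot
"""
DOVECONF = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
  }
}
"""
VIRTUAL_USERS = "me@mydomain.com       mydomain.com/me\n"
QUEUE_DIR = "/var/spool/postfix"  # assumption: Postfix queue_directory


def parse_postconf(text):
    """Turn 'name = value' lines into a dict (hypothetical helper)."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {name.strip(): value.strip() for name, _, value in pairs}


def audit(postconf, doveconf, virtual_users, queue_dir=QUEUE_DIR):
    """Return one finding per mismatch described in the answer."""
    conf, findings = parse_postconf(postconf), []
    # 1. smtpd_sasl_path must name a socket Dovecot actually listens on.
    listeners = set(re.findall(r"unix_listener\s+(\S+)\s*\{", doveconf))
    sasl = conf.get("smtpd_sasl_path", "")
    resolved = sasl if sasl.startswith("/") else f"{queue_dir}/{sasl}"
    if conf.get("smtpd_sasl_type") == "dovecot" and resolved not in listeners:
        findings.append(f"sasl_path: {resolved} is not a Dovecot unix_listener")
    # 2. A domain must not be both local (mydestination) and virtual.
    local = set(re.split(r"[,\s]+", conf.get("mydestination", "")))
    virtual = {line.split()[0].rpartition("@")[2]
               for line in virtual_users.splitlines() if line.strip()}
    for dom in sorted(local & virtual):
        findings.append(f"domain_overlap: {dom} is local and virtual")
    # 3. mailbox_command belongs to local(8), not to the virtual transport.
    if conf.get("mailbox_command") and conf.get("virtual_transport"):
        findings.append("mailbox_command: set alongside virtual_transport")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(POSTCONF, DOVECONF, VIRTUAL_USERS)))
```

The check compares path names only; it does not verify socket ownership or mode, or whether smtpd actually runs chrooted.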