Hello,

I'm trying to migrate to a new setup, Debian 12 with Postfix 3.7 and
Dovecot 2.3 using virtual mailbox domains. There are no local users; everyone
is virtual. The first problem I'm seeing is that the Postfix process is
exiting:

#systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/lib/systemd/system/postfix.service; enabled; preset: e>
     Active: active (exited) since Wed 2023-07-19 15:02:03 EDT; 4s ago

I suspect this is occurring because of this:

2023-07-19T15:19:58.474716-04:00 hostname postfix/master[41002]:
warning: process /usr/lib/postfix/sbin/smtpd pid 41013 exit status 1

A few lines earlier:

2023-07-19T15:19:57.473608-04:00 hostname postfix/proxymap[41014]:
warning: request for unapproved table: "unix:passwd.byname"
2023-07-19T15:19:57.473797-04:00 hostname postfix/proxymap[41014]:
warning: to approve this table for read-only access, list
proxy:unix:passwd.byname in main.cf:proxy_read_maps
2023-07-19T15:19:57.474399-04:00 hostname postfix/smtpd[41013]: fatal:
proxymap service is not configured for table "unix:passwd.byname"

I don't have that table listed in my proxy configuration.

I'm also getting errors when attempting to access my sql aliases.cf
configuration. That looks like this and it's looking like others:

2023-07-19T15:20:02.693395-04:00 hostname postfix/proxymap[41014]:
error: open /etc/postfix/sql/aliases.cf: Permission denied
2023-07-19T15:20:02.700548-04:00 hostname postfix/proxymap[41014]:
error: open /etc/postfix/sql/domains.cf: Permission denied
2023-07-19T15:20:02.701021-04:00 hostname postfix/proxymap[41014]:
warning: mysql:/etc/postfix/sql/aliases.cf is unavailable. open
/etc/postfix/sql/aliases.cf: Permission denied
2023-07-19T15:20:02.701791-04:00 hostname postfix/cleanup[41032]:
warning: proxy:mysql:/etc/postfix/sql/aliases.cf lookup error for
"r...@mail.example.com"

I'm seeing issues with Postfix local trying to get in to this; whenever
it does, it tries to send to r...@mail.example.com.

Given the above, I would think nothing would be working: since
domains.cf can't be found, receiving any email shouldn't work. I
sent a test message through and it does. If I send to a non-aliases
address, i.e. r...@domain.com, it does not work, yet u...@domain.com goes
through just fine. Here's my master.cf file and a postconf -n output.
Here are also the permissions of /etc/postfix/sql/*.cf.

Any help appreciated.
Thanks.
Dave.

#cat master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
#smtp      inet  n       -       y       -       -       smtpd
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n -   y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
#     Instead of specifying complex smtpd_<xxx>_restrictions here,
#     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
#     here, and specify mua_<xxx>_restrictions in main.cf (where
#     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=submission-header-cleanup
  -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable submissions for loopback clients only, or for any client.
#127.0.0.1:submissions inet n  -       y       -       -       smtpd
#submissions     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submissions
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#     Instead of specifying complex smtpd_<xxx>_restrictions here,
#     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
#     here, and specify mua_<xxx>_restrictions in main.cf (where
#     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
#  -o smtpd_client_restrictions=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_relay_restrictions=
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
submission-header-cleanup unix n - n    -       0       cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup

#postconf -n
append_dot_mydomain = no
biff = no
compatibility_level = 3.7
disable_vrfy_command = yes
inet_interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
mailbox_size_limit = 0
message_size_limit = 52428800
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
proxy_read_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
proxy:mysql:/etc/postfix/sql/accounts.cf
proxy:mysql:/etc/postfix/sql/domains.cf
proxy:mysql:/etc/postfix/sql/recipient-access.cf
proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
proxy:mysql:/etc/postfix/sql/tls-policy.cf
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = permit_mynetworks reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
smtpd_recipient_restrictions = check_recipient_access
proxy:mysql:/etc/postfix/sql/recipient-access.cf
smtpd_relay_restrictions = reject_non_fqdn_recipient
reject_unknown_recipient_domain permit_mynetworks
reject_unauth_destination
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/example.com/example.com.fullchain.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_key_file = /etc/ssl/example.com/example.com.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist =
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

#ls -la /etc/postfix/sql
total 32
drwxr-xr-x 2 root root 4096 Jul 19 15:18 ./
drwxr-xr-x 5 root root 4096 Jul 19 16:52 ../
-rw-r--r-- 1 root root  194 Jul 19 13:12 accounts.cf
-rw-r--r-- 1 root root  562 Jul 19 15:18 aliases.cf
-rw-r--r-- 1 root root  152 Jul 17 11:18 domains.cf
-rw-r--r-- 1 root root  237 Jul 19 13:14 recipient-access.cf
-rw-r--r-- 1 root root  390 Jul 19 13:18 sender-login-maps.cf
-rw-r--r-- 1 root root  166 Jul 17 11:20 tls-policy.cf
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
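
An added example (not part of the message above, and not Postfix code): a Python check that lists every proxy: table a parameter uses but proxy_read_maps does not approve, the condition behind the "request for unapproved table" warning quoted above. The sample is constructed from the postconf -n output above plus one assumed line, local_recipient_maps at its Postfix default (postconf -n omits defaults); function names are hypothetical, $name references are not expanded, and proxy_read_maps is assumed to be set explicitly as it is here.

```python
import re

# Constructed sample: proxy-related lines of the "postconf -n" output above, wrapped
# as in the e-mail, plus local_recipient_maps at its Postfix default (assumed line).
SAMPLE = """\
proxy_read_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
proxy:mysql:/etc/postfix/sql/accounts.cf
proxy:mysql:/etc/postfix/sql/domains.cf
proxy:mysql:/etc/postfix/sql/recipient-access.cf
proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
proxy:mysql:/etc/postfix/sql/tls-policy.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
"""

PARAM = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")

def parse_postconf(text):
    """Return {parameter: value}, joining wrapped continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        m = PARAM.match(line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
        elif current and line.strip():
            params[current] += " " + line.strip()
    return params

def proxy_tables(value):
    """Tokens of a parameter value that are proxy: table references."""
    return [t for t in re.split(r"[\s,]+", value) if t.startswith("proxy:")]

def unapproved_proxy_tables(params):
    """Map each proxy: table missing from proxy_read_maps to the parameters using it."""
    approved = set(proxy_tables(params.get("proxy_read_maps", "")))
    missing = {}
    for name, value in params.items():
        for table in proxy_tables(value):
            if table not in approved:
                missing.setdefault(table, []).append(name)
    return missing

if __name__ == "__main__":
    for table, users in unapproved_proxy_tables(parse_postconf(SAMPLE)).items():
        print(f"{table}: used by {', '.join(users)}, not in proxy_read_maps")
```
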
