blog: postfix: show how to fix permissions errors

Colin 2022-04-06 08:51:42 +00:00
parent dea118f1d3
commit 3ed127ff10
1 changed files with 52 additions and 6 deletions


@ -50,7 +50,7 @@ using the `--network-veth` flag, systemd will create a NAT'd network and expose
we can then forward ports across the NAT just like you would forward ports from your router to your PC/server (port 25 here is the SMTP port):
```sh
[root /]$ systemd-nspawn -b --network-veth -p 25:25 -D /opt/postfix
[root@host /]# systemd-nspawn -b --network-veth -p 25:25 -D /opt/postfix
postfix login: root
Password: <enter it>
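Review bot: the prompt now distinguishes the host shell (`[root@host /]#`) from the container shell, which the rest of the post depends on; keep `[root@host /]#` and `[root@postfix /]#` consistent in the later hunks. One sentence would also help here: `-p 25:25` makes the container's SMTP port reachable through the host's address as soon as the container boots, i.e. the port forward is live before the rest of the postfix configuration below has been applied.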
@ -108,6 +108,25 @@ update the database mappings and then restart the services:
[root@postfix /]# postfix set-permissions
```
the `postfix` Arch package includes the `/var/spool` files which are now owned by `vmail`, and Arch fixes package permissions on each boot.
so for these changes to take effect, you'll need to edit `lib/systemd/system/postfix.service` to apply `set-permissions` on each boot:
```diff
- ExecStart=/usr/bin/postfix start
+ ExecStart=/usr/bin/bash -c '/usr/bin/postfix set-permissions && /usr/bin/postfix start'
```
because systemd limits postfix's ability to write outside of `/var/spool`, you'll need to change which files postfix tries to enforce permissions.
in `etc/postfix/postfix-files`, comment out every line which starts with one of:
- `$config_directory`
- `$daemon_directoy`
- `$sample_directory`
- `$readme_directory`
- `$html_directory`
- `$shlib_directory`
- `$manpage_directory`
since Arch manages these (correctly), you're not really losing anything.
run that `nc` command again: this time mail should show up in `/var/spool/mail/vmail`,
and that file should be owned by the `vmail` user instead of `root`.
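Review bot: `$daemon_directoy` in the list of `postfix-files` prefixes is misspelled (`$daemon_directory`); a reader who greps for the literal will miss those lines. For the `ExecStart=` change, consider `ExecStartPre=/usr/bin/postfix set-permissions` instead of wrapping both commands in `bash -c '... && ...'`: it is the systemd idiom, it keeps a failure of `set-permissions` visible as its own step in `journalctl -u postfix`, and it can live in a drop-in (`systemctl edit postfix`) rather than in the packaged `lib/systemd/system/postfix.service`, which the next package upgrade will overwrite. It is also worth saying explicitly that `lib/systemd/system/postfix.service` and `etc/postfix/postfix-files` are paths inside the container tree (under `/opt/postfix`), since the missing leading slash is easy to read as a typo.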
@ -178,11 +197,13 @@ this message should be signed
```
then add a SPF DNS record and a DMARC record to receive delivery reports.
if you're running a large mail server it would be good to install `opendmarc` to send delivery reports to *other* servers (like me!), but i'll skip that here.
if you're running a large mail server it would be good to install `opendmarc` to send delivery reports to *other* servers (like mine!), but i'll skip that here.
throw in the MX record, and your zone file should look like this:
```zone
```asm
; mailserver shares an IP with the rest of uninsane.org.
@ MX 10 uninsane.org.
; Sender Policy Framework:
; +mx => mail passes if it originated from the MX
; +a => mail passes if it originated from the A address of this domain
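Review bot: retagging the zone-file fence from `zone` to `asm` trades accuracy for highlighting; if the renderer does not know `zone`, an untagged fence (the `; mailserver ...` comment on the first line already identifies it as a zone file) is less confusing than labelling the block as assembly. The `like me!` to `like mine!` fix reads correctly now.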
@ -206,8 +227,10 @@ mx1._domainkey TXT "v=DKIM1; k=rsa; s=email; p=<big long string>"
; pct = sampling ratio for punishing failures (default 100 for 100%)
; rf = report format
; ri = report interval
_dmarc TXT ("v=DMARC1;p=quarantine;sp=reject;fo=1:d:s;"
"rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org")
_dmarc TXT (
"v=DMARC1;p=quarantine;sp=reject;fo=1:d:s;"
"rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org"
)
```
## Validation
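Review bot: the reflowed `_dmarc` record is easier to read, and the split is valid: the parentheses and two quoted strings make the TXT RR a single record of two character-strings that the receiver concatenates, which the DMARC validator linked under Validation will confirm parses as one policy. It would help to add, in the comment block above the record, that `ruf=` failure reports can carry message content and that most large providers only send `rua=` aggregate reports, so readers know which mailbox to expect traffic in.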
@ -216,12 +239,35 @@ validate your DMARC record (and DKIM, SPF if you want): <https://dmarcian.com/dm
try sending/receiving mail: <https://www.appmaildev.com/en/dkim>.
if these fail, check `journalctl -u postfix`. if there's _nothing_ showing traffic, it may be that your ISP blocks port 25.
if these fail, check `journalctl -u postfix`. if there's no indication of traffic, it may be that your ISP blocks port 25.
you can check for that with `nc -vz gmail.com 25` (will exit 0 if the port is open, hang if the port is blocked).
in my case, Centurylink blocks both port 25 outbound _and_ inbound, meaning that i can't even use this setup to _receive_ mail.
for this case, i'll explore running postfix on a non-standard port and using a mail forwarder or transparent proxy in a subsequent blog post.
if these are working, instruct systemd to launch the container when the host boots.
with the container running:
```sh
[root@host /]# ln -s /opt/postfix /var/lib/machines/postfix
[root@host /]# machinectl enable postfix
[root@host /]# systemctl enable machines.target
```
populate `/etc/systemd/nspawn/postfix.nspawn` (you may need to create the directory) with the settings we used earlier:
```toml
[Network]
VirtualEthernet=on
Port=25:25
```
then you can stop the machine, restart it, and administer it:
```sh
[root@host /]# machinectl stop postfix
[root@host /]# machinectl start postfix
[root@host /]# machinectl login postfix
```
once it's stable, consider disabling password login for root.
<!--
Notes:
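Review bot: `nc -vz gmail.com 25` as written has no timeout, so on a filtered port it blocks until the kernel's TCP connect timeout rather than failing promptly; add `-w 5` so the check terminates and its exit status can be used in a script. Also say where `journalctl -u postfix` runs: the `postfix` unit lives in the container, so that is a `[root@postfix /]#` command, while the `ln -s`, `machinectl enable` and `systemctl enable machines.target` lines are host commands, which their prompts already show.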