blog: postfix: show how to fix permissions errors
parent dea118f1d3
commit 3ed127ff10
@ -50,7 +50,7 @@ using the `--network-veth` flag, systemd will create a NAT'd network and expose
we can then forward ports across the NAT just like you would forward ports from your router to your PC/server (port 25 here is the SMTP port):
```sh
[root /]$ systemd-nspawn -b --network-veth -p 25:25 -D /opt/postfix
[root@host /]# systemd-nspawn -b --network-veth -p 25:25 -D /opt/postfix
postfix login: root
Password: <enter it>
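Review bot: the prompt change from `[root /]$` to `[root@host /]#` is the right call, since the page later uses `[root@postfix /]#` for commands typed inside the container, and a reader following both sections needs to know on which side of the NAT each command runs. It is worth stating here that `-p 25:25` installs the forwarding rule on the host, so the host's own firewall still has to admit inbound 25 before any mail can reach the container.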
@ -108,6 +108,25 @@ update the database mappings and then restart the services:
[root@postfix /]# postfix set-permissions
```
the `postfix` Arch package includes the `/var/spool` files which are now owned by `vmail`, and Arch fixes package permissions on each boot.
so for these changes to take effect, you'll need to edit `lib/systemd/system/postfix.service` to apply `set-permissions` on each boot:
```diff
- ExecStart=/usr/bin/postfix start
+ ExecStart=/usr/bin/bash -c '/usr/bin/postfix set-permissions && /usr/bin/postfix start'
```
because systemd limits postfix's ability to write outside of `/var/spool`, you'll need to change which files postfix tries to enforce permissions.
in `etc/postfix/postfix-files`, comment out every line which starts with one of:
- `$config_directory`
- `$daemon_directoy`
- `$sample_directory`
- `$readme_directory`
- `$html_directory`
- `$shlib_directory`
- `$manpage_directory`
since Arch manages these (correctly), you're not really losing anything.
run that `nc` command again: this time mail should show up in `/var/spool/mail/vmail`,
and that file should be owned by the `vmail` user instead of `root`.
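Review bot: editing the packaged unit at `lib/systemd/system/postfix.service` will be undone the next time the `postfix` package is upgraded, which is the same class of problem this hunk is working around for `/var/spool`; a drop-in override survives upgrades, e.g. `systemctl edit postfix` with `[Service]` and `ExecStartPre=/usr/bin/postfix set-permissions`, which also removes the need to wrap `postfix start` in `bash -c`. Also, `$daemon_directoy` in the list of `postfix-files` prefixes is a typo for `$daemon_directory`; a reader searching for the misspelled name will comment out nothing. Finally, "change which files postfix tries to enforce permissions" reads better as "... enforce permissions on".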
@ -178,11 +197,13 @@ this message should be signed
```
then add a SPF DNS record and a DMARC record to receive delivery reports.
if you're running a large mail server it would be good to install `opendmarc` to send delivery reports to *other* servers (like me!), but i'll skip that here.
if you're running a large mail server it would be good to install `opendmarc` to send delivery reports to *other* servers (like mine!), but i'll skip that here.
throw in the MX record, and your zone file should look like this:
```zone
```asm
; mailserver shares an IP with the rest of uninsane.org.
@ MX 10 uninsane.org.
; Sender Policy Framework:
; +mx => mail passes if it originated from the MX
; +a => mail passes if it originated from the A address of this domain
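Review bot: swapping the fence tag from `zone` to `asm` mislabels the block; an assembly lexer will colour the `;` comments and the `@`/`MX` tokens by assembly rules, which do not match zone-file semantics. If the renderer has no `zone` lexer, an untagged fence or `text` keeps the label honest while still rendering as a code block. The `(like me!)` to `(like mine!)` fix is correct, since it is the server, not the author, that receives the reports.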
@ -206,8 +227,10 @@ mx1._domainkey TXT "v=DKIM1; k=rsa; s=email; p=<big long string>"
; pct = sampling ratio for punishing failures (default 100 for 100%)
; rf = report format
; ri = report interval
_dmarc TXT ("v=DMARC1;p=quarantine;sp=reject;fo=1:d:s;"
"rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org")
_dmarc TXT (
"v=DMARC1;p=quarantine;sp=reject;fo=1:d:s;"
"rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org"
)
```
## Validation
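Review bot: the multi-line `_dmarc TXT ( ... )` form deserves a comment, alongside the existing `pct`/`rf`/`ri` explanations, that the two quoted strings are concatenated by resolvers into a single record, so there must be no whitespace at the join; the hunk gets this right (`...fo=1:d:s;"` followed directly by `"rua=...`), but a reader reflowing the record by hand can easily break it. While adding that, `sp=reject` also merits a line: subdomains are rejected outright while the organisational domain is only quarantined, which is fine as long as nothing legitimate sends from a subdomain.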
@ -216,12 +239,35 @@ validate your DMARC record (and DKIM, SPF if you want): <https://dmarcian.com/dm
try sending/receiving mail: <https://www.appmaildev.com/en/dkim>.
if these fail, check `journalctl -u postfix`. if there's _nothing_ showing traffic, it may be that your ISP blocks port 25.
if these fail, check `journalctl -u postfix`. if there's no indication of traffic, it may be that your ISP blocks port 25.
you can check for that with `nc -vz gmail.com 25` (will exit 0 if the port is open, hang if the port is blocked).
in my case, Centurylink blocks both port 25 outbound _and_ inbound, meaning that i can't even use this setup to _receive_ mail.
for this case, i'll explore running postfix on a non-standard port and using a mail forwarder or transparent proxy in a subsequent blog post.
if these are working, instruct systemd to launch the container when the host boots.
with the container running:
```sh
[root@host /]# ln -s /opt/postfix /var/lib/machines/postfix
[root@host /]# machinectl enable postfix
[root@host /]# systemctl enable machines.target
```
populate `/etc/systemd/nspawn/postfix.nspawn` (you may need to create the directory) with the settings we used earlier:
```toml
[Network]
VirtualEthernet=on
Port=25:25
```
then you can stop the machine, restart it, and administer it:
```sh
[root@host /]# machinectl stop postfix
[root@host /]# machinectl start postfix
[root@host /]# machinectl login postfix
```
once it's stable, consider disabling password login for root.
<!--
Notes:
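Review bot: `nc -vz gmail.com 25` as written hangs indefinitely when the port is blocked, as the text itself says; adding a connect timeout (`nc -vz -w 5 gmail.com 25`) makes it exit non-zero instead, which is what anyone scripting this check needs. Two smaller points: the `.nspawn` file is systemd's ini-style unit syntax, so `ini` is a more accurate fence tag than `toml`; and since `machinectl start` reads `/etc/systemd/nspawn/postfix.nspawn`, the `Port=25:25` setting should be written before the `machinectl enable`/`start` steps rather than after them, otherwise the first boot through machinectl comes up without the port forward that `-p 25:25` provided on the command line.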