DMARC rua unable to send reports via sendmail to local e-mail address?

Question

I've setup a small mail server with Postfix, Dovecot, and MySQL (MariaDB) on Debian. I've also configured TLS with Let's Encrypt. rDNS, DMARC, DKIM, SPF and Fail2Ban are also setup and confirmed to work.

My DMARC record looks like this:

v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;rua=mailto:report@[example].com;fo=1

The issue is that the rua=mailto:[email protected], which should sporadically send reports to an e-mail address on the same mail server, does not work.

/var/log/mail.log reports:

Jan 18 14:47:05 [hostname] postfix/sendmail[20682]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 18 14:47:05 [hostname] postfix/pipe[20681]: 553A01F977: to=<report@[example].net>, relay=spamassassin, delay=9533, delays=9533/0.01/0/0.3, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )

The permissions on /etc/postfix/main.cf are:

-rwxr-x--- 1 root root 3968 Jan 18 08:36 /etc/postfix/main.cf

What kind of permissions does sendmail need to be able to successfully work? Or is this issue maybe related something else?

I can post configuration files, if needed, but wanted to keep this concise.

Update - 2022-01-26

Unfortunately, the same permission problem still persists, even after changing the permissions of /etc/postfix/main.cf to 754.

Here's an extended excerpt from /var/log/mail.log from this morning, in case that helps to debug this further:

Jan 26 06:17:48 [hostname] postfix/qmgr[18018]: BBF611E00B: from=<[email protected]>, size=3516, nrcpt=1 (queue active)
Jan 26 06:17:48 [hostname] postfix/sendmail[23302]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 26 06:17:48 [hostname] postfix/pipe[23301]: BBF611E00B: to=<report@[example].net>, relay=spamassassin, delay=148779, delays=148779/0.01/0/0.33, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Jan 26 06:27:48 [hostname] postfix/qmgr[18018]: 581341F9AA: from=<[email protected]>, size=3516, nrcpt=1 (queue active)
Jan 26 06:27:48 [hostname] postfix/sendmail[23436]: fatal: open /etc/postfix/main.cf: Permission denied
Jan 26 06:27:48 [hostname] postfix/pipe[23435]: 581341F9AA: to=<report@[example].net>, relay=spamassassin, delay=148788, delays=148788/0.01/0/0.14, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Jan 26 06:38:20 [hostname] postfix/pickup[23498]: 891351FEEF: uid=0 from=<root>
Jan 26 06:38:20 [hostname] postfix/cleanup[23537]: 891351FEEF: message-id=<20230126053820.891351FEEF@[hostname].[example].net>
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 891351FEEF: from=<root@[example].net>, size=150485, nrcpt=1 (queue active)
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Connect from local
Jan 26 06:38:20 [hostname] postfix/lmtp[23544]: 891351FEEF: to=<root@[example].net>, orig_to=<root>, relay=[hostname].[example].net[private/dovecot-lmtp], delay=0.09, delays=0.05/0.01/0.01/0.02, dsn=5.1.1, status=bounced (host [hostname].[example].net[private/dovecot-lmtp] said: 550 5.1.1 <root@[example].net> User doesn't exist: root@[example].net (in reply to RCPT TO command))
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Disconnect from local: Client has quit the connection (state=READY)
Jan 26 06:38:20 [hostname] postfix/cleanup[23537]: 9C4C31FEF2: message-id=<20230126053820.9C4C31FEF2@[hostname].[example].net>
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 9C4C31FEF2: from=<>, size=3330, nrcpt=1 (queue active)
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Connect from local
Jan 26 06:38:20 [hostname] postfix/bounce[23549]: 891351FEEF: sender non-delivery notification: 9C4C31FEF2
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 891351FEEF: removed
Jan 26 06:38:20 [hostname] postfix/lmtp[23544]: 9C4C31FEF2: to=<root@[example].net>, relay=[hostname].[example].net[private/dovecot-lmtp], delay=0.01, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (host [hostname].[example].net[private/dovecot-lmtp] said: 550 5.1.1 <root@[example].net> User doesn't exist: root@[example].net (in reply to RCPT TO command))
Jan 26 06:38:20 [hostname] dovecot: lmtp(23545): Disconnect from local: Client has quit the connection (state=READY)
Jan 26 06:38:20 [hostname] postfix/qmgr[18018]: 9C4C31FEF2: removed

It should be noted that the user that runs sendmail seems to be root. Running ps aux | grep sendmail, as suggested below, returns:

root     24694  0.0  0.0   6044   888 pts/0    S+   10:40   0:00 grep sendmail

Here are some permissions from /var/spool/postfix:

drwx------ 2 postfix  root     4096 Jan 26 09:27 active
drwx------ 2 postfix  root     4096 Jan 26 06:38 bounce
drwx------ 2 postfix  root     4096 Jan 11 13:59 corrupt
drwx------ 7 postfix  root     4096 Jan 24 12:58 defer
drwx------ 7 postfix  root     4096 Jan 24 12:58 deferred
drwxr-xr-x 2 root     root     4096 Jan 16 11:09 dev
drwxr-xr-x 3 root     root     4096 Jan 18 08:37 etc
drwx------ 2 postfix  root     4096 Jan 11 13:59 flush
drwx------ 2 postfix  root     4096 Jan 11 13:59 hold
drwx------ 2 postfix  root     4096 Jan 26 06:38 incoming
drwxr-xr-x 3 root     root     4096 Jan 11 13:59 lib
drwx-wx--T 2 postfix  postdrop 4096 Jan 26 06:38 maildrop
drwxr-xr-x 2 opendkim postfix  4096 Jan 16 11:37 opendkim
drwxr-xr-x 2 root     root     4096 Jan 16 08:57 pid
drwx------ 2 postfix  root     4096 Jan 18 08:37 private
drwx--s--- 2 postfix  postdrop 4096 Jan 18 08:37 public
drwx------ 2 postfix  root     4096 Jan 11 13:59 saved
drwx------ 2 postfix  root     4096 Jan 11 13:59 trace
drwxr-xr-x 3 root     root     4096 Jan 11 13:59 usr

Here's the addendum with the permission information from /etc/postifx:

drwxr-xr-x  23 root  wheel   736B Dec  2 09:43 ./
drwxr-xr-x  80 root  wheel   2.5K Jan 17 13:17 ../
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 LICENSE
-rw-r--r--   1 root  wheel   1.6K Dec  2 09:43 TLS_LICENSE
-rw-r--r--   1 root  wheel    21K Dec  2 09:43 access
-rw-r--r--   1 root  wheel   9.8K Dec  2 09:43 aliases
-rw-r--r--   1 root  wheel   3.5K Dec  2 09:43 bounce.cf.default
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 canonical
-rw-r--r--   1 root  wheel    44B Dec  2 09:43 custom_header_checks
-rw-r--r--   1 root  wheel    10K Dec  2 09:43 generic
-rw-r--r--   1 root  wheel    23K Dec  2 09:43 header_checks
-rw-r--r--   1 root  wheel    27K Dec  2 09:43 main.cf
-rw-r--r--   1 root  wheel    27K Dec  2 09:43 main.cf.default
-rw-r--r--   1 root  wheel    26K Dec  2 09:43 main.cf.proto
-rw-r--r--   1 root  wheel   6.0K Dec  2 09:43 makedefs.out
-rw-r--r--   1 root  wheel   7.3K Dec  2 09:43 master.cf
-rw-r--r--   1 root  wheel   7.3K Dec  2 09:43 master.cf.default
-rw-r--r--   1 root  wheel   6.1K Dec  2 09:43 master.cf.proto
-rw-r--r--   1 root  wheel    20K Dec  2 09:43 postfix-files
drwxr-xr-x   2 root  wheel    64B Dec  2 09:43 postfix-files.d/
-rw-r--r--   1 root  wheel   6.8K Dec  2 09:43 relocated
-rw-r--r--   1 root  wheel    12K Dec  2 09:43 transport
-rw-r--r--   1 root  wheel    13K Dec  2 09:43 virtual

Thanks, how do I give those to sendmail? I don't think it's a user. — St4rb0y, Commented Jan 18, 2023 at 14:40
Please edit the output of namei -l /etc/postfix/main.cf into your question. — Gerald Schneider, Commented Jan 22, 2023 at 18:29
On your first file listing main.cf has around 4kb and is last changed Jan 18th. On the second listing it is suddenly 7k and changed Dec 2nd. That's quite a difference. Are these listings actually from the same server? — Gerald Schneider, Commented Jan 26, 2023 at 17:52
@GeraldSchneider I guess 4kb was the default file and 27kb after I edited it. — St4rb0y, Commented Jan 26, 2023 at 19:07

Raja Gopal · Accepted Answer · 2023-01-25 06:36:10Z

The error message "fatal: open /etc/postfix/main.cf: Permission denied" suggests that the user that the sendmail process is running as does not have sufficient permissions to read the Postfix configuration file.

The permissions on /etc/postfix/main.cf are set to -rwxr-x--- , which means that the owner (root) has read, write and execute permissions, but the group and other users do not have execute permissions.

It's likely that the user that the sendmail process is running as is not in the root group and therefore does not have execute permissions on the configuration file. You can try adding execute permissions to the group or other users by running the following command:

sudo chmod 754 /etc/postfix/main.cf

This will give read, write, and execute permissions to the owner, read and execute permissions to the group, and read permissions to other users.

It's also important to note that the sendmail process is most likely running under a different user than root, so you should also check the permissions on the /var/spool/postfix directory and subdirectories to make sure the sendmail user has permission to write to the queue directory.

If you don't know the user that the sendmail process is running as, you can use the command "ps aux | grep sendmail" to find it.

It's also possible that this issue is related to something else and you may want to check for any other errors in the mail.log that might give you more insight into what's causing the problem.

Why 754? It is not an executable. 644 would be more appropriate. — Esa Jokinen, Commented Jan 25, 2023 at 7:01
@Raja Gopal Thanks for your extensive reply. The user running sendmail seems to be root. I've updated my above question with more data, if you want to take a look. — St4rb0y, Commented Jan 26, 2023 at 9:47
The user is most certainly not root. The remaining problem is most probably the permissions of the /etc/postfix directory. We won't know unless you provide the information about the permissions, which has been requested repeatedly. — Gerald Schneider, Commented Jan 26, 2023 at 13:47
@GeraldSchneider I may have misinterpreted the output of ps aux | grep sendmail. You can inspect that above. I've also added the permission information for the /etc/postfix directory. — St4rb0y, Commented Jan 26, 2023 at 16:38

Gerald Schneider · Accepted Answer · 2023-01-18 14:47:23Z

0

postfix does not run as the root user, yet you have set the permissions of the config file for root only.

chmod o+r /etc/postfix/main.cf

And of course the other postfix config files.

answered Jan 18, 2023 at 14:47

Gerald Schneider

25.3k8 gold badges61 silver badges90 bronze badges

Unfortunately that didn't resolve my issue. I still get a Jan 19 05:47:09 [hostname] postfix/sendmail[25773]: fatal: open /etc/postfix/main.cf: Permission denied error. The file permissions are now reported as: -rwxr-xr-- 1 root root 3968 Jan 18 08:36 /etc/postfix/main.cf
– St4rb0y
Commented Jan 19, 2023 at 6:57
2

What are the permissions for /etc/postifx?
– Ginnungagap
Commented Jan 22, 2023 at 18:26
@Ginnungagap, most files are reported as -rw-r--r-- 1 root root, except main.cf.
– St4rb0y
Commented Jan 23, 2023 at 13:37
Please post the output of ls -alhF /etc/postfix.
– Paul
Commented Jan 26, 2023 at 13:03
@Paul I've appended the requested information to my answer.
– St4rb0y
Commented Jan 26, 2023 at 16:39

Add a comment |

Stack Exchange Network

DMARC rua unable to send reports via sendmail to local e-mail address?

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
email-server
sendmail
dmarc
.

Hot Network Questions

DMARC rua unable to send reports via sendmail to local e-mail address?

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged email-serversendmaildmarc.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
email-server
sendmail
dmarc
.