Trouble With Postfix/Spam Assassin
I created a Linode with Ubuntu 22.04 and followed this guide to set it up as an email server. I followed the guide all the way up until the heading "Managing Spam with SpamAssassin" and it was working well at this point, being able to send and receive emails. /var/log/mail.log shows no errors.
In /etc/postfix/master.cf, I changed:
smtp inet n - n - - smtpd
To: (there are 2 spaces before the -o)
smtp inet n - - - - smtpd
  -o content_filter=spamassassin
At the bottom of that same file, I added: (two spaces before user and /usr)
spamassassin unix - n n - - pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
I also made sure to run:
sudo chmod -R o-rwx /etc/postfix
I then rebooted the Linode. The next time it received an email, I found the following in mail.log:
Jan 31 10:56:21 mail postfix/sendmail[2491]: fatal: open /etc/postfix/main.cf: Permission denied
Please let me know if you need to see anything else.
4 Replies
Who owns /etc/postfix and /etc/postfix/main.cf? Usually postfix runs as the user/group mail/mail or vmail/vmail. If that user can't access /etc/postfix/main.cf, you'll get this error.
sudo chmod -R o-rwx /etc/postfix
This is probably your mistake… You usually always want directories to have permissions 0755 (drwxr-xr-x). This command made EVERY directory and file in /etc/postfix, inclusive, have permissions of d[unknown][unknown]---.
Just for reference:
drwx r-x r-x
 ^^^ ^^^ ^^^
  |   |   |
  |   |   +-- other permissions ("other" = anyone but owner)
  |   +------- group permissions
  +----------- owner permissions
My guess is that either /etc/postfix or /etc/postfix/main.cf is not owned by the postfix user (mail/mail) and the permissions for "other" are 0 (---).
You can fix this with these commands:
sudo find /etc/postfix -type d -exec chmod 0755 {} \; # to fix the directories
sudo find /etc/postfix -type f -exec chmod 0644 {} \; # to fix files
sudo chmod 0755 /etc/postfix
- The \; is necessary in the find commands.
- 0755 -> drwxr-xr-x.
- 0644 -> -rw-r--r--.
-- sw
Thank you for the reply, but it still does not work for me. I ran all commands you listed, as well as:
sudo chown -R vmail:vmail /etc/postfix
I also tried setting it to the 'postfix' user and group, but I found that when changing the users and groups to anything other than root, I get errors like:
Feb 5 17:30:07 mail postfix/postfix-script[4769]: warning: not owned by root: /etc/postfix/./main.cf.orig
Feb 5 17:30:07 mail postfix/postfix-script[4770]: warning: not owned by root: /etc/postfix/./master.cf.proto
Feb 5 17:30:07 mail postfix/postfix-script[4771]: warning: not owned by root: /etc/postfix/./postfix-files
Feb 5 17:30:07 mail postfix/postfix-script[4937]: starting the Postfix mail system
Feb 5 17:30:07 mail postfix/master[4939]: daemon started -- version 3.6.4, configuration /etc/postfix
Feb 5 17:30:07 mail postfix/qmgr[4941]: warning: /etc/postfix/dynamicmaps.cf: file is owned or writable by non-root users -- skipping this file
Feb 5 17:30:07 mail postfix/pickup[4940]: warning: /etc/postfix/dynamicmaps.cf: file is owned or writable by non-root users -- skipping this file
I also found that changing the user/group of /etc/postfix causes me not to be able to send mail as well.
Feb 5 17:30:07 mail postfix/postfix-script[4769]: warning: not owned by root: /etc/postfix/./main.cf.orig
Feb 5 17:30:07 mail postfix/postfix-script[4770]: warning: not owned by root: /etc/postfix/./master.cf.proto
Feb 5 17:30:07 mail postfix/postfix-script[4771]: warning: not owned by root: /etc/postfix/./postfix-files
These are innocuous…you can ignore them…they are basically sample files (master.cf.proto), backup files (main.cf.orig) and a list of installed files (postfix-files…this file is part of the package). If this message bothers you, change their ownership to root/root and their permissions to 0644 (-rw-r--r--).
Feb 5 17:30:07 mail postfix/qmgr[4941]: warning: /etc/postfix/dynamicmaps.cf: file is owned or writable by non-root users -- skipping this file
Feb 5 17:30:07 mail postfix/pickup[4940]: warning: /etc/postfix/dynamicmaps.cf: file is owned or writable by non-root users -- skipping this file
You should make this file owned by root/root & have permissions 0644 (-rw-r--r--).
I also found that changing the user/group of /etc/postfix causes me not to be able to send mail as well.
Patient: Doc, it hurts when I do this…
Doctor: Don't do that.
-- sw
Hilarious.. :D
I'm in the same boat as you, setting up an email service on my existing nextcloud sys. Tired of yahoo and gmail scraping everything and sending me reminders from my emails.
Followed same guide as you and in same boat. It seems the problem lies with the instructions specifying how to configure spamassassin to run. The docs you refer to that I also used specify creating a user spamd to run the spamassassin service. Adding spamassassin to main.cf apparently means spamassassin scans the message or something in the 'pipe' and then tries to send the mail again.
The PROBLEM seems to be, the spamd account, after scanning for spam, is trying to send mail again or pass it back into pipe WITHOUT the rights/permissions needed to do it. The instructions don't seem to add the spamd account to any other groups so it looks like the spamd ONLY has permissions to spamassassin service and NOTHING else.
My original error message in the log stated that it didn't have permissions to main.cf in /etc/postfix.
Feb 10 15:29:22 hostname postfix/pipe[8437]: 26E5520437: to=user@hostname.com, relay=spamassassin, delay=187, delays=186/0.03/0/0.42, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Fixed by adding r to 'other' for main.cf permissions
ls -lad /etc/postfix /etc/postfix/main.cf
drwxr-xr-x 5 root root 4096 Feb 10 06:35 /etc/postfix
-rw-r----- 1 root root 3849 Feb 8 14:34 /etc/postfix/main.cf
sudo chmod 644 /etc/postfix/main.cf
ls -lad /etc/postfix /etc/postfix/main.cf
drwxr-xr-x 5 root root 4096 Feb 10 06:35 /etc/postfix
-rw-r--r-- 1 root root 3849 Feb 8 14:34 /etc/postfix/main.cf
Now have a new error in the mail.log with more permissions..
Feb 10 16:29:22 hostname postfix/sendmail[9200]: fatal: /etc/postfix/dynamicmaps.cf: file open failed: Permission denied
Solving this by modifying file permissions seems to be impractical. May need to figure out a group or something to add the spamd user to. Not sure which group though. May need to open support tix at the very least to update their docs, the one you and I used that linode put up on setting up. If someone in community can help with this, that would be great too.
Docs didn't say where in main.cf to add spamassassin to pipe chain in main.cf. I put my entry as the 1st pipe entry thinking if it was spam, not pass it further in the chain. Maybe adding to end of pipe in main.cf? Anyone try that?
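An added example, not part of any post in this thread: a read-only audit of the config tree for the three conditions behind the log lines quoted above (wrong owner, writable by non-root, unreadable by a non-root user such as spamd). It assumes GNU find as shipped on Ubuntu; the function name audit_postfix_conf and its output labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find (-printf).
# audit_postfix_conf and its output labels are hypothetical names.
audit_postfix_conf() {
    dir=${1:-/etc/postfix}
    want_owner=${2:-root}   # Postfix expects root; overridable for testing
    find "$dir" \( -type d -o -type f \) -printf '%m %u %y %p\n' |
    while read -r mode owner type path; do
        m=$((0$mode))       # %m prints octal digits without a leading 0

        # "warning: not owned by root" (postfix-script lines in the thread)
        [ "$owner" = "$want_owner" ] ||
            echo "WRONG_OWNER $path (owner: $owner)"

        # "file is owned or writable by non-root users" (qmgr/pickup lines)
        [ $((m & 022)) -eq 0 ] ||
            echo "NONROOT_WRITABLE $path"

        # "Permission denied" when sendmail runs as spamd: that user must be
        # able to enter the directories and read the two files in the logs.
        case $type:${path##*/} in
            d:*)
                [ $((m & 005)) -eq 5 ] || echo "UNREADABLE_BY_OTHER $path" ;;
            f:main.cf|f:dynamicmaps.cf)
                [ $((m & 004)) -ne 0 ] || echo "UNREADABLE_BY_OTHER $path" ;;
        esac
    done
}

# Usage: audit_postfix_conf /etc/postfix
```

The function only reports and changes nothing; no output means none of the three conditions was found.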