✓ Solved

DMARC rua unable to send reports via sendmail to local e-mail address?

I've set up a small mail server with Postfix, Dovecot, and MySQL (MariaDB) on Debian. I've also configured TLS with Let's Encrypt. rDNS, DMARC, DKIM, SPF and Fail2Ban are also set up and confirmed to work.

My DMARC record looks like this:

v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;rua=mailto:report@[example].com;fo=1

The issue is that the rua=mailto:report@example.com, which should sporadically send reports to an e-mail address on the same mail server, does not work.

/var/log/mail.log reports:

Feb 1 06:17:48 [hostname] postfix/qmgr[18018]: BBF611E00B: from=noreply-dmarc-support@google.com, size=3516, nrcpt=1 (queue active)
Feb 1 06:17:48 [hostname] postfix/sendmail[23302]: fatal: open /etc/postfix/main.cf: Permission denied
Feb 1 06:17:48 [hostname] postfix/pipe[23301]: BBF611E00B: to=<report@[example].net>, relay=spamassassin, delay=148779, delays=148779/0.01/0/0.33, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Feb 1 06:27:48 [hostname] postfix/qmgr[18018]: 581341F9AA: from=noreply-dmarc-support@google.com, size=3516, nrcpt=1 (queue active)
Feb 1 06:27:48 [hostname] postfix/sendmail[23436]: fatal: open /etc/postfix/main.cf: Permission denied
Feb 1 06:27:48 [hostname] postfix/pipe[23435]: 581341F9AA: to=<report@[example].net>, relay=spamassassin, delay=148788, delays=148788/0.01/0/0.14, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Feb 1 06:38:20 [hostname] postfix/pickup[23498]: 891351FEEF: uid=0 from=<root>
Feb 1 06:38:20 [hostname] postfix/cleanup[23537]: 891351FEEF: message-id=<20230126053820.891351FEEF@[hostname].[example].net>
Feb 1 06:38:20 [hostname] postfix/qmgr[18018]: 891351FEEF: from=<root@[example].net>, size=150485, nrcpt=1 (queue active)
Feb 1 06:38:20 [hostname] dovecot: lmtp(23545): Connect from local
Feb 1 06:38:20 [hostname] postfix/lmtp[23544]: 891351FEEF: to=<root@[example].net>, orig_to=<root>, relay=[hostname].[example].net[private/dovecot-lmtp], delay=0.09, delays=0.05/0.01/0.01/0.02, dsn=5.1.1, status=bounced (host [hostname].[example].net[private/dovecot-lmtp] said: 550 5.1.1 <root@[example].net> User doesn't exist: root@[example].net (in reply to RCPT TO command))
Feb 1 06:38:20 [hostname] dovecot: lmtp(23545): Disconnect from local: Client has quit the connection (state=READY)
Feb 1 06:38:20 [hostname] postfix/cleanup[23537]: 9C4C31FEF2: message-id=<20230126053820.9C4C31FEF2@[hostname].[example].net>
Feb 1 06:38:20 [hostname] postfix/qmgr[18018]: 9C4C31FEF2: from=<>, size=3330, nrcpt=1 (queue active)
Feb 1 06:38:20 [hostname] dovecot: lmtp(23545): Connect from local
Feb 1 06:38:20 [hostname] postfix/bounce[23549]: 891351FEEF: sender non-delivery notification: 9C4C31FEF2
Feb 1 06:38:20 [hostname] postfix/qmgr[18018]: 891351FEEF: removed
Feb 1 06:38:20 [hostname] postfix/lmtp[23544]: 9C4C31FEF2: to=<root@[example].net>, relay=[hostname].[example].net[private/dovecot-lmtp], delay=0.01, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (host [hostname].[example].net[private/dovecot-lmtp] said: 550 5.1.1 <root@[example].net> User doesn't exist: root@[example].net (in reply to RCPT TO command))
Feb 1 06:38:20 [hostname] dovecot: lmtp(23545): Disconnect from local: Client has quit the connection (state=READY)
Feb 1 06:38:20 [hostname] postfix/qmgr[18018]: 9C4C31FEF2: removed

The permissions in /etc/postfix/ are:

drwxr-xr-x 23 root wheel 736B Dec 2 09:43 ./
drwxr-xr-x 80 root wheel 2.5K Jan 17 13:17 ../
-rw-r--r-- 1 root wheel 12K Dec 2 09:43 LICENSE
-rw-r--r-- 1 root wheel 1.6K Dec 2 09:43 TLS_LICENSE
-rw-r--r-- 1 root wheel 21K Dec 2 09:43 access
-rw-r--r-- 1 root wheel 9.8K Dec 2 09:43 aliases
-rw-r--r-- 1 root wheel 3.5K Dec 2 09:43 bounce.cf.default
-rw-r--r-- 1 root wheel 12K Dec 2 09:43 canonical
-rw-r--r-- 1 root wheel 44B Dec 2 09:43 custom_header_checks
-rw-r--r-- 1 root wheel 10K Dec 2 09:43 generic
-rw-r--r-- 1 root wheel 23K Dec 2 09:43 header_checks
-rw-r--r-- 1 root wheel 27K Dec 2 09:43 main.cf
-rw-r--r-- 1 root wheel 27K Dec 2 09:43 main.cf.default
-rw-r--r-- 1 root wheel 26K Dec 2 09:43 main.cf.proto
-rw-r--r-- 1 root wheel 6.0K Dec 2 09:43 makedefs.out
-rw-r--r-- 1 root wheel 7.3K Dec 2 09:43 master.cf
-rw-r--r-- 1 root wheel 7.3K Dec 2 09:43 master.cf.default
-rw-r--r-- 1 root wheel 6.1K Dec 2 09:43 master.cf.proto
-rw-r--r-- 1 root wheel 20K Dec 2 09:43 postfix-files
drwxr-xr-x 2 root wheel 64B Dec 2 09:43 postfix-files.d/
-rw-r--r-- 1 root wheel 6.8K Dec 2 09:43 relocated
-rw-r--r-- 1 root wheel 12K Dec 2 09:43 transport
-rw-r--r-- 1 root wheel 13K Dec 2 09:43 virtual

Does anybody know what the issue is here?

Thanks.
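Added example, not part of the original question or replies: a small triage script that reads Postfix delivery lines like the ones quoted above, joins each failed attempt to its envelope sender by queue ID, and groups the failures by relay and reason so that mail stuck at a content-filter transport stands out. The sample log is constructed from the thread's excerpts; the host name `mx`, the addresses and the final `status=sent` line are placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log excerpts in this thread; host "mx",
# the addresses and the final status=sent line are placeholders.
SAMPLE_LOG = """\
Feb 1 06:17:48 mx postfix/qmgr[18018]: BBF611E00B: from=<noreply-dmarc-support@google.com>, size=3516, nrcpt=1 (queue active)
Feb 1 06:17:48 mx postfix/sendmail[23302]: fatal: open /etc/postfix/main.cf: Permission denied
Feb 1 06:17:48 mx postfix/pipe[23301]: BBF611E00B: to=<report@example.net>, relay=spamassassin, delay=148779, delays=148779/0.01/0/0.33, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Feb 1 06:27:48 mx postfix/pipe[23435]: 581341F9AA: to=<report@example.net>, relay=spamassassin, delay=148788, delays=148788/0.01/0/0.14, dsn=4.3.0, status=deferred (temporary failure. Command output: sendmail: fatal: open /etc/postfix/main.cf: Permission denied )
Feb 3 15:02:41 mx postfix/qmgr[850]: warning: connect to transport private/spamassassin: Connection refused
Feb 3 15:02:41 mx postfix/error[1944]: 0C8711E038: to=<report@example.net>, relay=none, delay=354048, delays=354048/0.02/0/0.02, dsn=4.3.0, status=deferred (mail transport unavailable)
Feb 3 15:05:10 mx postfix/lmtp[2001]: 7D2E41F0AB: to=<user@example.net>, relay=mx.example.net[private/dovecot-lmtp], delay=0.09, delays=0.05/0.01/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 <user@example.net> Saved)
"""

SENDER_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<?([^>,]*)>?,")
DELIVERY_RE = re.compile(
    r"postfix/(\w+)\[\d+\]: (\w+): to=<?([^>,]*)>?,.*?relay=([^,]+), delay=([\d.]+),"
    r".*?dsn=([\d.]+), status=(\w+) \((.*)\)\s*$")

def failed_deliveries(log_text):
    """Return each delivery attempt that did not end in status=sent."""
    senders, failures = {}, []
    for line in log_text.splitlines():
        if m := SENDER_RE.search(line):
            senders[m.group(1)] = m.group(2)   # queue ID -> envelope sender
        elif (m := DELIVERY_RE.search(line)) and m.group(7) != "sent":
            agent, qid, rcpt, relay, delay, dsn, status, reason = m.groups()
            failures.append({
                "queue_id": qid, "sender": senders.get(qid, "unknown"),
                "rcpt": rcpt, "agent": agent, "relay": relay, "dsn": dsn,
                "delay_s": float(delay), "status": status,
                "reason": reason.strip()})
    return failures

def summarize(failures):
    """Group failures by (relay, reason): affected queue IDs and worst delay."""
    groups = defaultdict(lambda: {"queue_ids": [], "max_delay_s": 0.0})
    for f in failures:
        g = groups[(f["relay"], f["reason"])]
        g["queue_ids"] = sorted(set(g["queue_ids"]) | {f["queue_id"]})
        g["max_delay_s"] = max(g["max_delay_s"], f["delay_s"])
    return dict(groups)

if __name__ == "__main__":
    for (relay, reason), g in summarize(failed_deliveries(SAMPLE_LOG)).items():
        print(f"relay={relay} ids={g['queue_ids']} "
              f"max_delay={g['max_delay_s'] / 3600:.1f}h: {reason}")
```

On a live server the same functions can be fed the contents of /var/log/mail.log instead of the sample string.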

10 Replies

✓ Best Answer

This I have on top of the file:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin

smtps     inet  n       -       -       -       -       smtpd
  ...
  -o content_filter=spamassassin
  ...

Towards the bottom, there's this:

spamassassin  unix  -       n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

I think this is your problem. According to this:

https://manpages.org/spamc

there is no -f option for spamc

Frankly, I would take this stuff out and let postfix just send the message to dovecot using LMTP. When the message is handed to dovecot, you can use a pigeonhole sieve script to do spam filtering as part of the delivery pipeline.

sieve is an internet-standard language for programming the delivery of mail. It's quite powerful…although it lacks some of the features you're used to in a "regular" programming language. pigeonhole is the name of the dovecot implementation of sieve.

The definitive documentation on sieve language features are the RFCs that define those features. None of them are terribly illustrative but, fortunately, sieve is a fairly straightforward language that is designed to be simple. Here's some learn-by-example info on the "flavor" of sieve programs:

https://support.tigertech.net/sieve

As you can see, you can get pretty creative on how you tell dovecot to deliver ham/spam.

I've been using sieve in limited ways to do simple stuff like this for a number of years.

Here's some info on how to set up pigeonhole sieve:

https://doc.dovecot.org/configuration_manual/sieve/configuration/

You'll need to install the dovecot-pigeonhole package (I think that's what it's called). Once installed, you'll need to configure the pigeonhole extension called vnd.dovecot.filter.

If you don't want to do this, use the spamassassin milter:

https://serverfault.com/questions/783401/how-to-get-spamassassin-working-with-postfix-as-a-milter

IMHO, either of these would be a much cleaner implementation than what you're trying to do here.

Hint: The milter will be less work to set up initially. The sieve approach will probably be (a lot!) more flexible in the long run. Perhaps you could do the milter initially while the sieve approach is in development…

-- sw

P.S. Once postfix hands the message off to dovecot, it's free to receive another message. Involving spamassassin in the process of receiving messages can introduce a bottleneck into that process. As you probably are well-aware, spamassassin is written in perl and can't run as fast as postfix can potentially feed it. Although spamc/spamd speeds that process up a lot, spamassassin is going to be a lot slower (and resource intensive) than postfix. It's just the nature of the beast…

The permissions in /etc/postfix/main.cf are:

Emphasis is mine.

Is this a directory? Your description is unclear… If it is, you need to move all these files up one level to /etc/postfix.

-- sw

Is this a directory?

Oh, sorry no. main.cf is the file that is reported to be not openable in /var/log/mail.log.

/etc/postfix is where the files are located.

Can you post the part of /etc/postfix/master.cf where you pipe incoming mail to spamassassin?

I think that may be misconfigured.

-- sw

Sure.

This I have on top of the file:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin

smtps     inet  n       -       -       -       -       smtpd
  ...
  -o content_filter=spamassassin
  ...

Towards the bottom, there's this:

spamassassin  unix  -       n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Thanks for helping me again, @stevewi.

Hi @stevewi,

there is no -f option for spamc…

Ah, you're absolutely right. I configured SpamAssassin using instructions from this Linode Guide (cf. "Managing Spam With SpamAssassin") that should be wrong then.

Frankly, I would take this stuff out and let postfix just send the message to dovecot using LMTP. When the message is handed to dovecot, you can use a pigeonhole sieve script to do spam filtering as part of the delivery pipeline.

For now I've disabled SpamAssassin and spamc. I'm going to monitor for a day, whether that solves my issue with sendmail or not.

IMHO, either of these would be a much cleaner implementation than what you're trying to do here.

On the weekend, I'll have some free time to investigate both alternatives.

Thank you very much for your long and detailed reply. It's very much appreciated!

-- Marc

Hi again @stevewi,

I've just taken a look at /var/log/mail.cf, after disabling SpamAssassin and spamc earlier today.
The old error involving sendmail is gone, but I've noticed a new one:

Feb 3 15:02:41 [hostname] postfix/qmgr[850]: 0C8711E038: from=noreply-dmarc-support@google.com, size=3558, nrcpt=1 (queue active)
Feb 3 15:02:41 [hostname] postfix/qmgr[850]: warning: connect to transport private/spamassassin: Connection refused
Feb 3 15:02:41 [hostname] postfix/error[1944]: 0C8711E038: to=<report@[domain].net>, relay=none, delay=354048, delays=354048/0.02/0/0.02, dsn=4.3.0, status=deferred (mail transport unavailable)

Do you maybe know what the error here could be related to?

This might help you out:

https://stackoverflow.com/questions/26960730/postfix-mail-transport-unavailable-only-in-queue

My guess is that 0C8711E038 was queued before you disabled spamassassin.

-- sw

It worked! All your great suggestions solved my problems. Thank you very much, @stevewi. You're the best!!

You're welcome…

Just to follow up on your Connection refused error… Another possibility is that spamd's socket was not located in /var/spool/postfix/private. postfix daemons can run chrooted. To achieve that, they expect everything they need to be in /var/spool/postfix. private is a subdirectory of that.

I really hope you try out sieve…I don't think you'll be disappointed.

-- sw
