Discussion:
[Dovecot] LMTP error
IT geek 31
2014-05-01 16:35:10 UTC
Hi,

I've recently switched to LMTP as I'm now using mdbox. However since
switching, mails sent to the root account do not get delivered due to the
following error:

May 1 18:20:17 Server1 postfix/lmtp[13019]: CAEE91F851: to=<root at test.com>,
relay=mail.test.com[private/dovecot-lmtp], delay=1097,
delays=1096/0.45/0.43/0.46, dsn=4.3.0, status=deferred (host
mail.test.com[private/dovecot-lmtp]
said: 451 4.3.0 <root at test.com> Invalid user settings. Refer to server log
for more information. (in reply to RCPT TO command))

This obviously fills up my mail queue.

All other mails to all other mailboxes deliver fine.

I'm obviously missing something in my config... any ideas?

I'm using Dovecot 2.2.12 on NetBSD 5.2.2.

Many thanks,


-Mark

dovecot -n

# 2.2.12: /usr/pkg/etc/dovecot/dovecot.conf
# OS: NetBSD 5.2.2 cobalt
auth_username_format = %Ln
doveadm_password = secret
doveadm_port = 12345
first_valid_uid = 1010
last_valid_uid = 1020
listen = 192.168.1.1
login_greeting = test.com
mail_location = mdbox:~/mdbox
mail_plugins = " notify replication"
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = passwd
}
passdb {
  driver = passwd
}
plugin {
  mail_replica = tcp:Server2.test.com
}
protocols = imap lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
  }
  unix_listener replication-notify {
    mode = 0600
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0777
  }
}
ssl_cert = </etc/openssl/certs/mail.test.com.crt
ssl_key = </etc/openssl/private/mail.test.com.key
userdb {
  driver = passwd
}
userdb {
  driver = passwd
}
protocol lda {
  postmaster_address = postmaster at test.com
}
Thomas Leuxner
2014-05-01 16:56:20 UTC
Post by IT geek 31
May 1 18:20:17 Server1 postfix/lmtp[13019]: CAEE91F851: to=<root at test.com>,
relay=mail.test.com[private/dovecot-lmtp], delay=1097,
delays=1096/0.45/0.43/0.46, dsn=4.3.0, status=deferred (host
mail.test.com[private/dovecot-lmtp]
said: 451 4.3.0 <root at test.com> Invalid user settings. Refer to server log
for more information. (in reply to RCPT TO command))
What about the Dovecot log? The error in the _Postfix_ log is pretty self-explanatory, have a look what Dovecot says.
Post by IT geek 31
userdb {
driver = passwd
}
userdb {
driver = passwd
IT geek 31
2014-05-01 17:21:12 UTC
Post by Thomas Leuxner
What about the Dovecot log? The error in the _Postfix_ log is pretty
self-explanatory, have a look what Dovecot says.
Um, I was under the impression Dovecot logged to /var/log/maillog like
Postfix. I'm not aware of any other log for Dovecot?

I also forgot to add the relevant command in my Postfix main.cf:

mailbox_transport = lmtp:unix:private/dovecot-lmtp


-Mark
Thomas Leuxner
2014-05-01 17:27:01 UTC
Post by IT geek 31
Um, I was under the impression Dovecot logged to /var/log/maillog like
Postfix. I'm not aware of any other log for Dovecot?
Obviously not, or you missed the detail in maillog. When the syslog line starts with _postfix_ it's postfix.

$ doveadm log find
IT geek 31
2014-05-01 17:36:12 UTC
Post by Thomas Leuxner
Obviously not, or you missed the detail in maillog. When the syslog line
starts with _postfix_ it's postfix.
$ doveadm log find
Everything logs to /var/log/maillog.

The line I think I missed was:

May 1 19:31:50 Server1 dovecot: lmtp(13770): Error: user root: Invalid
settings in userdb: userdb returned 0 as uid

Any idea what this means?


-Mark
Reindl Harald
2014-05-01 17:41:24 UTC
Post by IT geek 31
Post by Thomas Leuxner
Obviously not, or you missed the detail in maillog. When the syslog line
starts with _postfix_ it's postfix.
$ doveadm log find
Everything logs to /var/log/maillog.
May 1 19:31:50 Server1 dovecot: lmtp(13770): Error: user root: Invalid
settings in userdb: userdb returned 0 as uid
Any idea what this means?
that you are working with unix-accounts and the root uid 0
is prohibited for (good) safety reasons

Thomas Leuxner
2014-05-01 17:47:41 UTC
Post by Reindl Harald
Post by IT geek 31
May 1 19:31:50 Server1 dovecot: lmtp(13770): Error: user root: Invalid
settings in userdb: userdb returned 0 as uid
Any idea what this means?
that you are working with unix-accounts and the root uid 0
is prohibited for (good) safety reasons
If that has worked before then now is a good time to rewrite it to one of your IMAP users (best done on the Postfix end).
Reindl Harald
2014-05-01 17:48:22 UTC
Post by Reindl Harald
that you are working with unix-accounts and the root uid 0
is prohibited for (good) safety reasons
Okay, that sounds good. How do I deliver mail to the root account then, and stop this error/warning/message? As
mails are now backing up in the queue and cannot be delivered...
keep your responses on the list!

* set an alias on the postfix side to another mail-address
* that way dovecot never sees the root-address as destination
* use "postsuper -d queue_id" to kill the messages from the queue
______________________________

cat /etc/aliases | grep root
# Person who should get root's mail
root: h.reindl at thelounge.net
______________________________

don't forget calling "newaliases" after changes in that file
if you have implemented aliases on postfix in a different way
follow the documentation

IT geek 31
2014-05-01 17:52:52 UTC
Post by Reindl Harald
* set an alias on the postfix side to another mail-address
* that way dovecot never sees the root-address as destination
* use "postsuper -d queue_id" to kill the messages from the queue
______________________________
cat /etc/aliases | grep root
# Person who should get root's mail
root: h.reindl at thelounge.net
______________________________
don't forget calling "newaliases" after changes in that file
if you have implemented aliases on postfix in a different way
follow the documentation
Okay, so that's two people who have recommended the same solution. That's
good enough for me. I shall go and implement that now.

Many thanks for all your help guys!


-Mark
Reindl Harald
2014-05-01 17:28:09 UTC
Post by IT geek 31
Post by Thomas Leuxner
What about the Dovecot log? The error in the _Postfix_ log is pretty
self-explanatory, have a look what Dovecot says.
Um, I was under the impression Dovecot logged to /var/log/maillog like
Postfix. I'm not aware of any other log for Dovecot?
depends on your configuration

but even if - you need to read that since you only provided
the postfix line which refers clearly to the dovecot log
because postfix can't know anything more than the response
of the destination which tells you where to look

Joseph Tam
2014-05-01 23:17:28 UTC
Post by IT geek 31
I've recently switched to LMTP as I'm now using mdbox. However since
switching, mails sent to the root account do not get delivered due to the
May 1 18:20:17 Server1 postfix/lmtp[13019]: CAEE91F851: to=<root at test.com>,
relay=mail.test.com[private/dovecot-lmtp], delay=1097,
delays=1096/0.45/0.43/0.46, dsn=4.3.0, status=deferred (host
mail.test.com[private/dovecot-lmtp]
said: 451 4.3.0 <root at test.com> Invalid user settings. Refer to server log
for more information. (in reply to RCPT TO command))
first_valid_uid = 1010
will need to be changed to "0", or better yet, as others have suggested,
alias root to some user with UID within 1010..1020.

The dovecot logs that you ought to see will be something like

May 1 16:12:11 viol dovecot: lda: Error: user root: Mail access
for users with UID 0 not permitted (see first_valid_uid
in config file, uid from userdb lookup).

Joseph Tam <jtam.home at gmail.com>
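An added example, not part of any post in this thread: a small audit that follows each alias chain and reports every local recipient whose mail would end at a passwd account outside the first_valid_uid..last_valid_uid range, which is the condition behind the "userdb returned 0 as uid" error above. The passwd and aliases text is constructed sample data, the function names are hypothetical, and it assumes one alias per line with no continuation lines; 1010 and 1020 are the limits from the posted config.

```python
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/sh
postfix:*:12:12:Postfix:/var/spool/postfix:/sbin/nologin
mark:*:1010:100:Mark:/home/mark:/bin/sh
"""  # constructed sample, not taken from the thread's server
SAMPLE_ALIASES = """\
# Person who should get root's mail
root: mark
postmaster: root
daemon: postfix
"""

def parse_passwd(text):
    """Map login name -> uid from passwd(5)-style lines."""
    fields = (line.split(":") for line in text.splitlines())
    return {f[0]: int(f[2]) for f in fields if len(f) >= 3 and f[2].isdigit()}

def parse_aliases(text):
    """Map alias -> targets from aliases(5)-style lines (no continuation lines)."""
    aliases = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            name, targets = line.split(":", 1)
            aliases[name.strip()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases

def final_recipients(name, aliases, seen=None):
    """Follow alias chains to their end points; an alias loop yields nothing."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    if name not in aliases:
        return {name}
    return set().union(*(final_recipients(t, aliases, seen) for t in aliases[name]))

def rejected_by_uid(passwd_text, aliases_text, first_uid, last_uid):
    """Recipients whose mail ends at a passwd user outside first..last valid uid."""
    users, aliases = parse_passwd(passwd_text), parse_aliases(aliases_text)
    bad = {}
    for rcpt in sorted(set(users) | set(aliases)):
        for final in sorted(final_recipients(rcpt, aliases)):
            uid = users.get(final)  # None: remote address, pipe or unknown user
            if uid is not None and not first_uid <= uid <= last_uid:
                bad.setdefault(rcpt, []).append((final, uid))
    return bad

if __name__ == "__main__":
    print(rejected_by_uid(SAMPLE_PASSWD, SAMPLE_ALIASES, 1010, 1020))  # posted uid range
```

With the sample data, root and postmaster pass because they resolve to mark (uid 1010), while daemon and postfix are reported because they end at uid 12.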
IT geek 31
2014-05-01 23:32:59 UTC
Post by IT geek 31
first_valid_uid = 1010
will need to be changed to "0", or better yet, as others have suggested,
alias root to some user with UID within 1010..1020.
Ah-ha! That's what caused it. I wouldn't have seen that error before
changing to LMTP, as using mbox Postfix would have just delivered it
without issue.

Unfortunately I need the first and last valid UID as this is how I control
which accounts are replicated.

I've set up an alias for root now that uses an account in the 1010-1020
range and I'm all happy :-)


-Mark
Charles Marcus
2014-05-02 10:02:15 UTC
Post by Joseph Tam
Post by IT geek 31
first_valid_uid = 1010
will need to be changed to "0",
Worst ... advice ... ever.

Please do NOT EVER suggest to anyone else to EVER do that.
Post by Joseph Tam
or better yet, as others have suggested,
alias root to some user with UID within 1010..1020.
This is one of the very *first* things that you should do on pretty much
*any* new server setup.

I guess maybe there are one or more valid corner cases where you
wouldn't want to do this, but I can't think of any (good) ones...

Charles
