On 11.10.18 14:02, Laura Smith wrote:
> To me, it seems dovecot is not behaving correctly, because if it is
> not using root to access the directory then it is not going to be able
> to chmod the socket later is it ?

I use the following on several Dovecot-plus-Postfix servers, and they all work fine:

    # /etc/dovecot/conf.d/10-master.conf
    unix_listener /var/spool/postfix/private/dovecot-auth {
      user = postfix
      group = postfix
      mode = 0660
    }

    # /etc/postfix/master.cf
    # Remove line breaks on the value-side, I only added them for readability!
    submission inet n - n - - smtpd
      -o relay_clientcerts=${indexed}relay_clientcerts
      -o smtpd_sender_login_maps=${indexed}submission_login_maps
      -o smtpd_client_restrictions=permit_mynetworks,permit_tls_clientcerts,
           permit_sasl_authenticated,reject
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_relay_restrictions=permit_mynetworks,permit_tls_clientcerts,
           permit_sasl_authenticated,reject
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_tls_clientcerts,
           reject_sender_login_mismatch,
           permit_sasl_authenticated,reject
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_path=private/dovecot-auth
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_tls_security_level=may
      -o syslog_name=postfix/submission
    [...]

Note that this configuration only allows authentication via port 587 (submission), not port 25 (smtp). By convention, that's how it should be. Also, I allow authentication using either SASL or client-side SSL certificates, so you could remove all *cert* settings. If you don't use sender login maps, remove those settings as well.

-Ralph
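
Added example, not part of the message above and not code from Dovecot or Postfix: a check that the auth socket on disk actually has the owner, group and mode set in the unix_listener block. The function name audit_auth_socket is hypothetical; the path and the postfix user and group are taken from the configuration quoted above.

```python
import os
import stat


def audit_auth_socket(path, want_uid, want_gid, want_mode=0o660):
    """Return a list of findings for the auth socket; an empty list means OK."""
    try:
        # lstat, so a symlink planted at the path is not silently followed
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a UNIX socket"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        # any 'other' permission bit widens who may reach the auth service
        findings.append(f"mode {mode:04o}: accessible to 'other' users")
    if mode != want_mode:
        findings.append(f"mode {mode:04o}, expected {want_mode:04o}")
    if st.st_uid != want_uid:
        findings.append(f"owner uid {st.st_uid}, expected {want_uid}")
    if st.st_gid != want_gid:
        findings.append(f"group gid {st.st_gid}, expected {want_gid}")
    return findings


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    # Values from the unix_listener block in the message above
    sock = "/var/spool/postfix/private/dovecot-auth"
    uid = pwd.getpwnam("postfix").pw_uid
    gid = grp.getgrnam("postfix").gr_gid

    problems = audit_auth_socket(sock, uid, gid)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it as root (or as postfix) on the mail server, since the private/ directory is normally not readable by other users.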