postfix permission denied

[r4yfx]

Expected behavior:

• Plugin: inputs.postfix, Collection 1

postfix_queue,queue=active,host=mailrelay length=0i,size=0i,age=0i 1517831282000000000
postfix_queue,queue=hold,host=mailrelay length=0i,size=0i,age=0i 1517831282000000000
postfix_queue,queue=incoming,host=mailrelay size=0i,age=0i,length=0i 1517831282000000000
postfix_queue,queue=maildrop,host=mailrelay length=0i,size=0i,age=0i 1517831282000000000
postfix_queue,queue=deferred,host=mailrelay length=7i,size=629232i,age=479i 1517831282000000000

Actual behavior:

Feb 5 11:47:30 mailrelay01 telegraf: 2018-02-05T11:47:30Z E! Error in plugin [inputs.postfix]: error scanning queue active: open /var/spool/postfix/active: permission denied
Feb 5 11:47:30 mailrelay01 telegraf: 2018-02-05T11:47:30Z E! Error in plugin [inputs.postfix]: error scanning queue hold: open /var/spool/postfix/hold: permission denied
Feb 5 11:47:30 mailrelay01 telegraf: 2018-02-05T11:47:30Z E! Error in plugin [inputs.postfix]: error scanning queue incoming: open /var/spool/postfix/incoming: permission denied
Feb 5 11:47:30 mailrelay01 telegraf: 2018-02-05T11:47:30Z E! Error in plugin [inputs.postfix]: error scanning queue maildrop: open /var/spool/postfix/maildrop: permission denied
Feb 5 11:47:30 mailrelay01 telegraf: 2018-02-05T11:47:30Z E! Error in plugin [inputs.postfix]: error scanning queue deferred/0: open /var/spool/postfix/deferred/0: permission denied

Additional info:

When I run the test config I receive the data in which I am expecting (root user) restart the daemon and it wont come up suggesting that there is a permission issue. I have added the user to the postfix group and still receive the same error. Any suggestion to resolve the permission issue?

[bdronneau]

Hello,

How do you handle this error ? Because I've the same behavior, when I've a deferred, a directory is created with restricted right.

[r4yfx]

Hopefully this would help, although my permissions looked correct, and running the test via root worked perfectly. These didn't take effect properly.

sudo chgrp -R telegraf /var/spool/postfix/{active,hold,incoming,deferred}
sudo chmod -R g+rXs /var/spool/postfix/{active,hold,incoming,deferred}
sudo usermod -a -G postdrop telegraf
sudo chmod g+r /var/spool/postfix/maildrop

[bdronneau]

Yes this command help at time t but if a new folder is create in deferred, it's not taking telegraf groups.
Thanks anyway.

[danielnelson]

I believe the posix ACL method will handle newly created directories:

sudo setfacl -Rdm u:telegraf:rX /var/spool/postfix/{active,hold,incoming,deferred,maildrop}

https://github.com/influxdata/telegraf/tree/master/plugins/inputs/postfix#permissions

[bdronneau]

I was hoping posix will save my day but not (maybe i miss understood something)

drwxr-s---+ 3 postfix telegraf 4096 Feb 23 14:35 deferred

$ ls -l /var/spool/postfix/deferred/
drwx------+ 2 postfix postfix 4096 Feb 23 14:44 5

$ getfacl /var/spool/postfix/deferred/5
getfacl: Removing leading '/' from absolute path names
# file: var/spool/postfix/deferred/5
# owner: postfix
# group: postfix
user::rwx
group::---
other::---
default:user::rwx
default:user:telegraf:r-x
default:group::---
default:mask::r-x
default:other::---

and from Syslog
Mar 26 15:16:30 myhost telegraf[24012]: 2018-03-26T15:16:30Z E! Error in plugin [inputs.postfix]: error scanning queue deferred/5: open /var/spool/postfix/deferred/5: permission denied

[bdronneau]

Okay, for some reason my user in acl is not put on creation, I'll do some other tests (include restart postfix in order to take care new permissions). Thank for the help.

[nomad-007]

sudo setfacl -Rdm u:telegraf:rx /var/spool/postfix/{active,hold,incoming,deferred,maildrop}
sudo -u telegraf stat /var/spool/postfix/active/
stat: cannot stat '/var/spool/postfix/active/': Permission denied

not enough permissions on directories above

sudo setfacl -m u:telegraf:rx /var/spool/postfix
sudo setfacl -m u:telegraf:rx /var/spool
sudo -u telegraf stat /var/spool/postfix/active
File: /var/spool/postfix/active
Size: 36864 Blocks: 88 IO Block: 4096 directory
Device: 801h/2049d Inode: 527294 Links: 2
Access: (0750/drwxr-x---) Uid: ( 114/ postfix) Gid: ( 0/ root)
Access: 2020-03-13 09:20:39.007150389 +0000
Modify: 2020-03-13 09:20:36.091111251 +0000
Change: 2020-03-13 09:20:36.091111251 +0000
Birth: -

[danielnelson]

Try running both of these setfacl calls from the plugin README:

$ sudo setfacl -m g:telegraf:rX /var/spool/postfix/{,active,hold,incoming,deferred,maildrop}
$ sudo setfacl -Rdm g:telegraf:rX /var/spool/postfix/{,active,hold,incoming,deferred,maildrop}

[SupRavII]

@danielnelson correct lines is:
$ sudo setfacl -m g:telegraf:rX /var/spool/postfix/{active,hold,incoming,deferred,maildrop}
$ sudo setfacl -Rdm g:telegraf:rX /var/spool/postfix/{active,hold,incoming,deferred,maildrop}

[danielnelson]

If you have the leading , it should automatically give permissions for any newly created spool directories, otherwise I imagine they should both work.

[SupRavII]

@danielnelson Yes correct, with leading , telegraf stop complain abut new mails in deffered ou other

Good lines tested - OK:

sudo setfacl -m g:telegraf:rX /var/spool/postfix/{,active,hold,incoming,deferred,maildrop}
sudo setfacl -Rdm g:telegraf:rX /var/spool/postfix/{,active,hold,incoming,deferred,maildrop}

Thank's @danielnelson

[dynek]

If you have the leading , it should automatically give permissions for any newly created spool directories, otherwise I imagine they should both work.

Why not simply /var/spool/postfix then (for the second setfacl) as it's recursive.

[danielnelson]

I think it is related to #3594 (comment)

[dynek]

What I mean is that:
sudo setfacl -Rdm g:telegraf:rX /var/spool/postfix/{,active,hold,incoming,deferred,maildrop}

equals:
sudo setfacl -Rdm g:telegraf:rX /var/spool/postfix/

As we are passing the recursive flag on /var/spool/postfix/{,} - or am I missing something ?

[danielnelson]

It seems like the commands we are recommending are based on our method using unix permissions where we didn't want to change the permissions of the maildrop directory. When doing this with Posix ACLs it seems like we could just set both of the ACLs only on /var/spool/postfix/, since setting them will leave the unix permissions in place.

Maybe we want:

sudo setfacl -Rm g:telegraf:rX /var/spool/postfix/
sudo setfacl -dm g:telegraf:rX /var/spool/postfix/

[SupRavII]

@danielnelson confirmed !

Before:

2020-03-30T19:07:30Z E! [inputs.postfix] Error in plugin: error scanning /var/spool/postfix/maildrop: open /var/spool/postfix/maildrop: permission denied
2020-03-30T19:07:30Z E! [inputs.postfix] Error in plugin: error scanning /var/spool/postfix/deferred: open /var/spool/postfix/deferred: permission denied
2020-03-30T19:07:40Z E! [inputs.postfix] Error in plugin: error scanning /var/spool/postfix/active: open /var/spool/postfix/active: permission denied
2020-03-30T19:07:40Z E! [inputs.postfix] Error in plugin: error scanning /var/spool/postfix/incoming: open /var/spool/postfix/incoming: permission denied
2020-03-30T19:07:40Z E! [inputs.postfix] Error in plugin: error scanning /var/spool/postfix/maildrop: open /var/spool/postfix/maildrop: permission denied
2020-03-30T19:07:40Z E! [inputs.postfix] Error in plugin: error scanning /var/spool/postfix/deferred: open /var/spool/postfix/deferred: permission denied

== AFTER ACL'S ==

sudo setfacl -Rm g:telegraf:rX /var/spool/postfix/
sudo setfacl -dm g:telegraf:rX /var/spool/postfix/

No complaints in Log :)

Graphs OK to start show mails :)

[derrickpark]

Okay, for some reason my user in acl is not put on creation, I'll do some other tests (include restart postfix in order to take care new permissions). Thank for the help.

@bdronneau
Were you able to resolve your issue, particularly with: "Yes this command help at time t but if a new folder is create in deferred, it's not taking telegraf groups."

Seems like certain sub folders under "Deferred" are being created with different permissions.

[bdronneau]

Hi @derrickpark,
I've not figure out what happen in this use case. I stop digging because we move our postfix solution to SaaS api email solution.