Postfix can't find PostgreSQL's unix socket using "peer" method


Hamid M.
Hello

Using psql I can connect to postgresql's socket with a database user/role that does not have a password set. This is achieved by using "peer" authentication method and maps set in "pg_ident.conf" file:
mailserver_map  postfix  mailserver

"pg_hba.conf" file:
local    mailserver    all    peer map=mailserver_map

Issuing following command works and doesn't require password:
sudo -u postfix psql -U mailserver -d mailserver -h /var/run/postgresql

Additionally, all queries using "postmap -q" succeed with correct results.

But none of the look ups defined in "virtual_mailbox_maps.cf" or "virtual_alias_maps.cf" work when the postfix server tries them, and in fact they report that connection to postgresql fails because it can't find it!:

postfix/trivial-rewrite[8119]: warning: connect to pgsql server /var/run/postgresql: could not connect to server: No such file or directory??Is the server running locally and accepting??connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"??

My virtual maps look like this:
user = mailserver
dbname = mailserver
query = SELECT destination FROM virtual_aliases WHERE source = '%s'
hosts = /var/run/postgresql

My questions are:
1- Why Postfix reports that it can't connect to server instead of a message like "authentication failed for user"? Can this be considered a bug since it seems not providing "password" field breaks the command Postfix uses to establish communication to Postgres (hence the incorrect error message)?

2- Is there a way of achieving this authentication method that I am missing? I can make it work if I add a password for the database user and provide that in "virtual_alias_maps.cf" files but I was wondering if this can be done without password since I am using local/socket-based connection?

Thanks in advance for your time,
Hamid

Jaroslaw Rafa
On 28.01.2020 at 18:43:48 Hamid M. wrote:

>
> Issuing following command works and doesn't require password:
> sudo -u postfix psql -U mailserver -d mailserver -h /var/run/postgresql
>
> Additionally, all queries using "postmap -q" succeed with correct results.
>
> But none of the look ups defined in "virtual_mailbox_maps.cf" or "
> virtual_alias_maps.cf" work when the postfix server tries them, and in fact
> they report that connection to postgresql fails because it can't find it!:
>
> postfix/trivial-rewrite[8119]: warning: connect to pgsql server
> /var/run/postgresql: could not connect to server: No such file or
> directory??Is the server running locally and accepting??connections on Unix
> domain socket "/var/run/postgresql/.s.PGSQL.5432"??

Maybe the reason is that your PostgreSQL socket isn't available from within
Postfix chroot jail?
Try placing it somewhere inside Postfix chroot jail.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Hamid M.

On Tue, Jan 28, 2020 at 6:52 PM Jaroslaw Rafa <[hidden email]> wrote:

> > postfix/trivial-rewrite[8119]: warning: connect to pgsql server
> > /var/run/postgresql: could not connect to server: No such file or
> > directory??Is the server running locally and accepting??connections on Unix
> > domain socket "/var/run/postgresql/.s.PGSQL.5432"??
>
> Maybe the reason is that your PostgreSQL socket isn't available from within
> Postfix chroot jail?
> Try placing it somewhere inside Postfix chroot jail.

Thanks for your reply. I moved the socket folder into Postfix's jail "/var/spool/postfix/postgresql":

ls -ld /var/spool/postfix/postgresql
drwxrwsr-x 2 postgres postgres 4096 Jan 29 00:45 postgresql/

Postgresql starts correctly and creates the socket, however the issue remains, i.e., I can connect to server using
"psql" but I get same error messages from Postfix:

Jan 29 00:47:19 mail postfix/trivial-rewrite[10046]: warning: connect to pgsql server /var/spool/postfix/postgresql: 
could not connect to server: No such file or directory??
Is the server running locally and accepting??connections on Unix domain socket "/var/spool/postfix/postgresql/.s.PGSQL.5432"??



Viktor Dukhovni
On Tue, Jan 28, 2020 at 07:53:42PM -0500, Hamid M. wrote:

> Thanks for your reply. I moved the socket folder into Postfix's jail
> "/var/spool/postfix/postgresql":

It would be easier to just turn off chroot in master.cf, but:

> ls -ld /var/spool/postfix/postgresql
> drwxrwsr-x 2 postgres postgres 4096 Jan 29 00:45 postgresql/

You also need symbolic link

    /var/spool/postfix/var/spool/postfix -> ../..

So that paths under /var/spool/postfix work the same way for
both chrooted and not chrooted processes.

--
    Viktor.

Hamid M.
On Tue, Jan 28, 2020 at 8:11 PM Viktor Dukhovni <[hidden email]> wrote:

> You also need symbolic link
>
>     /var/spool/postfix/var/spool/postfix -> ../..
>
> So that paths under /var/spool/postfix work the same way for
> both chrooted and not chrooted processes.


Not sure how to go about doing this linking since I don't see any /var folder within /var/spool/postfix

something like:
cd /var/spool/postfix
ln -s ../.. var/spool/postfix
?
 

Viktor Dukhovni
On Tue, Jan 28, 2020 at 08:27:53PM -0500, Hamid M. wrote:

> > You also need symbolic link
> >
> >     /var/spool/postfix/var/spool/postfix -> ../..
> >
> > So that paths under /var/spool/postfix work the same way for
> > both chrooted and not chrooted processes.
>
> Not sure how to go about doing this linking since I don't see any /var
> folder within /var/spool/postfix
>
> Something like:
> cd /var/spool/postfix
> ln -s ../.. var/spool/postfix

Naturally, you'd have to create the intermediate directories:

    # (umask 022; mkdir -p /var/spool/postfix/var/spool)
    # ln -s ../.. /var/spool/postfix/var/spool/postfix

--
    Viktor.

Hamid M.


On Tue, Jan 28, 2020 at 8:36 PM Viktor Dukhovni <[hidden email]> wrote:

> Naturally, you'd have to create the intermediate directories:
>
>     # (umask 022; mkdir -p /var/spool/postfix/var/spool)
>     # ln -s ../.. /var/spool/postfix/var/spool/postfix

Thanks Viktor, this helped solve the issue.
Just curious if I wanted to disable chroot, should it only apply to smtpd or some other few services?

Jaroslaw Rafa
In reply to this post by Hamid M.
On 28.01.2020 at 19:53:42 Hamid M. wrote:

> Thanks for your reply. I moved the socket folder into Postfix's jail
> "/var/spool/postfix/postgresql":
>
> ls -ld /var/spool/postfix/postgresql
> drwxrwsr-x 2 postgres postgres 4096 Jan 29 00:45 postgresql/
>
> Postgresql starts correctly and creates the socket, however the issue
> remains, i.e., I can connect to server using
> "psql" but I get same error messages from Postfix:
>
> Jan 29 00:47:19 mail postfix/trivial-rewrite[10046]: warning: connect to
> pgsql server /var/spool/postfix/postgresql:
> could not connect to server: No such file or directory??
> Is the server running locally and accepting??connections on Unix domain
> socket "/var/spool/postfix/postgresql/.s.PGSQL.5432"??

If you have the socket in /var/spool/postfix/postgresql, then you need to
specify path to socket in Postfix configuration taking into account the
chroot jail, ie. not "/var/spool/postfix/postgresql", but just "postgresql".

Alternatively, you can create
/var/spool/postfix/var/spool/postfix/postgresql directory, as Viktor wrote.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Viktor Dukhovni
> On Jan 29, 2020, at 4:32 AM, Jaroslaw Rafa <[hidden email]> wrote:
>
> If you have the socket in /var/spool/postfix/postgresql, then you need to
> specify path to socket in Postfix configuration taking into account the
> chroot jail, ie. not "/var/spool/postfix/postgresql", but just "postgresql".

No, that's fragile, not all processes using the table are necessarily
or consistently over time chrooted.  Making a symlink is more robust.

> Alternatively, you can create
> /var/spool/postfix/var/spool/postfix/postgresql directory, as Viktor wrote.

No, there's a symlink in there, that makes:

  /var/spool/postfix == /var/spool/postfix/var/spool/postfix
                     == /var/spool/postfix/var/spool/postfix/var/spool/postfix/
                     == /var/spool/postfix/var/spool/postfix/var/spool/postfix/var/spool/postfix
                     == ... up to PATHLEN_MAX ...

Therefore, the directory is in /var/spool/postfix as before, but now
it is also accessible under the same name from inside the jail.

--
        Viktor.
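
The symlink's effect on path lookup, as an added example that is not part of the thread: a temporary directory stands in for the filesystem root (no root privileges or real chroot involved), a placeholder file stands in for the socket, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. A temp directory stands in for "/", so nothing under the real
# /var/spool/postfix is touched and no root or real chroot is needed.

build_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/var/spool/postfix/postgresql"
    # Placeholder file standing in for PostgreSQL's socket.
    : > "$sandbox/var/spool/postfix/postgresql/.s.PGSQL.5432"
    printf '%s\n' "$sandbox"
}

# A chrooted daemon has the queue directory as its "/", so the configured
# /var/spool/postfix/postgresql is looked up one level deeper on disk.
jail_view() {
    printf '%s\n' "$1/var/spool/postfix/var/spool/postfix/postgresql/.s.PGSQL.5432"
}

# The two commands from the thread, applied inside the sandbox.
add_symlink() {
    (umask 022; mkdir -p "$1/var/spool/postfix/var/spool")
    ln -s ../.. "$1/var/spool/postfix/var/spool/postfix"
}

visible_in_jail() { [ -e "$(jail_view "$1")" ]; }

# Prints "<before> <after>": is the socket path resolvable from the jail's
# point of view before and after the symlink exists?
demo() {
    sb=$(build_sandbox) || return 1
    if visible_in_jail "$sb"; then before=found; else before=missing; fi
    add_symlink "$sb"
    if visible_in_jail "$sb"; then after=found; else after=missing; fi
    rm -rf "$sb"
    printf '%s %s\n' "$before" "$after"
}

demo
```

The "missing" result before the symlink corresponds to the "No such file or directory" that libpq reported from the chrooted trivial-rewrite process.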


Christoph Moench-Tegeder
In reply to this post by Hamid M.
## Hamid M. ([hidden email]):

> postfix/trivial-rewrite[8119]: warning: connect to pgsql server
> /var/run/postgresql: could not connect to server: No such file or
> directory??Is the server running locally and accepting??connections on Unix
> domain socket "/var/run/postgresql/.s.PGSQL.5432"??

That message is straight from libpq (PostgreSQL client library) - if
you had authentication problems (password etc.) you'd get different
error messages.

> 2- Is there a way of achieving this authentication method that I am
> missing? I can make it work if I add a password for the database user and
> provide that in "virtual_alias_maps.cf" files but I was wondering if this
> can be done without password since I am using local/socket-based connection?

Downthread I saw that you already found the solution (moving the
PostgreSQL socket inside the chroot). Let me add (for the benefit
of future readers of this) that the PostgreSQL parameter setting the
location of the database server's unix socket - "unix_socket_directories"
- is in fact plural, that is, you can give multiple socket directories,
separated by comma, and have multiple unix sockets on your system.
(That parameter became plural in PostgreSQL 9.3 (before, it was singular
"unix_socket_directory"), so it's in all supported PostgreSQL releases).

Regards,
Christoph

--
Spare Space

Viktor Dukhovni
In reply to this post by Hamid M.
On Wed, Jan 29, 2020 at 01:21:03AM -0500, Hamid M. wrote:

> Just curious if I wanted to disable chroot, should it only apply to smtpd
> or some other few services?

Generally all.  If however you later decide to reenable chroot, some
services will need to stay not chrooted.

    proxymap
    proxywrite
    postlog
    local
    virtual
    ... generally any delivery agent using pipe(8) ...

Some internal services can always be chrooted, they never access
resources outside the queue directory, but keeping them chrooted is
unlikely to be worth the effort if the more exposed services are not.

--
    Viktor.
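
One way to audit master.cf against the list above, as an added example that is not from the thread or from Postfix. The master.cf excerpt is constructed, the function names are hypothetical, and the meaning of "-" in the chroot column (n on Postfix 3.0 and later, y before) is passed in as an argument.

```shell
#!/bin/sh
# Added example. Constructed master.cf excerpt, not taken from the thread.
sample_master_cf() {
cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
rewrite   unix  -       -       y       -       -       trivial-rewrite
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       y       -       1       proxymap
local     unix  -       n       -       -       -       local
virtual   unix  -       n       y       -       -       virtual
maildrop  unix  -       n       y       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
EOF
}

# Reads master.cf on stdin and prints "service/type" for every entry that is
# chrooted although its service name or command is on the list in the thread.
# $1 = what "-" means in the chroot column (default n).
chrooted_but_should_not_be() {
    awk -v dflt="${1:-n}" '
        BEGIN {
            n = split("proxymap proxywrite postlog local virtual pipe", a, " ")
            for (i = 1; i <= n; i++) keep[a[i]] = 1
        }
        /^[ \t]/ || /^#/ || /^$/ { next }   # continuation, comment, blank
        NF >= 8 {
            chroot = ($5 == "-") ? dflt : $5
            if (chroot == "y" && (($1 in keep) || ($8 in keep)))
                print $1 "/" $2
        }'
}

sample_master_cf | chrooted_but_should_not_be n
```

On a real system the input would be the actual master.cf, for example `chrooted_but_should_not_be n < /etc/postfix/master.cf`, where the file location is an assumption about the installation.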