
I'm running a mail server with CentOS 7 + Exim 4.92 + Dovecot 2.2.36 and RoundCubeMail as the web interface, and have the following problem: when I send to or receive from mailboxes other than admin@, info@, dev@ etc., I get the following error:

2020-04-05 05:37:52 H=mail.mydomain.com (IP) [IP] sender verify fail for <bender@mydomain.com>: Unknown user
2020-04-05 05:37:52 H=mail.mydomain.com (IP) [IP] F=<bender@mydomain.com> A=dovecot_login:bender@mydomain.com rejected RCPT <admin@mydomain.com>: Sender verify failed

Here I tried to send an email from bender@mydomain.com to admin@mydomain.com. But if I send an email from admin to info, or from dev to info everything goes well: emails are sent and received, no errors occur.

If I send an email to bender@mydomain.ru then I receive a returned message:

Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  bender@mydomain.com
    Unknown user

Reporting-MTA: dns; mail.mydomain.com

Action: failed
Final-Recipient: rfc822;bender@mydomain.com
Status: 5.0.0

All mailboxes were created via VESTA CP and really exist; the passwd file is located in /home/user/conf/mail/mydomain.com/ and contains entries like:

bender:{MD5}$1$XXX:user:mail::/home/user:0

Mail server host: mail.mydomain.com

MX entry: mail.mydomain.com

There is authentication via dovecot in the exim config file:

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

Dovecot's 10-auth.conf file contains following entries:

disable_plaintext_auth = no
auth_verbose = yes
auth_mechanisms = plain login
!include auth-passwdfile.conf.ext

Dovecot's auth-passwdfile.conf.ext:

passdb {
  driver = passwd-file
  args = scheme=MD5-CRYPT username_format=%n /etc/exim/domains/%d/passwd
}

userdb {
  driver = passwd-file
  args = username_format=%n /etc/exim/domains/%d/passwd
}

/etc/exim/domains/mydomain.com - symlink exactly to /home/user/conf/mail/mydomain.com/

I can successfully login to RoundCube web interface with all these mail accounts.

I spent 3 days trying to find the answer on the Internet and tried to change the exim/dovecot config files, but nothing helped. And I'm stuck. I guess that mailboxes like admin/info/dev are some trusted standards, or exist somewhere in a previous passwd file/config file, but I didn't find any on my server, and anyway if I change the username or password hash in /home/user/conf/mail/mydomain.com/passwd I can't even log in to RoundCubeMail and send an email. I'm new to mail servers so I don't even have an idea where to dig; I tried everything I could with my knowledge.

P.S. exim and dovecot come with VESTA CP, but I removed and installed them manually because of the mysql dependencies when upgrading to the latest version.

Piotr P. Karwasz
holycreeper
    **Important**: you should change your password, since you posted it on this site. Concerning your problem: **exim4** does not know any user `bender`, check the [routers section](https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_runtime_configuration_file.html#SECTconffilfor) of your config file and add the router configuration for local domains to your question. – Piotr P. Karwasz Apr 05 '20 at 07:13
  • @PiotrP.Karwasz in the config file I have this entry: `localuser: driver = accept check_local_user # local_part_suffix = +* : -* # local_part_suffix_optional transport = local_delivery cannot_route_message = Unknown user` What else should I add? – holycreeper Apr 05 '20 at 08:39

1 Answer

Your Dovecot configuration uses a virtual user database, i.e. your e-mail users are not system users of your server. On the other hand, Exim is only configured to deliver mail to local system users.

You need to configure it to use the Dovecot user database (cf. Dovecot documentation). Therefore:

  • Comment out your localuser router,
  • Add a router to check for Dovecot users just after the localuser router:

    dovecot_local_users:
        driver = accept
        domains = +local_domains
        # Requires fixing permission, so that Exim can read it
        local_parts = lsearch;/etc/exim/domains/${domain}/passwd
        transport = dovecot_delivery
    
  • Add a transport anywhere in the transport section (as described in the aforementioned link):

    dovecot_delivery:
        driver = pipe
        # The path to the dovecot-lda binary may differ on your system
        command = /usr/local/libexec/dovecot/dovecot-lda -d $local_part@$domain -f $sender_address
        message_prefix =
        message_suffix =
        log_output
        delivery_date_add
        envelope_to_add
        return_path_add
        # Set the appropriate user and group, which your mailboxes use.
        #user =
        #group = mail
        #mode = 0660
        temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
    
  • Test the routing configuration with:

    /usr/sbin/exim4 -bt address_to_test
    

Edit: The lsearch;/etc/exim/domains/${domain}/passwd requires you to give Exim4 access to the dovecot's passwd files. That might be a security risk, since this file contains real passwords. So you can:

  • Comment out the local_parts condition. No passwd file access will be required, but your server will accept any username during the SMTP session and generate a bounce message for the non-existent usernames afterwards. Since most Return-Path addresses in spam messages are spoofed, this will deliver the message to the wrong address.

  • Generate and maintain a second file, which will contain just the usernames of the virtual users:

    user1:
    user2:
    user3:
    

    and give it as argument to lsearch.

By the way, you should consider changing your password scheme in Dovecot (cf. Dovecot documentation) into something more modern, like SHA512-CRYPT, used in the /etc/shadow files of modern distributions.

Piotr P. Karwasz
  • Yes, indeed, it works! Couldn't find these blocks by googling; it seems better to learn the documentation itself. There are other problems now with permissions, but that should already be another topic, I think. Thanks a lot! – holycreeper Apr 05 '20 at 17:11
  • Regarding the permission problem with the access to `/etc/exim/domains/${domain}/passwd` I added some details to the answer. – Piotr P. Karwasz Apr 05 '20 at 20:35
  • Oh, this is exactly what I was reading about now, very useful information, thank you again! Could you give me advice please: I'm going to choose option 2 (generate a file with only usernames), so where is it better to store this file and what permission rights should it have? Btw, my dovecot-lda is owned by `root` and has group `mail`, is that correct/safe? Exim and Dovecot have group `mail` as well. – holycreeper Apr 06 '20 at 03:11
  • The user list does not contain sensitive data, so it can be `root:root` with a `0644` mode (in a directory writable only by root with all its ancestors, cf. [path_resolution](http://man7.org/linux/man-pages/man7/path_resolution.7.html)). The `passwd` file can be `root:dovecot` (the group containing just `dovecot`) with a `0640` mode, since you will probably update the passwords yourself. The e-mails can be stored as `dovecot:mail` with a `0660` mode. – Piotr P. Karwasz Apr 06 '20 at 05:00
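The second option from the answer (a separate file holding only the usernames, so that Exim never has to read the file with the password hashes) can be regenerated from the Dovecot passwd file with a few lines of shell. The script below is an added example, not code from the answer or from VESTA CP; it assumes the layout from the question (`/etc/exim/domains/<domain>/passwd`, one `user:{HASH}...` record per line) and writes the list to a sibling file called `users`, a name chosen here, which the router would then reference as `local_parts = lsearch;/etc/exim/domains/${domain}/users`.

```shell
#!/bin/sh
# Added example: build the username-only lsearch file for the
# dovecot_local_users router from a Dovecot passwd-file database.
# Assumptions: passwd files live at <dir>/<domain>/passwd (VESTA layout
# from the question) and the generated list is <dir>/<domain>/users.
set -eu

# make_userlist SRC DST
# Emit one "localpart:" line per account in SRC (field 1 of each
# record), sorted and de-duplicated, into DST. Comment and blank lines
# are skipped; the hash and the rest of the record never reach DST.
# The file is written under umask 022 to a temp name and then renamed,
# so Exim never reads a half-written or world-writable list.
make_userlist() {
    src="$1"
    dst="$2"
    tmp="$dst.tmp.$$"
    (
        umask 022
        grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$src" \
            | cut -d: -f1 \
            | sed 's/$/:/' \
            | LC_ALL=C sort -u > "$tmp"
    )
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dst"
}

# make_all_userlists DIR
# Regenerate the list for every domain directory under DIR that has a
# passwd file (e.g. /etc/exim/domains).
make_all_userlists() {
    for pw in "$1"/*/passwd; do
        [ -f "$pw" ] || continue
        make_userlist "$pw" "$(dirname "$pw")/users"
    done
}

# has_user LOCALPART FILE
# Exact key match on "localpart:", the same test Exim's lsearch makes.
has_user() {
    grep -qxF -- "$1:" "$2"
}

# Usage (as root, after every mailbox change in VESTA):
#   make_all_userlists /etc/exim/domains
#   exim -bt bender@mydomain.com      # should now route to dovecot_delivery
```

Run it as root after each mailbox is added or removed (a cron entry is the usual way), then confirm the routing with `exim -bt` as the answer suggests. Because the list is written by root into a root-owned directory it ends up `root:root 0644`, matching the permissions recommended in the last comment, while the passwd file with the hashes can stay unreadable to Exim.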