以下日志文件来自我当前的邮件日志:
Apr 24 17:44:48 h2290750 dovecot: auth: Error: pgsql: Connect failed to mail: could not connect to server: Permission denied
Apr 24 17:44:48 h2290750 dovecot: auth: Error: #011Is the server running on host "localhost" (::1) and accepting
Apr 24 17:44:48 h2290750 dovecot: auth: Error: #011TCP/IP connections on port 5432?
Apr 24 17:44:48 h2290750 dovecot: auth: Error: could not connect to server: Permission denied
Apr 24 17:44:48 h2290750 dovecot: auth: Error: #011Is the server running on host "localhost" (127.0.0.1) and accepting
Apr 24 17:44:48 h2290750 dovecot: auth: Error: #011TCP/IP connections on port 5432?
我检查了 postgresql 服务器是否正在监听端口 5432。我的 pg_hba.conf 看起来像这样。
# TYPE DATABASE USER ADDRESS METHOD
# Mail stuff
host mail mailreader 127.0.0.1/32 md5
host mail mailreader ::1/128 md5
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 ident
# IPv6 local connections:
host all all ::1/128 ident
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 ident
#host replication postgres ::1/128 ident
我的dovecot-sql.conf的连接配置:
driver = pgsql
connect = host=localhost dbname=mail user=mailreader password=secret
default_pass_scheme = SHA512
password_query = SELECT email as user, password, 'maildir:/home/mail'||maildir as userdb_mail FROM users WHERE email = '%u'
有什么建议吗?也许我需要对秘密进行哈希处理,以便 dovecot 将 md5 哈希密码推送到 pgsql?
编辑:psql -U mailreader -d mail在数据库中留下 SQL 提示mail
答案1
连接邮件失败:无法连接到服务器:权限被拒绝服务器是否在主机“localhost”(::1) 上运行并接受
实际上暗示了 SELinux 的问题。检查 audit.log 后,我发现下面这行代码反复出现。
类型 = AVC 消息 = 审核(1398759363.514:635):avc:拒绝 { 打开 } pid = 12779 comm =“auth”名称 =“auth-token-secret.dat.tmp”dev = md1 ino = 11927980 scontext = unconfined_u:system_r:dovecot_auth_t:s0 tcontext = unconfined_u:object_r:dovecot_var_run_t:s0 tclass = file
使用以下命令安装策略核心实用程序后:
yum 安装 policycoreutils-python
我能够使用 audit2allow 命令为 SELinux 创建一个例外:
grep auth_t /var/log/audit/audit.log | audit2allow -M postgreylocal
此后,可以使用以下命令将异常加载到 SELinux 中:
semodule-i postgreylocal.pp
就是这样。运行起来非常顺畅。
答案2
从外观上看,您的 postgres 用户 mailreader 无权访问 postgres 数据库邮件。
一旦您解决了这个问题,它就会开始为您工作。
答案3
此部分消息:
连接邮件失败:无法连接到服务器:没有权限
服务器是否在主机“localhost”(::1)上运行并接受
暗示SELinux权限问题。这时 SELinux 会禁止从您的 dovecot 进程发起 TCP 连接。
看SELinux 不允许 dovecot 连接到 postgresql在 fedora-selinux-list 上查看据称有效的示例策略。
它的要点似乎是:
module dovecotauthfixes 1.0;
require {
type dovecot_auth_t;
type postgresql_port_t;
type postgresql_tmp_t;
type postgresql_t;
class sock_file write;
class tcp_socket name_connect;
class unix_stream_socket connectto;
}
#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;