How to Fix “postfix/main.cf: Permission denied” Error on CentOS SMTP Relay Setup


2 views

When configuring Postfix as an SMTP relay on CentOS, one common stumbling block is the permission error when trying to access main.cf. The error typically appears in your maillog as:

fatal: open /etc/postfix/main.cf: Permission denied

The key observation here is that while you might have set correct permissions on the file itself, Postfix may still fail to read it due to directory-level permissions or SELinux contexts.

First, verify the complete permission chain:

# Check file permissions
ls -la /etc/postfix/main.cf

# Check directory permissions
ls -ld /etc/postfix/

# Check SELinux context
ls -Z /etc/postfix/main.cf

Here's the full procedure to resolve this issue:

# 1. Set proper ownership
sudo chown root:postfix /etc/postfix/main.cf

# 2. Set appropriate file permissions
sudo chmod 640 /etc/postfix/main.cf

# 3. Verify directory permissions
sudo chmod 755 /etc/postfix/

# 4. Check SELinux context (for CentOS/RHEL)
sudo restorecon -v /etc/postfix/main.cf

# 5. Verify Postfix can access the file
sudo -u postfix cat /etc/postfix/main.cf >/dev/null

# 6. Restart Postfix
sudo systemctl restart postfix

If the error persists, consider these additional checks:

# Check if AppArmor/SELinux is blocking access
sudo ausearch -m avc -ts recent

# Verify Postfix master process user
ps aux | grep postfix

# Check for extended attributes
lsattr /etc/postfix/main.cf

Here's a working main.cf snippet for Gmail relay:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

After fixing permissions and configuration, test with:

sudo postfix check
sudo postfix reload
journalctl -u postfix -f

Remember to check both system logs and mail logs for any remaining issues.

When configuring Postfix as an SMTP relay on CentOS 5.5, many admins encounter the frustrating "permission denied" error when accessing /etc/postfix/main.cf. The key insight here is that Postfix runs as multiple system users (postfix, postdrop) with strict security contexts.

The Postfix master process typically runs as root, but worker processes run as the postfix user. Here's what's actually needed:

# Correct permission structure:
-rw-r--r--. 1 root root 27531 Apr 29 12:19 /etc/postfix/main.cf

First, verify the current SELinux context:

ls -lZ /etc/postfix/main.cf
# Should show: system_u:object_r:postfix_etc_t:s0

If SELinux is enforcing (check with getenforce), restore the proper context:

restorecon -v /etc/postfix/main.cf
chcon -t postfix_etc_t /etc/postfix/main.cf

For a complete solution that addresses both traditional Unix permissions and SELinux:

# Reset ownership and permissions
chown root:root /etc/postfix/main.cf
chmod 644 /etc/postfix/main.cf

# Verify directory permissions
chmod 755 /etc/postfix/

# For RHEL/CentOS 5 specifically:
service postfix stop
rm -f /var/spool/postfix/pid/master.pid
service postfix start

If the issue persists, check these additional items:

# Check process ownership
ps aux | grep postfix

# Verify filesystem ACLs
getfacl /etc/postfix/main.cf

# Alternative troubleshooting command
strace -f -o postfix.strace /usr/sbin/postfix start

Here's a working main.cf snippet for Gmail relay setup:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes

Remember to set proper permissions (600) on /etc/postfix/sasl_passwd and run postmap after creating it.