mjhjmtu

Because of recent policy changes at our office's ISP (no more SSL or TLS 1.0, only TLS 1.1+), I've had to ditch ssmtp as our mail relay on a Debian 9 workstation. I reinstalled postfix, which automatically removed ssmtp. Great. But there were some problems with installation, probably due to apparmor: postfix just would not configure, and no amount of apt-get clean, apt-get install -f, or dpkg -a --configure would solve that. I disabled apparmor, reinstalled ssmtp, purged postfix, fixed dependencies, and then reinstalled postfix. Now postfix automatically went through its post-install configuration no problem. Great.

The problem now is that postfix is unable to create a lock file for messages from root. Here's the error message it produces in mail.warn when I try to send a test message as root:

Feb 25 10:30:56 Mephistopheles postfix/local[9195]: warning: unable to create lock file /root/mailbox.lock: Permission denied

I'm pretty sure on my other Debian workstations the default spool directory was /var/mail. So, first question, is the spool directory the problem, or the mailbox directory? And is it a question of group postfix having permissions on a directory? I don't want to give postfix RW permissions on /root.

I tried setting postconf mail_spool_directory=/var/mail/ and postconf home_mailbox= (null), then running postfix reload. So far no dice.

Here's my /etc/postfix/main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs. 
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes 
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache 
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
#restricting use to TLS 1.1+
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv11
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_exclude_ciphers = RC4, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS ECDSA, CAMELLIA128,
3DES, CAMELLIA256, RSA+AES, eNULL
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
myhostname = Mephistopheles.[our domain].com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, [our domain].com,
Mephistopheles, localhost.localdomain, localhost
relayhost = [our ISP name]:25 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
mail_spool_directory = /var/mail/ 
home_mailbox =

On previous instances of postfix (on other machines) installation has been totally seamless. Not sure what about the ssmtp/postfix swap gummed this up, although apparmor clearly played a role.

Have you redirected email addressed to root to your non privileged OS account?

http://www.postfix.org/BASIC_CONFIGURATION_README.html#notify

/etc/aliases:

postmaster: you

root: you