postfix and dovecot SASL

  • Peter Skensved
    Message 1 of 6 , May 22, 2013
      I've set up dovecot to provide SASL for postfix and as far as I can
      tell everything is working correctly. However, when I do a ehlo localhost
      I don't see it announcing anything about AUTH :

      Connected to localhost.
      Escape character is '^]'.
      220 xxx.yyy.QueensU.CA ESMTP Postfix
      ehlo localhost
      250-xxx.yyy.QueensU.CA
      250-PIPELINING
      250-SIZE 40960000
      250-VRFY
      250-ETRN
      250-STARTTLS
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN

      Am I missing something in the configuration of postfix ( or dovecot ) ?
      The log files tell me that it authenticates and entering the wrong password
      makes it fail etc.

      peter
    • Noel Jones
      Message 2 of 6 , May 22, 2013
        On 5/22/2013 12:42 PM, Peter Skensved wrote:
        > I've set up dovecot to provide SASL for postfix and as far as I can
        > tell everything is working correctly. However, when I do a ehlo localhost
        > I don't see it announcing anything about AUTH :
        >
        > Connected to localhost.
        > Escape character is '^]'.
        > 220 xxx.yyy.QueensU.CA ESMTP Postfix
        > ehlo localhost
        > 250-xxx.yyy.QueensU.CA
        > 250-PIPELINING
        > 250-SIZE 40960000
        > 250-VRFY
        > 250-ETRN
        > 250-STARTTLS
        > 250-ENHANCEDSTATUSCODES
        > 250-8BITMIME
        > 250 DSN
        >
        > Am I missing something in the configuration of postfix ( or dovecot ) ?
        > The log files tell me that it authenticates and entering the wrong password
        > makes it fail etc.
        >
        > peter
        >

        You didn't show your "postconf -n" output, so we're reduced to guessing.

        Common problem: AUTH seems to be working, but I don't see AUTH
        announced when I telnet localhost.

        Typically this means you've set "smtpd_tls_auth_only = yes", which
        suppresses the AUTH announcement until after an encrypted session is
        established -- which is usually a good thing.

        To see the AUTH announcement, either temporarily set
        "smtpd_tls_auth_only = no", or test with "openssl s_client -connect
        localhost:25 -starttls smtp"


        -- Noel Jones
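
The check described in the reply above, as an added example that is not part of the original thread: compare the AUTH announcement before and after STARTTLS. The pre-TLS reply is the one quoted in the thread; the post-TLS reply and its mechanism list are constructed, and `probe()` assumes a server you administer on localhost:25.

```python
import smtplib

# EHLO reply quoted in the thread (plain connection, before STARTTLS).
PRE_TLS = """250-xxx.yyy.QueensU.CA
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample of a reply after STARTTLS. The mechanism list is an
# assumption; the "AUTH=" line is the legacy form Postfix adds when
# broken_sasl_auth_clients = yes.
POST_TLS = """250-xxx.yyy.QueensU.CA
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN"""


def auth_mechanisms(ehlo_reply):
    """Return the SASL mechanisms announced in a raw EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        keyword = line[4:].strip()              # drop "250-" or "250 "
        if keyword[:4].upper() == "AUTH" and keyword[4:5] in ("", " ", "="):
            mechs.update(keyword[5:].upper().split())
    return mechs


def classify(before, after):
    """Compare the mechanisms offered before and after STARTTLS."""
    if before:
        return "auth-offered-in-cleartext"
    return "auth-offered-after-tls-only" if after else "auth-not-offered"


def probe(host="localhost", port=25):
    """Live version of the same check, for a server you administer."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = set(s.esmtp_features.get("auth", "").upper().split())
        s.starttls()
        s.ehlo()                                # features reset after TLS
        after = set(s.esmtp_features.get("auth", "").upper().split())
    return classify(before, after)
```

With `smtpd_tls_auth_only = yes` the expected result is `auth-offered-after-tls-only`; `auth-offered-in-cleartext` means credentials could be sent over an unencrypted session.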
      • Bill Cole
        Message 3 of 6 , May 22, 2013
          On 22 May 2013, at 13:42, Peter Skensved wrote:

          > I've set up dovecot to provide SASL for postfix and as far as I can
          > tell everything is working correctly. However, when I do a ehlo
          > localhost
          > I don't see it announcing anything about AUTH :
          >
          > Connected to localhost.
          > Escape character is '^]'.
          > 220 xxx.yyy.QueensU.CA ESMTP Postfix
          > ehlo localhost
          > 250-xxx.yyy.QueensU.CA
          > 250-PIPELINING
          > 250-SIZE 40960000
          > 250-VRFY
          > 250-ETRN
          > 250-STARTTLS
          > 250-ENHANCEDSTATUSCODES
          > 250-8BITMIME
          > 250 DSN
          >
          > Am I missing something in the configuration of postfix ( or dovecot )
          > ?

          My telepathy says "no" but if you had done what
          http://www.postfix.org/DEBUG_README.html#mail advises, I could use less
          inconsistent tools.

          > The log files tell me that it authenticates and entering the wrong
          > password
          > makes it fail etc.

          Right.

          While it is not a default, smtpd_tls_auth_only=yes is a commonly
          recommended and wise setting. You probably have it.
        • Peter Skensved
          Message 4 of 6 , May 24, 2013
            >> I've set up dovecot to provide SASL for postfix and as far as I can
            >> tell everything is working correctly. However, when I do a ehlo
            >> localhost
            >> I don't see it announcing anything about AUTH :
            >>
            >> Connected to localhost.
            >> Escape character is '^]'.
            >> 220 xxx.yyy.QueensU.CA ESMTP Postfix
            >> ehlo localhost
            >> 250-xxx.yyy.QueensU.CA
            >> 250-PIPELINING
            >> 250-SIZE 40960000
            >> 250-VRFY
            >> 250-ETRN
            >> 250-STARTTLS
            >> 250-ENHANCEDSTATUSCODES
            >> 250 DSN
            >> 250-8BITMIME
            >>
            >> Am I missing something in the configuration of postfix ( or dovecot )
            >> ?
            >
            > My telepathy says "no" but if you had done what
            > http://www.postfix.org/DEBUG_README.html#mail advises, I could use less
            > inconsistent tools.
            >
            >> The log files tell me that it authenticates and entering the wrong
            >> password
            >> makes it fail etc.
            >
            > Right.
            >
            > While it is not a default, smtpd_tls_auth_only=yes is a commonly
            > recommended and wise setting. You probably have it.
            >

            Sorry about that : Here is the output of postconf -n :

            alias_database = hash:/etc/aliases
            alias_maps = hash:/etc/aliases
            broken_sasl_auth_clients = yes
            command_directory = /usr/sbin
            config_directory = /etc/postfix
            daemon_directory = /usr/libexec/postfix
            data_directory = /var/lib/postfix
            debug_peer_level = 2
            html_directory = no
            inet_interfaces = all
            inet_protocols = all
            mail_owner = postfix
            mailq_path = /usr/bin/mailq.postfix
            manpage_directory = /usr/share/man
            message_size_limit = 40960000
            mydestination = $myhostname, localhost.$mydomain, localhost
            mynetworks_style = subnet
            newaliases_path = /usr/bin/newaliases.postfix
            queue_directory = /var/spool/postfix
            readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
            sample_directory = /usr/share/doc/postfix-2.6.6/samples
            sendmail_path = /usr/sbin/sendmail.postfix
            setgid_group = postdrop
            smtpd_delay_reject = yes
            smtpd_helo_required = yes
            smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
            smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
            smtpd_sasl_auth_enable = yes
            smtpd_sasl_path = private/auth
            smtpd_sasl_security_options = noanonymous
            smtpd_sasl_type = dovecot
            smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
            smtpd_tls_auth_only = yes
            smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
            smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
            smtpd_tls_loglevel = 1
            smtpd_tls_security_level = may
            smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
            smtpd_tls_session_cache_timeout = 3600s
            tls_random_source = dev:/dev/urandom
            unknown_local_recipient_reject_code = 550


            And doveconf -n

            # 2.0.9: /etc/dovecot/dovecot.conf
            # OS: Linux 2.6.32-279.2.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
            auth_debug = yes
            auth_verbose = yes
            disable_plaintext_auth = no
            mbox_write_locks = fcntl
            passdb {
              driver = pam
            }
            protocols = imap
            service auth {
              unix_listener /var/spool/postfix/private/auth {
                group = postfix
                mode = 0660
                user = postfix
              }
            }
            ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
            ssl_key = </etc/pki/dovecot/private/dovecot.pem
            userdb {
              driver = passwd
            }


            peter
          • LuKreme
            Message 5 of 6 , May 24, 2013
              On May 24, 2013, at 7:14, Peter Skensved <peter@...> wrote:

              > smtpd_tls_auth_only = yes

              So, question answered then?
            • /dev/rob0
              Message 6 of 6 , May 24, 2013
                On Fri, May 24, 2013 at 09:14:14AM -0400, Peter Skensved wrote:
                > >> I don't see it announcing anything about AUTH :
                > >>
                > >> Connected to localhost.
                > >> Escape character is '^]'.
                > >> 220 xxx.yyy.QueensU.CA ESMTP Postfix
                > >> ehlo localhost
                > >> 250-xxx.yyy.QueensU.CA
                > >> 250-PIPELINING
                > >> 250-SIZE 40960000
                > >> 250-VRFY
                > >> 250-ETRN
                > >> 250-STARTTLS
                > >> 250-ENHANCEDSTATUSCODES
                > >> 250 DSN
                > >> 250-8BITMIME
                > >>
                > >> Am I missing something in the configuration of postfix ( or
                > >> dovecot ) ?
                > >
                > > My telepathy says "no" but if you had done what
                > > http://www.postfix.org/DEBUG_README.html#mail advises, I could
                > > use less inconsistent tools.
                > >
                > >> The log files tell me that it authenticates and entering the
                > >> wrong password makes it fail etc.
                > >
                > > Right.
                > >
                > > While it is not a default, smtpd_tls_auth_only=yes is a
                > > commonly recommended and wise setting. You probably have it.

                Did you see this part ^^ up here?

                > Sorry about that : Here is the output of postconf -n :
                snip
                > smtpd_tls_auth_only = yes
                --
                http://rob0.nodns4.us/ -- system administration and consulting
                Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: