
Re: postfix and dovecot SASL

  • Noel Jones
    Message 1 of 6 , May 22, 2013
      On 5/22/2013 12:42 PM, Peter Skensved wrote:
      > I've set up dovecot to provide SASL for postfix and as far as I can
      > tell everything is working correctly. However, when I do a ehlo localhost
      > I don't see it announcing anything about AUTH :
      >
      > Connected to localhost.
      > Escape character is '^]'.
      > 220 xxx.yyy.QueensU.CA ESMTP Postfix
      > ehlo localhost
      > 250-xxx.yyy.QueensU.CA
      > 250-PIPELINING
      > 250-SIZE 40960000
      > 250-VRFY
      > 250-ETRN
      > 250-STARTTLS
      > 250-ENHANCEDSTATUSCODES
      > 250-8BITMIME
      > 250 DSN
      >
      > Am I missing something in the configuration of postfix ( or dovecot ) ?
      > The log files tell me that it authenticates and entering the wrong password
      > makes it fail etc.
      >
      > peter
      >

      You didn't show your "postconf -n" output, so we're reduced to guessing.

      Common problem: AUTH seems to be working, but I don't see AUTH
      announced when I telnet localhost.

      Typically this means you've set "smtpd_tls_auth_only = yes", which
      suppresses the AUTH announcement until after an encrypted session is
      established -- which is usually a good thing.

      To see the AUTH announcement, either temporarily set
      "smtpd_tls_auth_only = no", or test with "openssl s_client -connect
      localhost:25 -starttls smtp"


      -- Noel Jones
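
The check described in the reply above, as an added example that is not part of the original thread: it compares the EHLO keywords seen before and after STARTTLS and reports whether AUTH is held back until the session is encrypted, which is the behaviour of "smtpd_tls_auth_only = yes". `PRE_TLS` is the transcript from the thread; `POST_TLS` is a constructed sample, and the function names are illustrative.

```python
import re
import smtplib

# EHLO reply quoted in the thread (plaintext session, before STARTTLS).
PRE_TLS = """250-xxx.yyy.QueensU.CA
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
# Constructed sample of the reply after STARTTLS (mechanism list is assumed).
# broken_sasl_auth_clients = yes adds the legacy "AUTH=" form of the line.
POST_TLS = "250-xxx.yyy.QueensU.CA\n250-AUTH PLAIN\n250-AUTH=PLAIN\n250 DSN"

def ehlo_keywords(reply):
    """Upper-cased ESMTP keywords from a raw multi-line 250 EHLO reply."""
    found = set()
    for ln in reply.splitlines()[1:]:  # first 250 line is the server name
        m = re.match(r"250[- ]([A-Za-z0-9][A-Za-z0-9-]*)", ln.strip())
        if m:  # stops at "=" or space, so "AUTH=PLAIN" yields "AUTH"
            found.add(m.group(1).upper())
    return found

def classify(pre_tls, post_tls=None):
    """Say where AUTH is announced, given keyword sets from both EHLOs."""
    if "AUTH" in pre_tls:
        return "AUTH offered in cleartext"
    if "STARTTLS" not in pre_tls:
        return "no AUTH and no STARTTLS"
    if post_tls is None:
        return "unknown: repeat EHLO after STARTTLS"
    if "AUTH" in post_tls:
        return "AUTH offered only after STARTTLS"
    return "AUTH not offered at all"

def probe(host, port=25, context=None):
    """Live version of the same check; context is an optional ssl.SSLContext."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = {k.upper() for k in s.esmtp_features}
        post = None
        if "STARTTLS" in pre:
            s.starttls(context=context)
            s.ehlo()  # capabilities must be re-read after the TLS handshake
            post = {k.upper() for k in s.esmtp_features}
    return classify(pre, post)
```

`probe("localhost")` asks the same question as the `openssl s_client -starttls smtp` test: a plain telnet session only ever sees the first keyword set.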
    • Bill Cole
      Message 2 of 6 , May 22, 2013
        On 22 May 2013, at 13:42, Peter Skensved wrote:

        > I've set up dovecot to provide SASL for postfix and as far as I can
        > tell everything is working correctly. However, when I do a ehlo
        > localhost
        > I don't see it announcing anything about AUTH :
        >
        > Connected to localhost.
        > Escape character is '^]'.
        > 220 xxx.yyy.QueensU.CA ESMTP Postfix
        > ehlo localhost
        > 250-xxx.yyy.QueensU.CA
        > 250-PIPELINING
        > 250-SIZE 40960000
        > 250-VRFY
        > 250-ETRN
        > 250-STARTTLS
        > 250-ENHANCEDSTATUSCODES
        > 250-8BITMIME
        > 250 DSN
        >
        > Am I missing something in the configuration of postfix ( or dovecot )
        > ?

        My telepathy says "no" but if you had done what
        http://www.postfix.org/DEBUG_README.html#mail advises, I could use less
        inconsistent tools.

        > The log files tell me that it authenticates and entering the wrong
        > password
        > makes it fail etc.

        Right.

        While it is not a default, smtpd_tls_auth_only=yes is a commonly
        recommended and wise setting. You probably have it.
      • Peter Skensved
        Message 3 of 6 , May 24, 2013
          >> I've set up dovecot to provide SASL for postfix and as far as I can
          >> tell everything is working correctly. However, when I do a ehlo
          >> localhost
          >> I don't see it announcing anything about AUTH :
          >>
          >> Connected to localhost.
          >> Escape character is '^]'.
          >> 220 xxx.yyy.QueensU.CA ESMTP Postfix
          >> ehlo localhost
          >> 250-xxx.yyy.QueensU.CA
          >> 250-PIPELINING
          >> 250-SIZE 40960000
          >> 250-VRFY
          >> 250-ETRN
          >> 250-STARTTLS
          >> 250-ENHANCEDSTATUSCODES
          >> 250 DSN
          >> 250-8BITMIME
          >>
          >> Am I missing something in the configuration of postfix ( or dovecot )
          >> ?
          >
          > My telepathy says "no" but if you had done what
          > http://www.postfix.org/DEBUG_README.html#mail advises, I could use less
          > inconsistent tools.
          >
          >> The log files tell me that it authenticates and entering the wrong
          >> password
          >> makes it fail etc.
          >
          > Right.
          >
          > While it is not a default, smtpd_tls_auth_only=yes is a commonly
          > recommended and wise setting. You probably have it.
          >

          Sorry about that: here is the output of postconf -n:

          alias_database = hash:/etc/aliases
          alias_maps = hash:/etc/aliases
          broken_sasl_auth_clients = yes
          command_directory = /usr/sbin
          config_directory = /etc/postfix
          daemon_directory = /usr/libexec/postfix
          data_directory = /var/lib/postfix
          debug_peer_level = 2
          html_directory = no
          inet_interfaces = all
          inet_protocols = all
          mail_owner = postfix
          mailq_path = /usr/bin/mailq.postfix
          manpage_directory = /usr/share/man
          message_size_limit = 40960000
          mydestination = $myhostname, localhost.$mydomain, localhost
          mynetworks_style = subnet
          newaliases_path = /usr/bin/newaliases.postfix
          queue_directory = /var/spool/postfix
          readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
          sample_directory = /usr/share/doc/postfix-2.6.6/samples
          sendmail_path = /usr/sbin/sendmail.postfix
          setgid_group = postdrop
          smtpd_delay_reject = yes
          smtpd_helo_required = yes
          smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
          smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_path = private/auth
          smtpd_sasl_security_options = noanonymous
          smtpd_sasl_type = dovecot
          smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
          smtpd_tls_auth_only = yes
          smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
          smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
          smtpd_tls_loglevel = 1
          smtpd_tls_security_level = may
          smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
          smtpd_tls_session_cache_timeout = 3600s
          tls_random_source = dev:/dev/urandom
          unknown_local_recipient_reject_code = 550


          And doveconf -n:

          # 2.0.9: /etc/dovecot/dovecot.conf
          # OS: Linux 2.6.32-279.2.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
          auth_debug = yes
          auth_verbose = yes
          disable_plaintext_auth = no
          mbox_write_locks = fcntl
          passdb {
            driver = pam
          }
          protocols = imap
          service auth {
            unix_listener /var/spool/postfix/private/auth {
              group = postfix
              mode = 0660
              user = postfix
            }
          }
          ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
          ssl_key = </etc/pki/dovecot/private/dovecot.pem
          userdb {
            driver = passwd
          }


          peter
        • LuKreme
          Message 4 of 6 , May 24, 2013
            On May 24, 2013, at 7:14, Peter Skensved <peter@...> wrote:

            > smtpd_tls_auth_only = yes

            So, question answered then?
          • /dev/rob0
            Message 5 of 6 , May 24, 2013
              On Fri, May 24, 2013 at 09:14:14AM -0400, Peter Skensved wrote:
              > >> I don't see it announcing anything about AUTH :
              > >>
              > >> Connected to localhost.
              > >> Escape character is '^]'.
              > >> 220 xxx.yyy.QueensU.CA ESMTP Postfix
              > >> ehlo localhost
              > >> 250-xxx.yyy.QueensU.CA
              > >> 250-PIPELINING
              > >> 250-SIZE 40960000
              > >> 250-VRFY
              > >> 250-ETRN
              > >> 250-STARTTLS
              > >> 250-ENHANCEDSTATUSCODES
              > >> 250 DSN
              > >> 250-8BITMIME
              > >>
              > >> Am I missing something in the configuration of postfix ( or
              > >> dovecot ) ?
              > >
              > > My telepathy says "no" but if you had done what
              > > http://www.postfix.org/DEBUG_README.html#mail advises, I could
              > > use less inconsistent tools.
              > >
              > >> The log files tell me that it authenticates and entering the
              > >> wrong password makes it fail etc.
              > >
              > > Right.
              > >
              > > While it is not a default, smtpd_tls_auth_only=yes is a
              > > commonly recommended and wise setting. You probably have it.

              Did you see this part ^^ up here?

              > Sorry about that: here is the output of postconf -n:
              snip
              > smtpd_tls_auth_only = yes
              --
              http://rob0.nodns4.us/ -- system administration and consulting
              Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: