dovecot sasl with postfix, smtp auth not available

2023-04-22 Thread Badli Al Rashid
Hi All,

I have set up dovecot sasl with postfix. When I check the smtp with ehlo there 
is no auth advertised.

Connected to www.zystro.xyz.
Escape character is '^]'.
220 www.zystro.xyz
ehlo x.zystro.xyz
250-www.zystro.xyz
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

I did a number of installations and the auth was not shown. I have used the Debian 
distributed packages and also the dovecot packages.

Sasl.

root@www:~# postconf -a
cyrus
dovecot
root@www:~# postconf -A
cyrus

Dovecot version.

root@www:~# dovecot --version
2.3.20 (80a5ac675d)


Dovecot configuration.

root@www:~# dovecot -n
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# OS: Linux 5.10.0-21-amd64 x86_64 Debian 11.6
# Hostname: www.zystro.xyz
auth_mechanisms = plain login
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_location = mbox:~/Mailbox
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
}
passdb {
  driver = pam
}
postmaster_address = postmas...@zystro.xyz
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1,::1
    port = 143
  }
  inet_listener imaps {
    address = *
    port = 993
    ssl = yes
  }
}
ssl_cert = https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/

https://www.postfix.org/SASL_README.html

Anybody got any ideas?

Regards,
-badli
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
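One check worth making before digging into the SASL wiring: with Postfix's smtpd_tls_auth_only = yes, AUTH is only advertised after STARTTLS, so a plaintext EHLO like the one above shows no AUTH even when Dovecot SASL is working. The script below is an added diagnostic (not from the thread or from the Dovecot/Postfix projects) that parses the EHLO reply from the post and, via probe_auth(), compares the extension lists before and after STARTTLS against a live server.

```python
"""Added diagnostic, not from the thread: list the SMTP extensions a server
advertises before and after STARTTLS. With Postfix smtpd_tls_auth_only = yes,
AUTH is only offered inside TLS, so a plaintext EHLO shows no AUTH line."""
import re
import smtplib
import ssl

# EHLO reply captured in the post above (note: no AUTH line).
SAMPLE_EHLO_REPLY = """250-www.zystro.xyz
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING"""

_CODE_PREFIX = re.compile(r"^\d{3}[ -]")  # strips "250-" / "250 " wire prefixes

def parse_ehlo_reply(reply) -> dict:
    """Map each advertised extension keyword to its parameter string.
    Accepts raw wire lines or the code-stripped bytes smtplib.ehlo() returns;
    the first line (server hostname) is skipped."""
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    extensions = {}
    for line in reply.splitlines()[1:]:
        line = _CODE_PREFIX.sub("", line).strip()
        if line:
            keyword, _, params = line.partition(" ")
            extensions[keyword.upper()] = params.strip()
    return extensions

def auth_mechanisms(extensions: dict) -> list:
    """SASL mechanisms offered, or [] when AUTH is not advertised."""
    return extensions.get("AUTH", "").split()

def probe_auth(host: str, port: int = 25, timeout: float = 10) -> tuple:
    """Return (mechanisms before STARTTLS, mechanisms after STARTTLS)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        before = auth_mechanisms(parse_ehlo_reply(reply))
        after = []
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            _, reply = smtp.ehlo()  # extension list must be re-read after TLS
            after = auth_mechanisms(parse_ehlo_reply(reply))
    return before, after
```

probe_auth("www.zystro.xyz") returns ([], []) if Postfix never advertises AUTH, and ([], ["PLAIN", "LOGIN"]) if it is only hidden outside TLS; the default SSL context verifies the server certificate, so a self-signed certificate will make the STARTTLS step fail.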


Re: Blacklistd

2023-04-22 Thread Aki Tuomi via dovecot


> On 22/04/2023 18:21 EEST Michael Grimm via dovecot  
> wrote:
> 
>  
> Marc  wrote:
> 
> >> Blacklistd places a very short set of code to send a small packet to a 
> >> socket when
> >> the decision is made to deny access.
> 
> > And how does blacklistd get fed?
> 
> 
> Actually, one needs to add a small amount of code to dovecot which writes to 
> a socket. This code needs to be invoked whenever someone tries to "break in" 
> or "abuse" your dovecot server. Thus, the application informs the blacklistd 
> daemon about abuse and who did so. Blacklistd listens to that socket [1].
> 
> The running blacklistd then decides what to do with these attempts and uses 
> firewall functionality to block future attempts if wanted. 
> 
> [1] https://github.com/paul-chambers/blacklistd
> 
> The sources of bind, ftp, sshd, and postfix have already been modified 
> accordingly.
> 
> Regards,
> Michael

So, why not use auth policy for this? It can send information about potential 
login attempts to a remote server. And if the data format is not exactly 
correct for blacklistd, I'm sure an adapter can be added in the middle or into 
blacklistd.

Aki
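The "adapter in the middle" Aki mentions can be a small auth policy server: Dovecot POSTs a JSON document per login attempt to auth_policy_server_url and acts on the status in the reply. The code below is an added example, not from the thread or from Dovecot; the field names (remote, success), the reply shape {"status": 0 or -1, "msg": ...} and the command=report URL suffix for the post-authentication report are assumptions taken from the Dovecot auth policy documentation and should be verified against the version in use.

```python
"""Added example, not from the thread: a minimal Dovecot auth-policy server
that counts failed logins per remote address. Field names, reply shape and the
command=report suffix are assumptions from the auth policy docs; verify them."""
import json
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

class FailureTracker:
    """Sliding-window failure counter; answers status -1 (reject) once the
    threshold is reached. The blacklistd/firewall hand-off point is marked."""
    def __init__(self, threshold=5, window_s=600, clock=time.time):
        self.threshold, self.window_s, self.clock = threshold, window_s, clock
        self.failures = defaultdict(deque)  # remote -> failure timestamps
        self.blocked = set()

    def decide(self, request: dict, report: bool = True) -> dict:
        remote = request.get("remote", "")
        if remote in self.blocked:
            return {"status": -1, "msg": "too many failed logins"}
        if not report:                      # pre-auth lookup: no outcome yet
            return {"status": 0, "msg": ""}
        if request.get("success"):
            self.failures.pop(remote, None)
            return {"status": 0, "msg": ""}
        now, q = self.clock(), self.failures[remote]
        q.append(now)
        while q and q[0] < now - self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(remote)        # hook: notify blacklistd/firewall
            return {"status": -1, "msg": "too many failed logins"}
        return {"status": 0, "msg": ""}

TRACKER = FailureTracker()

class PolicyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        verdict = TRACKER.decide(json.loads(body), "command=report" in self.path)
        reply = json.dumps(verdict).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

if __name__ == "__main__":  # point auth_policy_server_url at this address
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```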


Re: Blacklistd

2023-04-22 Thread Michael Grimm via dovecot
Marc  wrote:

>> Blacklistd places a very short set of code to send a small packet to a 
>> socket when
>> the decision is made to deny access.

> And how does blacklistd get fed?


Actually, one needs to add a small amount of code to dovecot which writes to a 
socket. This code needs to be invoked whenever someone tries to "break in" or 
"abuse" your dovecot server. Thus, the application informs the blacklistd 
daemon about abuse and who did so. Blacklistd listens to that socket [1].

The running blacklistd then decides what to do with these attempts and uses 
firewall functionality to block future attempts if wanted. 

[1] https://github.com/paul-chambers/blacklistd

The sources of bind, ftp, sshd, and postfix have already been modified 
accordingly.

Regards,
Michael


RE: Blacklistd

2023-04-22 Thread Marc
> 
>   Since blacklistd uses PF, you can already use fail2ban or sshguard
>   to achieve the same thing you are after.
>   Given that blacklistd is just an intermediary like fail2ban, is
> there a real need for dovecot interfacing with it?
> 
> 
> Fail2ban and sshguard are log scanners.  They are a very inelegant
> approach that requires a lot of horsepower to scan logs that are not
> designed for scanning, but for human reading.  Log formats tend to
> change with time thus necessitating updates to the scanners.  Blacklistd
> places a very short set of code to send a small packet to a socket when
> the decision is made to deny access.  There is no real delay in the
> actual blocking.  Scanning large logs in a high traffic environment is
> expensive.  For a product that is intended for high volume environments
> I find it interesting that a log scanning solution would be appropriate.

And how does blacklistd get fed?