Re: [Dovecot] SMTP Client authentication to remote Postfix/Dovecot
Follow up - Looks like a private VPN is the best solution to tackle this: http://article.gmane.org/gmane.mail.postfix.user/235903 On 18 March 2013 13:08, Christian Benke benkoka...@gmail.com wrote: Hello! This is probably another basic question and i'm not even sure if it's something where Dovecot is involved, but i'll give it a shot. So i've setup Postfix with Dovecot and system-auth on my remote server. So far it looks like everything is working fine and dandy via SASL(PLAIN) and TLS. I'm just not happy about my local SMTP client settings. I'm going to try to work with mutt in the future, so i need a local MTA - i've decided to try it with Postfix. This works so far and i can send mails with mutt. However - my setup relies on smtp_sasl_password_maps for authentication. I'm not too happy to have plaintext-passwords of remote systems lying around on my local filesystem. It doesn't really ease my mind that the file is readable by root only, this doesn't help if my laptop's harddisk gets mounted elsewhere. Are there alternatives or better ways to do SMTP authentication? http://www.postfix.org/SASL_README.html#server_cyrus_comm says: saslauthd can verify the SMTP client credentials by using them to log into an IMAP server So i have my mutt-client which is logged in to the remote Dovecot IMAP. Mutt uses the local MTA to send the mail. Is there some way to tell the local postfix or a local dovecot to authenticate the SMTP-Session via the existing IMAP-login? Or some other way where i at least don't rely on plaintext passwords but secure, encrypted hashes? Sorry if this is a redundant thread, smtp client authentication site:dovecot.org/list' and the likes are not exactly the most rewarding or unique search terms unfortunately. Thanks, Christian -- Central Asia by bike, starting May 2013 - http://poab.org
[Dovecot] SMTP Client authentication to remote Postfix/Dovecot
Hello! This is probably another basic question and i'm not even sure if it's something where Dovecot is involved, but i'll give it a shot. So i've setup Postfix with Dovecot and system-auth on my remote server. So far it looks like everything is working fine and dandy via SASL(PLAIN) and TLS. I'm just not happy about my local SMTP client settings. I'm going to try to work with mutt in the future, so i need a local MTA - i've decided to try it with Postfix. This works so far and i can send mails with mutt. However - my setup relies on smtp_sasl_password_maps for authentication. I'm not too happy to have plaintext-passwords of remote systems lying around on my local filesystem. It doesn't really ease my mind that the file is readable by root only, this doesn't help if my laptop's harddisk gets mounted elsewhere. Are there alternatives or better ways to do SMTP authentication? http://www.postfix.org/SASL_README.html#server_cyrus_comm says: saslauthd can verify the SMTP client credentials by using them to log into an IMAP server So i have my mutt-client which is logged in to the remote Dovecot IMAP. Mutt uses the local MTA to send the mail. Is there some way to tell the local postfix or a local dovecot to authenticate the SMTP-Session via the existing IMAP-login? Or some other way where i at least don't rely on plaintext passwords but secure, encrypted hashes? Sorry if this is a redundant thread, smtp client authentication site:dovecot.org/list' and the likes are not exactly the most rewarding or unique search terms unfortunately. Thanks, Christian -- Central Asia by bike, starting May 2013 - http://poab.org
Re: [Dovecot] Dovecot as LDA with Postfix and virtual users
Hello Rob! Thanks for answering! On 17 March 2013 02:58, /dev/rob0 r...@gmx.co.uk wrote: On Sun, Mar 17, 2013 at 01:20:55AM +0100, Christian Benke wrote: Some part in the configuration seems to miss though, as mails are received by Postfix, but instead of giving it to Dovecot for delivery, it delivers the mails itself. Perhaps surprisingly, this is a Postfix issue, not a Dovecot one. No, i was expecting it :-) I just wasn't sure where it belongs to. Mar 17 00:02:46 poab postfix/local[15341]: 66AD04E23EE: to=benkkk AT example.com, relay=local, delay=0.35, delays=0.3/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox) This is postfix/local, which means it is not being routed to your virtual_transport. It means example.com is in mydestination. You did not even set mydestination, thus you get the default. You really should review the Postfix Basic Configuration README: No, i tried a lot yesterday and i started from a working postfix/dovecot-setup with PAM. The config i posted above was merely the last incarnation. Should probably have emphasized that. I commented out mydestination because i received warnings that i shouldn't list them in both mydestination and virtual_mailbox_domains. Still, dovecot LDA has not been called either when the mydestination-parameter was present: Mar 16 21:54:56 poab postfix/smtpd[4197]: connect from mail-we0-f176.google.com[74.125.82.176] Mar 16 21:54:56 poab postfix/smtpd[4197]: setting up TLS connection from mail-we0-f176.google.com[74.125.82.176] Mar 16 21:54:56 poab postfix/smtpd[4197]: Anonymous TLS connection established from mail-we0-f176.google.com[74.125.82.176]: TLSv1 with cipher RC4-SHA (128/128 bits) Mar 16 21:54:56 poab dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so Mar 16 21:54:56 poab dovecot: auth: Debug: passwd-file /etc/dovecot/users: Read 1 users in 0 secs Mar 16 21:54:56 poab dovecot: auth: Debug: auth client connected (pid=0) Mar 16 21:54:56 poab postfix/trivial-rewrite[4202]: warning: do not list domain example.com in BOTH mydestination and virtual_mailbox_domains Mar 16 21:54:56 poab postfix/smtpd[4197]: 856034E1FD1: client=mail-we0-f176.google.com[74.125.82.176] Mar 16 21:54:56 poab postfix/cleanup[4203]: 856034E1FD1: message-id=CAAMQ8bS2bi6HG=u8bmc+e-_yu47wrb6dwxhh2rgsushdvpn...@mail.gmail.com Mar 16 21:54:56 poab postfix/qmgr[4195]: 856034E1FD1: from=benkkk AT wheemail.com, size=1644, nrcpt=1 (queue active) Mar 16 21:54:56 poab postfix/trivial-rewrite[4202]: warning: do not list domain example.com in BOTH mydestination and virtual_mailbox_domains Mar 16 21:54:56 poab postfix/smtpd[4197]: disconnect from mail-we0-f176.google.com[74.125.82.176] Mar 16 21:54:56 poab postfix/local[4204]: 856034E1FD1: to=benkkk AT example.com, relay=local, delay=0.39, delays=0.33/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to mailbox) Mar 16 21:54:56 poab postfix/qmgr[4195]: 856034E1FD1: removed Perhaps you'd be better off without the virtual mailboxes anyway? Perhaps, and that's where i actually started from. Virtual users are an attractive feature tough and as it didn't seem too intimidating, i thought i could give it a try. 6 hours later, i was wiser. I've gone back to the working PAM-config today and will try to figure out SASL for now, maybe going back to virtual users later. But i'm still interested in comments regarding the mydestination issue, i can go back to the virtual user settings quickly to try. [snip] Central Asia by bike, starting May 2013 - http://poab.org Wow, a great adventure, good luck! Thanks! Will (re-)add a RSS-feed soon. Best regards, Christian
Re: [Dovecot] Dovecot as LDA with Postfix and virtual users
Perhaps you'd be better off without the virtual mailboxes anyway? Perhaps, and that's where i actually started from. Virtual users are an attractive feature tough and as it didn't seem too intimidating, i thought i could give it a try. 6 hours later, i was wiser. Virtual mailboxes have their place, indeed, but more so for large numbers of domains and users. For a small-timer (as it sounds like you are), I wouldn't say they're attractive. Increased complexity, decreased functionality, [usually] security tradeoffs. (System users who own all and ONLY their own mail are not going to endanger others' mail. Virtual mailboxes typically are owned by a shared UID+GID, and a compromise of that UID or GID could threaten all mail.) Rob, thank you for your comments! I'll just stay with system users then, i only need a few accounts as you guessed correctly. Virtual users appeared nice due to the separation from the system. But probably not worth the effort, as you argumented. Cheers, Christian
[Dovecot] Dovecot as LDA with Postfix and virtual users
Hello! I've been trying to configure Dovecot to work as LDA for file-based virtual users with Postfix. Some part in the configuration seems to miss though, as mails are received by Postfix, but instead of giving it to Dovecot for delivery, it delivers the mails itself. Postfix drops the mail in /var/mail/user/mbox, if Dovecot would be called, it should deliver it to /var/vmail/domain/user/Maildir. I've made sure to add the dovecot-service to postfix/master.cf according to http://wiki2.dovecot.org/LDA/Postfix and tried all kinds of settings and did quadruple checks for errors. I'm using Debian 6.0 with Dovecot 2.1.7(From backports) and Postfix 2.7.1 I've been trying to figure out what's missing for a few hours now and have to give up for today. I hope someone can help me with a hint what's missing or wrong :-/ Here's an excerpt from my mail.log, my postconf -n and dovecot -n: Mar 17 00:02:46 poab postfix/smtpd[15333]: connect from mail-wg0-f47.google.com[74.125.82.47] Mar 17 00:02:46 poab postfix/smtpd[15333]: setting up TLS connection from mail-wg0-f47.google.com[74.125.82.47] Mar 17 00:02:46 poab postfix/smtpd[15333]: Anonymous TLS connection established from mail-wg0-f47.google.com[74.125.82.47]: TLSv1 with cipher RC4-SHA (128/128 bits) Mar 17 00:02:46 poab dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so Mar 17 00:02:46 poab dovecot: auth: Debug: passwd-file /etc/dovecot/users: Read 1 users in 0 secs Mar 17 00:02:46 poab dovecot: auth: Debug: auth client connected (pid=0) Mar 17 00:02:46 poab postfix/smtpd[15333]: 66AD04E23EE: client=mail-wg0-f47.google.com[74.125.82.47] Mar 17 00:02:46 poab postfix/cleanup[15340]: 66AD04E23EE: message-id=caamq8bseetcsykkhkhbaqwxjwrewapb_wa2dk8j4n-q5y+d...@mail.gmail.com Mar 17 00:02:46 poab postfix/qmgr[14844]: 66AD04E23EE: from=benkkk AT wheemail.com, size=1611, nrcpt=1 (queue active) Mar 17 00:02:46 poab postfix/smtpd[15333]: disconnect from mail-wg0-f47.google.com[74.125.82.47] Mar 17 00:02:46 poab postfix/local[15341]: 66AD04E23EE: to=benkkk AT example.com, relay=local, delay=0.35, delays=0.3/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox) Mar 17 00:02:46 poab postfix/qmgr[14844]: 66AD04E23EE: removed # postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no broken_sasl_auth_clients = yes config_directory = /etc/postfix debug_peer_level = 3 inet_interfaces = all inet_protocols = all mailbox_size_limit = 512000 myhostname = example.com mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 myorigin = /etc/mailname readme_directory = no recipient_delimiter = + relayhost = smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_use_tls = yes smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_reject_unlisted_recipient = yes smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = $smtpd_sasl_security_options smtpd_sasl_type = dovecot smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem smtpd_tls_key_file = /etc/ssl/private/postfix.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes tls_random_source = dev:/dev/urandom virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps virtual_transport = dovecot # dovecot -n # 2.1.7: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-5-openvz-amd64 x86_64 Debian 6.0.7 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_socket_path = /var/run/dovecot/auth-master auth_verbose = yes auth_verbose_passwords = sha1 first_valid_gid = 5000 first_valid_uid = 5000 last_valid_gid = 5000 last_valid_uid = 5000 lda_mailbox_autocreate = yes log_timestamp = %Y-%m-%d %H:%M:%S mail_debug = yes mail_gid = 5000 mail_home = /var/vmail/%d/%n mail_location