Re: [Dovecot] SMTP Client authentication to remote Postfix/Dovecot

2013-03-19 Thread Christian Benke
Follow up - Looks like a private VPN is the best solution to tackle this:
http://article.gmane.org/gmane.mail.postfix.user/235903


On 18 March 2013 13:08, Christian Benke benkoka...@gmail.com wrote:
 Hello!

 This is probably another basic question and i'm not even sure if it's
 something where Dovecot is involved, but i'll give it a shot.

 So i've set up Postfix with Dovecot and system-auth on my remote
 server. So far it looks like everything is working fine and dandy via
 SASL(PLAIN) and TLS.

 I'm just not happy about my local SMTP client settings. I'm going to
 try to work with mutt in the future, so i need a local MTA - i've
 decided to try it with Postfix.
 This works so far and i can send mails with mutt. However - my setup
 relies on smtp_sasl_password_maps for authentication.

 I'm not too happy to have plaintext passwords of remote systems lying
 around on my local filesystem. It doesn't really ease my mind that the
 file is readable by root only; this doesn't help if my laptop's
 hard disk gets mounted elsewhere.

 Are there alternatives or better ways to do SMTP authentication?

 http://www.postfix.org/SASL_README.html#server_cyrus_comm says:
 saslauthd can verify the SMTP client credentials by using them to log into 
 an IMAP server

 So i have my mutt-client which is logged in to the remote Dovecot
 IMAP. Mutt uses the local MTA to send the mail. Is there some way to
 tell the local postfix or a local dovecot to authenticate the
 SMTP-Session via the existing IMAP-login? Or some other way where i at
 least don't rely on plaintext passwords but secure, encrypted hashes?

 Sorry if this is a redundant thread, 'smtp client authentication
 site:dovecot.org/list' and the likes are not exactly the most
 rewarding or unique search terms, unfortunately.

 Thanks,
 Christian


 --
 Central Asia by bike, starting May 2013 - http://poab.org


[Dovecot] SMTP Client authentication to remote Postfix/Dovecot

2013-03-18 Thread Christian Benke
Hello!

This is probably another basic question and i'm not even sure if it's
something where Dovecot is involved, but i'll give it a shot.

So i've set up Postfix with Dovecot and system-auth on my remote
server. So far it looks like everything is working fine and dandy via
SASL(PLAIN) and TLS.

I'm just not happy about my local SMTP client settings. I'm going to
try to work with mutt in the future, so i need a local MTA - i've
decided to try it with Postfix.
This works so far and i can send mails with mutt. However - my setup
relies on smtp_sasl_password_maps for authentication.

I'm not too happy to have plaintext passwords of remote systems lying
around on my local filesystem. It doesn't really ease my mind that the
file is readable by root only; this doesn't help if my laptop's
hard disk gets mounted elsewhere.

Are there alternatives or better ways to do SMTP authentication?

http://www.postfix.org/SASL_README.html#server_cyrus_comm says:
 saslauthd can verify the SMTP client credentials by using them to log into an 
 IMAP server

So i have my mutt-client which is logged in to the remote Dovecot
IMAP. Mutt uses the local MTA to send the mail. Is there some way to
tell the local postfix or a local dovecot to authenticate the
SMTP-Session via the existing IMAP-login? Or some other way where i at
least don't rely on plaintext passwords but secure, encrypted hashes?

Sorry if this is a redundant thread, 'smtp client authentication
site:dovecot.org/list' and the likes are not exactly the most
rewarding or unique search terms, unfortunately.

Thanks,
Christian


--
Central Asia by bike, starting May 2013 - http://poab.org


Re: [Dovecot] Dovecot as LDA with Postfix and virtual users

2013-03-17 Thread Christian Benke
Hello Rob!

Thanks for answering!

On 17 March 2013 02:58, /dev/rob0 r...@gmx.co.uk wrote:
 On Sun, Mar 17, 2013 at 01:20:55AM +0100, Christian Benke wrote:
 Some part in the configuration seems to miss though, as mails are
 received by Postfix, but instead of giving it to Dovecot for
 delivery, it delivers the mails itself.

 Perhaps surprisingly, this is a Postfix issue, not a Dovecot one.

No, i was expecting it :-) I just wasn't sure where it belongs.

 Mar 17 00:02:46 poab postfix/local[15341]: 66AD04E23EE: to=benkkk AT
 example.com, relay=local, delay=0.35, delays=0.3/0.01/0/0.04,
 dsn=2.0.0, status=sent (delivered to mailbox)

 This is postfix/local, which means it is not being routed to your
 virtual_transport. It means example.com is in mydestination.

 You did not even set mydestination, thus you get the default. You
 really should review the Postfix Basic Configuration README:

No, i tried a lot yesterday and i started from a working
postfix/dovecot-setup with PAM. The config i posted above was merely
the last incarnation. Should probably have emphasized that.

I commented out mydestination because i received warnings that i
shouldn't list them in both mydestination and virtual_mailbox_domains.
Still, dovecot LDA has not been called either when the
mydestination-parameter was present:

Mar 16 21:54:56 poab postfix/smtpd[4197]: connect from
mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/smtpd[4197]: setting up TLS connection
from mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/smtpd[4197]: Anonymous TLS connection
established from mail-we0-f176.google.com[74.125.82.176]: TLSv1 with
cipher RC4-SHA (128/128 bits)
Mar 16 21:54:56 poab dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_mysql.so
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_sqlite.so
Mar 16 21:54:56 poab dovecot: auth: Debug: passwd-file
/etc/dovecot/users: Read 1 users in 0 secs
Mar 16 21:54:56 poab dovecot: auth: Debug: auth client connected (pid=0)
Mar 16 21:54:56 poab postfix/trivial-rewrite[4202]: warning: do not
list domain example.com in BOTH mydestination and
virtual_mailbox_domains
Mar 16 21:54:56 poab postfix/smtpd[4197]: 856034E1FD1:
client=mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/cleanup[4203]: 856034E1FD1:
message-id=CAAMQ8bS2bi6HG=u8bmc+e-_yu47wrb6dwxhh2rgsushdvpn...@mail.gmail.com
Mar 16 21:54:56 poab postfix/qmgr[4195]: 856034E1FD1: from=benkkk AT
wheemail.com, size=1644, nrcpt=1 (queue active)
Mar 16 21:54:56 poab postfix/trivial-rewrite[4202]: warning: do not
list domain example.com in BOTH mydestination and
virtual_mailbox_domains
Mar 16 21:54:56 poab postfix/smtpd[4197]: disconnect from
mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/local[4204]: 856034E1FD1: to=benkkk AT
example.com, relay=local, delay=0.39, delays=0.33/0.01/0/0.06,
dsn=2.0.0, status=sent (delivered to mailbox)
Mar 16 21:54:56 poab postfix/qmgr[4195]: 856034E1FD1: removed

 Perhaps you'd be better off without the virtual mailboxes anyway?

Perhaps, and that's where i actually started from. Virtual users are
an attractive feature though, and as it didn't seem too intimidating, i
thought i could give it a try. 6 hours later, i was wiser.
I've gone back to the working PAM-config today and will try to figure
out SASL for now, maybe going back to virtual users later. But i'm
still interested in comments regarding the mydestination issue; i can
go back to the virtual user settings quickly to try.

 [snip]
 Central Asia by bike, starting May 2013 - http://poab.org

 Wow, a great adventure, good luck!

Thanks! Will (re-)add an RSS feed soon.

Best regards,
Christian
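As an added illustration of Rob's diagnosis (this is not code from the thread or from Postfix): the check below parses a constructed `postconf -n` excerpt, expands the documented default of `mydestination` (`$myhostname, localhost.$mydomain, localhost`) when the parameter is unset, and reports any `virtual_mailbox_domains` entry that `postfix/local` would claim before `virtual_transport` sees it. The contents of the `hash:` table are assumed, since the thread does not show that file.

```python
import re

# Constructed sample mirroring the thread: mydestination is NOT set and
# myhostname equals the virtual domain, so the default mydestination wins.
SAMPLE_POSTCONF = """\
myhostname = example.com
myorigin = /etc/mailname
relayhost =
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_transport = dovecot
"""
# Assumed contents of the hash: table (the thread never shows this file).
SAMPLE_MAP_FILES = {"/etc/postfix/virtual_mailbox_domains": ["example.com", "other.example"]}

DEFAULT_MYDESTINATION = "$myhostname, localhost.$mydomain, localhost"

def parse_postconf(text):
    """Turn 'name = value' lines from postconf -n into a dict (empty values kept)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def expand(value, conf):
    """Expand $name and ${name} references; unset names become empty, as in Postfix."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: conf.get(m.group(1), ""), value)

def domain_list(value, conf, map_files):
    """Split a comma/space separated setting into domains, reading type:path tables."""
    domains = []
    for item in re.split(r"[,\s]+", expand(value, conf)):
        if not item:
            continue
        if ":" in item:  # e.g. hash:/etc/postfix/virtual_mailbox_domains
            domains.extend(d.lower() for d in map_files.get(item.partition(":")[2], []))
        else:
            domains.append(item.lower())
    return domains

def conflicting_domains(postconf_text, map_files):
    """Domains listed for virtual delivery that mydestination also claims."""
    conf = parse_postconf(postconf_text)
    parts = conf.get("myhostname", "").split(".")
    # Postfix default for mydomain: myhostname minus its first label, else 'localdomain'.
    conf.setdefault("mydomain", ".".join(parts[1:]) if len(parts) > 2 else "localdomain")
    local = set(domain_list(conf.get("mydestination", DEFAULT_MYDESTINATION), conf, map_files))
    virtual = domain_list(conf.get("virtual_mailbox_domains", ""), conf, map_files)
    return sorted(d for d in virtual if d in local)
```

Any domain the function returns will be handled by `postfix/local` exactly as the `relay=local ... (delivered to mailbox)` log line in the thread shows; setting `mydestination` explicitly without that domain clears the conflict.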


Re: [Dovecot] Dovecot as LDA with Postfix and virtual users

2013-03-17 Thread Christian Benke
  Perhaps you'd be better off without the virtual mailboxes anyway?

 Perhaps, and that's where i actually started from. Virtual users
 are an attractive feature though, and as it didn't seem too
 intimidating, i thought i could give it a try. 6 hours later, i
 was wiser.

 Virtual mailboxes have their place, indeed, but more so for large
 numbers of domains and users. For a small-timer (as it sounds like
 you are), I wouldn't say they're attractive. Increased complexity,
 decreased functionality, [usually] security tradeoffs. (System users
 who own all and ONLY their own mail are not going to endanger others'
 mail. Virtual mailboxes typically are owned by a shared UID+GID, and
 a compromise of that UID or GID could threaten all mail.)

Rob, thank you for your comments! I'll just stay with system users
then; i only need a few accounts, as you guessed correctly. Virtual
users appeared nice due to the separation from the system, but
probably not worth the effort, as you argued.

Cheers,
Christian


[Dovecot] Dovecot as LDA with Postfix and virtual users

2013-03-16 Thread Christian Benke
Hello!

I've been trying to configure Dovecot to work as LDA for file-based
virtual users with Postfix.

Some part of the configuration seems to be missing though, as mails are
received by Postfix, but instead of handing them to Dovecot for delivery,
it delivers the mails itself.

Postfix drops the mail in /var/mail/user/mbox; if Dovecot were
called, it should deliver it to /var/vmail/domain/user/Maildir.

I've made sure to add the dovecot-service to postfix/master.cf
according to http://wiki2.dovecot.org/LDA/Postfix and tried all kinds
of settings and did quadruple checks for errors.

I'm using Debian 6.0 with Dovecot 2.1.7 (from backports) and Postfix 2.7.1.

I've been trying to figure out what's missing for a few hours now and
have to give up for today. I hope someone can help me with a hint about
what's missing or wrong :-/

Here's an excerpt from my mail.log, my postconf -n and dovecot -n:

Mar 17 00:02:46 poab postfix/smtpd[15333]: connect from
mail-wg0-f47.google.com[74.125.82.47]
Mar 17 00:02:46 poab postfix/smtpd[15333]: setting up TLS connection
from mail-wg0-f47.google.com[74.125.82.47]
Mar 17 00:02:46 poab postfix/smtpd[15333]: Anonymous TLS connection
established from mail-wg0-f47.google.com[74.125.82.47]: TLSv1 with
cipher RC4-SHA (128/128 bits)
Mar 17 00:02:46 poab dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_mysql.so
Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_sqlite.so
Mar 17 00:02:46 poab dovecot: auth: Debug: passwd-file
/etc/dovecot/users: Read 1 users in 0 secs
Mar 17 00:02:46 poab dovecot: auth: Debug: auth client connected (pid=0)
Mar 17 00:02:46 poab postfix/smtpd[15333]: 66AD04E23EE:
client=mail-wg0-f47.google.com[74.125.82.47]
Mar 17 00:02:46 poab postfix/cleanup[15340]: 66AD04E23EE:
message-id=caamq8bseetcsykkhkhbaqwxjwrewapb_wa2dk8j4n-q5y+d...@mail.gmail.com
Mar 17 00:02:46 poab postfix/qmgr[14844]: 66AD04E23EE: from=benkkk AT
wheemail.com, size=1611, nrcpt=1 (queue active)
Mar 17 00:02:46 poab postfix/smtpd[15333]: disconnect from
mail-wg0-f47.google.com[74.125.82.47]
Mar 17 00:02:46 poab postfix/local[15341]: 66AD04E23EE: to=benkkk AT
example.com, relay=local, delay=0.35, delays=0.3/0.01/0/0.04,
dsn=2.0.0, status=sent (delivered to mailbox)
Mar 17 00:02:46 poab postfix/qmgr[14844]: 66AD04E23EE: removed

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
debug_peer_level = 3
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 512000
myhostname = example.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
reject_unauth_pipelining, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps
virtual_transport = dovecot

# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-openvz-amd64 x86_64 Debian 6.0.7
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-master
auth_verbose = yes
auth_verbose_passwords = sha1
first_valid_gid = 5000
first_valid_uid = 5000
last_valid_gid = 5000
last_valid_uid = 5000
lda_mailbox_autocreate = yes
log_timestamp = %Y-%m-%d %H:%M:%S 
mail_debug = yes
mail_gid = 5000
mail_home = /var/vmail/%d/%n
mail_location