Postfix and Dovecot SASL

2009-11-12 Thread Rene Bakkum
Hello all,

I am struggling to get my Dovecot SASL to work within postfix. I have used
the configuration example listed on the main-site of dovecot and it
basically isn't giving me any success at all. I am probably missing
something easy, but after spending a few days testing and walking through
everything I could think about I figured it was better to ask :)
Hope someone can point me in the right direction.

My setup is that I have installed Ubuntu 9.04 (64bit), postfix and dovecot
linked to a MySQL database. The services are using maildirs which are stored
locally (no NFS). Postfix is using the LDA from dovecot to deliver the mail
and dovecot is used for IMAP and POP3. This is working and no problems at
all so far. The problem starts when I just want to enable the SASL
authentication from Dovecot. I used the 'guide' posted on
http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL or found at
http://www.postfix.org/SASL_README.html#server_dovecot

When I try to telnet to port 25 (smtp) then it doesn't look like the SASL is
working...
220 mail003 ESMTP Postfix (Ubuntu)
ehlo localhost
250-mail003
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Anything I missed in my configuration from either postfix/dovecot?
r...@mail003:/etc/postfix# dovecot --version
1.1.11
r...@mail003:~# dpkg-query -l postfix
ii  postfix  2.5.5-1.1  High-performance mail transport agent

Here are my configurations of both:
r...@mail003:/etc/postfix# dovecot -n
# 1.1.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.28-16-server x86_64 Ubuntu 9.04 ext4
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s managesieve
ssl_cert_file: /etc/ssl/certs/ssl-mail.pem
ssl_key_file: /etc/ssl/private/ssl-mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
login_greeting_capability(default): yes
login_greeting_capability(imap): yes
login_greeting_capability(pop3): no
login_greeting_capability(managesieve): no
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
mail_max_userip_connections(managesieve): 10
mail_privileged_group: mail
mail_uid: 5000
mail_gid: 5000
mail_location: maildir:/home/vmail/%d/%n/.Maildir
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
sieve_storage(default):
sieve_storage(imap):
sieve_storage(pop3):
sieve_storage(managesieve): ~/sieve
sieve(default):
sieve(imap):
sieve(pop3):
sieve(managesieve): ~/.dovecot.sieve
auth default:
  mechanisms: plain login
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail

r...@mail003:/etc/dovecot# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no

broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
mailbox_size_limit = 0
mydestination = mail003.mydomain.nl, localhost.mydomain.nl, , localhost
myhostname = mail003.mydomain.nl
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = ye

postfix and dovecot SASL

2013-05-22 Thread Peter Skensved
I've set up dovecot to provide SASL for postfix and as far as I can
tell everything is working correctly. However, when I do a  ehlo localhost
I don't see it announcing anything about AUTH :

Connected to localhost.
Escape character is '^]'.
220 xxx.yyy.QueensU.CA ESMTP Postfix
ehlo localhost
250-xxx.yyy.QueensU.CA
250-PIPELINING
250-SIZE 4096
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

  Am I missing something in the configuration of postfix ( or dovecot ) ?
The log files tell me that it authenticates and entering the wrong password
makes it fail etc.

   peter



Re: Postfix and Dovecot SASL

2009-11-12 Thread Eero Volotinen

Quoting Rene Bakkum :



Re: postfix and dovecot SASL

2013-05-22 Thread Noel Jones
On 5/22/2013 12:42 PM, Peter Skensved wrote:
> I've set up dovecot to provide SASL for postfix and as far as I can
> tell everything is working correctly. However, when I do a  ehlo localhost
> I don't see it announcing anything about AUTH :
> 
> Connected to localhost.
> Escape character is '^]'.
> 220 xxx.yyy.QueensU.CA ESMTP Postfix
> ehlo localhost
> 250-xxx.yyy.QueensU.CA
> 250-PIPELINING
> 250-SIZE 4096
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
>   Am I missing something in the configuration of postfix ( or dovecot ) ?
> The log files tell me that it authenticates and entering the wrong password
> makes it fail etc.
> 
>peter
> 

You didn't show your "postconf -n" output, so we're reduced to guessing.

Common problem: AUTH seems to be working, but I don't see AUTH
announced when I telnet localhost.

Typically this means you've set "smtpd_tls_auth_only = yes", which
suppresses the AUTH announcement until after an encrypted session is
established -- which is a usually good thing.

To see the AUTH announcement, either temporarily set
"smtpd_tls_auth_only = no", or test with "openssl s_client -connect
localhost:25 -starttls smtp"


  -- Noel Jones
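The behaviour described in the reply above, as an added example that is not part of the original post: a small checker that parses EHLO replies and reports whether AUTH is offered before STARTTLS, only after it, or not at all. The function names and the post-TLS reply are constructed for illustration; the pre-TLS transcript is the one posted in the thread.

```python
import re
import smtplib
import ssl
from typing import Dict, List, Optional, Set

# Pre-TLS transcript as posted in the thread (telnet localhost 25).
PRE_TLS = """\
220 xxx.yyy.QueensU.CA ESMTP Postfix
ehlo localhost
250-xxx.yyy.QueensU.CA
250-PIPELINING
250-SIZE 4096
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed sample: a possible EHLO reply inside the TLS session.
# The "AUTH=" line is the extra form sent with broken_sasl_auth_clients = yes.
POST_TLS = """\
250-xxx.yyy.QueensU.CA
250-PIPELINING
250-SIZE 4096
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

_EHLO_LINE = re.compile(r"^250[- ]([A-Za-z0-9][A-Za-z0-9-]*)(?:[ =](.*))?$")


def ehlo_keywords(transcript: str) -> Dict[str, List[str]]:
    """Return {KEYWORD: [args]} from an EHLO reply; other session lines are ignored."""
    replies = [l.strip() for l in transcript.splitlines() if l.strip().startswith("250")]
    keywords: Dict[str, List[str]] = {}
    for line in replies[1:]:  # the first 250 line only carries the server name
        m = _EHLO_LINE.match(line)
        if m:
            keywords.setdefault(m.group(1).upper(), []).extend((m.group(2) or "").split())
    return keywords


def classify(pre: Set[str], post: Optional[Set[str]] = None) -> str:
    """Compare the keyword sets seen before and (optionally) after STARTTLS."""
    if "AUTH" in pre:
        return "auth-offered-in-cleartext"   # credentials could cross the wire unencrypted
    if "STARTTLS" not in pre:
        return "auth-not-offered"
    if post is None:
        return "retest-after-starttls"       # the situation in the thread
    return "auth-after-starttls-only" if "AUTH" in post else "auth-not-offered"


def probe(host: str = "localhost", port: int = 25) -> str:
    """Live check against a server you administer; sends EHLO/STARTTLS only, no credentials."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = {k.upper() for k in s.esmtp_features}
        post = None
        if "STARTTLS" in pre:
            ctx = ssl.create_default_context()
            # Capability check on a test host with a self-signed certificate:
            # verification is off here; keep it on for anything that authenticates.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            s.starttls(context=ctx)
            s.ehlo()
            post = {k.upper() for k in s.esmtp_features}
    return classify(pre, post)


if __name__ == "__main__":
    pre, post = ehlo_keywords(PRE_TLS), ehlo_keywords(POST_TLS)
    print(classify(set(pre)))
    print(classify(set(pre), set(post)))
```
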


Re: postfix and dovecot SASL

2013-05-22 Thread Bill Cole

On 22 May 2013, at 13:42, Peter Skensved wrote:

> I've set up dovecot to provide SASL for postfix and as far as I can
> tell everything is working correctly. However, when I do a  ehlo localhost
> I don't see it announcing anything about AUTH :
>
> Connected to localhost.
> Escape character is '^]'.
> 220 xxx.yyy.QueensU.CA ESMTP Postfix
> ehlo localhost
> 250-xxx.yyy.QueensU.CA
> 250-PIPELINING
> 250-SIZE 4096
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> Am I missing something in the configuration of postfix ( or dovecot ) ?

My telepathy says "no" but if you had done what
http://www.postfix.org/DEBUG_README.html#mail advises, I could use less
inconsistent tools.

> The log files tell me that it authenticates and entering the wrong password
> makes it fail etc.

Right.

While it is not a default, smtpd_tls_auth_only=yes is a commonly
recommended and wise setting. You probably have it.


Re: postfix and dovecot SASL

2013-05-24 Thread Peter Skensved
>> I've set up dovecot to provide SASL for postfix and as far as I can
>> tell everything is working correctly. However, when I do a  ehlo
>> localhost
>> I don't see it announcing anything about AUTH :
>>
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 xxx.yyy.QueensU.CA ESMTP Postfix
>> ehlo localhost
>> 250-xxx.yyy.QueensU.CA
>> 250-PIPELINING
>> 250-SIZE 4096
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250-ENHANCEDSTATUSCODES
>> 250 DSN
>> 250-8BITMIME
>>
>> Am I missing something in the configuration of postfix ( or dovecot )
>> ?
>
> My telepathy says "no" but if you had done what
> http://www.postfix.org/DEBUG_README.html#mail advises, I could use less
> inconsistent tools.
>
>>  The log files tell me that it authenticates and entering the wrong
>> password
>> makes it fail etc.
> 
> Right.
> 
> While it is not a default, smtpd_tls_auth_only=yes is a commonly
> recommended and wise setting. You probably have it.
> 

 Sorry about that : Here is the output of postconf -n :

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 4096
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,reject_non_fqdn_helo_hostname,  
  reject_invalid_helo_hostname,permit
smtpd_recipient_restrictions = reject_unauth_pipelining,   
reject_non_fqdn_recipient,   reject_unknown_recipient_domain,   
permit_mynetworks,   permit_sasl_authenticated,   reject_unauth_destination,   
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,
reject_unknown_sender_domain,permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


  And dovecot -n

# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.2.1.el6.x86_64 x86_64 CentOS release 6.3 (Final) 
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
mbox_write_locks = fcntl
passdb {
  driver = pam
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = 

Re: postfix and dovecot SASL

2013-05-24 Thread /dev/rob0
On Fri, May 24, 2013 at 09:14:14AM -0400, Peter Skensved wrote:
> >> I don't see it announcing anything about AUTH :
> >>
> >> Connected to localhost.
> >> Escape character is '^]'.
> >> 220 xxx.yyy.QueensU.CA ESMTP Postfix
> >> ehlo localhost
> >> 250-xxx.yyy.QueensU.CA
> >> 250-PIPELINING
> >> 250-SIZE 4096
> >> 250-VRFY
> >> 250-ETRN
> >> 250-STARTTLS
> >> 250-ENHANCEDSTATUSCODES
> >> 250 DSN
> >> 250-8BITMIME
> >>
> >> Am I missing something in the configuration of postfix ( or 
> >> dovecot ) ?
> >
> > My telepathy says "no" but if you had done what
> > http://www.postfix.org/DEBUG_README.html#mail advises, I could 
> > use less inconsistent tools.
> >
> >> The log files tell me that it authenticates and entering the 
> >> wrong password makes it fail etc.
> > 
> > Right.
> > 
> > While it is not a default, smtpd_tls_auth_only=yes is a
> > commonly recommended and wise setting. You probably have it.

Did you see this part ^^ up here?

>  Sorry about that : Here is the output of postconf - n :
snip
> smtpd_tls_auth_only = yes
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: postfix and dovecot SASL

2013-05-24 Thread LuKreme


On May 24, 2013, at 7:14, Peter Skensved  wrote:

> smtpd_tls_auth_only = yes

So, question answered then?




Strange problem with postfix and dovecot sasl auth

2009-04-24 Thread Juha Pahkala

Hello,

I've been trying to setup postfix with tls and smtp auth (dovecot sasl). 
I'm now stuck with the smtp auth part, with a strange error. For a few 
days I've tried to search information about similar problems, but found 
none. Now I'm hoping somebody here could help me out. I'm running Ubuntu 
Jaunty on AMD64.


I've disabled tls (and a lot of other options, and not running in a 
chroot jail) for now. The problem is, that as soon as I enable smtp auth 
in postfix (smtpd_sasl_auth_enable), smtp stops working. When doing


bash:# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.

...and it halts, and times out. Never prints the banner. I've got
increased logging enabled ('smtpd -vv' in master.cf) and below is the
relevant part, with the 'no SASL authentication mechanisms' print:


Apr 24 15:42:30 server postfix/smtpd[8126]: xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
Apr 24 15:42:30 server postfix/smtpd[8126]: name_mask: noanonymous
Apr 24 15:42:30 server postfix/smtpd[8126]: xsasl_dovecot_server_connect: Connecting
Apr 24 15:42:40 server postfix/smtpd[8126]: xsasl_dovecot_server_connect: auth reply: status
Apr 24 15:42:50 server postfix/smtpd[8126]: fatal: no SASL authentication mechanisms
Apr 24 15:42:50 server postfix/pipe[8128]: warning: unexpected end-of-input from dovecot socket while reading input attribute name
Apr 24 15:42:50 server postfix/pipe[8128]: warning: deliver_request_get: error receiving common attributes
Apr 24 15:42:51 server postfix/master[8903]: warning: process /usr/lib/postfix/smtpd pid 8126 exit status 1


I've seen the 'no SASL authentication mechanisms' errors with google, but
usually because postfix is unable to find the dovecot client auth
socket. I don't think this is my problem. Below are output of 'postconf
-n' and 'dovecot -n' commands:


alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
canonical_maps = hash:/etc/postfix/canonical
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"

mydestination =
mydomain = *my.domain*
myhostname = *server.at.my.domain*
mynetworks = 127.0.0.0/8, 192.168.0.0/24, [::1]/128
myorigin = /etc/mailname
readme_directory = no
relay_domains =
relayhost = [*my.isp.provider*]
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/dovecot
smtpd_sasl_type = dovecot
strict_rfc821_envelopes = yes
virtual_gid_maps = static:5000
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:5000


# 1.1.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.28-11-server x86_64 Ubuntu 9.04 ext3
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot-info.log
ssl_cert_file: /etc/ssl/certs/dovecot.pem
ssl_key_file: /etc/ssl/private/dovecot.pem
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable: /usr/lib/dovecot/imap-login
valid_chroot_dirs: /var/spool/vmail
mail_location: maildir:/home/vmail/%d/%n/Maildir
auth default:
  mechanisms: plain login
  debug: yes
  passdb:
    driver: passwd-file
    args: /etc/dovecot/passwd
  userdb:
    driver: static
    args: uid=vmail gid=vmail home=/home/vmail/%d/%n
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 438
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail

I can see the private/auth socket created when dovecot starts, with 
postfix:postfix permissions. Also, netstat shows it:


bash:# netstat -ln | grep dovecot
unix  2  [ ACC ] STREAM LISTENING 111791   private/dovecot
unix  2  [ ACC ] STREAM LISTENING 120787   /var/run/dovecot//dict-server
unix  2  [ ACC ] STREAM LISTENING 120789   /var/run/dovecot//login/default
unix  2  [ ACC ] STREAM LISTENING 120800   /var/run/dovecot/auth-master
unix  2  [ ACC ] STREAM LISTENING 120803   /var/run/dovecot//auth-worker.29982


I'm totally clueless as to what to try next. Does anybody here have any
suggestions how to continue, what to try or debug. I'd be very grateful
for any ideas.


TIA,

Juha Pahkala









Re: Strange problem with postfix and dovecot sasl auth

2009-04-24 Thread Terry Carmen

> Hello,
>
> I've been trying to setup postfix with tls and smtp auth (dovecot sasl).
> I'm now stuck with the smtp auth part, with a strange error. For a few
> days I've tried to search information about similar problems, but found
> none. Now I'm hoping somebody here could help me out. I'm running Ubuntu
> Jaunty on AMD64.
>
> I've disabled tls (and a lot of other options, and not running in a
> chroot jail) for now. The problem is, that as soon as I enable smtp auth
> in postfix (smtpd_sasl_auth_enable), smtp stops working. When doing
>
> bash:# telnet localhost 25
> Trying ::1...

^

I'm guessing that something in the mix isn't properly configured for IPv6.

It's probably configurable, but unless you really need IPv6, I'd suggest just
disabling IPv6 in your network stack, commenting out any IPv6 references in
Postfix and trying again.

Terry





Re: Strange problem with postfix and dovecot sasl auth

2009-04-24 Thread Wietse Venema
Juha Pahkala:
> Apr 24 15:42:30 server postfix/smtpd[8126]: name_mask: noanonymous
> Apr 24 15:42:30 server postfix/smtpd[8126]: 
> xsasl_dovecot_server_connect: Connecting
> Apr 24 15:42:40 server postfix/smtpd[8126]: 
> xsasl_dovecot_server_connect: auth reply: status
> Apr 24 15:42:50 server postfix/smtpd[8126]: fatal: no SASL 
> authentication mechanisms

Your DOVECOT configuration provides no authentication mechanisms
that are allowed by POSTFIX smtpd_sasl_security_options.

Wietse


Re: Strange problem with postfix and dovecot sasl auth

2009-04-24 Thread Juha Pahkala

Terry Carmen wrote:
>> Hello,
>>
>> I've been trying to setup postfix with tls and smtp auth (dovecot sasl).
>> I'm now stuck with the smtp auth part, with a strange error. For a few
>> days I've tried to search information about similar problems, but found
>> none. Now I'm hoping somebody here could help me out. I'm running Ubuntu
>> Jaunty on AMD64.
>>
>> I've disabled tls (and a lot of other options, and not running in a
>> chroot jail) for now. The problem is, that as soon as I enable smtp auth
>> in postfix (smtpd_sasl_auth_enable), smtp stops working. When doing
>>
>> bash:# telnet localhost 25
>> Trying ::1...
>
> ^
>
> I'm guessing that something in the mix isn't properly configured for IPv6.
>
> It's probably configurable, but unless you really need IPv6, I'd suggest just
> disabling IPv6 in your network stack, commenting out any IPv6 references in
> Postfix and trying again.
>
> Terry


Hi Terry,

Thanks for the suggestion. Should've been more clear originally, but I 
already had tried that. And I now tried it again, to no avail (ie. 
commenting out the 'inet_protocols = all', and dropping the ipv6 
loopback from my 'mynetworks'). So doesn't seem to be an ipv6 issue as I 
understand.


For reference, I had to enable ipv6 in postfix, since the new Ubuntu 
Jaunty has ipv6 compiled into the kernel as opposed to being a module. 
And there seems to be no way of disabling it. And the fetchmail package 
distributed with jaunty barfs, if ipv6 is enabled in the system, but not 
in postfix at least, this seems to be the case.


br, juhis




Re: Strange problem with postfix and dovecot sasl auth

2009-04-24 Thread Juha Pahkala

Wietse Venema wrote:
> Juha Pahkala:
>> Apr 24 15:42:30 server postfix/smtpd[8126]: name_mask: noanonymous
>> Apr 24 15:42:30 server postfix/smtpd[8126]:
>> xsasl_dovecot_server_connect: Connecting
>> Apr 24 15:42:40 server postfix/smtpd[8126]:
>> xsasl_dovecot_server_connect: auth reply: status
>> Apr 24 15:42:50 server postfix/smtpd[8126]: fatal: no SASL
>> authentication mechanisms
>
> Your DOVECOT configuration provides no authentication mechanisms
> that are allowed by POSTFIX smtpd_sasl_security_options.
>
> Wietse



Thanks for your answer. I'm not quite sure I understand it though. This 
is how I understand the situation currently:  Postfix has (by default) 
disabled anonymous auth mechanisms. But it does allow plaintext auth. My 
dovecot provides plain and login. So if I understand correctly, the 
dovecot plain should be fine?


I tried to add cram-md5 and digest-md5 to dovecot auth mechanisms, but
it didn't change anything. I even tried to set
"smtpd_sasl_security_options = " in postfix main.cf, ie. allowing 
anonymous auth. And according to postfix documentation... "Postfix 
treats anonymous login as no authentication." So no authentication 
should be going on, but still I get the error. But the setup does work 
if I disable sasl auth with "smtpd_sasl_auth_enable =no". I'm a bit 
confused here.


Am I making any sense here, surely hope not :)

juhis






Re: Strange problem with postfix and dovecot sasl auth

2009-04-25 Thread Juha Pahkala

Wietse Venema wrote:
> Juha Pahkala:
>> Wietse Venema wrote:
>>> Juha Pahkala:
>>>> Apr 24 15:42:30 server postfix/smtpd[8126]: name_mask: noanonymous
>>>> Apr 24 15:42:30 server postfix/smtpd[8126]:
>>>> xsasl_dovecot_server_connect: Connecting
>>>> Apr 24 15:42:40 server postfix/smtpd[8126]:
>>>> xsasl_dovecot_server_connect: auth reply: status
>>>> Apr 24 15:42:50 server postfix/smtpd[8126]: fatal: no SASL
>>>> authentication mechanisms
>>>
>>> Your DOVECOT configuration provides no authentication mechanisms
>>> that are allowed by POSTFIX smtpd_sasl_security_options.
>>>
>>> Wietse
>>
>> Thanks for your answer. I'm not quite sure I understand it though. This
>> is how I understand the situation currently:  Postfix has (by default)
>> disabled anonymous auth mechanisms. But it does allow plaintext auth. My
>> dovecot provides plain and login. So if I understand correctly, the
>> dovecot plain should be fine?
>
> Postfix receives no methods from the Dovecot authentication server
> that satisfy the smtpd_sasl_security_options requirement. If you
> don't believe this, then you can try to trace the conversation
> between Postfix and the Dovecot authentication server.
>
> Wietser


Hi Wietser,

Don't get me wrong, I do believe you if you say so, but I just don't 
understand why. Given my dovecot config, which I believe is a quite 
standard way of configuring dovecot , I have no idea why it doesn't 
work. I've seen similar config files when searching the web, and they 
seem to work. Do you have any suggestions as to what could be wrong with 
my dovecot config?


Thanks in advance,

juhis




Re: Strange problem with postfix and dovecot sasl auth

2009-04-26 Thread Sahil Tandon
On Sun, 26 Apr 2009, Juha Pahkala wrote:
> Wietse Venema wrote:
>> Juha Pahkala:
>>   
>>> Wietse Venema wrote:
>>> 
>>>> Juha Pahkala:
>>>>
>>>>> Apr 24 15:42:30 server postfix/smtpd[8126]: name_mask: noanonymous
>>>>> Apr 24 15:42:30 server postfix/smtpd[8126]:
>>>>> xsasl_dovecot_server_connect: Connecting
>>>>> Apr 24 15:42:40 server postfix/smtpd[8126]:
>>>>> xsasl_dovecot_server_connect: auth reply: status
>>>>> Apr 24 15:42:50 server postfix/smtpd[8126]: fatal: no SASL
>>>>> authentication mechanisms
>>>>>
>>>> Your DOVECOT configuration provides no authentication mechanisms
>>>> that are allowed by POSTFIX smtpd_sasl_security_options.
>>>>
>>>> Wietse
>>>>
>>> Thanks for your answer. I'm not quite sure I understand it though. 
>>> This is how I understand the situation currently:  Postfix has (by 
>>> default) disabled anonymous auth mechanisms. But it does allow 
>>> plaintext auth. My dovecot provides plain and login. So if I 
>>> understand correctly, the dovecot plain should be fine?
>>> 
>>
>> Postfix receives no methods from the Dovecot authentication server
>> that satisfy the smtpd_sasl_security_options requirement. If you
>> don't believe this, then you can try to trace the conversation
>> between Postfix and the Dovecot authentication server.
>>
>>  Wietser
>>
>>   
> Hi Wietser,
>
> Don't get me wrong, I do believe you if you say so, but I just don't  
> understand why. Given my dovecot config, which I believe is a quite  
> standard way of configuring dovecot , I have no idea why it doesn't  
> work. I've seen similar config files when searching the web, and they  
> seem to work. Do you have any suggestions as to what could be wrong with  
> my dovecot config?

Ask your last question on the Dovecot mailing list.

-- 
Sahil Tandon 


Re: Strange problem with postfix and dovecot sasl auth

2009-04-26 Thread Timo Sirainen

On Apr 24, 2009, at 11:54 AM, Juha Pahkala wrote:

> Apr 24 15:42:50 server postfix/smtpd[8126]: fatal: no SASL
> authentication mechanisms

..

> auth default:
>   mechanisms: plain login

So Dovecot is advertising PLAIN and LOGIN mechanisms to Postfix.

>     client:
>       path: /var/spool/postfix/private/auth
>       mode: 438
>       user: postfix
>       group: postfix

Looks correct too.

> I can see the private/auth socket created when dovecot starts, with
> postfix:postfix permissions. Also, netstat shows it:
>
> bash:# netstat -ln | grep dovecot
> unix  2  [ ACC ] STREAM LISTENING 111791   private/dovecot
> unix  2  [ ACC ] STREAM LISTENING 120787   /var/run/dovecot//dict-server
> unix  2  [ ACC ] STREAM LISTENING 120789   /var/run/dovecot//login/default
> unix  2  [ ACC ] STREAM LISTENING 120800   /var/run/dovecot/auth-master
> unix  2  [ ACC ] STREAM LISTENING 120803   /var/run/dovecot//auth-worker.29982

I don't see it there. What is that private/dovecot anyway? Maybe
netstat -lnp | grep dovecot would have shown the socket though.

What Postfix version do you use?


Re: Strange problem with postfix and dovecot sasl auth

2009-04-26 Thread Timo Sirainen

On Apr 26, 2009, at 11:58 PM, Timo Sirainen wrote:

>> smtpd_sasl_path = private/dovecot

..

>> I can see the private/auth socket created when dovecot starts, with
>> postfix:postfix permissions. Also, netstat shows it:
>>
>> bash:# netstat -ln | grep dovecot
>> unix  2  [ ACC ] STREAM LISTENING 111791   private/dovecot
>
> I don't see it there. What is that private/dovecot anyway? Maybe
> netstat -lnp | grep dovecot would have shown the socket though.

Oh. That's actually it. Dovecot is listening on private/auth, but
Postfix is connecting to private/dovecot. But what is listening on
private/dovecot then? You've added some kind of a "dovecot" service to
master.cf?
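The mismatch identified in the message above, as an added example that is not part of the original post: a checker that reads `postconf -n` and `dovecot -n` output and confirms Postfix's `smtpd_sasl_path` resolves to a socket Dovecot actually listens on. The function names are hypothetical, the inputs are excerpts of the configurations posted in these threads, and the `/var/spool/postfix` fallback for `queue_directory` is an assumption.

```python
import posixpath
import re
from typing import Dict, Optional, Set, Tuple

DEFAULT_QUEUE_DIR = "/var/spool/postfix"  # assumption: used when postconf -n omits queue_directory

# Excerpts of the configurations posted in the threads on this page.
JUHA_POSTCONF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/dovecot
smtpd_sasl_type = dovecot
"""
JUHA_DOVECOT = """\
auth default:
  mechanisms: plain login
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 438
    master:
      path: /var/run/dovecot/auth-master
"""
PETER_POSTCONF = """\
queue_directory = /var/spool/postfix
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
"""
PETER_DOVECOT = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
"""


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; indented or bare follow-on lines extend the previous value."""
    params: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if "=" in raw and not raw[:1].isspace():
            key, _, value = raw.partition("=")
            last = key.strip()
            params[last] = value.strip()
        elif raw.strip() and last:
            params[last] += " " + raw.strip()
    return params


def postfix_sasl_socket(postconf_n: str) -> Optional[str]:
    """Absolute path smtpd will connect to, or None if the SASL type is not dovecot."""
    p = parse_postconf(postconf_n)
    if p.get("smtpd_sasl_type", "cyrus") != "dovecot":
        return None
    # smtpd_sasl_path is interpreted relative to the Postfix queue directory.
    queue_dir = p.get("queue_directory", DEFAULT_QUEUE_DIR)
    return posixpath.normpath(posixpath.join(queue_dir, p.get("smtpd_sasl_path", "smtpd")))


def dovecot_client_sockets(dovecot_n: str) -> Set[str]:
    """Auth client sockets from Dovecot 1.x ('client:' / 'path:') or 2.x ('unix_listener') output."""
    sockets: Set[str] = set()
    section = None
    for raw in dovecot_n.splitlines():
        line = raw.strip()
        m = re.match(r"unix_listener\s+(/\S+)\s*\{", line)   # 2.x, absolute paths only
        if m:
            sockets.add(posixpath.normpath(m.group(1)))
        elif line in ("client:", "master:"):                  # 1.x socket sub-sections
            section = line[:-1]
        elif line.startswith("path:") and section == "client":
            sockets.add(posixpath.normpath(line.split(":", 1)[1].strip()))
    return sockets


def check(postconf_n: str, dovecot_n: str) -> Tuple[bool, str]:
    want = postfix_sasl_socket(postconf_n)
    have = dovecot_client_sockets(dovecot_n)
    if want is None:
        return False, "smtpd_sasl_type is not dovecot"
    if want in have:
        return True, "ok: both sides use " + want
    return False, "mismatch: Postfix connects to %s, Dovecot listens on %s" % (want, sorted(have))


if __name__ == "__main__":
    print(check(JUHA_POSTCONF, JUHA_DOVECOT)[1])
    print(check(PETER_POSTCONF, PETER_DOVECOT)[1])
```
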




Re: Strange problem with postfix and dovecot sasl auth

2009-04-26 Thread Victor Duchovni
On Mon, Apr 27, 2009 at 12:04:50AM -0400, Timo Sirainen wrote:

> Oh. That's actually it. Dovecot is listening on private/auth, but Postfix 
> is connecting to private/dovecot. But what is listening on private/dovecot 
> then? You've added some kind of a "dovecot" service to master.cf?

Almost certainly a pipe(8) transport.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Strange problem with postfix and dovecot sasl auth

2009-04-26 Thread Timo Sirainen
On Mon, 2009-04-27 at 00:08 -0400, Victor Duchovni wrote:
> On Mon, Apr 27, 2009 at 12:04:50AM -0400, Timo Sirainen wrote:
> 
> > Oh. That's actually it. Dovecot is listening on private/auth, but Postfix 
> > is connecting to private/dovecot. But what is listening on private/dovecot 
> > then? You've added some kind of a "dovecot" service to master.cf?
> 
> Almost certainly a pipe(8) transport.

Maybe it could give a better error message in that case. Something like:

--- xsasl_dovecot_server.c.old  2009-04-26 21:43:05.0 -0400
+++ xsasl_dovecot_server.c  2009-04-26 21:42:57.0 -0400
@@ -253,7 +253,7 @@
 VSTREAM *sasl_stream;
 char   *line, *cmd, *mech_name;
 unsigned int major_version, minor_version;
-int fd, success;
+int fd, success, version_received;
 int sec_props;
 
 if (msg_verbose)
@@ -279,7 +279,7 @@
msg_warn("SASL: Couldn't send handshake: %m");
return (-1);
 }
-success = 0;
+success = 0; version_received = 0;
 line_str = vstring_alloc(256);
 while (vstring_get_nonl(line_str, sasl_stream) != VSTREAM_EOF) {
line = vstring_str(line_str);
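Review bot: The changed line `success = 0; version_received = 0;` puts two assignments on one line. Give `version_received = 0;` its own line so the new initialization is as easy to find as the existing one and the diff touches only added lines.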
@@ -291,6 +291,7 @@
line = split_at(line, '\t');
 
if (strcmp(cmd, "VERSION") == 0) {
+version_received = 1;
if (sscanf(line, "%u\t%u", &major_version, &minor_version) != 2) {
msg_warn("SASL: Protocol version error");
break;
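Review bot: `version_received = 1;` is set as soon as a VERSION command is seen, before the sscanf() check that follows, so a malformed VERSION line still counts as received. That fits the wrong-socket diagnostic, because the parse failure already logs "SASL: Protocol version error", but a short comment or a name such as `version_seen` would make clear that the flag means a VERSION line arrived, not that a valid version was parsed.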
@@ -327,6 +328,8 @@
 
 if (!success) {
/* handshake failed */
+if (!version_received)
+msg_warn("SASL: Protocol version not received. Connected to wrong 
socket?");
(void) vstream_fclose(sasl_stream);
return (-1);
 }
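Review bot: The msg_warn() string in the added lines is split across two lines (it breaks after "Connected to wrong"), most likely from mail line wrapping; a string literal broken by a newline will not compile, so it needs to be on one line or split into two adjacent literals before this is applied. The added `if (!version_received)` also has an unbraced body directly above the unconditional vstream_fclose() call, so the indentation there should make it obvious that only the warning is conditional.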





Re: Strange problem with postfix and dovecot sasl auth

2009-04-27 Thread Juha Pahkala

Timo Sirainen wrote:
> On Apr 26, 2009, at 11:58 PM, Timo Sirainen wrote:
>
>>> smtpd_sasl_path = private/dovecot
>
> ..
>
>>> I can see the private/auth socket created when dovecot starts, with
>>> postfix:postfix permissions. Also, netstat shows it:
>>>
>>> bash:# netstat -ln | grep dovecot
>>> unix  2  [ ACC ] STREAM LISTENING 111791   private/dovecot
>>
>> I don't see it there. What is that private/dovecot anyway? Maybe
>> netstat -lnp | grep dovecot would have shown the socket though.
>
> Oh. That's actually it. Dovecot is listening on private/auth, but
> Postfix is connecting to private/dovecot. But what is listening on
> private/dovecot then? You've added some kind of a "dovecot" service to
> master.cf?


Doh! I can't believe I've missed that, don't know how many times and 
hours I've spent staring at the config files feeling a bit stupid 
atm... ;)


Thanks Timo for spotting it, much appreciated! And Victor was right in
his answer, the 'private/dovecot' showing in netstat is indeed a pipe
transport.

THANK YOU!!!

juhis

p.s. everything's working now wrt. my dovecot&postfix co-existence.