Re: SASL authentication and Windows Live Mail

2012-01-31 Thread Noel Jones
On 1/31/2012 1:44 AM, James Day wrote:

 
> The only question that remains for me is, what is the difference between
> PLAIN and LOGIN mechanisms? I understand from
> http://wiki.dovecot.org/Authentication/Mechanisms that they are both plain
> text. Unfortunately google searches for login authentication aren't
> particularly helpful.

The way the username and password are encoded and sent on the wire
is slightly different.  Biggest visible difference is PLAIN sends
the username and password together in the same command; LOGIN sends
them separately.

Some clients only support one of these methods. Broadly speaking,
some Microsoft clients only support LOGIN, some third-party clients
only support PLAIN.

There's no reason to not offer both.


  -- Noel Jones
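
Added example, not part of Noel's message: the two mechanisms as they appear in an SMTP session, with the decoding step an observer of an unencrypted connection would need. The credentials test / testpass and the function names are constructed for illustration; PLAIN follows the RFC 4616 layout, and LOGIN uses the two base64 prompts "Username:" and "Password:".

```python
import base64

def b64(text):
    return base64.b64encode(text.encode()).decode()

def plain_exchange(user, password, authzid=""):
    """PLAIN: authzid NUL user NUL password, base64-encoded, in one command."""
    return [("C", "AUTH PLAIN " + b64(f"{authzid}\0{user}\0{password}")),
            ("S", "235 2.7.0 Authentication successful")]

def login_exchange(user, password):
    """LOGIN: the server prompts for each value; the client answers separately."""
    return [("C", "AUTH LOGIN"),
            ("S", "334 " + b64("Username:")),
            ("C", b64(user)),
            ("S", "334 " + b64("Password:")),
            ("C", b64(password)),
            ("S", "235 2.7.0 Authentication successful")]

def recover(exchange):
    """Decode the credentials from the client side of a captured exchange.

    Base64 is an encoding, not encryption: this is all it takes for either
    mechanism, which is why both are only offered safely over TLS.
    """
    client = [text for side, text in exchange if side == "C"]
    mech, *initial = client[0].split()[1:]
    answers = [base64.b64decode(a).decode() for a in initial + client[1:]]
    if mech == "PLAIN":
        _authzid, user, password = answers[0].split("\0")
        return mech, user, password
    if mech == "LOGIN":
        return mech, answers[0], answers[1]
    raise ValueError("unsupported mechanism: " + mech)

if __name__ == "__main__":
    for exchange in (plain_exchange("test", "testpass"),
                     login_exchange("test", "testpass")):
        for side, text in exchange:
            print(side + ":", text)
        print("recovered:", recover(exchange), "\n")
```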


RE: SASL authentication and Windows Live Mail

2012-01-31 Thread James Day
 
> The only question that remains for me is, what is the difference between
> PLAIN and LOGIN mechanisms? I understand from
> http://wiki.dovecot.org/Authentication/Mechanisms that they are both plain
> text. Unfortunately google searches for login authentication aren't
> particularly helpful.

The way the username and password are encoded and sent on the wire is slightly 
different.  Biggest visible difference is PLAIN sends the username and 
password together in the same command; LOGIN sends them separately.

Some clients only support one of these methods. Broadly speaking, some 
Microsoft clients only support LOGIN, some third-party clients only support 
PLAIN.

There's no reason to not offer both.


  -- Noel Jones

Thanks Noel, as ever you've provided valuable insight. Your help is very much 
appreciated.

Kind regards,

James Day


SASL authentication and Windows Live Mail

2012-01-30 Thread James Day
I'll keep this short for now in case it's a known problem but if more logs are 
required let me know.

I've configured postfix to allow SASL authenticated users (dovecot sasl) to 
relay.

I've tested this and confirmed it works from within Outlook 2007 and 2010. 
However trying the same account details from Windows Live Mail throws up a:

554 Relay Access denied error message.

Is this a known problem with the Windows Live Mail client or do I need to dig 
deeper?

Kind regards,

James Day


Re: SASL authentication and Windows Live Mail

2012-01-30 Thread Jim Seymour
On Tue, 31 Jan 2012 00:30:33 +
James Day james@ontraq.com wrote:

[snip]
> ... trying the same account details from Windows Live
> Mail throws up a:
>
> 554 Relay Access denied error message.
[snip]

IIRC, Relay access denied is a symptom of a non-SSL attempted
connection/login when disable_plaintext_auth = yes in dovecot.conf.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.LinxNet.com/contact/scform.php.


Re: SASL authentication and Windows Live Mail

2012-01-30 Thread Noel Jones
On 1/30/2012 9:32 PM, Jim Seymour wrote:
> On Tue, 31 Jan 2012 00:30:33 +
> James Day james@ontraq.com wrote:
>
> [snip]
> ... trying the same account details from Windows Live
> Mail throws up a:
>
> 554 Relay Access denied error message.
> [snip]
>
> IIRC, Relay access denied is a symptom of a non-SSL attempted
> connection/login when disable_plaintext_auth = yes in dovecot.conf.

The error message means the mail was rejected by
reject_unauth_destination, and that means the client didn't
authenticate (or tried and failed).

If AUTH was tried and failed, it will be noted in the postfix and
dovecot logs.  If no failures are logged, AUTH wasn't attempted.

This may or may not have anything to do with SSL/TLS.  Another good
guess is that dovecot needs to offer LOGIN and/or PLAIN mechanisms.

But we're just guessing here.  We need more details of the
connection and configuration to give more concrete advice.

http://www.postfix.org/DEBUG_README.html#mail


  -- Noel Jones


RE: SASL authentication and Windows Live Mail

2012-01-30 Thread James Day
Thanks for your input guys. As I suspected I need to dig a bit deeper. Here is 
the relevant portion of my mail log using Windows Live Mail to send:

[...snip]
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: connect from unknown[IP_REMOVED]
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: NOQUEUE: reject: RCPT from unknown[IP_REMOVED]: 554 5.7.1 user@remotedomain: Relay access denied; from=dovecotuser@trusteddomain to=user@remotedomain proto=ESMTP helo=HOSTNAME
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: disconnect from unknown[IP_REMOVED]
Jan 31 07:27:54 vps03 dovecot: imap-login: Login: user= dovecotuser@trusteddomain , method=PLAIN, rip=IP_REMOVED, lip=IP_REMOVED, TLS
Jan 31 07:27:54 vps03 dovecot: IMAP(dovecotuser@trusteddomain): Disconnected: Logged out bytes=712/6487
[...snip]

It seems to me that authentication isn't attempted until after the attempt to 
send fails.

...HOLD THE PRESS

I added the LOGIN auth mechanism to my dovecot.conf and reloaded the service, 
the above was my first attempt to send this message again after doing so (which 
failed). Something must have taken some time to propagate because as I was 
typing this message the client connected again and sent successfully. Looks as 
though you were spot on Noel.

Here is the log snippet for the successful send:

Jan 31 07:35:47 vps03 postfix/smtpd[4049]: connect from unknown[IP_REMOVED]
Jan 31 07:35:47 vps03 postfix/smtpd[4049]: BC1A1152601B2: client=unknown[IP_REMOVED], sasl_method=LOGIN, sasl_username= dovecotuser@trusteddomain
Jan 31 07:35:48 vps03 postfix/cleanup[4052]: BC1A1152601B2: message-id=FDCB00758C7446F28A755733616C9E39@remotedomain
Jan 31 07:35:48 vps03 postfix/qmgr[26598]: BC1A1152601B2: from= dovecotuser@trusteddomain , size=1261, nrcpt=1 (queue active)
Jan 31 07:35:48 vps03 postfix/smtpd[4049]: disconnect from unknown[IP_REMOVED]
Jan 31 07:35:48 vps03 dovecot: imap-login: Login: user=dovecotuser@trusteddomain, method=PLAIN, rip= IP_REMOVED, lip= IP_REMOVED, TLS
Jan 31 07:35:48 vps03 postfix/smtp[4053]: BC1A1152601B2: to=user@remotedomain, relay=remote_mx_address[IP_REMOVED]:25, delay=0.79, delays=0.27/0/0.14/0.37, dsn=2.6.0, status=sent (250 2.6.0 FDCB00758C7446F28A755733616C9E39@remotedomain Queued mail for delivery)
Jan 31 07:35:48 vps03 postfix/qmgr[26598]: BC1A1152601B2: removed

The only question that remains for me is, what is the difference between PLAIN 
and LOGIN mechanisms? I understand from 
http://wiki.dovecot.org/Authentication/Mechanisms that they are both plain 
text. Unfortunately google searches for login authentication aren't 
particularly helpful.

Kind regards,

James Day

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Noel Jones
Sent: 31 January 2012 04:22
To: postfix-users@postfix.org
Subject: Re: SASL authentication and Windows Live Mail

On 1/30/2012 9:32 PM, Jim Seymour wrote:
> On Tue, 31 Jan 2012 00:30:33 +
> James Day james@ontraq.com wrote:
>
> [snip]
> ... trying the same account details from Windows Live Mail throws up
> a:
>
> 554 Relay Access denied error message.
> [snip]
>
> IIRC, Relay access denied is a symptom of a non-SSL attempted
> connection/login when disable_plaintext_auth = yes in dovecot.conf.

The error message means the mail was rejected by reject_unauth_destination, and 
that means the client didn't authenticate (or tried and failed).

If AUTH was tried and failed, it will be noted in the postfix and dovecot logs. 
 If no failures are logged, AUTH wasn't attempted.

This may or may not have anything to do with SSL/TLS.  Another good guess is 
that dovecot needs to offer LOGIN and/or PLAIN mechanisms.

But we're just guessing here.  We need more details of the connection and 
configuration to give more concrete advice.

http://www.postfix.org/DEBUG_README.html#mail


  -- Noel Jones
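
Added example, not part of the thread: a small Python triage of the smtpd log lines above that separates the three cases discussed (AUTH never attempted, AUTH attempted and failed, authenticated). The entries for pids 3923 and 4049 are the thread's own; the pid 4100 entries, including the REASON placeholder, are constructed, and the function names are illustrative.

```python
import re

# Pids 3923 and 4049 are the thread's own log entries (wrapped lines re-joined);
# pid 4100 is constructed here to show what a failed AUTH attempt looks like.
SAMPLE = """\
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: connect from unknown[IP_REMOVED]
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: NOQUEUE: reject: RCPT from unknown[IP_REMOVED]: 554 5.7.1 user@remotedomain: Relay access denied; from=dovecotuser@trusteddomain to=user@remotedomain proto=ESMTP helo=HOSTNAME
Jan 31 07:27:54 vps03 dovecot: imap-login: Login: user= dovecotuser@trusteddomain , method=PLAIN, rip=IP_REMOVED, lip=IP_REMOVED, TLS
Jan 31 07:35:47 vps03 postfix/smtpd[4049]: connect from unknown[IP_REMOVED]
Jan 31 07:35:47 vps03 postfix/smtpd[4049]: BC1A1152601B2: client=unknown[IP_REMOVED], sasl_method=LOGIN, sasl_username= dovecotuser@trusteddomain
Jan 31 07:40:02 vps03 postfix/smtpd[4100]: connect from unknown[IP_REMOVED]
Jan 31 07:40:03 vps03 postfix/smtpd[4100]: warning: unknown[IP_REMOVED]: SASL LOGIN authentication failed: REASON
Jan 31 07:40:03 vps03 postfix/smtpd[4100]: NOQUEUE: reject: RCPT from unknown[IP_REMOVED]: 554 5.7.1 user@remotedomain: Relay access denied; from=dovecotuser@trusteddomain to=user@remotedomain proto=ESMTP helo=HOSTNAME
""".splitlines()

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")

def verdict(s):
    if s["sasl"]:
        return "authenticated via " + s["sasl"]
    if s["failed"]:
        return "AUTH attempted and failed"
    if s["denied"]:
        return "relay denied, AUTH never attempted"
    return "no relay decision logged"

def triage(lines):
    """Return [(pid, verdict)] for each smtpd connection, in log order."""
    current, order = {}, []
    for line in lines:
        m = SMTPD.search(line)
        if not m:
            continue  # dovecot imap-login lines are IMAP sessions, not SMTP AUTH
        pid, msg = m.groups()
        if msg.startswith("connect from"):  # smtpd pids are reused across clients
            current[pid] = {"sasl": None, "failed": False, "denied": False}
            order.append((pid, current[pid]))
        s = current.get(pid)
        if s is None:
            continue
        found = re.search(r"sasl_method=(\w+)", msg)
        if found:
            s["sasl"] = found.group(1)
        if re.search(r"SASL \S+ authentication failed", msg):
            s["failed"] = True
        if "Relay access denied" in msg:
            s["denied"] = True
    return [(pid, verdict(s)) for pid, s in order]
```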