I've set up a new dovecot+postfix instance with virtual (not system) users.

I've a few questions, mostly about auth.  I think that postfix handles auth by asking dovecot.

Users need to provide user + password to send (smtps) and receive (imaps).  I see where I've configured this for dovecot, which is /etc/dovecot/passwd.db.  That file contains lines like this:

jeff@mobilitains.fr:{BLF-CRYPT}$2y$05$c...

What concerns me is that I see occasional log items like this:

Jan 24 11:26:33 nantes-m1 postfix/smtpd[4597]: fatal: no SASL authentication mechanisms

(Also, I can't connect with thunderbird.)

But I think I've configured SASL auth, so I'm not sure what to look at / how to debug this.  I'm looking for suggestions on how to approach this.

I do not see how postfix knows who is allowed to connect, however.  Am I correct that postfix delegates SASL to dovecot?  This is the relevant config, I think:

[T] jeff@nantes-m1:log $ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS
# Hostname: nantes-m1.p27.eu
auth_verbose = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
  driver = passwd-file
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/mail/vmail/sieve-after
  sieve_before = /var/mail/vmail/sieve-before
  sieve_dir = ~/sieve
}
protocols = " imap"
ssl = required
ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
  driver = static
}
protocol lda {
  deliver_log_format = msgid=%m: %$
  mail_plugins = sieve
  postmaster_address = postmaster@{{ primary_domain }}
  quota_full_tempfail = yes
  rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  mail_max_userip_connections = 20
}
[T] jeff@nantes-m1:log $

[T] jeff@nantes-m1:log $ postconf -n | grep -i sasl
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot

[T] jeff@nantes-m1:log $ postconf -Mf
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
...

Many thanks for any pointers.

I'm also a bit confused on how to test it, really, short of connecting with a regular email client (mutt, thunderbird, etc.).  If there are more appropriate tools that I've missed, I'm quite open to pointers.

-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://transport-nantes.com/
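An added example, not from the post or from the Dovecot or Postfix projects: a small Python diagnostic for the two things that "no SASL authentication mechanisms" depends on. It assumes that, with smtpd_sasl_type = dovecot, Dovecot must expose an auth unix_listener at the path smtpd_sasl_path names inside the Postfix queue directory (/var/spool/postfix/private/auth for the config above); the doveconf -n output above contains no service auth block at all, and the constructed GOOD_DOVECONF fragment shows the shape of one.

```python
import re
import smtplib
import ssl
# Constructed sample (not from the post): a minimal doveconf -n fragment that
# declares the auth listener a chrooted Postfix smtpd connects to.
GOOD_DOVECONF = """\
passdb {
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
"""

def auth_listeners(doveconf_text):
    """unix_listener paths nested inside 'service auth { ... }', found by
    walking doveconf's brace-nested output; [] means Dovecot exposes none."""
    stack, found = [], []
    for raw in doveconf_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if (len(stack) >= 2 and stack[-2] == "service auth"
                    and stack[-1].startswith("unix_listener ")):
                found.append(stack[-1].split(None, 1)[1])
        elif line == "}" and stack:
            stack.pop()
    return found

def postfix_socket(postconf_text, queue_dir="/var/spool/postfix"):
    """Socket Postfix opens: smtpd_sasl_path (default 'smtpd'), relative to queue_directory."""
    m = re.search(r"^smtpd_sasl_path\s*=\s*(\S+)", postconf_text, re.M)
    path = m.group(1) if m else "smtpd"
    return path if path.startswith("/") else f"{queue_dir}/{path}"

def ehlo_auth_mechs(ehlo_reply):
    """Mechanisms on a raw '250-AUTH PLAIN LOGIN' line (as openssl s_client shows it)."""
    m = re.search(r"^250[- ]AUTH\s+(.*)$", ehlo_reply, re.M)
    return m.group(1).split() if m else []

def probe_submission(host, port=587):
    """Live check (needs network): STARTTLS to submission, return AUTH mechanisms from the post-TLS EHLO."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        return s.esmtp_features.get("auth", "").split()
```

Feed the real doveconf -n and postconf -n output to auth_listeners() and postfix_socket() and compare the paths; probe_submission() stands in for a mail client when checking what the submission port actually advertises after STARTTLS.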