Hi Badli,
thanks for the information.
A few hints: If possible, please avoid using HTML mails. And for outputs like 'postconf -n': please use an attached text file if your MUA (OL) isn't able to transfer them in a proper way.
I would suggest the following changes:
- postconf -n
[...]
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
As Benny already wrote: delete them from your main.cf as port 25 should not be used for authentication.
- postconf -M
[...]
smtps inet n - - - - smtpd
[...]
  -o smtpd_client_restrictions= permit_sasl_authenticated, reject
-------------------------------^
  -o milter_macro_daemon_name= ORIGINATING
------------------------------^
In master.cf: please take care that you don't specify whitespace around the '=', at least if you're using the short form shown above.
Some more examples, where you should check and change the master.cf regarding this:
submission inet n - - - - smtpd
[...]
  -o smtpd _sasl_security_options= noanonymous
  -o smtpd_client_restrictions= permit_sasl_authenticated, reject
  -o smtpd_sender_login_maps= hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions= reject_sender_login_mismatch
  -o smtpd_recipient_restrictions= reject_non_fqdn_recipient
...
Regarding the authentication part(s) itself:
The configuration of the submission port seems correct to me and authentication should work. You can test it this way:
openssl s_client -connect www.zystro.xyz:587 -starttls smtp
For the smtps port you should add at least the following to the existing configuration of your master.cf:
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
You can test it this way:
openssl s_client -connect www.zystro.xyz:465
After connecting successfully (to 465 & 587), in both cases using 'ehlo foo' you should see entries like these:
[...]
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
[...]
If not, we need the logs. ;-)
HTH and regards, Markus
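
Added example, not part of the mail above: a small Python check that scans master.cf text for the short-form `-o name=value` whitespace problem the mail marks with carets. It goes slightly beyond the mail by also flagging whitespace before the '=' and inside a comma-separated value; the function name and the sample text are constructed for illustration, and the `-o { name = value }` long form (Postfix 3.0 and later) is assumed to be allowed to contain spaces.

```python
"""Lint master.cf text for whitespace around '=' in short-form -o overrides."""
# Constructed sample modelled on the entries quoted in the mail (not a real config).
SAMPLE = """\
# constructed master.cf excerpt
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions= permit_sasl_authenticated, reject
  -o milter_macro_daemon_name= ORIGINATING
submission inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions = reject_sender_login_mismatch
  -o { smtpd_recipient_restrictions = reject_non_fqdn_recipient }
"""

def lint_master_cf(text):
    """Return (line_no, service, parameter, reason) for each suspicious -o."""
    findings, service = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # blank line or comment
        if not line[0].isspace():          # unindented line starts a new service
            service = line.split()[0]
        toks, i = line.split(), 0
        while i < len(toks):
            if toks[i] != "-o" or i + 1 == len(toks):
                i += 1
                continue
            i += 1
            if toks[i].startswith("{"):    # long form: spaces are allowed inside
                while i < len(toks) and not toks[i].endswith("}"):
                    i += 1
                i += 1
                continue
            opt, i, stray = toks[i], i + 1, []
            while i < len(toks) and not toks[i].startswith("-"):
                stray.append(toks[i])      # words split off from the override
                i += 1
            if "=" not in opt:
                reason = "whitespace before '='"
            elif stray:
                reason = ("whitespace after '='" if opt.endswith("=")
                          else "whitespace inside value")
            else:
                continue                   # name=value or an empty name= is fine
            findings.append((no, service, opt.split("=")[0], reason))
    return findings

if __name__ == "__main__":
    for finding in lint_master_cf(SAMPLE):
        print("line %d, %s: %s: %s" % finding)
```

To check a real file, pass its contents to `lint_master_cf()`; an empty list means no short-form override was split by whitespace.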