[Dovecot] Authentication problems
Hi there, I'm in a bit of a dilemma and wonder if anyone can help.
Over the weekend I bought a new dedicated server and moved my mail/web over to it. I'd used the Sarge[1] tutorial at workaround.org for the old server and as I'd wanted to move to Dovecot for a while I decided to use their Etch[2] tutorial for the new one. For the most part everything's working nicely, but I seem to be having problems with (mostly non-SSL) SMTP authentication.
In this install Postfix passes SASL authentication to Dovecot. For most clients using SSL this works fine, but as soon as SSL is off it fails. This is despite having disable_plaintext_auth set to 'no'. Furthermore it appears that some clients w/SSL are also failing. Outlook being the major culprit. I'm completely stumped.
I've pasted a copy of the output from dovecot -n below.
Thanks in advance!
Rodti
[1] http://workaround.org/articles/ispmail-sarge
[2] http://workaround.org/articles/ispmail-etch

# 1.0.13: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_privileged_group: mail
mail_location: maildir:/home/vmail/%d/%n/Maildir
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
auth default:
  mechanisms: plain login cram-md5
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
On Mon, 2008-09-01 at 13:29 +0100, Rodti MacLeary wrote:
> In this install Postfix passes SASL authentication to Dovecot. For most clients using SSL this works fine, but as soon as SSL is off it fails. This is despite having disable_plaintext_auth set to 'no'. Furthermore it appears that some clients w/SSL are also failing. Outlook being the major culprit. I'm completely stumped.
Dovecot's disable_plaintext_auth setting doesn't affect Postfix.
> I've pasted a copy of the output from dovecot -n below.
Logs would be much more helpful. Set auth_debug=yes and show logs of a successful and a failing session. Both Dovecot and Postfix logs.
On 1 Sep 2008, at 13:34, Timo Sirainen wrote:
> On Mon, 2008-09-01 at 13:29 +0100, Rodti MacLeary wrote:
>> In this install Postfix passes SASL authentication to Dovecot. For
>> most clients using SSL this works fine, but as soon as SSL is off it
>> fails. This is despite having disable_plaintext_auth set to 'no'.
>> Furthermore it appears that some clients w/SSL are also failing. Outlook being
>> the major culprit. I'm completely stumped.
> Dovecot's disable_plaintext_auth setting doesn't affect Postfix.
Not sure which of the following actually fixed it, but added
'broken_sasl_auth_clients = yes' to my Postfix main.cf and changed my
dovecot.conf 'mechanisms' to 'login plain' instead of 'plain login'.
Now all is well.
Thanks to everyone for their help, particularly Roger for his offlist
advice on installing 1.1.3.
r.
On Mon, 2008-09-01 at 13:29 +0100, Rodti MacLeary wrote:
> auth default:
>   mechanisms: plain login cram-md5
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-sql.conf
Oh, one guess: Do you store passwords in CRAM-MD5 or plaintext format? If not, maybe your clients are trying to use CRAM-MD5 and it's failing because of that? Logs would show that anyway.
On Mon, 01 Sep 2008 15:35:56 +0300, Timo Sirainen <tss@iki.fi> wrote:
> Oh, one guess: Do you store passwords in CRAM-MD5 or plaintext format? If not, maybe your clients are trying to use CRAM-MD5 and it's failing because of that? Logs would show that anyway.
All passwords are hashed in the MySQL database. They were in plain text on the old system. Could this be the problem?
r.
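
Added example, not part of the original thread: why a server that advertises cram-md5 cannot verify it against a one-way hashed password column, while PLAIN still works. The user, password and challenge are constructed sample values, and unsalted SHA-256 is only a stand-in for whatever hash scheme the database actually uses.

```python
import base64
import hashlib
import hmac

def cram_md5_response(user, password, challenge):
    """Client side (RFC 2195): 'user <hex HMAC-MD5(key=password, msg=challenge)>'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"

def verify_cram_md5(stored_secret, challenge, response):
    """Server side: recompute the HMAC keyed with whatever the passdb returned."""
    _user, _, digest = response.rpartition(" ")
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def verify_plain(stored_hash, response_b64):
    """PLAIN (RFC 4616): the client sends base64(authzid NUL user NUL password),
    so the server sees the password itself and can hash it for comparison.
    Without TLS that password is readable on the wire."""
    _authzid, _user, password = base64.b64decode(response_b64).split(b"\0")
    return hmac.compare_digest(hashlib.sha256(password).hexdigest(), stored_hash)

# Constructed sample data (assumptions, not values from the thread).
USER = "alice@example.org"
PASSWORD = "correct horse"
CHALLENGE = b"<1896.697170952@mail.example.org>"
STORED_PLAINTEXT = PASSWORD                                   # old system
STORED_HASH = hashlib.sha256(PASSWORD.encode()).hexdigest()   # new system (stand-in scheme)

def demo():
    cram = cram_md5_response(USER, PASSWORD, CHALLENGE)
    plain = base64.b64encode(
        b"\0" + USER.encode() + b"\0" + PASSWORD.encode()
    ).decode()
    return {
        # Server holds the plaintext: the HMAC keys match.
        "cram_md5_vs_plaintext_store": verify_cram_md5(STORED_PLAINTEXT, CHALLENGE, cram),
        # Server holds only a hash: it keys the HMAC with the wrong secret.
        "cram_md5_vs_hashed_store": verify_cram_md5(STORED_HASH, CHALLENGE, cram),
        # PLAIN delivers the password, so a hashed store can still verify it.
        "plain_vs_hashed_store": verify_plain(STORED_HASH, plain),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

A client that picks CRAM-MD5 from the advertised list therefore fails against the hashed store even with the correct password, which is the failure mode guessed at above.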
Hi
This sounds to me like the failing Outlook clients might fall over to CRAM-MD5 and you need to use the %m to map out the method SASL uses to return the right password. Then you need to either use the source packet from Ubuntu Intrepid and apply this patch
http://hg.dovecot.org/dovecot-1.1/rev/3fcfe8d316b6
Or download the release candidate of 1.1.3
Also I use an SQL query to get the password in the form:
password_query = SELECT id as user, passwd as password FROM passwds WHERE id = '%u' AND model = '%m'
-Roger