dovecot sasl with postfix, smtp auth not available
Hi All,
I have set up dovecot sasl with postfix. When I check the smtp with ehlo there is no AUTH advertised.
Connected to www.zystro.xyz.
Escape character is '^]'.
220 www.zystro.xyz
ehlo x.zystro.xyz
250-www.zystro.xyz
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
I did a number of installations and the auth was not shown. I have used the Debian-distributed packages and also the dovecot packages.
Sasl.
root@www:~# postconf -a
cyrus dovecot
root@www:~# postconf -A
cyrus
Dovecot version.
root@www:~# dovecot --version
2.3.20 (80a5ac675d)
Dovecot configuration.
root@www:~# dovecot -n
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# OS: Linux 5.10.0-21-amd64 x86_64 Debian 11.6
# Hostname: www.zystro.xyz
auth_mechanisms = plain login
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_location = mbox:~/Mailbox
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
}
passdb {
  driver = pam
}
postmaster_address = postmaster@zystro.xyz
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1,::1
    port = 143
  }
  inet_listener imaps {
    address = *
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/letsencrypt/live/www.zystro.xyz/fullchain.pem
ssl_key =  # hidden, use -P to show it
userdb {
  args = blocking=no
  driver = passwd
}
I have followed the guides from postfix and dovecot but still the auth did not appear.
https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
https://www.postfix.org/SASL_README.html
Anybody got any ideas ?
Regards, -badli
On 04-22-2023 11:15 pm, Badli Al Rashid wrote: I have set up dovecot sasl with postfix. When I check the smtp with ehlo there is no AUTH advertised.
There shouldn't be on port 25. Users should do email submission on port 587 or 465.
But if you really want there to be... http://www.postfix.org/postconf.5.html#smtp_sasl_auth_enable
FYI; Just in case it was confusing, dovecot does not take submission email nor answers ehlo, that is a postfix thing.
Hi,
My apologies, I am not using dovecot as the submission server; I am using postfix with dovecot-sasl.
I was not able to authenticate when I used a webmail for testing: authenticating with a username on the smtp connection fails.
I could authenticate normally using port 465 / 587 but it is blocked at the moment.
When checking, there was no smtp-auth listed on the smtp port. I tried to enable it in postfix with smtp_sasl_auth_enable, but it was not advertised.
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 www.zystro.xyz
ehlo x.zystro.xyz
250-www.zystro.xyz
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
421 4.4.2 www.zystro.xyz Error: timeout exceeded
Connection closed by foreign host.
Should smtp-auth be advertised on the smtp port when dovecot-sasl is enabled in postfix?
Thank you.
Regards, -badli
From: dovecot--- via dovecot <dovecot@dovecot.org> Sent: Sunday, April 23, 2023, 15:22 To: dovecot@dovecot.org <dovecot@dovecot.org> Subject: Re: dovecot sasl with postfix, smtp auth not available
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Badli Al Rashid skrev den 2023-04-23 13:06:
My apologies, I am not using dovecot as the submission server; I am using postfix with dovecot-sasl.
then post doveconf -n that shows it
I was not able to authenticate when I used a webmail for testing: authenticating with a username on the smtp connection fails.
logs
I could authenticate normally using port 465 / 587 but it is blocked at the moment.
where is this change ?
When checking, there was no smtp-auth listed on the smtp port. I tried to enable it in postfix with smtp_sasl_auth_enable, but it was not advertised.
# telnet 127.0.0.1 25
bound to fail
Should smtp-auth be advertised on the smtp port when dovecot-sasl is enabled in postfix?
how do you know it's postfix ?
to help more it's essential to know which part is failing
random questions gives random answers
logs
No logs as I have to redo a new setup.
bound to fail
I was only trying to check if the smtp-auth is advertised by doing ehlo.
where is this change ?
My client ip was listed in sorbs.net. I could not connect to the smtp server.
how do you know it's postfix ?
Because I did an apt install postfix on the node. Dovecot is on the same node.
Regards, -badli
From: Benny Pedersen <me@junc.eu> Sent: Sunday, April 23, 2023, 20:22 To: dovecot@dovecot.org <dovecot@dovecot.org> Subject: Re: dovecot sasl with postfix, smtp auth not available
Hi,
There is also a feature in postfix where AUTH is only advertised over TLS (i.e. port 465, or port 25/587 after STARTTLS).
https://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
On 23-04-2023 14:41, Badli Al Rashid wrote:
dovecot--- via dovecot skrev den 2023-04-23 20:25:
I tried to enable it in postfix with smtp_sasl_auth_enable, but it was not advertised.
That is because "smtp" is not the same as "smtpd".
http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable
port 25 should not support sasl auth, make this an override in master.cf so it only is on port 465, or 587
when remote mta's blindly just try sasl auth on port 25 they miss a password, and give up, after wasting resources in both ends
Hi Benny,
master.cf already has entries for 465 and 587 as I followed the guide.
Noted and thank you.
Regards, -badli
From: Benny Pedersen <me@junc.eu> Sent: Monday, April 24, 2023, 02:54 To: dovecot@dovecot.org <dovecot@dovecot.org> Subject: Re: dovecot sasl with postfix, smtp auth not available
On 2023-04-23 11:53, Benny Pedersen wrote:
FYI, +1...
Especially since some email clients STILL fallback to insecure password auth attempts on port 25, resulting in sending email passwords across the internet in plain text.
Everyone should adopt this policy by default. Turning off AUTH on insecure connections has been shown to reduce email compromise levels by up to 90%.
Reminder, this also applies to POP/IMAP.
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Hi Markus,
The output is as follows.
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
cafile = /etc/letsencrypt/live/www.zystro.xyz/cert.pem
compatibility_level = 3.5
disable_vrfy_command = yes
home_mailbox = Mailbox
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 1048576000
maximal_backoff_time = 3h
message_size_limit = 10485760
minimal_backoff_time = 180s
mydestination = $mydomain, $myhostname, localhost
mydomain = zystro.xyz
myhostname = www.zystro.xyz
mynetworks_style = host
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_always_send_ehlo = yes
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtp_sasl_auth_enable = yes
smtp_tls_CAfile = $cafile
smtp_tls_cert_file = $tcert
smtp_tls_key_file = $tkey
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_limit = 40
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_timeout = 30s
smtpd_tls_cert_file = $tcert
smtpd_tls_key_file = $tkey
smtpd_tls_security_level = encrypt
strict_rfc821_envelopes = yes
tcert = /etc/letsencrypt/live/www.zystro.xyz/fullchain.pem
tkey = /etc/letsencrypt/live/www.zystro.xyz/privkey.pem
virtual_alias_maps = hash:/etc/postfix/virtual
root@www:~#
postconf -M
smtp       inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp -o syslog_name=postfix/$service_name
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
maildrop   unix  -       n       n       -       -       pipe flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
smtps      inet  n       -       -       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions= permit_sasl_authenticated, reject -o milter_macro_daemon_name= ORIGINATING
submission inet  n       -       -       -       -       smtpd -o smtpd_etrn_restrictions=reject -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options= noanonymous -o smtpd_sasl_local_domain=$mydomain -o smtpd_client_restrictions= permit_sasl_authenticated, reject -o smtpd_sender_login_maps= hash:/etc/postfix/virtual -o smtpd_sender_restrictions= reject_sender_login_mismatch -o smtpd_recipient_restrictions= reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated,reject
root@www:~#
Regards, -badli
From: Markus Winkler <ml@irmawi.de> Sent: Monday, April 24, 2023, 05:33 To: dovecot@dovecot.org <dovecot@dovecot.org> Subject: Re: dovecot sasl with postfix, smtp auth not available
Hi Badli,
On 23.04.23 05:15, Badli Al Rashid wrote:
Anybody got any ideas ?
please post the output of:
- postconf -n
- postconf -M
Regards, Markus
Hi Badli,
thanks for the information.
A few hints: If possible, please avoid using HTML mails. And for outputs like 'postconf -n': please use an attached text file if your MUA (OL) isn't able to transfer them in a proper way.
I would suggest the following changes:
- postconf -n
  [...]
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_path = private/auth
  smtpd_sasl_type = dovecot
As Benny already wrote: delete them from your main.cf as port 25 should not be used for authentication.
- postconf -M
  [...]
  smtps      inet  n       -       -       -       -       smtpd
  [...]
    -o smtpd_client_restrictions= permit_sasl_authenticated, reject
    -----------------------------^
    -o milter_macro_daemon_name= ORIGINATING
    ----------------------------^
In master.cf: please take care that you don't put whitespace around the '=', at least if you're using the short form shown above.
Some more examples, where you should check and change the master.cf regarding this:
submission inet  n       -       -       -       -       smtpd
  [...]
    -o smtpd_sasl_security_options= noanonymous
    -o smtpd_client_restrictions= permit_sasl_authenticated, reject
    -o smtpd_sender_login_maps= hash:/etc/postfix/virtual
    -o smtpd_sender_restrictions= reject_sender_login_mismatch
    -o smtpd_recipient_restrictions= reject_non_fqdn_recipient ...
Regarding the authentication part(s) themselves:
The configuration of the submission port seems correct to me and authentication should work. You can test it this way:
openssl s_client -connect www.zystro.xyz:587 -starttls smtp
For the smtps port you should add at least the following to the existing configuration of your master.cf:
smtps      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
You can test it this way:
openssl s_client -connect www.zystro.xyz:465
After connecting successfully (to 465 & 587), in both cases using 'ehlo foo' you should see entries like these:
[...]
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
[...]
If not, we need the logs. ;-)
HTH and regards, Markus
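Added example, not from the thread and not Postfix or Dovecot code: a small Python checker that does what Markus's openssl s_client test does by hand and grades each listener against the rule Benny, Tom and Michael give (offer AUTH only after TLS). The sample EHLO replies are constructed from the outputs quoted in the thread, the EHLO name probe.example is an assumption, and check_listener needs network access while auth_mechanisms and verdict run offline.

```python
import smtplib
import ssl

# Constructed sample replies modelled on the thread's captured output: the
# plaintext port-25 EHLO with no AUTH, and a TLS listener that advertises it.
EHLO_PORT25 = (
    "250-www.zystro.xyz\r\n250-PIPELINING\r\n250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n250-8BITMIME\r\n250 CHUNKING\r\n"
)
EHLO_TLS = (
    "250-www.zystro.xyz\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n250 CHUNKING\r\n"
)

def auth_mechanisms(ehlo_reply: str) -> list[str]:
    """Return the sorted SASL mechanisms an EHLO reply advertises ([] if none)."""
    mechs: set[str] = set()
    for line in ehlo_reply.splitlines():
        # Extension lines look like "250-KEYWORD args" ("250 " on the last line).
        if line[:3] == "250" and line[4:8].upper() == "AUTH" and line[8:9] in ("=", " "):
            # Postfix prints "AUTH PLAIN LOGIN" and, with broken_sasl_auth_clients = yes,
            # the legacy "AUTH=PLAIN LOGIN" as well; drop the "=" so both parse alike.
            mechs.update(m.upper() for m in line[8:].lstrip("= ").split())
    return sorted(mechs)

def verdict(auth_plaintext: list[str], auth_tls: list[str]) -> str:
    """Grade one listener against the thread's rule: offer AUTH only over TLS."""
    if auth_plaintext:
        return "plaintext-auth"  # a client could send its password unencrypted
    if not auth_tls:
        return "no-auth"  # smtpd_sasl_* options or the dovecot auth socket are missing
    return "ok"

def _mechs(conn: smtplib.SMTP) -> list[str]:
    # smtplib concatenates every AUTH line into esmtp_features["auth"], "=" included.
    return sorted({m.lstrip("=").upper() for m in conn.esmtp_features.get("auth", "").split()})

def check_listener(host: str, port: int, timeout: float = 10.0) -> dict:
    """Probe a live listener: 465 is implicit TLS, other ports are read before and after STARTTLS."""
    ctx = ssl.create_default_context()
    plain: list[str] = []
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as conn:
            conn.ehlo("probe.example")  # assumed client name; use a resolvable one
            tls = _mechs(conn)
    else:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            conn.ehlo("probe.example")
            plain = _mechs(conn)  # anything listed here is offered over plaintext
            conn.starttls(context=ctx)  # raises SMTPNotSupportedError if STARTTLS is absent
            conn.ehlo("probe.example")  # extensions must be re-read after STARTTLS
            tls = _mechs(conn)
    return {"port": port, "plaintext": plain, "tls": tls, "verdict": verdict(plain, tls)}
```

Running check_listener("www.zystro.xyz", p) for p in 25, 465 and 587 should give "no-auth" on 25 and "ok" on the other two once the master.cf overrides above are in place.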