[Dovecot] Postfix, Dovecot SASL and Entourage smtps authentication fails.
Hello.
Recently just migrated from Sendmail 8.14.3 to Postfix 2.5.6 and switched from Cyrus-sasl 2.1.22 to Dovecot 1.1.13 sasl, all are compiled from source and I have used Dovecot for a long time, since alpha versions.
Everything worked well for Outlook Express, Outlook and Thunderbird clients, but Microsoft Entourage 2004 or 2008 clients smtps fails - "Authentication failed because Entourage doesn't support any of the available authentication methods."
Similar case like - http://archives.neohapsis.com/archives/postfix/2008-09/thread.html#145
I tried everything, the config is like described in Postfix and Dovecot sites - http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
I also tried in main.cf smtpd_sasl_security_options =forward_secrecy like described in http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options
But none helped.
So I switched back to Cyrus-sasl and Entourage works well like before with sendmail.
I started to search what may be the reason, and seems with Dovecot sasl Postfix won't advertise needed stuff in ehlo:
With Cyrus:
telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS
With dovecot:
telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
starttls
220 2.0.0 Ready to start TLS
Setting with Cyrus in main.cf smtpd_tls_auth_only = no gives even more but still nothing with Dovecot:
telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.eeESMTP
EHLO example.com
250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
So is this an Entourage or Dovecot or Postfix bug? I really like to drop the Cyrus and use only Dovecot sasl.
Any hint is welcome.
-- Mart
On Wed, 2009-04-15 at 12:33 +0300, Mart Pirita wrote:
With dovecot:
telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
starttls
220 2.0.0 Ready to start TLS
Are you saying that EHLO doesn't return anything when using Dovecot SASL? Something's very broken then.
Hello.
Are you saying that EHLO doesn't return anything when using Dovecot SASL?
Yes.
Something's very broken then.
Hmm, but what?
Dovecot is compiled with options:
./configure \
  --prefix=/usr \
  --with-ssl=/usr/local/ssl \
  --with-ssldir=/etc/ssl \
  --with-rawlog \
  --sysconfdir=/etc \
  --without-vpopmail \
  --disable-ipv6 \
  --with-pam \
  --without-passwd-file \
  --without-checkpassword \
  --without-bsdauth \
  --without-static-userdb \
  --without-passdb-userdb \
  --without-pgsql \
  --without-mysql \
  --without-sqlite \
  --with-rundir=/var/run/dovecot \
  --without-deliver \
  --without-gssapi
And runs with settings:
dovecot -n
# 1.1.13: /etc/dovecot.conf
# OS: Linux 2.6.24.2 i686 Red Hat Linux release 8.0 (Psyche)
protocols: imaps pop3 pop3s
ssl_parameters_regenerate: 0
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_log_format_elements: %u [%r] %m %c
mail_max_userip_connections(default): 90
mail_max_userip_connections(imap): 90
mail_max_userip_connections(pop3): 9
maildir_copy_preserve_filename: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
imap_client_workarounds(default): outlook-idle netscape-eoh tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(imap): outlook-idle netscape-eoh tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_logout_format(default): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(imap): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(pop3): bytes=%i/%o, del=%d/%m, size=%s
auth default:
  cache_size: 1024
  failure_delay: 3
  passdb:
    driver: pam
    args: cache_key=%u%r%s *
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
Postfix is compiled with options:
CCARGS='-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DUSE_TLS
-DUSE_SSL -I/usr/local/ssl/include -DHAS_DB -I/usr/local/db4/include
-I/usr/include'
AUXLIBS="-L/usr/local/ssl/lib -lssl -lcrypto -L/usr/local/db4/lib -ldb
-L/usr/lib -ldl" \
And sasl and tls settings are:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
-- Mart
On Apr 16, 2009, at 9:18 AM, Mart Pirita wrote:
Hello.
Are you saying that EHLO doesn't return anything when using Dovecot SASL?
Yes.
But you said that other clients would still work? I don't see how
that's possible if Postfix doesn't reply to EHLO.
Anyway, I guess you could see if auth_debug=yes logs something.
Hello.
But you said that other clients would still work? I don't see how that's possible if Postfix doesn't reply to EHLO.
Well, I compiled postfix again and somehow now I can see more data using dovecot sasl, no idea, why I didn't see this before:
Escape character is '^]'.
220 my.domain.ee ESMTP
ehlo k.com
250-my.domain.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS
Using in main.cf smtpd_tls_auth_only = no
Escape character is '^]'.
220 my.domain.ee ESMTP
ehlo e.com
250-my.domain.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Anyway, I guess you could see if auth_debug=yes logs something.
Enabled, trying to send message with Entourage, SSL enabled, port 465, outgoing server requires authentication with same credentials as incoming servers:
Apr 16 21:33:42 server postfix/smtpd[3909]: connect from 88-196-40-172-dsl.noe.estpak.ee[88.196.40.172]
Apr 16 21:33:43 server postfix/smtpd[3909]: lost connection after EHLO from 88-196-40-172-dsl.noe.estpak.ee[88.196.40.172]
Apr 16 21:33:43 server postfix/smtpd[3909]: disconnect from 88-196-40-172-dsl.noe.estpak.ee[88.196.40.172]
"Authentication failed because Entourage doesn't support any of the available authentication methods." Disabling
Same settings, sending with Thunderbird:
Apr 16 21:34:10 server postfix/smtpd[3909]: connect from 88-196-40-172-dsl.noe.estpak.ee[88.196.40.172]
Apr 16 21:34:10 server postfix/smtpd[3909]: 5548348C172: client=88-196-40-172-dsl.noe.estpak.ee[88.196.40.172], sasl_method=PLAIN, sasl_username=user
Apr 16 21:34:10 server postfix/cleanup[3961]: 5548348C172: warning: header Subject: sasa from 88-196-40-172-dsl.noe.estpak.ee[88.196.40.172]; from=user@mydomain.ee to=user@mydomain.ee proto=ESMTP helo=<[192.168.30.3]>
Apr 16 21:34:10 server postfix/smtpd[3909]: disconnect from 88-196-40-172-dsl.noe.estpak.ee[88.196.40.172]
Message sent.
-- Mart
On Thu, 2009-04-16 at 21:39 +0300, Mart Pirita wrote:
250-AUTH PLAIN
250-AUTH=PLAIN
You're missing LOGIN here, which is required by some MS clients (although I thought Outlook belonged to that category too).
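Added example, not part of the thread: a small Python check that parses a captured EHLO reply, collects the SASL mechanisms from both the `AUTH ` and `AUTH=` lines, and reports which mechanisms a client needs but the server does not offer, plus any password-carrying mechanisms offered before TLS is active. The replies are constructed from the ones quoted in this thread; the function names and the assumption that the client needs LOGIN (per the remark above) are illustrative.

```python
import re

# Constructed from the EHLO replies quoted in this thread (smtpd_tls_auth_only = no).
DOVECOT_REPLY = """\
250-my.domain.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
# Same reply as seen with Cyrus SASL in the thread: both AUTH lines also list LOGIN.
CYRUS_REPLY = DOVECOT_REPLY.replace("PLAIN\n", "PLAIN LOGIN\n")

# Mechanisms that put the password itself on the wire (base64 is not encryption).
PASSWORD_EQUIVALENT = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if re.match(r"250[- ]", l.strip())]
    for line in lines[1:]:  # the first 250 line is the server's greeting name
        # Old clients expect "AUTH=..."; treat it like "AUTH ...".
        body = re.sub(r"^(AUTH)=", r"\1 ", line[4:], flags=re.I)
        keyword, _, params = body.partition(" ")
        caps.setdefault(keyword.upper(), set()).update(p.upper() for p in params.split())
    return caps

def audit(reply, tls_active, client_needs):
    """Compare advertised AUTH mechanisms with what a client requires."""
    offered = parse_ehlo(reply).get("AUTH", set())
    return {
        "offered": sorted(offered),
        "missing_for_client": sorted(set(client_needs) - offered),
        "password_mechs_without_tls": [] if tls_active else sorted(offered & PASSWORD_EQUIVALENT),
    }
```

With `smtpd_tls_auth_only = yes`, Postfix only lists AUTH after STARTTLS, so feed this the EHLO reply captured inside the TLS session (for example via `openssl s_client -starttls smtp`).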
Hello.
On Thu, 2009-04-16 at 21:39 +0300, Mart Pirita wrote:
250-AUTH PLAIN
250-AUTH=PLAIN
You're missing LOGIN here, which is required by some MS clients (although I thought Outlook belonged to that category too).
Yes, I noticed that too, as same test with cyrus-sasl shows:
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
But I have enabled login in dovecot.conf:
# Postfix - suggested configuration taken from SASL_README (2.3.2).
mechanisms = plain login
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
So something is still broken, but what? How can I make Dovecot SASL advertise auth login too?
-- Mart
Hello.
Then it should show up.. Post dovecot -n output instead, that'll show what exactly Dovecot is reading from config file.
Please:
dovecot -n
# 1.1.13: /etc/dovecot.conf
# OS: Linux 2.6.24.2 i686 Red Hat Linux release 8.0 (Psyche)
protocols: imaps pop3 pop3s
ssl_parameters_regenerate: 0
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_log_format_elements: %u [%r] %m %c
mail_max_userip_connections(default): 90
mail_max_userip_connections(imap): 90
mail_max_userip_connections(pop3): 9
maildir_copy_preserve_filename: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
imap_client_workarounds(default): outlook-idle netscape-eoh tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(imap): outlook-idle netscape-eoh tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_logout_format(default): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(imap): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(pop3): bytes=%i/%o, del=%d/%m, size=%s
auth default:
  cache_size: 1024
  failure_delay: 3
  passdb:
    driver: pam
    args: cache_key=%u%r%s dovecot
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
-- Mart
On Apr 17, 2009, at 2:40 AM, Mart Pirita wrote:
Hello.
Then it should show up.. Post dovecot -n output instead, that'll show what exactly Dovecot is reading from config file.
Please:
dovecot -n
..
auth default:
  cache_size: 1024
  failure_delay: 3
If you had changed the mechanisms=plain default, it would have shown
up here (and you can see that also with dovecot -a). So something's
wrong in that setting.
Hello.
If you had changed the mechanisms=plain default, it would have shown up here (and you can see that also with dovecot -a). So something's wrong in that setting.
Hmm, You are right, postfix install inserted into config lines:
# Postfix - suggested configuration taken from SASL_README (2.3.2).
mechanisms = plain login
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
But right after this comes next, old part:
# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
mechanisms = plain
And Dovecot accepts the last one:(.
So it's my mistake, but I was taught that Dovecot always gives an error on startup if any double config lines exist. Now dovecot -n looks better:
auth default:
  mechanisms: plain login
  cache_size: 1024
  failure_delay: 3
  passdb:
    driver: pam
    args: cache_key=%u%r%s dovecot
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
And also shows up:
50-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
And Entourage works fine. Also with smtpd_tls_auth_only = yes settings.
Super.
Thank You Timo!
-- Mart
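Added example, not part of the thread and not Dovecot code: a Python lint that finds settings assigned more than once inside the same block of a Dovecot 1.x style config, the situation that silently dropped LOGIN here. The sample config is constructed from the fragments quoted above; the function names are illustrative, and the parser assumes whole-line `#` comments and `name {` / `}` block syntax.

```python
import re

# Constructed sample modelled on the dovecot.conf fragments quoted in the thread.
SAMPLE_CONF = """\
auth default {
  # Postfix - suggested configuration taken from SASL_README
  mechanisms = plain login
  # Space separated list of wanted authentication mechanisms:
  mechanisms = plain
  passdb pam {
    args = dovecot
  }
  passdb pam {
    args = imap
  }
}
"""

SETTING = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")

def find_overridden_settings(conf_text):
    """Return (scope, key, [(line_no, value), ...]) for keys set twice in one block."""
    stack = [("<top>", {})]  # one (name, {key: hits}) frame per open block instance
    findings = []
    def close_block():
        name, seen = stack.pop()
        scope = "/".join([n for n, _ in stack] + [name])
        for key, hits in seen.items():
            if len(hits) > 1:
                findings.append((scope, key, hits))
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):  # each "passdb pam {" opens its own scope
            stack.append((line[:-1].strip() or "<block>", {}))
        elif line == "}" and len(stack) > 1:
            close_block()
        else:
            m = SETTING.match(line)
            if m:
                stack[-1][1].setdefault(m.group(1), []).append((line_no, m.group(2).strip()))
    while stack:  # flush the top level and any unclosed blocks
        close_block()
    return findings

def effective_value(hits):
    """Per the thread, Dovecot 1.1.13 silently keeps the last assignment."""
    return hits[-1][1]
```

Repeated blocks such as two `passdb pam` sections are tracked as separate scopes, so only a genuine re-assignment like the second `mechanisms` line is reported; compare the result with `dovecot -n` to confirm what the daemon actually loaded.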
On Apr 15, 2009, at 5:33 AM, Mart Pirita wrote:
Everything worked well for Outlook Express, Outlook and Thunderbird clients, but Microsoft Entourage 2004 or 2008 clients smtps fails - "Authentication failed because Entourage doesn't support any of the available authentication methods."
BTW. Is it possible that all other clients are using STARTTLS (or no
encryption) and only Entourage is trying to use smtps port?
Hello.
BTW. Is it possible that all other clients are using STARTTLS (or no encryption) and only Entourage is trying to use smtps port?
No, all clients are using same settings. And all clients work with cyrus-sasl, but with Dovecot, Entourage won't work.
-- Mart
I think it is mostly an Entourage problem. I just decided to switch
to Apple Mail since it works much better with IMAP than Entourage.
On Apr 16, 2009, at 1:41 PM, Mart Pirita wrote:
Hello.
BTW. Is it possible that all other clients are using STARTTLS (or no encryption) and only Entourage is trying to use smtps port?
No, all clients are using same settings. And all clients work with cyrus-sasl, but with Dovecot, Entourage won't work.
-- Mart
Hello.
I think it is mostly an Entourage problem. I just decided to switch to Apple Mail since it works much better with IMAP than Entourage.
I'm pretty sure this is an Entourage problem, as Apple Mail (iPhones too) works well, but as a lot of clients are using Entourage as a calendar, etc., they just won't change the mail client.
If proven that Dovecot acts by the standards and Entourage does not, I must use Cyrus-sasl in future too, but first I must be sure that I haven't made any mistakes on my side.
-- Mart
participants (3)
- Mart Pirita
- Romer Ventura
- Timo Sirainen