New dovecot server, authentication confusion
I've set up a new dovecot+postfix instance with virtual (not system) users.
I've a few questions, mostly about auth. I /think/ that postfix handles auth by asking dovecot.
Users need to provide user + password to send (smtps) and receive (imaps). I see where I've configured this for dovecot, which is /etc/dovecot/passwd.db. That file contains lines like this:
jeff@mobilitains.fr:{BLF-CRYPT}$2y$05$c...
What concerns me is that I see occasional log items like this:
Jan 24 11:26:33 nantes-m1 postfix/smtpd[4597]: fatal: no SASL authentication mechanisms
(Also, I can't connect with thunderbird.)
But I think I've configured SASL auth, so I'm not sure what to look at / how to debug this. I'm looking for suggestions how to approach this.
I do not see how postfix knows who is allowed to connect, however. Am I correct that postfix delegates SASL to dovecot? This is the relevant config, I think:
[T] jeff@nantes-m1:log $ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS
# Hostname: nantes-m1.p27.eu
auth_verbose = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
passdb {
args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
driver = passwd-file
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_after = /var/mail/vmail/sieve-after
sieve_before = /var/mail/vmail/sieve-before
sieve_dir = ~/sieve
}
protocols = " imap"
ssl = required
ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
driver = static
}
protocol lda {
deliver_log_format = msgid=%m: %$
mail_plugins = sieve
postmaster_address = postmaster@{{ primary_domain }}
quota_full_tempfail = yes
rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
mail_max_userip_connections = 20
}
[T] jeff@nantes-m1:log $
[T] jeff@nantes-m1:log $ postconf -n | grep -i sasl
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
[T] jeff@nantes-m1:log $ postconf -Mf
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
...
Many thanks for any pointers.
I'm also a bit confused on how to test it, really, short of connecting with a regular email client (mutt, thunderbird, etc.). If there are more appropriate tools that I've missed, I'm quite open to pointers.
-- Jeff Abrahamson +33 6 24 40 01 57 +44 7920 594 255
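Jeff asks above how to exercise the setup without a full mail client. The script below is an added example written for this page, not code from the thread or from the Postfix or Dovecot projects: it builds the SASL PLAIN and LOGIN credential strings by hand, reads the mechanisms a server advertises in its EHLO reply (including the legacy AUTH= form that broken_sasl_auth_clients = yes turns on), and drives one STARTTLS-plus-AUTH exchange on a submission port with Python's smtplib. HOST, USERNAME and PASSWORD are placeholders, not values from the thread.

```python
import base64
import smtplib
import ssl

# Placeholders (assumed, not from the thread): the submission host and a test account.
HOST = "mail.example.org"
USERNAME = "user@example.org"
PASSWORD = "correct horse battery staple"


def auth_plain_initial_response(username, password, authzid=""):
    """SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd, base64-encoded
    once. Sent as the initial response on the AUTH line, so TLS must already be up."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64):
    """Inverse of the above: decode the blob a client actually sent, as seen in
    a packet capture or in Dovecot's auth_debug output."""
    parts = base64.b64decode(b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three NUL-separated fields")
    return tuple(p.decode("utf-8") for p in parts)


def auth_login_steps(username, password):
    """AUTH LOGIN is a two-step dialogue: the server prompts with base64 'Username:'
    and 'Password:'; the client answers each prompt with one base64 value."""
    return [base64.b64encode(v.encode("utf-8")).decode("ascii") for v in (username, password)]


def advertised_mechanisms(ehlo_lines):
    """SASL mechanisms from EHLO response lines (str or bytes). Postfix prints
    'AUTH PLAIN LOGIN' and, with broken_sasl_auth_clients = yes, also the legacy
    'AUTH=PLAIN LOGIN' line for old Outlook builds; both forms are parsed."""
    mechs = []
    for line in ehlo_lines:
        if isinstance(line, bytes):
            line = line.decode("ascii", "replace")
        line = line.strip()
        if line.upper().startswith("AUTH ") or line.upper().startswith("AUTH="):
            for m in line[5:].split():
                if m.upper() not in mechs:
                    mechs.append(m.upper())
    return mechs


def try_submission_auth(host, username, password, port=587, wrapper=False):
    """Connect, negotiate TLS (STARTTLS on 587, implicit TLS on 465), list the
    mechanisms offered *after* TLS, then attempt AUTH PLAIN.
    Returns (mechanisms, reply_code, reply_text): 235 = accepted, 535 = rejected,
    503/538 usually mean AUTH is not available at this point of the session."""
    ctx = ssl.create_default_context()
    if wrapper:
        conn = smtplib.SMTP_SSL(host, port, context=ctx, timeout=15)
    else:
        conn = smtplib.SMTP(host, port, timeout=15)
        conn.ehlo()
        conn.starttls(context=ctx)
    _, ehlo_reply = conn.ehlo()  # re-issue EHLO: the feature list changes after TLS
    mechs = advertised_mechanisms(ehlo_reply.splitlines())
    code, reply = conn.docmd("AUTH", "PLAIN " + auth_plain_initial_response(username, password))
    conn.quit()
    return mechs, code, reply.decode("utf-8", "replace")


if __name__ == "__main__":
    print("PLAIN initial response:", auth_plain_initial_response(USERNAME, PASSWORD))
    mechs, code, reply = try_submission_auth(HOST, USERNAME, PASSWORD)
    print("offered after TLS:", mechs)
    print("AUTH PLAIN ->", code, reply)
```

The same exchange can be typed by hand: `openssl s_client -starttls smtp -crlf -connect HOST:587`, then `EHLO test`, then `AUTH PLAIN <blob>` with the blob produced by auth_plain_initial_response; on 465 use `openssl s_client -crlf -connect HOST:465` without `-starttls`. With `smtpd_tls_security_level=encrypt` on the submission service, Postfix advertises AUTH only once TLS is up, so an EHLO before STARTTLS that shows no AUTH line is expected, not a fault. A 235 reply means Dovecot accepted the credentials and 535 means it answered but rejected them; when smtpd dies with `fatal: no SASL authentication mechanisms` the connection is dropped before any AUTH reply, which points at the Postfix-to-Dovecot socket rather than at the password.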
On 24/01/2021 15:42, Jeff Abrahamson wrote:
I've set up a new dovecot+postfix instance with virtual (not system) users.
[...]
Thanks to several responses here (many thanks!) and much further hacking, I have moved further.
I now have two problems that I'm hitting my head on. (I've posted my config below.)
- Delivery has a permission error, but I don't see what is causing it.
- Authorisation on sending is failing.
1. Delivery
I send mail to jeff@mobilitains.fr, which I think should be an authorised user.
Jan 24 17:19:02 nantes-m1 postfix/qmgr[8025]: 8640AA0C71: from=<jeff@p27.eu>, size=4737, nrcpt=1 (queue active)
Jan 24 17:19:02 nantes-m1 dovecot: lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied (euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/, dir owned by 4000:4000 mode=0755)
Jan 24 17:19:02 nantes-m1 dovecot: lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied (euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/, dir owned by 4000:4000 mode=0755)
Jan 24 17:19:02 nantes-m1 dovecot: lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: Mailbox INBOX: Failed to autocreate mailbox: Internal error occurred. Refer to server log for more information. [2021-01-24 17:19:02]
Jan 24 17:19:02 nantes-m1 dovecot: lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: msgid=<45693641-2b61-815d-6129-feb9c4e3608a@p27.eu>: save failed to open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox: Internal error occurred. Refer to server log for more information. [2021-01-24 17:19:02]
Jan 24 17:19:02 nantes-m1 postfix/local[10626]: 8640AA0C71: to=<jeff@nantes-m1.p27.eu>, orig_to=<jeff@mobilitains.fr>, relay=local, delay=593, delays=593/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: lda(jeff): Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied )
Now I know what the words mean: it wants to create the mail directory where I've asked it to, in /var/mail/vmail/%d/%n/mail, and it's hitting a permission error, because that directory is owned by vmail and that bit of dovecot, apparently, doesn't have permission to read/write there. I can see that some dovecot processes run as vmail, others as dovecot or dovenull, still others as root (!). I'm unclear after much reading of docs what I /should/ see here and what I should change.
[T] jeff@nantes-m1:postfix $ ps axfu | grep dovec
root 607 0.0 0.3 4612 3360 ? Ss 10:12 0:00 /usr/sbin/dovecot -F
dovecot 637 0.0 0.1 4248 1072 ? S 10:12 0:00 \_ dovecot/anvil
root 9852 0.0 0.2 4388 2940 ? S 16:54 0:00 \_ dovecot/log
dovecot 9907 0.0 0.2 4396 2828 ? S 16:54 0:00 \_ dovecot/stats
root 9908 0.0 0.4 5664 4188 ? S 16:54 0:00 \_ dovecot/config
dovenull 9976 0.0 0.6 8476 6584 ? S 16:58 0:00 \_ dovecot/imap-login
vmail 9978 0.0 0.5 6940 5572 ? S 16:58 0:00 \_ dovecot/imap
dovenull 10023 0.0 0.6 8472 6584 ? S 17:04 0:00 \_ dovecot/imap-login
vmail 10024 0.0 0.5 6884 5516 ? S 17:04 0:00 \_ dovecot/imap
jeff 10952 0.0 0.0 8904 672 pts/1 S+ 17:33 0:00 | \_ grep --color=auto dovec
[T] jeff@nantes-m1:postfix $
2. Authorisation on sending
Using thunderbird I try to send an email from my workstation as jeff@mobilitains.fr (myself, as this host sees it) to another user (myself somewhere else).
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: connect from 10.244.88.92.rev.sfr.net[92.88.244.10]
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: Anonymous TLS connection established from 10.244.88.92.rev.sfr.net[92.88.244.10]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: warning: SASL: Connect to private/auth failed: No such file or directory
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: fatal: no SASL authentication mechanisms
Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning: process /usr/lib/postfix/sbin/smtpd pid 10971 exit status 1
Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
So I'm failing to connect, but the error about private/auth is quite unclear to me. I think what I've configured is that plaintext auth is disabled unless on a SSL/TLS connection, and SSL/TLS connections are required, so plaintext over SSL/TLS is the rule. There's an error related to smtpd startup, though I'm unclear what that means, since postfix is running. I think it means it can't run smtpd to send the mail, but why and where configured is unclear to me.
[T] jeff@nantes-m1:conf.d $ cat 10-auth.conf | grep -vE '^#' | uniq
disable_plaintext_auth = yes
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_mechanisms = plain
!include auth-passwdfile.conf.ext
[T] jeff@nantes-m1:conf.d $
[T] jeff@nantes-m1:conf.d $ cat auth-passwdfile.conf.ext
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
#
# This is heavily modified from the ubuntu dovecot distribution file.
passdb {
driver = passwd-file
# args = scheme=CRYPT username_format=%u /etc/dovecot/users
# args = username_format=%u scheme=ssha512 /etc/dovecot/passwd.db
args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
deny = no
master = no
pass = no
skip = never
result_failure = continue
result_internalfail = continue
result_success = return-ok
}
userdb {
driver = static
args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
}
[T] jeff@nantes-m1:conf.d $
My config:
[T] jeff@nantes-m1:~ $ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS ext4
# Hostname: nantes-m1.p27.eu
auth_debug = yes
auth_verbose = yes
mail_home = /var/mail/vmail/%d/%n
mail_location = maildir:/var/mail/vmail/%d/%n/mail:LAYOUT=fs
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
passdb {
args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
driver = passwd-file
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_after = /var/mail/vmail/sieve-after
sieve_before = /var/mail/vmail/sieve-before
sieve_dir = ~/sieve
}
protocols = " imap"
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0600
user = postfix
}
}
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
}
ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
driver = static
}
verbose_ssl = yes
protocol lda {
deliver_log_format = msgid=%m: %$
mail_plugins = sieve
postmaster_address = postmaster@{{ primary_domain }}
quota_full_tempfail = yes
rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
mail_max_userip_connections = 20
}
[T] jeff@nantes-m1:~ $
[T] jeff@nantes-m1:postfix $ postconf -Mf
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
...
-- Jeff Abrahamson +33 6 24 40 01 57 +44 7920 594 255
On 2021-01-24 18:50, Jeff Abrahamson wrote:
On 24/01/2021 15:42, Jeff Abrahamson wrote:
I've set up a new dovecot+postfix instance with virtual (not system) users. [...]
Thanks to several responses here (many thanks!) and much further hacking, I have moved further.
I now have two problems that I'm hitting my head on. (I've posted my config below.)
- Delivery has a permission error, but I don't see what is causing it.
- Authorisation on sending is failing.
- Delivery
I send mail to jeff@mobilitains.fr, which I think should be an authorised user.
Jan 24 17:19:02 nantes-m1 postfix/qmgr[8025]: 8640AA0C71: from=<jeff@p27.eu>, size=4737, nrcpt=1 (queue active)
Jan 24 17:19:02 nantes-m1 dovecot: lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied (euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/, dir owned by 4000:4000 mode=0755)
Jan 24 17:19:02 nantes-m1 dovecot: lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied (euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/, dir owned by 4000:4000 mode=0755)

This looks to me as if dovecot lda is trying to deliver as user jeff (uid 1000) instead of the configured uid 4000 from static userdb. Try to set auth_debug = yes and/or mail_debug = yes to see what's going on.

Jan 24 17:19:02 nantes-m1 dovecot: lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: Mailbox INBOX: Failed to autocreate mailbox: Internal error occurred. Refer to server log for more information. [2021-01-24 17:19:02]
Jan 24 17:19:02 nantes-m1 dovecot: lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: msgid=<45693641-2b61-815d-6129-feb9c4e3608a@p27.eu>: save failed to open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox: Internal error occurred. Refer to server log for more information. [2021-01-24 17:19:02]
Jan 24 17:19:02 nantes-m1 postfix/local[10626]: 8640AA0C71: to=<jeff@nantes-m1.p27.eu>, orig_to=<jeff@mobilitains.fr>, relay=local, delay=593, delays=593/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: lda(jeff): Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied )

For this, see https://doc.dovecot.org/installation_guide/upgrading/from-2.2-to-2.3/?highli...

Now I know what the words mean: it wants to create the mail directory where I've asked it to, in /var/mail/vmail/%d/%n/mail, and it's hitting a permission error, because that directory is owned by vmail and that bit of dovecot, apparently, doesn't have permission to read/write there. I can see that some dovecot processes run as vmail, others as dovecot or dovenull, still others as root (!). I'm unclear after much reading of docs what I _should_ see here and what I should change.

[T] jeff@nantes-m1:postfix $ ps axfu | grep dovec
root 607 0.0 0.3 4612 3360 ? Ss 10:12 0:00 /usr/sbin/dovecot -F
dovecot 637 0.0 0.1 4248 1072 ? S 10:12 0:00 \_ dovecot/anvil
root 9852 0.0 0.2 4388 2940 ? S 16:54 0:00 \_ dovecot/log
dovecot 9907 0.0 0.2 4396 2828 ? S 16:54 0:00 \_ dovecot/stats
root 9908 0.0 0.4 5664 4188 ? S 16:54 0:00 \_ dovecot/config
dovenull 9976 0.0 0.6 8476 6584 ? S 16:58 0:00 \_ dovecot/imap-login
vmail 9978 0.0 0.5 6940 5572 ? S 16:58 0:00 \_ dovecot/imap
dovenull 10023 0.0 0.6 8472 6584 ? S 17:04 0:00 \_ dovecot/imap-login
vmail 10024 0.0 0.5 6884 5516 ? S 17:04 0:00 \_ dovecot/imap
jeff 10952 0.0 0.0 8904 672 pts/1 S+ 17:33 0:00 | \_ grep --color=auto dovec
[T] jeff@nantes-m1:postfix $
- Authorisation on sending
Using thunderbird I try to send an email from my workstation as jeff@mobilitains.fr (myself, as this host sees it) to another user (myself somewhere else).
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: connect from 10.244.88.92.rev.sfr.net[92.88.244.10]
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: Anonymous TLS connection established from 10.244.88.92.rev.sfr.net[92.88.244.10]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: warning: SASL: Connect to private/auth failed: No such file or directory

You configured postfix with smtpd_sasl_path = private/auth but dovecot is configured to create the socket as

service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0600
user = postfix
}
}

You need to fix either the postfix or the dovecot configuration.

Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: fatal: no SASL authentication mechanisms

I have set auth_mechanisms in 10-auth.conf to auth_mechanisms = plain login

See also the postfix documentation: http://www.postfix.org/SASL_README.html#server_dovecot

Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning: process /usr/lib/postfix/sbin/smtpd pid 10971 exit status 1
Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
So I'm failing to connect, but the error about private/auth is quite unclear to me. I think what I've configured is that plaintext auth is disabled unless on a SSL/TLS connection, and SSL/TLS connections are required, so plaintext over SSL/TLS is the rule. There's an error related to smtpd startup, though I'm unclear what that means, since postfix is running. I think it means it can't run smtpd to send the mail, but why and where configured is unclear to me.
-- Christian Kivalo
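Jeff's opening question (does Postfix delegate SASL to Dovecot, and where does it learn who may connect) and Christian's diagnosis come down to two settings agreeing: Postfix's smtpd_sasl_path and the unix_listener Dovecot creates under service auth. The checker below is an added example for this page, not code from the thread or from either project: it parses `postconf -n` and `doveconf -n` output, resolves a relative Postfix socket path against queue_directory as SASL_README describes, checks that the postfix user can open the socket Dovecot creates, and confirms auth_mechanisms offers PLAIN or LOGIN. The embedded sample configs are constructed from the values quoted in the thread; queue_directory = /var/spool/postfix (the Ubuntu default) and Dovecot's default listener mode of 0600 are assumptions.

```python
import os
import sys

SEP = " :: "  # joins nested Dovecot block names; '/' would collide with socket paths


def parse_postconf(text):
    """`postconf -n` -> {parameter: value}; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
        else:
            key, sep, value = raw.partition("=")
            if sep:
                last = key.strip()
                params[last] = value.strip()
    return params


def parse_doveconf(text):
    """`doveconf -n` -> (settings, blocks). Nested keys are joined with SEP, e.g.
    'service auth :: unix_listener /path :: mode'; blocks lists each '{' block."""
    settings, blocks, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            blocks.append(tuple(stack))
        elif line == "}":
            stack.pop()
        else:
            key, sep, value = line.partition("=")
            if sep:
                settings[SEP.join(stack + [key.strip()])] = value.strip()
    return settings, blocks


def postfix_sasl_socket(params):
    """A relative smtpd_sasl_path is resolved against queue_directory
    (SASL_README: private/auth means $queue_directory/private/auth)."""
    path = params.get("smtpd_sasl_path", "smtpd")  # Postfix default
    return path if os.path.isabs(path) else os.path.join(
        params.get("queue_directory", "/var/spool/postfix"), path)


def dovecot_auth_sockets(settings, blocks):
    """{absolute path: options} for every unix_listener inside `service auth`.
    A relative listener path would live under base_dir; not handled here."""
    sockets = {}
    for block in blocks:
        if len(block) == 2 and block[0] == "service auth" and block[1].startswith("unix_listener "):
            prefix = SEP.join(block) + SEP
            sockets[block[1].split(None, 1)[1]] = {
                k[len(prefix):]: v for k, v in settings.items() if k.startswith(prefix)}
    return sockets


def postfix_can_connect(opts):
    """Connecting to a unix socket needs write permission on it (assumed Dovecot default mode 0600)."""
    mode = int(opts.get("mode", "0600"), 8)
    return (opts.get("user") == "postfix"
            or (opts.get("group") == "postfix" and bool(mode & 0o020))
            or bool(mode & 0o002))


def check_sasl_wiring(postconf_text, doveconf_text):
    """Findings as strings; an empty list means both sides agree."""
    findings, params = [], parse_postconf(postconf_text)
    settings, blocks = parse_doveconf(doveconf_text)
    if params.get("smtpd_sasl_type", "cyrus") != "dovecot":
        findings.append("smtpd_sasl_type is not 'dovecot': Postfix will not ask Dovecot at all")
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes' in main.cf (master.cf -o overrides not checked)")
    wanted, sockets = postfix_sasl_socket(params), dovecot_auth_sockets(settings, blocks)
    if wanted not in sockets:
        findings.append(f"socket mismatch: Postfix expects {wanted}, Dovecot creates "
                        f"{sorted(sockets) or 'no unix_listener under service auth'}")
    elif not postfix_can_connect(sockets[wanted]):
        findings.append(f"{wanted} exists but its user/group/mode do not let the postfix user connect")
    mechs = settings.get("auth_mechanisms", "plain").lower().split()
    if not {"plain", "login"} & set(mechs):
        findings.append(f"auth_mechanisms = {' '.join(mechs)} offers neither plain nor login")
    return findings


# Constructed sample input reproducing the values quoted in the thread;
# queue_directory is the Ubuntu default, added here as an assumption.
POSTCONF_SAMPLE = """\
queue_directory = /var/spool/postfix
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
"""
DOVECONF_MISMATCH = """\
auth_mechanisms = plain
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
"""
# Same Dovecot config with the listener named as Postfix expects, plus LOGIN.
DOVECONF_FIXED = DOVECONF_MISMATCH.replace("private/dovecot-auth", "private/auth") \
    .replace("auth_mechanisms = plain", "auth_mechanisms = plain login")

if __name__ == "__main__":  # usage: python3 check_sasl.py postconf-n.txt doveconf-n.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as p, open(sys.argv[2]) as d:
            found = check_sasl_wiring(p.read(), d.read())
    else:
        found = check_sasl_wiring(POSTCONF_SAMPLE, DOVECONF_MISMATCH)
    print("\n".join(found) or "OK: Postfix and Dovecot agree on the SASL socket")
```

On the server itself, `postconf -n > /tmp/p.txt; doveconf -n > /tmp/d.txt; python3 check_sasl.py /tmp/p.txt /tmp/d.txt` reports the mismatch from the thread; with no arguments it runs against the embedded sample. It reads main.cf values only, so a smtpd_sasl_path set per service with `-o` in master.cf has to be merged in by hand, and a socket that exists on disk but is unreachable because smtpd is chrooted elsewhere is outside what this static check can see.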