No AUTH PLAIN with dovecot 2.0.19
Hi
I have installed the package dovecot-postfix on Ubuntu 12.04 LTS:
dovecot --version: 2.0.19
postconf -d | grep version: 2.9.6
and receiving email works very fine, but relaying email does not work.
I think the problem is that after STARTTLS the authentication is not being executed
250-AUTH PLAIN 250-AUTH=PLAIN
which means using telnet returns
telnet mx2.wyona.com 587
Trying 50.116.54.197...
Connected to node3.wyona.com.
Escape character is '^]'.
220 node3.members.linode.com ESMTP Postfix (Ubuntu)
EHLO letscallitevil.com
250-node3.members.linode.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
So far I have used dovecot version 1.2.9, which works very fine, but the configuration
/etc/dovecot/dovecot.conf
seems to be very different in the case of dovecot version 2.0.19.
I have checked all kind of tutorials for several days now, like for example
https://help.ubuntu.com/10.04/serverguide/postfix.html
but nothing helped.
Any pointers or help is very much appreciated.
Thanks
Michael
On 29.09.2014 at 14:53, Michael Wechner wrote:
telnet is worthless because AUTH is likely announced *after STARTTLS* http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
oh my god, another server in the linode-zombie network that's bad neighbourhood and you should avoid a PTR ending with "members.linode.com" which is generic and here blocked because I have never seen any legit mail from Linode but 24 hours each day attacks or spam delivery attempts
http://www.mxpolice.com/email-security/importance-of-ptr-records-for-reliabl...
Hi Harald
Thanks very much for your quick reply. Please see my answers inline below
On 29.09.14 at 15:01, Reindl Harald wrote:
right, but when requesting for example mail.wyona.com, then I can see AUTH
telnet mail.wyona.com 587
Trying 195.226.6.75...
Connected to mx1.wyona.com.
Escape character is '^]'.
220 mail.wyona.com ESMTP Postfix (Ubuntu)
EHLO wyona.com
250-mail.wyona.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
or also when using ngrep
T 195.226.6.75:587 -> 10.10.1.102:58990 [AP] 250-mail.wyona.com..250-PIPELINING..250-SIZE 10240000..250-VRFY..250-ETRN..250-STARTTLS..250-AUTH PLAIN..250-AUTH=PLAIN..250-ENHANCEDSTATUSCODES. .250-8BITMIME..250 DSN..
hence I would assume to see it also for the new version of postfix and dovecot, or do I misunderstand something?
http://www.mxpolice.com/email-security/importance-of-ptr-records-for-reliabl...
thanks for pointing this out. I have set it now according to
https://www.linode.com/docs/networking/dns/adding-dns-records/
and it should work within the next 24 hours (at least that's what linode says).
Thanks
Michael
On 29.09.2014 at 15:21, Michael Wechner wrote:
depends on the servers configuration
hence I would assume to see it also for the new version of postfix and dovecot, or do I misunderstand something?
yes, you did not read http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
if the server is configured in a way it offers AUTH only over an encrypted channel (recommended) then you need to use STARTTLS before you see the capability and for that telnet is just the wrong tool
On 29.09.14 at 15:30, Reindl Harald wrote:
AUTH
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
the new server config reads (postfix mail_version = 2.7.0):
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
and the old server config reads:
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_sender_domain, reject_rbl_client multi.uribl.com, reject_rbl_client bl.spamcop.net, reject_rbl_client opm.blitzed.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl.njabl.org
which means both configs are using
smtpd_sasl_security_options = noanonymous
But also when I am not using telnet, but Thunderbird for example, with the new server I never receive a dialog to enter a password as I do with the old server. This is the reason why I started to have the idea that no authentication is being requested in the first place (and hence the relay was rejected).
Thanks
Michael
On 29.09.2014 at 15:51, Michael Wechner wrote:
- check postfix master.cf for chroot - only explicit "n" disabled it
- check configuration of the private/dovecot-auth (permissions and so on)
- look at your logs careful
that is my part in dovecot.conf:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
that's my part in postfix's main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
well, both are unchanged for a very long time and survived a lot of dist-upgrades (Fedora) as well as Dovecot/Postfix
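The first two items of Harald's checklist (the master.cf chroot flag and the private/ socket) can be checked mechanically. The script below is an added example for this thread, not code posted by any list member: it reads the chroot column of master.cf, works out the absolute path that a relative or absolute `smtpd_sasl_path` resolves to for a chrooted or non-chrooted smtpd, and compares it with the `unix_listener` path Dovecot creates. The master.cf excerpt and the listener path are constructed values (the thread shows Harald's listener path but not the one from Michael's dovecot 2.0.19 package config, so read the real one from `doveconf -n`); `socket_status` is a hypothetical helper of this example. The two `smtpd_sasl_path` spellings it tries are the ones quoted in the thread, `private/auth` on the old server and `private/dovecot-auth` on the new one.

```python
"""Resolve where Postfix will open the Dovecot auth socket and compare it with
the path Dovecot creates.  Added example for this thread, not code posted by
any list member; all names are this example's own."""
import os
import stat

# Constructed master.cf excerpt in the Ubuntu layout (8 columns, "-" = default).
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""


def smtpd_chrooted(master_cf: str, service: str = "smtp", default_chroot: bool = True) -> bool:
    """Return the chroot flag of the given inet service.

    A "-" in the chroot column means the Postfix default, which is "y" in the
    Postfix 2.x versions discussed in the thread (Postfix 3.0 changed it to
    "n").  On 2.x only an explicit "n" disables the jail, as Harald says."""
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue  # blank, comment, or an indented "-o key=value" continuation
        cols = line.split()
        if len(cols) >= 8 and cols[0] == service and cols[1] == "inet":
            flag = cols[4].lower()
            return default_chroot if flag == "-" else flag == "y"
    raise ValueError(f"service {service!r} of type inet not found in master.cf")


def resolve_sasl_socket(sasl_path: str, chrooted: bool,
                        queue_directory: str = "/var/spool/postfix") -> str:
    """Absolute filesystem path that smtpd_sasl_path refers to.

    Postfix daemons chdir to $queue_directory, so a relative path is always
    below it.  A chrooted smtpd additionally interprets an absolute path
    relative to the jail, i.e. also below $queue_directory."""
    if not sasl_path.startswith("/"):
        return os.path.join(queue_directory, sasl_path)
    if chrooted:
        return os.path.join(queue_directory, sasl_path.lstrip("/"))
    return sasl_path


def check_auth_socket(master_cf: str, sasl_path: str, dovecot_listener: str,
                      service: str = "smtp",
                      queue_directory: str = "/var/spool/postfix") -> dict:
    """Compare the path Postfix will open with the unix_listener Dovecot creates."""
    expected = resolve_sasl_socket(sasl_path, smtpd_chrooted(master_cf, service),
                                   queue_directory)
    return {
        "postfix_opens": expected,
        "dovecot_creates": dovecot_listener,
        "match": os.path.normpath(expected) == os.path.normpath(dovecot_listener),
    }


def socket_status(path: str) -> dict:
    """Live check on this host: does the path exist, is it a socket, and which
    mode/owner does it have (compare with mode/user/group in service auth)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"exists": False}
    return {
        "exists": True,
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


if __name__ == "__main__":
    # Listener path is a constructed value; take the real one from `doveconf -n`.
    for sasl_path in ("private/auth", "private/dovecot-auth"):
        report = check_auth_socket(MASTER_CF, sasl_path, "/var/spool/postfix/private/auth")
        print(sasl_path, "->", report)
        if report["match"]:
            print("  socket:", socket_status(report["postfix_opens"]))
```

Run it on the mail host as root so `socket_status` can stat the socket; a `match` of False means Postfix and Dovecot simply disagree on the file name, which no amount of auth_debug logging on the Dovecot side will show, because the request never reaches Dovecot.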
thanks very much for your configuration. It seems with dovecot 2.0.19 the configuration has changed quite a bit and things have been split into several files (http://wiki2.dovecot.org/QuickConfiguration)
sudo grep -rl postfix /etc/dovecot/*
/etc/dovecot/conf.d/10-master.conf
/etc/dovecot/conf.d/01-mail-stack-delivery.conf
and included inside dovecot.conf (!include conf.d/*.conf)
I finally found that auth_debug is inside
/etc/dovecot/conf.d/10-logging.conf
I will turn on the logging and hopefully better understand what is happening.
Thanks
Michael
On 29.09.14 at 16:00, Reindl Harald wrote:
below
On 29.09.2014 at 20:45, Michael Wechner wrote:
it's your choice to have one dovecot.conf containing all settings and is independent of the version
frankly my self built RPM deletes all config files before the %files section to have no orphaned / unused crap on the production machines and the one and only configuration is "dovecot.conf"
yes, that makes sense. I also did now
doveconf -n > /etc/dovecot/dovecot.conf
but I still do not know why the configuration does not work.
I have now downgraded to
Postfix 2.7.0 Dovecot 1.2.9
also using apt-get install dovecot-postfix
but it also did not work with this older version and the corresponding "default" configuration.
But I have copied now the old configuration to this "new" setup and it works now. So I would argue there must be something wrong with the "default" configuration when using the package dovecot-postfix. I will try to find out and send a note in case I will find out.
Thanks
Michael
On 29.09.14 at 20:59, Reindl Harald wrote:
On Mon, 29 Sep 2014, Reindl Harald wrote:
To test STARTTLS try this:
a) gnutls-cli -p 587 --starttls smtp
   STARTTLS
   ^D
The ^D lets gnutls perform the SSL handshake, then you can type again.
b) openssl s_client -connect smtp:587 -starttls smtp
Steffen Kaiser
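Steffen's gnutls-cli and openssl s_client commands do by hand what the thread is really about: read the EHLO capabilities, negotiate STARTTLS, and read them again. The script below is an added example for this thread (not code from any list member) that does the same with Python's standard smtplib, so the "before" and "after" AUTH lists can be compared in one run; a plain telnet session, as Harald pointed out, only ever sees the "before" list. The two EHLO replies embedded in it are constructed, modelled on the old and new server transcripts earlier in the thread; `probe_submission` is this example's own name and needs network access, everything else runs offline. Hiding AUTH until the channel is encrypted is the behaviour Postfix's `smtpd_tls_auth_only = yes` produces, and is the recommended one, since PLAIN sends the password in the clear otherwise.

```python
"""Show which AUTH mechanisms a submission server advertises before and after
STARTTLS.  Added example for this thread, not code posted by any list member."""
import smtplib
import ssl

# Constructed EHLO replies modelled on the two servers in the thread: the old
# server lists AUTH on the plaintext EHLO, the new server does not.
OLD_SERVER_EHLO = (
    "250-mail.wyona.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-VRFY\r\n"
    "250-ETRN\r\n250-STARTTLS\r\n250-AUTH PLAIN\r\n250-AUTH=PLAIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n"
)
NEW_SERVER_EHLO = (
    "250-node3.members.linode.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n250 DSN\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Map EHLO keywords to their parameter lists, e.g. {"SIZE": ["10240000"]}.

    The first 250 line (the server name) is skipped.  "AUTH=PLAIN", the extra
    line Postfix emits with broken_sasl_auth_clients = yes, is folded into AUTH."""
    caps = {}
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l.startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()          # drop "250-" or "250 "
        if not body:
            continue
        keyword, *params = body.split()
        if keyword.upper().startswith("AUTH="):
            keyword, first = keyword.split("=", 1)
            params = [first] + params
        keyword = keyword.upper()
        caps.setdefault(keyword, [])
        for p in params:
            if p not in caps[keyword]:
                caps[keyword].append(p)
    return caps


def auth_mechanisms(reply: str) -> list:
    """SASL mechanisms advertised in this EHLO reply ([] if AUTH is absent)."""
    return parse_ehlo(reply).get("AUTH", [])


def advertises_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def _live_mechanisms(smtp: smtplib.SMTP) -> list:
    """smtplib keeps EHLO keywords in esmtp_features; Postfix's 'AUTH=PLAIN'
    line lands there as '=PLAIN', so strip the '=' and de-duplicate."""
    raw = smtp.esmtp_features.get("auth", "").replace("=", " ").split()
    return sorted(set(m.upper() for m in raw))


def probe_submission(host: str, port: int = 587, timeout: float = 15) -> dict:
    """Live check: EHLO, STARTTLS, EHLO again.  The capability list must be
    re-read after the handshake; that second EHLO is what telnet cannot do."""
    result = {"starttls": False, "auth_before_tls": [], "auth_after_tls": []}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["auth_before_tls"] = _live_mechanisms(smtp)
        if not smtp.has_extn("starttls"):
            return result
        result["starttls"] = True
        smtp.starttls(context=ssl.create_default_context())  # verifies the cert
        smtp.ehlo()
        result["auth_after_tls"] = _live_mechanisms(smtp)
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_submission(sys.argv[1]))
    else:
        for name, reply in (("old server", OLD_SERVER_EHLO), ("new server", NEW_SERVER_EHLO)):
            print(f"{name}: STARTTLS={advertises_starttls(reply)} AUTH={auth_mechanisms(reply)}")
```

Run with the submission host as the single argument. A healthy TLS-only setup reports an empty `auth_before_tls` and `["PLAIN"]` (or more) in `auth_after_tls`; if both lists are empty after a successful STARTTLS, the problem is not the telnet test but the smtpd/Dovecot SASL wiring, which is where Harald's checklist applies.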
Hi Steffen
Thanks very much for the hint. I will give it a try later today.
Michael
On 30.09.14 at 08:24, Steffen Kaiser wrote:
On 29.09.2014 at 14:53, Michael Wechner wrote:
However you might fix that problem, it would be better to go to Trusty, which has a more recent version
http://packages.ubuntu.com/trusty/dovecot-core
2.2.9
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein