dovecot and postfix, authentication issue
On 6/7/23 10:17, joe a wrote:
Greetings from a new dovecot user.
Have set up dovecot on openSUSE 15.4 with postfix as the MTA. Both are the latest version in that distribution.
Simple virtual user setup using /etc/dovecot/passwd
Dovecot seems to be working and all the defined users are authenticating well enough for imapsync to migrate files to the mailboxes.
However, when attempting to send test mail via postfix, only some users are authenticated and have mail delivered. Using swaks (smtp toolkit) the failures are: 550 5.1.1 some.user@mydomain.com: Recipient address rejected: User unknown in local recipient table
I'm puzzled, probably some simple thing overlooked. To avoid clutter, I won't include postfix items unless asked.
dovecot --version
2.3.20 (80a5ac675d)
dovecot -n
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.20 (149edcf2)
# OS: Linux 5.14.21-150400.24.66-default x86_64
# Hostname: flitch
auth_verbose = ob-fuskate
disable_plaintext_auth = no
first_valid_uid = 100
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = no
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%u
  driver = static
}
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On 7/5/2023 11:26 PM, jeremy ardley via dovecot wrote:
The issue you're experiencing might be due to the fact that you have two passdb and userdb blocks in your configuration. Dovecot will use the first passdb and userdb that successfully authenticate a user, and ignore the rest.
In your configuration, the first passdb block uses PAM for authentication, and the first userdb block uses the system's passwd file. The second passdb and userdb blocks, which use a Dovecot-specific passwd file and static userdb, will only be used if PAM authentication fails.
If some of your users are defined in the Dovecot passwd file and not in the system's passwd file, they will not be able to authenticate because Dovecot will stop at the first passdb and userdb blocks.
To fix this, you could merge your passdb and userdb blocks into single blocks that use both PAM and passwd-file/static methods. Here's an example:
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
userdb {
  driver = passwd
}
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%u
  driver = static
}
On 7/6/2023 1:09 AM, Paul Kudla wrote:
just an fyi
postfix runs its own authentication especially with virtual users
please note below is based on pgsql but the concept is the same for passwd - have not used that for a while
simply put virtual users both with postfix & dovecot works way better with a pgsql database running the show
-rw-r--r-- 1 root vmail uarch 565B Feb 20 05:30 pgsql-aliases.cf
-rw-r--r-- 1 root vmail uarch 434B Feb 20 05:30 pgsql-canonical.cf
-rw-r--r-- 1 root vmail uarch 457B Feb 20 05:31 pgsql-mydestination.cf
-rw-r--r-- 1 root vmail uarch 568B Feb 20 05:31 pgsql-virtual.cf
# cat pgsql-virtual.cf
# **** pgsql-virtual.cf ***
#
# pgsql config file for alias lookups on postfix
# comments are ok.
#
# the user name and password to log into the pgsql server
hosts = dovecot-mail18.scom.ca:5433
user = pgsql
password = xxxxxxxx
# the database name on the servers
dbname = xxxxxxx
# the table name
table = email_users
#
#Select source email address alias (ie sales@ etc aliases )
where_field = source
#Select destination email account address (final delivery)
select_field = destination
#Account Status (1=good)
additional_conditions = and status = '1'
in main.cf (postfix)
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot
#Postgres Stuff
mydestination = pgsql:/usr/home/postfix/config/pgsql-mydestination.cf
#virtual_maps=pgsql:/usr/home/postfix/config/pgsql-virtual.cf
alias_maps=pgsql:/usr/home/postfix/config/pgsql-aliases.cf
#sender_canonical_maps = pgsql:/usr/home/postfix/config/pgsql-canonical.cf
dovecot config :
# cat dovecot-pgsql.conf
driver = pgsql
connect = host=dovecot-mail18.scom.ca port=5433 dbname=xxxx user=pgsql password=xxxx
default_pass_scheme = PLAIN
password_query = SELECT username as user, password FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
user_query = SELECT home, uid, gid FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
#iterate_query = SELECT user, password FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
iterate_query = SELECT "username" as user, domain FROM email_users WHERE status = True and alias_flag = False
I can help further if need be (more complete info), just trying to point you in the right direction.
Happy Thursday !!! Thanks - paul
Paul Kudla
Scom.ca Internet Services http://www.scom.ca 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
Thanks.
This is, and should remain, a very small system of less than 10 users. I'd prefer to avoid any added complexity possible so prefer to pursue the "easy road", at this point anyway.
Thanks for the reply.
Allow me to clarify. Dovecot itself seems to have no problem authenticating any user, as tested logging in via Thunderbird, which appears to have created the users' mail directories, and using imapsync to transfer email from the "legacy" system.
The problem is that postfix does not recognize some of those users and rejects delivery. I should mention postfix and dovecot are on the same VM server.
If your example was meant to show the correct way, I cannot see any difference between that and what my posted config shows other than the sequential (contiguous?) in your example.
I followed the example shown at https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/
The PAM authentication I added at one point due to "error" statements when doing "systemctl restart dovecot.service" which mentioned PAM, yet dovecot appeared to function normally. The problem existed prior to that.
Thanks again for your comments.
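The symptom described above (Dovecot authenticates every user, Postfix rejects some as unknown) can be checked offline with the following added example, which is not code from any post in this thread. It assumes the mail domain is in Postfix's mydestination and local_recipient_maps is at its default (system passwd plus alias_maps), since the thread shows no Postfix configuration; the function names and sample data are constructed for illustration.

```python
"""Added example: which Dovecot passwd-file users would Postfix reject with
"User unknown in local recipient table"?

Assumption (the thread shows no Postfix config): the mail domain is in
mydestination and local_recipient_maps is at its default, i.e. the system
passwd database plus alias_maps. All sample data below is constructed.
"""

def parse_passwd_names(text):
    """First field of each passwd-style line (/etc/passwd or Dovecot passwd-file)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names

def parse_alias_names(text):
    """Left-hand sides of an aliases(5) file, skipping continuation lines."""
    names = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().strip('"'))
    return names

def local_part(user, local_domains):
    """Local part of a bare or local-domain user; None for other domains."""
    name, sep, domain = user.partition("@")
    if not sep:
        return name
    return name if domain in local_domains else None

def unknown_to_postfix(dovecot_passwd, system_passwd, aliases, local_domains):
    """Dovecot users that the default local recipient table does not contain."""
    known = parse_passwd_names(system_passwd) | parse_alias_names(aliases)
    rejected = []
    for user in sorted(parse_passwd_names(dovecot_passwd)):
        part = local_part(user, local_domains)
        if part is not None and part not in known:
            rejected.append(user)
    return rejected

# Constructed sample inputs (not taken from the thread).
SYSTEM_PASSWD = """root:x:0:0:root:/root:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
vmail:x:1001:1001::/home/vmail:/sbin/nologin
joe:x:1000:100:Joe:/home/joe:/bin/bash
"""
ALIASES = """# constructed aliases(5) sample
postmaster: root
"""
DOVECOT_PASSWD = """joe:{PLAIN}placeholder
alice:{PLAIN}placeholder
bob@mydomain.com:{PLAIN}placeholder
carol@other.example:{PLAIN}placeholder
postmaster:{PLAIN}placeholder
"""

if __name__ == "__main__":
    for user in unknown_to_postfix(DOVECOT_PASSWD, SYSTEM_PASSWD, ALIASES,
                                   {"mydomain.com"}):
        print("would be rejected by Postfix:", user)
```

On a live system, feed it the contents of /etc/passwd, the aliases file and /etc/dovecot/passwd; `postconf local_recipient_maps mydestination` shows whether the assumption holds.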
On 6/7/23 19:15, joe a wrote:
If your example was meant to show the correct way, I cannot see any difference between that and what my posted config shows other than the sequential (contiguous?) in your example.
Perhaps try the different configuration out? Or even better, stick to one authentication method only.
Jeremy
--
...
While this may be more properly asked on the postfix list,
ll /var/spool/postfix/private/
shows, among other things:
srw-rw-rw- 1 postfix postfix 0 Jul 5 21:50 dovecot
srw------- 1 postfix postfix 0 Jul 5 21:37 dovecot-lmtp
Is that correct?
participants (3)
- jeremy ardley
- joe a
- Paul Kudla