[Dovecot] Trouble adding sasl support via dovecot

[Richard Troy]

Hello Folks,

I've been the admin of a site that uses Postfix with Dovecot on RedHat
since, oh, gosh, maybe 1996? It's been a long time. I've never built it
from source, though, just used the rpms (and I wonder if maybe that's my
problem now). It just works, is reliable, and lets me be a very-part-time
administrator.

Repeatedly over the last few years I've been asked to have our mail system
"join the modern age" and provide mail sending capabilities for clients
that aren't on our internal network - via their smart-phones, from home,
etc. OK... Well, way back when the site was set up, smtp servers didn't do
any kind of "auth", but along the way to solving this problem (trying to
configure pop-before-smtp, someone mentioned that Postfix now has an auth
mechanism that uses Dovecot and I should use that instead! Great!  ...
Except that I've spent between 16 and 20 hours on this with no joy, and
while I hate having to ask for help, it's time to ask what things that are
obvious to the less ignorant that I must be doing wrong... Certainly,
given the solid history of Postfix and Dovecot, I must be the problem!

My problem statement is simply, "it should be working", but doesn't, and I
don't get any announcement of "auth" when testing connections to Postfix
as per directions here:

   http://www.postfix.org/SASL_README.html#server_test

At least I haven't broken the normal functionality!

I'm building a new server on the latest Fedora Core (16), but it's lacking
in some hardware and won't be ready for a while, so I'm working with FC
14, running Postfix 2.5.6, and Dovecot 1.2.8. It uses the "cram-md5" auth
scheme (which works fine and I'd hate to change it if I don't have to).
The system has been up and functional on these versions for a couple of
years, and quite stable, we just can't send if we're not local.

When I do "postconf-a" it indicates cyrus and dovecot, so I take it that
means Postfix has been built with sasl support. (I presume this means I
don't have to compile it from source.)

First Dovecot. Its set up to provide all protocols, but only imaps and
pop3s have ports forwarded through the firewall. Plain-text auth is
disabled, ssl is set to yes, ssl_listen is not specified, and the cert and
key files are in the default locations - and work. No cipher list is used.
Dovecot's chrooted. The protocol sections imap and pop3 take ALL the
defaults, as does lda (I've ignored sendmail_path = /usr/lib/sendmail) as
I don't think it matters. "auth default {" has mechanisms set to cram-md5,
digest-md5, plain, and login, with passdb passwd-file pointing to a file
in /etc where the cram data goes. It's not using pam, and there's an OLD
comment in the config:

# Experience says we need an empty passdb - passwd group:

which is followed by passdb passwd{}. Later, there's "userdb passwd {}.

All of that was configured long ago and has been functional.

The changes I've made to add sasl support primarily pertain to the "socket
listen section of "auth default". There, the master section remains
commented out while the client section has been uncommented, the path set
to /var/spool/postfix/private/auth, mode set to 0660, and the user and
group have been set to postfix. ...This is all as described here:

    http://www.postfix.org/SASL_README.html
and
    http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

That's it for Dovecot. Now, to Postfix itself.

>From the working environ, only listening on port 25, I simply added the
following (as per directions already cited above):

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtp_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

And, of course, permit_sasl_authenticated was added to
smtpd_recipient_restrictions.


I got the impression from the baove sources that Postfix will then use
Dovecot's authentication mechanism via a socket it finds in its
private/auth subdirectory.

NOT documented in any of those places, someone suggested I must turn on
TLS. OK...

The documentation found here:

http://www.postfix.org/TLS_README.html

claims (intimates) that it's not possible to run a site on a self-signed
certificate, however, there's ZERO budget for a signed certificate, so
unless I can get one for ten bucks somewhere, that could be a
deal-breaker here. However, we've been using self-signed certificates for
a while now and wonder why an "exception" mechanism wouldn't exist. As
that web page talks about "Netscape" I suspect it's very old and may no
longer apply.

In any event, I tried this, too (after trying without). On the good side,
an available Android phone, previously reading fine, but unable to send,
no longer complained when the setup was changed to the imap username and
password, same server address, TLS security type, and the server port of
25. HOWEVER, no mail has passed through it successfully, it just gives no
error whatsoever, so far, while the server's log reports "Relay access
denied."

Notably, when setting up TLS, Postfix complained when the
smtpd_tls_key_file was incorrect, but did not complain when it was
provided properly, suggesting it's reading and accepting my self-signed
certificate and private key.

Ideas, please?!

And, by the way, what's port 465 all about? Some clients propose that's
what should be used to send...


Thanks in advance for your help,
Richard