Struggling to get dovecot working with postfix auth

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Thu Oct 11 12:30:54 EEST 2018 

Hi,

I am trying to create an authenticated relay server using Postfix and Dovecot.

However I am having two problems :

(a) If I create a dovecot config entry as follows :

  unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }

Dovecot is unable to create the socket ?  I thought surely if dovecot is started as root it should create the socket before dropping privileges ?

(b) The alternative method of TCP SASL is not working either:
250 DSN
ehlo localhost
250-foobar.example.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN <none_of_your_business>
535 5.7.8 Error: authentication failed:

and in the logs...
2018-10-11T10:17:40.491483+01:00 X postfix-authrelay/smtpd[18312]: warning: X[X]: SASL PLAIN authentication failed:

####
#### postconf
####

>postconf -a
cyrus
dovecot

> postconf -c /etc/postfix-authrelay | fgrep sasl
broken_sasl_auth_clients = no
cyrus_sasl_config_path =
lmtp_sasl_auth_cache_name =
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions $smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions $smtpd_recipient_restrictions $address_verify_sender_dependent_default_transport_maps $address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps $fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps $mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps $sender_dependent_default_transport_maps $sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps $smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps $virtual_uid_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map
send_cyrus_sasl_authzid = no
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = inet:localhost:7425
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtp
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot




####
#### DOVECONF
####

> doveconf -n
# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.1 (d9bc6dfe)
# OS: Linux 4.12.14-lp150.12.19-default x86_64
# Hostname: test.example.com
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
  inet_listener {
    address = 127.0.0.1
    port = 7425
  }
  inet_listener {
    address = ::1
    port = 7425
  }
# If I disable this, dovecot loads fine, but the tcp auth is unusable ?
# If I enable this, dovecot is unable to create the socket ?
#  unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
#    group = postfix
#    mode = 0666
#    user = postfix
#  }
}
ssl = no
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}

More information about the dovecot mailing list