New dovecot server, authentication confusion

Jeff Abrahamson jeff at p27.eu
Sun Jan 24 16:40:12 EET 2021


I've set up a new dovecot+postfix instance with virtual (not system) users.

I've a few questions, mostly about auth.  I /think/ that postfix handles
auth by asking dovecot.

Users need to provide user + password to send (smtps) and receive
(imaps).  I see where I've configured this for dovecot, which is
/etc/dovecot/passwd.db.  That file contains lines like this:

    jeff at mobilitains.fr:{BLF-CRYPT}$2y$05$c...

What concerns me is that I see occasional log items like this:

    Jan 24 11:26:33 nantes-m1 postfix/smtpd[4597]: fatal: no SASL
    authentication mechanisms

(Also, I can't connect with thunderbird.)

But I think I've configured SASL auth, so I'm not sure what to look at /
how to debug this.  I'm looking for suggestions on how to approach this.

I do not see how postfix knows who is allowed to connect, however.  Am I
correct that postfix delegates SASL to dovecot?  This is the relevant
config, I think:

    [T] jeff at nantes-m1:log $ doveconf -n
    # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.5.7.2 ()
    # OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS
    # Hostname: nantes-m1.p27.eu
    auth_verbose = yes
    mail_location = mbox:~/mail:INBOX=/var/mail/%u
    mail_privileged_group = mail
    namespace inbox {
      inbox = yes
      location =
      mailbox Archive {
        auto = subscribe
        special_use = \Archive
      }
      mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
      }
      mailbox Junk {
        auto = subscribe
        special_use = \Junk
      }
      mailbox Sent {
        auto = subscribe
        special_use = \Sent
      }
      mailbox Trash {
        auto = subscribe
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
      driver = passwd-file
    }
    plugin {
      sieve = file:~/sieve;active=~/.dovecot.sieve
      sieve_after = /var/mail/vmail/sieve-after
      sieve_before = /var/mail/vmail/sieve-before
      sieve_dir = ~/sieve
    }
    protocols = " imap"
    ssl = required
    ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
    ssl_client_ca_dir = /etc/ssl/certs
    ssl_dh = # hidden, use -P to show it
    ssl_key = # hidden, use -P to show it
    userdb {
      args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
      driver = static
    }
    protocol lda {
      deliver_log_format = msgid=%m: %$
      mail_plugins = sieve
      postmaster_address = postmaster@{{ primary_domain }}
      quota_full_tempfail = yes
      rejection_reason = Your message to <%t> was automatically rejected:%n%r
    }
    protocol imap {
      imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
      mail_max_userip_connections = 20
    }
    [T] jeff at nantes-m1:log $

    [T] jeff at nantes-m1:log $ postconf -n | grep -i sasl
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot

    [T] jeff at nantes-m1:log $ postconf -Mf
    smtp       inet  n       -       y       -       -       smtpd
    submission inet  n       -       y       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
    smtps      inet  n       -       y       -       -       smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_reject_unlisted_recipient=no
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
    ...

Many thanks for any pointers.

I'm also a bit confused on how to test it, really, short of connecting
with a regular email client (mutt, thunderbird, etc.).  If there are
more appropriate tools that I've missed, I'm quite open to pointers.

-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://transport-nantes.com/

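Yes, with `smtpd_sasl_type = dovecot` Postfix delegates SASL to Dovecot over the socket named by `smtpd_sasl_path` (relative paths live under Postfix's queue_directory, so `private/auth` means `/var/spool/postfix/private/auth`), and smtpd logs "fatal: no SASL authentication mechanisms" when it cannot fetch a mechanism list from that socket. The posted `doveconf -n` shows no `service auth { unix_listener ... }` exporting that socket. The checker below is an added example, not code from the post, Dovecot or Postfix; the config samples are constructed, shortened versions of the posted output plus the standard fix from the Dovecot/Postfix SASL docs, and the queue directory is an assumption.

```python
import re

# Constructed samples, not the poster's full output. Postfix side, as posted:
POSTCONF_SAMPLE = """smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
"""
# Dovecot side as posted: no `service auth` block, so nothing listens on the
# socket and smtpd cannot fetch a mechanism list ("fatal: no SASL ...").
DOVECONF_SAMPLE = """passdb {
  driver = passwd-file
}
protocols = " imap"
"""
# The usual fix from the Dovecot docs: export the auth socket to Postfix.
DOVECONF_FIXED = DOVECONF_SAMPLE + """service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
"""
QUEUE_DIR = "/var/spool/postfix"  # assumed; check `postconf -h queue_directory`

def postfix_sasl_socket(postconf_text, queue_dir=QUEUE_DIR):
    """(smtpd_sasl_type, socket path); a relative path lives under queue_directory."""
    kv = dict(re.findall(r"^(\w+)\s*=\s*(.*)$", postconf_text, re.M))
    path = kv.get("smtpd_sasl_path", "smtpd")  # Postfix defaults if unset
    if not path.startswith("/"):
        path = f"{queue_dir}/{path}"
    return kv.get("smtpd_sasl_type", "cyrus"), path

def dovecot_auth_listeners(doveconf_text):
    """unix_listener paths declared inside the top-level `service auth { }`."""
    block = re.search(r"^service auth \{(.*?)^\}", doveconf_text, re.M | re.S)
    if not block:
        return []
    return re.findall(r"^\s*unix_listener (\S+) \{", block.group(1), re.M)

def diagnose(postconf_text, doveconf_text, queue_dir=QUEUE_DIR):
    """Explain an smtpd 'fatal: no SASL authentication mechanisms' line."""
    sasl_type, sock = postfix_sasl_socket(postconf_text, queue_dir)
    if sasl_type != "dovecot":
        return f"not-dovecot: smtpd_sasl_type is {sasl_type}"
    listeners = dovecot_auth_listeners(doveconf_text)
    if sock in listeners:
        return f"ok: Dovecot exports {sock} for Postfix"
    if not listeners:
        return f"missing: no service auth unix_listener; Postfix expects {sock}"
    return f"mismatch: Postfix expects {sock}, Dovecot offers {listeners}"
```

On the server, feed the real `postconf -n` and `doveconf -n` output to `diagnose()`; anything other than "ok" names the gap between what Postfix expects and what Dovecot exports.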