New dovecot server, authentication confusion
Jeff Abrahamson
jeff at p27.eu
Sun Jan 24 16:40:12 EET 2021
I've set up a new dovecot+postfix instance with virtual (not system) users.
I've a few questions, mostly about auth. I /think/ that postfix handles
auth by asking dovecot.
Users need to provide user + password to send (smtps) and receive
(imaps). I see where I've configured this for dovecot, which is
/etc/dovecot/passwd.db. That file contains lines like this:
jeff at mobilitains.fr:{BLF-CRYPT}$2y$05$c...
What concerns me is that I see occasional log items like this:
Jan 24 11:26:33 nantes-m1 postfix/smtpd[4597]: fatal: no SASL
authentication mechanisms
(Also, I can't connect with thunderbird.)
But I think I've configured SASL auth, so I'm not sure what to look at /
how to debug this. I'm looking for suggestions how to approach this.
I do not see how postfix knows who is allowed to connect, however. Am I
correct that postfix delegates SASL to dovecot? This is the relevant
config, I think:
[T] jeff at nantes-m1:log $ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS
# Hostname: nantes-m1.p27.eu
auth_verbose = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
passdb {
args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
driver = passwd-file
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_after = /var/mail/vmail/sieve-after
sieve_before = /var/mail/vmail/sieve-before
sieve_dir = ~/sieve
}
protocols = " imap"
ssl = required
ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
driver = static
}
protocol lda {
deliver_log_format = msgid=%m: %$
mail_plugins = sieve
postmaster_address = postmaster@{{ primary_domain }}
quota_full_tempfail = yes
rejection_reason = Your message to <%t> was automatically
rejected:%n%r
}
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
tb-lsub-flags
mail_max_userip_connections = 20
}
[T] jeff at nantes-m1:log $
[T] jeff at nantes-m1:log $ postconf -n | grep -i sasl
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender
smtpd_relay_restrictions = permit_mynetworks
permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
[T] jeff at nantes-m1:log $ postconf -Mf
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
...
Many thanks for any pointers.
I'm also a bit confused on how to test it, really, short of connecting
with a regular email client (mutt, thunderbird, etc.). If there are
more appropriate tools that I've missed, I'm quite open to pointers.
--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
http://p27.eu/jeff/
http://transport-nantes.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20210124/2df3ec39/attachment-0001.html>
More information about the dovecot
mailing list