<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I've set up a new dovecot+postfix instance with virtual (not
system) users.<br>
</p>
<p>I've a few questions, mostly about auth. I <i>think</i> that
postfix handles auth by asking dovecot.<br>
</p>
<p>Users need to provide user + password to send (smtps) and receive
(imaps). I see where I've configured this for dovecot, which is
/etc/dovecot/passwd.db. That file contains lines like this:</p>
<blockquote>
<p><tt><a class="moz-txt-link-abbreviated"
href="mailto:jeff@mobilitains.fr">jeff@mobilitains.fr</a>:{BLF-CRYPT}$2y$05$c...</tt></p>
</blockquote>
<p>What concerns me is that I see occasional log items like this:</p>
<blockquote>
<p><tt>Jan 24 11:26:33 nantes-m1 postfix/smtpd[4597]: fatal: no
SASL authentication mechanisms</tt><br>
</p>
</blockquote>
<p>(Also, I can't connect with thunderbird.)<br>
</p>
<p>But I think I've configured SASL auth, so I'm not sure what to
look at / how to debug this. I'm looking for suggestions how to
approach this.<br>
</p>
<p>I do not see how postfix knows who is allowed to connect,
however. Am I correct that postfix delegates SASL to dovecot?
This is the relevant config, I think:</p>
<blockquote>
<p><tt>[T] jeff@nantes-m1:log $ doveconf -n<br>
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf<br>
# Pigeonhole version 0.5.7.2 ()<br>
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS <br>
# Hostname: nantes-m1.p27.eu<br>
auth_verbose = yes<br>
mail_location = mbox:~/mail:INBOX=/var/mail/%u<br>
mail_privileged_group = mail<br>
namespace inbox {<br>
inbox = yes<br>
location = <br>
mailbox Archive {<br>
auto = subscribe<br>
special_use = \Archive<br>
}<br>
mailbox Drafts {<br>
auto = subscribe<br>
special_use = \Drafts<br>
}<br>
mailbox Junk {<br>
auto = subscribe<br>
special_use = \Junk<br>
}<br>
mailbox Sent {<br>
auto = subscribe<br>
special_use = \Sent<br>
}<br>
mailbox Trash {<br>
auto = subscribe<br>
special_use = \Trash<br>
}<br>
prefix = <br>
}<br>
passdb {<br>
args = username_format=%u scheme=blf-crypt
/etc/dovecot/passwd.db<br>
driver = passwd-file<br>
}<br>
plugin {<br>
sieve = <a class="moz-txt-link-freetext" href="file:~/sieve;active=~/.dovecot.sieve">file:~/sieve;active=~/.dovecot.sieve</a><br>
sieve_after = /var/mail/vmail/sieve-after<br>
sieve_before = /var/mail/vmail/sieve-before<br>
sieve_dir = ~/sieve<br>
}<br>
protocols = " imap"<br>
ssl = required<br>
ssl_cert =
</etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem<br>
ssl_client_ca_dir = /etc/ssl/certs<br>
ssl_dh = # hidden, use -P to show it<br>
ssl_key = # hidden, use -P to show it<br>
userdb {<br>
args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n<br>
driver = static<br>
}<br>
protocol lda {<br>
deliver_log_format = msgid=%m: %$<br>
mail_plugins = sieve<br>
postmaster_address = postmaster@{{ primary_domain }}<br>
quota_full_tempfail = yes<br>
rejection_reason = Your message to <%t> was
automatically rejected:%n%r<br>
}<br>
protocol imap {<br>
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
tb-lsub-flags<br>
mail_max_userip_connections = 20<br>
}<br>
[T] jeff@nantes-m1:log $ <br>
<br>
</tt></p>
<p><tt>[T] jeff@nantes-m1:log $ postconf -n | grep -i sasl<br>
broken_sasl_auth_clients = yes<br>
smtpd_recipient_restrictions =
reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender<br>
smtpd_relay_restrictions = permit_mynetworks
permit_sasl_authenticated defer_unauth_destination<br>
smtpd_sasl_auth_enable = yes<br>
smtpd_sasl_authenticated_header = yes<br>
smtpd_sasl_local_domain =<br>
smtpd_sasl_path = private/auth<br>
smtpd_sasl_security_options = noanonymous<br>
smtpd_sasl_type = dovecot<br>
<br>
</tt><tt>[T] jeff@nantes-m1:log $ postconf -Mf</tt><tt><br>
</tt><tt>smtp inet n - y -
- smtpd</tt><tt><br>
</tt><tt>submission inet n - y -
- smtpd</tt><tt><br>
</tt><tt> -o syslog_name=postfix/submission</tt><tt><br>
</tt><tt> -o smtpd_tls_security_level=encrypt</tt><tt><br>
</tt><tt> -o smtpd_sasl_auth_enable=yes</tt><tt><br>
</tt><tt> -o smtpd_client_restrictions=</tt><tt><br>
</tt><tt> -o smtpd_helo_restrictions=</tt><tt><br>
</tt><tt> -o smtpd_sender_restrictions=</tt><tt><br>
</tt><tt> -o smtpd_recipient_restrictions=</tt><tt><br>
</tt><tt> -o
smtpd_relay_restrictions=permit_sasl_authenticated,reject</tt><tt><br>
</tt><tt> -o milter_macro_daemon_name=ORIGINATING</tt><tt><br>
</tt><tt>smtps inet n - y -
- smtpd</tt><tt><br>
</tt><tt> -o syslog_name=postfix/smtps</tt><tt><br>
</tt><tt> -o smtpd_tls_wrappermode=yes</tt><tt><br>
</tt><tt> -o smtpd_sasl_auth_enable=yes</tt><tt><br>
</tt><tt> -o smtpd_reject_unlisted_recipient=no</tt><tt><br>
</tt><tt> -o smtpd_client_restrictions=</tt><tt><br>
</tt><tt> -o smtpd_helo_restrictions=</tt><tt><br>
</tt><tt> -o smtpd_sender_restrictions=</tt><tt><br>
</tt><tt> -o smtpd_recipient_restrictions=</tt><tt><br>
</tt><tt> -o
smtpd_relay_restrictions=permit_sasl_authenticated,reject</tt><tt><br>
</tt><tt> -o milter_macro_daemon_name=ORIGINATING<br>
...</tt><br>
</p>
</blockquote>
<p>Many thanks for any pointers.</p>
<p>I'm also a bit confused on how to test it, really, short of
connecting with a regular email client (mutt, thunderbird, etc.).
If there are more appropriate tools that I've missed, I'm quite
open to pointers.<br>
</p>
<pre class="moz-signature" cols="72">--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
<a class="moz-txt-link-freetext" href="http://p27.eu/jeff/">http://p27.eu/jeff/</a>
<a class="moz-txt-link-freetext" href="http://transport-nantes.com/">http://transport-nantes.com/</a></pre>
</body>
</html>