<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>I've set up a new dovecot+postfix instance with virtual (not
      system) users.<br>
    </p>
    <p>I've a few questions, mostly about auth.  I <i>think</i> that
      postfix handles auth by asking dovecot.<br>
    </p>
    <p>Users need to provide user + password to send (smtps) and receive
      (imaps).  I see where I've configured this for dovecot, which is
      /etc/dovecot/passwd.db.  That file contains lines like this:</p>
    <blockquote>
      <p><tt><a class="moz-txt-link-abbreviated"
            href="mailto:jeff@mobilitains.fr">jeff@mobilitains.fr</a>:{BLF-CRYPT}$2y$05$c...</tt></p>
    </blockquote>
    <p>What concerns me is that I see occasional log items like this:</p>
    <blockquote>
      <p><tt>Jan 24 11:26:33 nantes-m1 postfix/smtpd[4597]: fatal: no
          SASL authentication mechanisms</tt><br>
      </p>
    </blockquote>
    <p>(Also, I can't connect with thunderbird.)<br>
    </p>
    <p>But I think I've configured SASL auth, so I'm not sure what to
      look at / how to debug this.  I'm looking for suggestions on how to
      approach this.<br>
    </p>
    <p>I do not see how postfix knows who is allowed to connect,
      however.  Am I correct that postfix delegates SASL to dovecot?
      This is the relevant config, I think:</p>
    <blockquote>
      <pre>[T] jeff@nantes-m1:log $ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS
# Hostname: nantes-m1.p27.eu
auth_verbose = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location = 
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
  driver = passwd-file
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/mail/vmail/sieve-after
  sieve_before = /var/mail/vmail/sieve-before
  sieve_dir = ~/sieve
}
protocols = " imap"
ssl = required
ssl_cert = &lt;/etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
  driver = static
}
protocol lda {
  deliver_log_format = msgid=%m: %$
  mail_plugins = sieve
  postmaster_address = postmaster@{{ primary_domain }}
  quota_full_tempfail = yes
  rejection_reason = Your message to &lt;%t&gt; was automatically rejected:%n%r
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  mail_max_userip_connections = 20
}
[T] jeff@nantes-m1:log $ 

[T] jeff@nantes-m1:log $ postconf -n | grep -i sasl
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot

[T] jeff@nantes-m1:log $ postconf -Mf
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
...</pre>
    </blockquote>
    <p>Many thanks for any pointers.</p>
    <p>I'm also a bit confused about how to test it, really, short of
      connecting with a regular email client (mutt, thunderbird, etc.).
      If there are more appropriate tools that I've missed, I'm quite
      open to pointers.<br>
    </p>
    <pre class="moz-signature" cols="72">-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

<a class="moz-txt-link-freetext" href="http://p27.eu/jeff/">http://p27.eu/jeff/</a>
<a class="moz-txt-link-freetext" href="http://transport-nantes.com/">http://transport-nantes.com/</a></pre>
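    <p>Added example (not from the post, nor code from Dovecot or Postfix): a small Python check that resolves Postfix's <tt>smtpd_sasl_path</tt> against <tt>queue_directory</tt> and verifies that the <tt>doveconf -n</tt> output declares a <tt>service auth</tt> <tt>unix_listener</tt> at that path, the piece the posted Dovecot config does not contain and without which smtpd cannot fetch a mechanism list from Dovecot. The sample configurations are constructed from the post; the socket path and the <tt>user = postfix</tt> ownership follow the documented Dovecot/Postfix pairing and are assumed here.</p>

```python
# Constructed samples modelled on the post: Postfix's SASL settings, an abridged Dovecot
# config as posted (no `service auth` block) and a corrected one that exports the socket.
POSTCONF = "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_path = private/auth\nsmtpd_sasl_type = dovecot\n"
DOVECONF_AS_POSTED = """# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
auth_verbose = yes
"""
DOVECONF_FIXED = DOVECONF_AS_POSTED + """service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    user = postfix
  }
}
"""

def parse_doveconf(text):
    """Flatten `doveconf -n` output: settings keyed by tuple path, plus the set of block paths."""
    settings, blocks, stack = {}, set(), []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                      # block header, e.g. "service auth {"
            stack.append(line[:-1].strip())
            blocks.add(tuple(stack))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            settings[tuple(stack) + (key,)] = val
    return settings, blocks

def parse_postconf(text):
    """`postconf -n` output as a flat dict (wrapped continuation lines without '=' are skipped)."""
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in text.splitlines() if "=" in l)}

def check_sasl_wiring(doveconf_text, postconf_text):
    """Findings on why smtpd could get no mechanism list from Dovecot; an empty list means wired up."""
    settings, blocks = parse_doveconf(doveconf_text)
    post = parse_postconf(postconf_text)
    findings = []
    path = post.get("smtpd_sasl_path", "")
    if not path.startswith("/"):                    # relative paths live under queue_directory
        path = post.get("queue_directory", "/var/spool/postfix") + "/" + path
    listener = ("service auth", "unix_listener " + path)
    if listener not in blocks:
        findings.append("dovecot exports no unix_listener at " + path)
    # Dovecot's default listener is root-owned mode 0600, which smtpd (user postfix) cannot open.
    elif "postfix" not in (settings.get(listener + ("user",)), settings.get(listener + ("group",))):
        findings.append(path + " is not accessible to the postfix user")
    return findings
```

    <p>Run it against the real <tt>doveconf -n</tt> and <tt>postconf -n</tt> output; a non-empty list points at the side of the socket to fix before re-testing with a client.</p>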
  </body>
</html>