On 12/07/2024 23:13, John R. Levine via Postfix-users wrote:
Hi, now that Viktor spotted the config error and fixed yesterday's
problem, I'm back with what I hope is another dumb question. Having
wrestled Cyrus authentication to a draw, now I'm trying Dovecot which
I would have hoped would be easier. It's the same Debian box.
First I set up Dovecot and got its password and user databases
working. I can log in for IMAP or POP and it works fine. I have auth
debug turned on so it has lots to say about the auth request:
Jul 12 17:00:12 debian12 systemd[1]: Reloaded dovecot.service -
Dovecot IMAP/POP3 email server.
Jul 12 17:00:34 debian12 dovecot[50374]: auth: Debug: Loading modules
from directory: /usr/lib/dovecot/modules/auth
Jul 12 17:00:34 debian12 dovecot[50374]: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Jul 12 17:00:34 debian12 dovecot[50374]: auth: Debug: Read auth token
secret from /run/dovecot/auth-token-secret.dat
Jul 12 17:00:34 debian12 dovecot[50374]: auth: Debug: passwd-file
/etc/dovecot/users:Read 3 users in 0 secs
Jul 12 17:00:34 debian12 dovecot[50374]: auth: Debug: auth client
connected (pid=50378)
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug: client in:
AUTH 1 PLAIN service=pop3 secured=tls
session=wc+dLBMdP/6sEJ0B lip=172.16.157.132
rip=172.16.157.1 lport=995 rport=65087 resp=<hidden>
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug:
passwd-file(m...@exotic.qy,172.16.157.1,<wc+dLBMdP/6sEJ0B>):
Performing passdb lookup
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug:
passwd-file(m...@exotic.qy,172.16.157.1,<wc+dLBMdP/6sEJ0B>): lookup:
user=m...@exotic.qy file=/etc/dovecot/users
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug:
passwd-file(m...@exotic.qy,172.16.157.1,<wc+dLBMdP/6sEJ0B>): Finished
passdb lookup
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug:
auth(m...@exotic.qy,172.16.157.1,<wc+dLBMdP/6sEJ0B>): Auth request
finished
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug: client passdb
out: OK 1 user=m...@exotic.qy
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug: master in:
REQUEST 288227329 50378 1
f96e98986ac3499414a988ea001efb34 session_pid=50382
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug:
passwd-file(m...@exotic.qy,172.16.157.1,<wc+dLBMdP/6sEJ0B>):
Performing userdb lookup
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug:
passwd-file(m...@exotic.qy,172.16.157.1,<wc+dLBMdP/6sEJ0B>): lookup:
user=m...@exotic.qy file=/etc/dovecot/users
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug:
passwd-file(m...@exotic.qy,172.16.157.1,<wc+dLBMdP/6sEJ0B>): Finished
userdb lookup
Jul 12 17:00:50 debian12 dovecot[50374]: auth: Debug: master userdb
out: USER 288227329 m...@exotic.qy uid=1000 gid=1000
home=/home/mailuser/users/user2 auth_mech=PLAIN
Jul 12 17:00:50 debian12 dovecot[50374]: pop3-login: Login:
user=<m...@exotic.qy>, method=PLAIN, rip=172.16.157.1,
lip=172.16.157.132, mpid=50382, TLS, session=<wc+dLBMdP/6sEJ0B>
Jul 12 17:00:51 debian12 dovecot[50374]:
pop3(m...@exotic.qy)<50382><wc+dLBMdP/6sEJ0B>: Disconnected: Logged
out top=0/0, retr=0/0, del=0/1, size=275
Then, having done what I think the postfix and dovecot manuals said, I
try port 465 SMTP AUTH with the same user:
Jul 12 17:01:24 debian12 postfix/submissions/smtpd[50383]: connect
from unknown[172.16.157.1]
Jul 12 17:01:44 debian12 postfix/submissions/smtpd[50383]: warning:
SASL authentication failure: Password verification failed
Jul 12 17:01:44 debian12 postfix/submissions/smtpd[50383]: warning:
unknown[172.16.157.1]: SASL plain authentication failed:
authentication failure, sasl_username=m...@exotic.qy
Jul 12 17:01:46 debian12 postfix/submissions/smtpd[50383]: disconnect
from unknown[172.16.157.1] ehlo=1 auth=0/1 quit=1 commands=2/3
It looks like postfix didn't even try to contact the auth server. It
has the usual socket configured
and lsof says that Dovecot is listening on that socket. The socket is
owned by postfix and I am
reasonably sure the directories in the path allow postfix to open it.
I'm baffled.
Actual config stuff below, since this is my own test system. TIA.
R's,
John
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 3.6
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = test.qy, $myhostname, debian12.qy, localhost.qy,
localhost
myhostname = debian12.qy
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_sasl_type = dovecot
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_path = private/auth
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
smtputf8_enable = yes
virtual_gid_maps = static:1000
virtual_mailbox_base = /home/mailuser
virtual_mailbox_domains = exotic.qy
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:1000
# lsof | grep private/auth
dovecot 50124 root 58u unix
0x0000000027be7a65 0t0 944146 /var/spool/postfix/private/auth
type=STREAM (LISTEN)
# dovecot -n
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 6.1.0-18-arm64 aarch64 Debian 12.6
# Hostname: debian12.qy
auth_debug = yes
auth_mechanisms = plain login
auth_username_chars =
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace {
inbox = yes
location =
mailbox {
special_use = \Drafts
name = Drafts
}
mailbox {
special_use = \Junk
name = Junk
}
mailbox {
special_use = \Sent
name = Sent
}
mailbox {
special_use = \Sent
name = Sent Messages
}
mailbox {
special_use = \Trash
name = Trash
}
prefix =
name = inbox
}
passdb {
args = /etc/dovecot/users
driver = passwd-file
}
protocols = " imap pop3"
service replication-notify-fifo {
name = aggregator
}
service anvil-auth-penalty {
name = anvil
}
service auth-worker {
name = auth-worker
}
service {
unix_listener {
group = postfix
mode = 0666
user = postfix
path = /var/spool/postfix/private/auth
}
name = auth
}
service config {
name = config
}
... there is more but it doesn't say anything about auth or postfix ...
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
Hi John
I didn't see anywhere what your value of smtpd_sasl_type is (as
applicable to the sasl type used by the smtp server. This is the setting
that matters in this context). If you left it at the default value it
will be = cyrus and not dovecot.
Not relevant to this context, I did see that you had set smtp_sasl_type =
dovecot, which is the setting for the smtp client. In any case, the smtp
client only supports cyrus, not dovecot sasl, so that setting is invalid,
though not your current issue.
https://www.postfix.org/SASL_README.html#server_dovecot
"The Postfix SMTP and the LMTP client can authenticate with a remote
SMTP server via the Cyrus SASL framework. At this time, the Dovecot SASL
implementation does not provide client functionality."
John
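
The two points in the reply above, written as a check over `postconf -n` output. This is an added example, not code from either poster or from the Postfix project; the function names are hypothetical and it assumes the site intends Dovecot SASL for the SMTP server.

```shell
#!/bin/sh
# Added example: lint main.cf settings (as printed by `postconf -n`) for a
# site that intends to use Dovecot SASL on the Postfix SMTP server.
# Limitation: `postconf -n` shows main.cf only; per-service "-o" overrides
# in master.cf are not visible in its output.

# get_param NAME TEXT -> value of NAME in TEXT, empty if not set explicitly
get_param() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# check_sasl_conf TEXT -> one finding per line; exit status 1 on any finding
check_sasl_conf() {
    conf=$1
    status=0
    # Server side: an unset smtpd_sasl_type means the default, cyrus.
    server_type=$(get_param smtpd_sasl_type "$conf")
    effective=${server_type:-cyrus}
    if [ "$effective" != "dovecot" ]; then
        echo "server: smtpd_sasl_type is effectively $effective; set smtpd_sasl_type = dovecot"
        status=1
    fi
    # Client side: the SMTP and LMTP clients only support Cyrus SASL.
    for p in smtp_sasl_type lmtp_sasl_type; do
        client_type=$(get_param "$p" "$conf")
        if [ -n "$client_type" ] && [ "$client_type" != "cyrus" ]; then
            echo "client: $p=$client_type is not supported; remove it or use cyrus"
            status=1
        fi
    done
    return $status
}

# The two SASL lines from the postconf -n output quoted in this thread.
BROKEN_CONF='smtp_sasl_type = dovecot
smtpd_sasl_path = private/auth'

# Constructed corrected version (assumption: Dovecot SASL on the server only).
FIXED_CONF='smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth'

check_sasl_conf "$BROKEN_CONF" || true
check_sasl_conf "$FIXED_CONF" && echo "fixed config: no findings"
```

On a live system the same check can be fed with `check_sasl_conf "$(postconf -n)"`.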