Re: dovecot sasl with postfix, smtp auth not available

2023-04-24 Thread Michael Peddemors

On 2023-04-23 11:53, Benny Pedersen wrote:

> dovecot--- via dovecot wrote on 2023-04-23 20:25:
>>> I tried to enable it on postfix smtp_sasl_auth_enable, but it was
>>> not advertised.
>>
>> That is because "smtp" is not the same as "smtpd".
>>
>>     http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable
>
> port 25 should not support sasl auth; make this an override in master.cf
> so it is only on port 465 or 587
>
> when remote MTAs blindly try sasl auth on port 25 they miss a
> password and give up, after wasting resources on both ends

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


FYI, +1...

Especially since some email clients STILL fallback to insecure password 
auth attempts on port 25, resulting in sending email passwords across 
the internet in plain text.


Everyone should adopt this policy by default. Turning off AUTH on 
insecure connections has been shown to reduce email compromise levels by up 
to 90%.


Reminder, this also applies to POP/IMAP.

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: dovecot sasl with postfix, smtp auth not available

2023-04-24 Thread Markus Winkler

Hi Badli,

thanks for the information.

A few hints:
If possible, please avoid using HTML mails.
And for outputs like 'postconf -n': please use an attached text file if 
your MUA (OL) isn't able to transfer them in a proper way.



I would suggest the following changes:



1. postconf -n

[...]

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot


As Benny already wrote: delete them from your main.cf as port 25 should not 
be used for authentication.





2. postconf -M

[...]

smtps inet n - - - -        smtpd

[...]

-o smtpd_client_restrictions= permit_sasl_authenticated, reject
                             ^
-o milter_macro_daemon_name= ORIGINATING
                            ^

In master.cf: please take care that you don't specify whitespaces around 
the '=', at least if you're using the short form shown above.


Some more examples, where you should check and change the master.cf 
regarding this:



submission inet n - - - -    smtpd

[...]

-o smtpd_sasl_security_options= noanonymous
-o smtpd_client_restrictions= permit_sasl_authenticated, reject
-o smtpd_sender_login_maps= hash:/etc/postfix/virtual
-o smtpd_sender_restrictions= reject_sender_login_mismatch
-o smtpd_recipient_restrictions= reject_non_fqdn_recipient ...




Regarding the authentication part(s) themselves:

The configuration of the submission port seems correct to me and 
authentication should work. You can test it this way:


openssl s_client -connect www.zystro.xyz:587 -starttls smtp


For the smtps port you should add at least the following to the existing 
configuration of your master.cf:



smtps inet n - - - -  smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING


  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous


You can test it this way:

openssl s_client -connect www.zystro.xyz:465


After connecting successfully (to 465 & 587), in both cases using 'ehlo 
foo' you should see entries like these:


[...]
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
[...]


If not, we need the logs. ;-)

HTH and regards,
Markus



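The whitespace rule Markus points out above can be checked mechanically before a master.cf is reloaded. The following is an added example written for this page, not code from the thread or from Postfix. It assumes Postfix's short override form, where each `-o` takes exactly one `name=value` word, and skips the braced `-o { name = value }` form, which does allow whitespace. The sample master.cf is constructed, modelled on the smtps and submission entries quoted in the thread.

```python
# Added example (not from the thread or Postfix): lint master.cf '-o' overrides
# for whitespace around '=', the mistake discussed in the thread.
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    option: str
    problem: str


def lint_master_cf(text: str) -> list[Finding]:
    """Report every '-o' override whose name=value pair is split by whitespace.

    In master.cf's short form each '-o' takes exactly one word. Writing
    '-o name= value' therefore hands Postfix an empty value for 'name' and
    passes 'value' on to the daemon as an unexpected extra argument.
    """
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue  # comment line
        tokens = raw.split()
        for i, tok in enumerate(tokens):
            if tok != "-o":
                continue
            if i + 1 >= len(tokens):
                findings.append(Finding(line_no, "", "'-o' without an argument"))
                continue
            arg = tokens[i + 1]
            after = tokens[i + 2] if i + 2 < len(tokens) else None
            if arg == "{":
                continue  # '-o { name = value }' form: whitespace is allowed there
            if "=" not in arg:
                # '-o name = value' or '-o name =value': '=' is not attached to the name
                findings.append(Finding(
                    line_no, arg,
                    "'=' not attached to the option name; write name=value"))
            elif arg.endswith("=") and after is not None and after != "-o":
                # '-o name= value': empty value plus stray words. A bare '-o name='
                # at the end of the line or before the next '-o' is a legitimate
                # empty value and is not reported.
                findings.append(Finding(
                    line_no, arg.rstrip("="),
                    "empty value followed by stray words; remove the space after '='"))
    return findings


# Constructed sample, modelled on the smtps/submission entries in the thread.
SAMPLE_MASTER_CF = """\
# constructed sample, not a real master.cf
smtp       inet  n       -       y       -       -       smtpd
smtps      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions= permit_sasl_authenticated, reject
  -o milter_macro_daemon_name= ORIGINATING
submission inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=
"""

if __name__ == "__main__":
    for f in lint_master_cf(SAMPLE_MASTER_CF):
        print(f"master.cf:{f.line_no}: {f.option}: {f.problem}")
```

Run against the sample, only the two smtps lines with a space after `=` are reported; the `-o smtpd_milters=` line with a deliberately empty value is accepted. Pointing `lint_master_cf` at the real file (`open("/etc/postfix/master.cf").read()`) before `postfix reload` catches the mistake without having to watch the mail log for it.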


Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread Badli Al Rashid
Hi Markus,

The output as follows.

1. postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
cafile = /etc/letsencrypt/live/www.zystro.xyz/cert.pem
compatibility_level = 3.5
disable_vrfy_command = yes
home_mailbox = Mailbox
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 1048576000
maximal_backoff_time = 3h
message_size_limit = 10485760
minimal_backoff_time = 180s
mydestination = $mydomain, $myhostname, localhost
mydomain = zystro.xyz
myhostname = www.zystro.xyz
mynetworks_style = host
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_always_send_ehlo = yes
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtp_sasl_auth_enable = yes
smtp_tls_CAfile = $cafile
smtp_tls_cert_file = $tcert
smtp_tls_key_file = $tkey
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_limit = 40
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_timeout = 30s
smtpd_tls_cert_file = $tcert
smtpd_tls_key_file = $tkey
smtpd_tls_security_level = encrypt
strict_rfc821_envelopes = yes
tcert = /etc/letsencrypt/live/www.zystro.xyz/fullchain.pem
tkey = /etc/letsencrypt/live/www.zystro.xyz/privkey.pem
virtual_alias_maps = hash:/etc/postfix/virtual
root@www:~#


2. postconf -M
smtp inet n - y - - smtpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp -o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions= permit_sasl_authenticated, reject -o milter_macro_daemon_name= ORIGINATING
submission inet n - - - - smtpd -o smtpd_etrn_restrictions=reject -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options= noanonymous -o smtpd_sasl_local_domain=$mydomain -o smtpd_client_restrictions= permit_sasl_authenticated, reject -o smtpd_sender_login_maps= hash:/etc/postfix/virtual -o smtpd_sender_restrictions= reject_sender_login_mismatch -o smtpd_recipient_restrictions= reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated,reject
root@www:~#


Regards,
-badli


From: Markus Winkler 
Sent: Monday, April 24, 2023, 05:33
To: dovecot@dovecot.org 
Subject: Re: dovecot sasl with postfix, smtp auth not available

Hi Badli,

On 23.04.23 05:15, Badli Al Rashid wrote:
> Anybody got any ideas ?

please post the output of:

1) postconf -n
2) postconf -M

Regards,
Markus

Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread Badli Al Rashid
Hi Benny,

master.cf already has entries for 465 and 587, as I followed the guide.

Noted and thank you.

Regards,
-badli


From: Benny Pedersen 
Sent: Monday, April 24, 2023, 02:54
To: dovecot@dovecot.org 
Subject: Re: dovecot sasl with postfix, smtp auth not available

dovecot--- via dovecot wrote on 2023-04-23 20:25:
>> I tried to enable it on postfix smtp_sasl_auth_enable, but it was
>> not advertised.
>
> That is because "smtp" is not the same as "smtpd".
>
> http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable

port 25 should not support sasl auth; make this an override in master.cf
so it is only on port 465 or 587

when remote MTAs blindly try sasl auth on port 25 they miss a
password and give up, after wasting resources on both ends


Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread Markus Winkler

Hi Badli,

On 23.04.23 05:15, Badli Al Rashid wrote:
> Anybody got any ideas ?


please post the output of:

1) postconf -n
2) postconf -M

Regards,
Markus


Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread Benny Pedersen

dovecot--- via dovecot wrote on 2023-04-23 20:25:
>> I tried to enable it on postfix smtp_sasl_auth_enable, but it was
>> not advertised.
>
> That is because "smtp" is not the same as "smtpd".
>
> http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable

port 25 should not support sasl auth; make this an override in master.cf
so it is only on port 465 or 587

when remote MTAs blindly try sasl auth on port 25 they miss a
password and give up, after wasting resources on both ends



Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread dovecot--- via dovecot

> I tried to enable it on postfix smtp_sasl_auth_enable, but it was not
> advertised.


That is because "smtp" is not the same as "smtpd".

http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable


Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread Tom Hendrikx via dovecot

Hi,

There is also a feature in postfix where AUTH is only advertised over 
TLS (i.e. port 465, or port 25/587 after STARTTLS).


https://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

On 23-04-2023 14:41, Badli Al Rashid wrote:
>> logs
> No logs as I have to redo a new setup.
>
>> bound to fail
> I was only trying to check if the smtp-auth is advertised by doing ehlo.
>
>> where is this change ?
> My client ip was listed in sorbs.net. I could not connect to the smtp
> server.
>
>> how do you know its postfix ?
> Because I did an apt install postfix on the node. dovecot is on the same
> node.
>
> Regards,
> -badli
>
> From: Benny Pedersen
> Sent: Sunday, April 23, 2023, 20:22
> To: dovecot@dovecot.org
> Subject: Re: dovecot sasl with postfix, smtp auth not available
>
> Badli Al Rashid wrote on 2023-04-23 13:06:
>
>> My apologies, I am not using dovecot as the submission server; I am using
>> postfix with dovecot-sasl.
>
> then post doveconf -n that shows it
>
>> I was not able to authenticate: when testing from a webmail using a
>> username to authenticate over the smtp connection, it fails.
>
> logs
>
>> I could authenticate normally using port 465 / 587 but it is blocked at
>> the moment.
>
> where is this change ?
>
>> When checking there was no smtp-auth on the smtp listed. I tried to
>> enable it on postfix
>> smtp_sasl_auth_enable, but it was not advertised.
>>
>> # telnet 127.0.0.1 25
>
> bound to fail
>
>> Should the smtp advertise smtp-auth when dovecot-sasl is enabled on the
>> postfix ?
>
> how do you know its postfix ?
>
> to help more it's essential to know which part is failing
>
> random questions give random answers


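The EHLO expectations stated across the thread (no AUTH on port 25, AUTH on 465 and 587 only once TLS is up, no anonymous mechanism, which is what Tom's smtpd_tls_auth_only pointer and Markus's '250-AUTH PLAIN LOGIN' check both come down to) can be turned into a check over a captured reply. The following is an added example written for this page, not code from the thread, from Postfix or from Dovecot. The policy it encodes is the one the thread argues for; the sample replies are constructed, one modelled on the port-25 telnet transcript posted elsewhere in the thread and one on what a working submission port should show after STARTTLS.

```python
# Added example (not from the thread, Postfix or Dovecot): parse an EHLO reply
# and check it against the thread's policy for where AUTH may be advertised.
import re

_EHLO_LINE = re.compile(r"^250[ -](\S+)(?:\s+(.*))?$")


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Return {KEYWORD: [params]} from a multi-line EHLO reply.

    The first 250 line is the server's greeting (its hostname), not a
    capability, so it is skipped. 'AUTH=PLAIN LOGIN' is the legacy spelling
    that broken_sasl_auth_clients=yes adds for old clients; it is folded
    into the AUTH keyword so both spellings count once.
    """
    caps: dict[str, list[str]] = {}
    greeting_seen = False
    for line in reply.splitlines():
        m = _EHLO_LINE.match(line.strip())
        if not m:
            continue
        if not greeting_seen:
            greeting_seen = True
            continue
        keyword, params = m.group(1).upper(), (m.group(2) or "")
        if keyword.startswith("AUTH="):
            params = keyword[len("AUTH="):] + (" " + params if params else "")
            keyword = "AUTH"
        values = caps.setdefault(keyword, [])
        for p in params.split():
            if p.upper() not in values:
                values.append(p.upper())
    return caps


def check_auth_policy(port: int, tls_active: bool, reply: str) -> list[str]:
    """List policy violations for an EHLO reply seen on `port`.

    tls_active is True once STARTTLS has completed (587) or on the
    implicit-TLS wrapper port (465); False for a plaintext session.
    """
    caps = parse_ehlo(reply)
    auth = caps.get("AUTH", [])
    problems: list[str] = []
    if auth and not tls_active:
        problems.append(f"port {port}: AUTH offered before TLS; a client could send "
                        "its password in clear text")
    if port == 25 and auth:
        problems.append("port 25: AUTH offered on the MTA-to-MTA port; keep SASL on "
                        "465/587 via master.cf overrides")
    if port in (465, 587) and tls_active and not auth:
        problems.append(f"port {port}: no AUTH offered; check smtpd_sasl_auth_enable "
                        "and the Dovecot auth socket")
    if port == 587 and not tls_active and "STARTTLS" not in caps:
        problems.append("port 587: STARTTLS not offered; smtpd_tls_security_level="
                        "encrypt is not in effect")
    if "ANONYMOUS" in auth:
        problems.append(f"port {port}: ANONYMOUS mechanism offered; set "
                        "smtpd_sasl_security_options=noanonymous")
    return problems


# Constructed: modelled on the plaintext port-25 transcript posted in the thread.
EHLO_PORT25 = """\
250-www.zystro.xyz
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
"""

# Constructed: what a correctly configured submission port shows after STARTTLS.
EHLO_587_TLS = """\
250-www.zystro.xyz
250-PIPELINING
250-SIZE 10485760
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 CHUNKING
"""

# Constructed: a misconfigured port 25 that also leaks AUTH before STARTTLS.
EHLO_PORT25_BAD = EHLO_PORT25.replace("250-STARTTLS\n", "250-STARTTLS\n250-AUTH PLAIN LOGIN\n")

if __name__ == "__main__":
    for port, tls, reply in ((25, False, EHLO_PORT25), (587, True, EHLO_587_TLS),
                             (25, False, EHLO_PORT25_BAD), (465, True, EHLO_PORT25)):
        print(port, check_auth_policy(port, tls, reply) or "ok")
```

The reply text can be pasted straight from the `openssl s_client -starttls smtp` / `openssl s_client` sessions Markus suggests; pass `tls_active=True` for those, since both have TLS established by the time EHLO is answered, and `False` for a plain telnet to port 25.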


Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread Badli Al Rashid
> logs
No logs as I have to redo a new setup.

> bound to fail
I was only trying to check if the smtp-auth is advertised by doing ehlo.

> where is this change ?
My client ip was listed in sorbs.net. I could not connect to the smtp server.

> how do you know its postfix ?
Because I did an apt install postfix on the node. dovecot is on the same node.

Regards,
-badli


From: Benny Pedersen 
Sent: Sunday, April 23, 2023, 20:22
To: dovecot@dovecot.org 
Subject: Re: dovecot sasl with postfix, smtp auth not available

Badli Al Rashid wrote on 2023-04-23 13:06:

> My apologies, I am not using dovecot as the submission server; I am using
> postfix with dovecot-sasl.

then post doveconf -n that shows it

> I was not able to authenticate: when testing from a webmail using a
> username to authenticate over the smtp connection, it fails.

logs

> I could authenticate normally using port 465 / 587 but it is blocked at
> the moment.

where is this change ?

> When checking there was no smtp-auth on the smtp listed. I tried to
> enable it on postfix
> smtp_sasl_auth_enable, but it was not advertised.
>
> # telnet 127.0.0.1 25

bound to fail

> Should the smtp advertise smtp-auth when dovecot-sasl is enabled on the
> postfix ?

how do you know its postfix ?

to help more it's essential to know which part is failing

random questions give random answers



Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread Benny Pedersen

Badli Al Rashid wrote on 2023-04-23 13:06:

> My apologies, I am not using dovecot as the submission server; I am using
> postfix with dovecot-sasl.

then post doveconf -n that shows it

> I was not able to authenticate: when testing from a webmail using a
> username to authenticate over the smtp connection, it fails.

logs

> I could authenticate normally using port 465 / 587 but it is blocked at
> the moment.

where is this change ?

> When checking there was no smtp-auth on the smtp listed. I tried to
> enable it on postfix
> smtp_sasl_auth_enable, but it was not advertised.
>
> # telnet 127.0.0.1 25

bound to fail

> Should the smtp advertise smtp-auth when dovecot-sasl is enabled on the
> postfix ?

how do you know its postfix ?

to help more it's essential to know which part is failing

random questions give random answers



Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread Badli Al Rashid
Hi,

My apologies, I am not using dovecot as the submission server; I am using 
postfix with dovecot-sasl.

I was not able to authenticate: when testing from a webmail using a username 
to authenticate over the smtp connection, it fails.

I could authenticate normally using port 465 / 587 but it is blocked at the 
moment.

When checking there was no smtp-auth on the smtp listed. I tried to enable it 
on postfix
smtp_sasl_auth_enable, but it was not advertised.

# telnet 127.0.0.1 25

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 www.zystro.xyz
ehlo x.zystro.xyz
250-www.zystro.xyz
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
421 4.4.2 www.zystro.xyz Error: timeout exceeded
Connection closed by foreign host.

Should the smtp advertise smtp-auth when dovecot-sasl is enabled on the 
postfix ?

Thank you.

Regards,
-badli


From: dovecot--- via dovecot 
Sent: Sunday, April 23, 2023, 15:22
To: dovecot@dovecot.org 
Subject: Re: dovecot sasl with postfix, smtp auth not available

> On 04-22-2023 11:15 pm, Badli Al Rashid wrote:
>> I have set up dovecot sasl with postfix. When I check the smtp with ehlo
>> there is no auth advertised.


There shouldn't be on port 25. Users should do email submission on port 587 or 
465.

But if you really want there to be...
http://www.postfix.org/postconf.5.html#smtp_sasl_auth_enable

FYI; Just in case it was confusing, dovecot does not take submission email nor 
answers ehlo, that is a postfix thing.


Re: dovecot sasl with postfix, smtp auth not available

2023-04-23 Thread dovecot--- via dovecot

On 04-22-2023 11:15 pm, Badli Al Rashid wrote:
> I have set up dovecot sasl with postfix. When I check the smtp with ehlo there
> is no auth advertised.



There shouldn't be on port 25. Users should do email submission on port 587 or 
465.

But if you really want there to be...
http://www.postfix.org/postconf.5.html#smtp_sasl_auth_enable

FYI; Just in case it was confusing, dovecot does not take submission email nor 
answers ehlo, that is a postfix thing.