Darren Pilgrim
2013-Feb-19 11:38 UTC
[Dovecot] Dovecot auth works when tested with doveadm, but fails with Postfix
I have three postfix 2.9.5 servers: chombo, rush, yoshi. Chombo relays
to rush and yoshi for outbound email. Outbound relay requires SASL
authentication. Rush and yoshi run Dovecot 2.1.12 servers with simple
passwd-file backends.
If I create a new password hash for chombo's user, houseloki, on either
rush or yoshi:
# doveadm pw -u houseloki -p <password>
{CRAM-MD5}...
Then I add that to rush and yoshi's passwd file:
houseloki at _auth.bluerosetech.com:{CRAM-MD5}...
Then `doveadm reload`, it works fine:
# doveadm auth houseloki <password>
passdb: houseloki auth succeeded
extra fields:
user=houseloki at _auth.bluerosetech.com
So I add that username and password to the smtp_sasl_password_maps hash
file on chombo, reload postfix, and then try to relay something from
chombo, it fails with rush and yoshi logging warnings like:
Feb 19 03:32:33 yoshi postfix/smtpd[75783]: warning:
chombo.example.com[2001:db8::2]: SASL DIGEST-MD5 authentication failed:
<really long string redacted>
Rush and yoshi have other hashes in their passwd files, and if I
configure chombo to use one of those, it works fine. Those hashes use
digest-md5 and are at least a few years old. I tried that scheme
instead of the default cram-md5, as well as several others, but none
work. I've poured over the wiki and man pages, but can't find the
problem.
What am I missing? Why can I not generate new hashes correctly?
Timo Sirainen
2013-Feb-22 11:30 UTC
[Dovecot] Dovecot auth works when tested with doveadm, but fails with Postfix
If you want both CRAM-MD5 and DIGEST-MD5 auth, the password must be in plaintext format. http://wiki2.dovecot.org/Authentication/Mechanisms#Non-plaintext_authentication (In theory it would be possible to have both CRAM-MD5 and DIGEST-MD5 hashes stored in the passdb and have Dovecot use the one that's needed, but currently this isn't supported.) On 19.2.2013, at 13.38, Darren Pilgrim <list_dovecot at bluerosetech.com> wrote:> I have three postfix 2.9.5 servers: chombo, rush, yoshi. Chombo relays to rush and yoshi for outbound email. Outbound relay requires SASL authentication. Rush and yoshi run Dovecot 2.1.12 servers with simple passwd-file backends. > > If I create a new password hash for chombo's user, houseloki, on either rush or yoshi: > > # doveadm pw -u houseloki -p <password> > {CRAM-MD5}... > > Then I add that to rush and yoshi's passwd file: > > houseloki at _auth.bluerosetech.com:{CRAM-MD5}... > > Then `doveadm reload`, it works fine: > > # doveadm auth houseloki <password> > passdb: houseloki auth succeeded > extra fields: > user=houseloki at _auth.bluerosetech.com > > So I add that username and password to the smtp_sasl_password_maps hash file on chombo, reload postfix, and then try to relay something from chombo, it fails with rush and yoshi logging warnings like: > > Feb 19 03:32:33 yoshi postfix/smtpd[75783]: warning: chombo.example.com[2001:db8::2]: SASL DIGEST-MD5 authentication failed: <really long string redacted> > > Rush and yoshi have other hashes in their passwd files, and if I configure chombo to use one of those, it works fine. Those hashes use digest-md5 and are at least a few years old. I tried that scheme instead of the default cram-md5, as well as several others, but none work. I've poured over the wiki and man pages, but can't find the problem. > > What am I missing? Why can I not generate new hashes correctly? >