Mart Pirita
2009-Apr-15 09:33 UTC
[Dovecot] Postfix, Dovecot SASL and Entourage smtps authentication fails.
Hello.

I recently migrated from Sendmail 8.14.3 to Postfix 2.5.6 and switched from Cyrus-sasl 2.1.22 to Dovecot 1.1.13 sasl. All are compiled from source, and I have used Dovecot for a long time, since the alpha versions.

Everything worked well for Outlook Express, Outlook and Thunderbird clients, but smtps fails for Microsoft Entourage 2004 or 2008 clients - "Authentication failed because Entourage doesn't support any of the available authentication methods."

Similar case like - http://archives.neohapsis.com/archives/postfix/2008-09/thread.html#145

I tried everything, the config is like described on the Postfix and Dovecot sites - http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

I also tried in main.cf

smtpd_sasl_security_options =forward_secrecy

like described in http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options

But none helped. So I switched back to Cyrus-sasl and Entourage works well, like before with sendmail.

I started to search for what the reason may be, and it seems that with Dovecot sasl Postfix won't advertise the needed stuff in ehlo:

With Cyrus:

telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS

With dovecot:

telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
starttls
220 2.0.0 Ready to start TLS

Setting with Cyrus in main.cf

smtpd_tls_auth_only = no

gives even more, but still nothing with Dovecot:

telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.eeESMTP
EHLO example.com
250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So is this an Entourage or Dovecot or Postfix bug?

I would really like to drop Cyrus and use only Dovecot sasl. Any hint is welcome.

--
Mart
Timo Sirainen
2009-Apr-16 00:34 UTC
[Dovecot] Postfix, Dovecot SASL and Entourage smtps authentication fails.
On Wed, 2009-04-15 at 12:33 +0300, Mart Pirita wrote:
> With dovecot:
> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localdomain.localhost.
> Escape character is '^]'.
> 220 my.host.ee ESMTP
> EHLO example.com
> starttls
> 220 2.0.0 Ready to start TLS

Are you saying that EHLO doesn't return anything when using Dovecot SASL? Something's very broken then.
Mart Pirita
2009-Apr-16 13:18 UTC
[Dovecot] Postfix, Dovecot SASL and Entourage smtps authentication fails.
Hello.

> Are you saying that EHLO doesn't return anything when using Dovecot
> SASL?

Yes.

> Something's very broken then.

Hmm, but what?

Dovecot is compiled with options:

./configure \
--prefix=/usr \
--with-ssl=/usr/local/ssl \
--with-ssldir=/etc/ssl \
--with-rawlog \
--sysconfdir=/etc \
--without-vpopmail \
--disable-ipv6 \
--with-pam \
--without-passwd-file \
--without-checkpassword \
--without-bsdauth \
--without-static-userdb \
--without-passdb-userdb \
--without-pgsql \
--without-mysql \
--without-sqlite \
--with-rundir=/var/run/dovecot \
--without-deliver \
--without-gssapi

And runs with settings:

dovecot -n
# 1.1.13: /etc/dovecot.conf
# OS: Linux 2.6.24.2 i686 Red Hat Linux release 8.0 (Psyche)
protocols: imaps pop3 pop3s
ssl_parameters_regenerate: 0
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_log_format_elements: %u [%r] %m %c
mail_max_userip_connections(default): 90
mail_max_userip_connections(imap): 90
mail_max_userip_connections(pop3): 9
maildir_copy_preserve_filename: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
imap_client_workarounds(default): outlook-idle netscape-eoh tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(imap): outlook-idle netscape-eoh tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_logout_format(default): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(imap): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(pop3): bytes=%i/%o, del=%d/%m, size=%s
auth default:
  cache_size: 1024
  failure_delay: 3
  passdb:
    driver: pam
    args: cache_key=%u%r%s *
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix

Postfix is compiled with options:

CCARGS='-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DUSE_TLS -DUSE_SSL -I/usr/local/ssl/include -DHAS_DB -I/usr/local/db4/include -I/usr/include' \
AUXLIBS="-L/usr/local/ssl/lib -lssl -lcrypto -L/usr/local/db4/lib -ldb -L/usr/lib -ldl" \

And sasl and tls settings are:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

--
Mart
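Added example, not part of the original thread: a small Python parser for the pre-TLS EHLO replies quoted in the first message, reporting whether AUTH is advertised in the standard form, in the legacy AUTH= form that broken_sasl_auth_clients = yes adds, or not at all. The function and constant names are hypothetical; the two sample replies are copied from the Cyrus sessions in the thread, and an empty string stands in for the Dovecot session where nothing came back.

```python
import re

# EHLO replies copied from the two Cyrus telnet sessions quoted in the thread.
TLS_AUTH_ONLY_YES = """250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
TLS_AUTH_ONLY_NO = TLS_AUTH_ONLY_YES.replace(
    "250-STARTTLS", "250-STARTTLS\n250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN")
NO_REPLY = ""  # the Dovecot session: nothing came back after EHLO

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for a complete 250 reply, else None."""
    lines = [l for l in reply.splitlines() if l.strip()]
    caps, complete = {}, False
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if complete or not m or m.group(1) != "250":
            return None                  # trailing junk, garbage, or error code
        complete = m.group(2) == " "     # "250 " (space) marks the final line
        if i == 0:
            continue                     # first line is the server's hostname
        # Keep the legacy "AUTH=PLAIN LOGIN" form apart under the key "AUTH=".
        text = re.sub(r"^(AUTH=)", r"\1 ", m.group(3), flags=re.I)
        key, _, params = text.partition(" ")
        caps.setdefault(key.upper(), []).extend(params.split())
    return caps if complete else None

def diagnose(reply):
    """Summarise what a client can do with this pre-TLS EHLO reply."""
    caps = parse_ehlo(reply)
    if caps is None:
        return "no complete EHLO reply"
    mechs = caps.get("AUTH", [])
    legacy = caps.get("AUTH=", [])
    if mechs or legacy:
        return f"AUTH offered in cleartext: std={mechs} legacy={legacy}"
    if "STARTTLS" in caps:
        return "no AUTH before STARTTLS (expected with smtpd_tls_auth_only = yes)"
    return "no AUTH and no STARTTLS offered"

if __name__ == "__main__":
    for name in ("TLS_AUTH_ONLY_YES", "TLS_AUTH_ONLY_NO", "NO_REPLY"):
        print(f"{name}: {diagnose(globals()[name])}")
```

To see what a client is offered once encryption is up, the same parser can be fed the EHLO reply captured inside the TLS session.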
Timo Sirainen
2009-Apr-16 15:31 UTC
[Dovecot] Postfix, Dovecot SASL and Entourage smtps authentication fails.
On Apr 15, 2009, at 5:33 AM, Mart Pirita wrote:
> Everything worked well for Outlook Express, Outlook and Thunderbird
> clients, but Microsoft Entourage 2004 or 2008 clients smtps fails -
> "Authentication failed because Entourage doesn't support any of the
> available authentication methods."

BTW. Is it possible that all other clients are using STARTTLS (or no encryption) and only Entourage is trying to use smtps port?