dovecot - Apr 2009 - Postfix, Dovecot SASL and Entourage smtps authentication fails.

Tere.

Recently just migrated from Sendmail 8.14.3 to Postfix 2.5.6 and
switched from Cyrus-sasl 2.1.22 to Dovecot 1.1.13 sasl, all are compiled
from source and I have used Dovecot for a long time, since alpha versions.

Everything worked well for Outlook Express, Outlook and Thunderbird
clients, but Microsoft Entourage 2004 or 2008 clients smtps fails -
"Authentication failed because Entourage doesn't support any of the
available authentication methods."

Similar case like -
http://archives.neohapsis.com/archives/postfix/2008-09/thread.html#145

I tried everything, the config is like described in Postfix and Dovecot
sites - http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

I also tried in main.cf smtpd_sasl_security_options =forward_secrecy
like described in
http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options

But none helped.

So I switched back to Cyrus-sasl and Entourage works well like before
with sendmail.

I started to search what may be the reason, and seems with Dovecot sasl
Postfix wont advertise needed stuff in ehlo:

With Cyrus:

telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS

With dovecot:
telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
starttls
220 2.0.0 Ready to start TLS


Setting with Cyrus in main.cf smtpd_tls_auth_only = no gives even more
but still nothing with Dovecot:

telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.eeESMTP
EHLO example.com
250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So is this a Entourage or Dovecot or Postfix bug? I really like to drop
the Cyrus and use only Dovecot sasl.

Any hint is welcome.

-- 
Mart

On Wed, 2009-04-15 at 12:33 +0300, Mart Pirita wrote:
> With dovecot:
> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localdomain.localhost.
> Escape character is '^]'.
> 220 my.host.ee ESMTP
> EHLO example.com
> starttls
> 220 2.0.0 Ready to start TLS
Are you saying that EHLO doesn't return anything when using Dovecot
SASL? Something's very broken then.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20090415/d070dc13/attachment-0002.bin>

Tere.
>
> Are you saying that EHLO doesn't return anything when using Dovecot
> SASL? 
Yes.
> Something's very broken then.
>
>   
Hmm, but what?

Dovecot is compiled with options:

./configure \
        --prefix=/usr \
        --with-ssl=/usr/local/ssl \
        --with-ssldir=/etc/ssl \
        --with-rawlog \
        --sysconfdir=/etc \
        --without-vpopmail \
        --disable-ipv6 \
        --with-pam \
        --without-passwd-file \
        --without-checkpassword \
        --without-bsdauth \
        --without-static-userdb \
        --without-passdb-userdb \
        --without-pgsql \
        --without-mysql \
        --without-sqlite \
        --with-rundir=/var/run/dovecot \
        --without-deliver \
        --without-gssapi


And runs with settings:

dovecot -n
# 1.1.13: /etc/dovecot.conf
# OS: Linux 2.6.24.2 i686 Red Hat Linux release 8.0 (Psyche)
protocols: imaps pop3 pop3s
ssl_parameters_regenerate: 0
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_log_format_elements: %u [%r] %m %c
mail_max_userip_connections(default): 90
mail_max_userip_connections(imap): 90
mail_max_userip_connections(pop3): 9
maildir_copy_preserve_filename: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
imap_client_workarounds(default): outlook-idle netscape-eoh
tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(imap): outlook-idle netscape-eoh
tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_logout_format(default): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(imap): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(pop3): bytes=%i/%o, del=%d/%m, size=%s
auth default:
  cache_size: 1024
  failure_delay: 3
  passdb:
    driver: pam
    args: cache_key=%u%r%s *
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix


Postfix is compiled with options:


CCARGS='-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\"
-DUSE_TLS
-DUSE_SSL -I/usr/local/ssl/include -DHAS_DB -I/usr/local/db4/include
-I/usr/include' \
AUXLIBS="-L/usr/local/ssl/lib -lssl -lcrypto  -L/usr/local/db4/lib -ldb
-L/usr/lib -ldl" \

And sasl and tls settings are:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes



-- 
Mart

On Apr 15, 2009, at 5:33 AM, Mart Pirita wrote:
> Everything worked well for Outlook Express, Outlook and Thunderbird
> clients, but Microsoft Entourage 2004 or 2008 clients smtps fails -
> "Authentication failed because Entourage doesn't support any of
the
> available authentication methods."
BTW. Is it possible that all other clients are using STARTTLS (or no  
encryption) and only Entourage is trying to use smtps port?