Hi there, I'm in a bit of a dilemma and wonder if anyone can help.

Over the weekend I bought a new dedicated server and moved my mail/web over
to it. I'd used the Sarge[1] tutorial at workaround.org for the old server
and as I'd wanted to move to Dovecot for a while I decided to use their
Etch[2] tutorial for the new one. For the most part everything's working
nicely, but I seem to be having problems with (mostly non-SSL) SMTP
authentication.

In this install Postfix passes SASL authentication to Dovecot. For most
clients using SSL this works fine, but as soon as SSL is off it fails.
This is despite having disable_plaintext_auth set to 'no'. Furthermore it
appears that some clients w/SSL are also failing. Outlook being the major
culprit. I'm completely stumped.

I've pasted a copy of the output from dovecot -n below.

Thanks in advance!

Rodti

[1] http://workaround.org/articles/ispmail-sarge
[2] http://workaround.org/articles/ispmail-etch
---------------------------------------------
# 1.0.13: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_privileged_group: mail
mail_location: maildir:/home/vmail/%d/%n/Maildir
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
auth default:
  mechanisms: plain login cram-md5
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail

On Mon, 2008-09-01 at 13:29 +0100, Rodti MacLeary wrote:
> In this install Postfix passes SASL authentication to Dovecot. For most
> clients using SSL this works fine, but as soon as SSL is off it fails.
> This is despite having disable_plaintext_auth set to 'no'. Furthermore it
> appears that some clients w/SSL are also failing. Outlook being the major
> culprit. I'm completely stumped.

Dovecot's disable_plaintext_auth setting doesn't affect Postfix.

> I've pasted a copy of the output from dovecot -n below.

Logs would be much more helpful. Set auth_debug=yes and show logs of a
successful and a failing session. Both Dovecot and Postfix logs.

On Mon, 2008-09-01 at 13:29 +0100, Rodti MacLeary wrote:
> auth default:
>   mechanisms: plain login cram-md5
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-sql.conf

Oh, one guess: Do you store passwords in CRAM-MD5 or plaintext format?
If not, maybe your clients are trying to use CRAM-MD5 and it's failing
because of that? Logs would show that anyway.

Hi

This sounds to me like the failing Outlook clients might fall over to
CRAM-MD5 and you need to use the %m to map out the method sasl uses to
return the right password.

Then you need to either use the source packet from ubuntu intrepid and
apply this patch
http://hg.dovecot.org/dovecot-1.1/rev/3fcfe8d316b6
Or download the release candidate of 1.1.3

Also I use a sql query to get the password in the form:

password_query = SELECT id as user, passwd as password FROM passwds WHERE id = '%u' AND model = '%m'

-Roger

Rodti MacLeary wrote:
> Hi there, I'm in a bit of a dilemma and wonder if anyone can help.
>
> Over the weekend I bought a new dedicated server and moved my mail/web over
> to it. I'd used the Sarge[1] tutorial at workaround.org for the old server
> and as I'd wanted to move to Dovecot for a while I decided to use their
> Etch[2] tutorial for the new one. For the most part everything's working
> nicely, but I seem to be having problems with (mostly non-SSL) SMTP
> authentication.
>
> In this install Postfix passes SASL authentication to Dovecot. For most
> clients using SSL this works fine, but as soon as SSL is off it fails.
> This is despite having disable_plaintext_auth set to 'no'. Furthermore it
> appears that some clients w/SSL are also failing. Outlook being the major
> culprit. I'm completely stumped.
>
> I've pasted a copy of the output from dovecot -n below.
>
> Thanks in advance!

On Mon, 01 Sep 2008 17:17:27 +0300, Timo Sirainen <tss at iki.fi> wrote:
>> Extracts of /var/log/mail.log attached below. Nothing new in mail.err.
>
> Those are only Postfix's logs. See Dovecot's logs.
> http://wiki.dovecot.org/Logging

Sorry, I pulled these from syslog:

Sep 1 13:52:36 localhost dovecot: imap-login: Login: user=<user at domain.tld>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS
Sep 1 13:52:57 localhost dovecot: imap-login: Login: user=<user at domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Sep 1 13:52:57 localhost dovecot: IMAP(user at domain.tld): Disconnected: Logged out
Sep 1 13:53:01 localhost dovecot: imap-login: Login: user=<user at domain.tld>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS
Sep 1 13:53:08 localhost postfix/smtpd[6047]: connect from unknown[xxx.xxx.xxx.xxx]
Sep 1 13:53:09 localhost postfix/smtpd[6047]: lost connection after EHLO from unknown[xxx.xxx.xxx.xxx]
Sep 1 13:53:09 localhost postfix/smtpd[6047]: disconnect from unknown[xxx.xxx.xxx.xxx]
Sep 1 13:53:12 localhost postfix/smtpd[6047]: connect from unknown[xxx.xxx.xxx.xxx]

On Mon, 01 Sep 2008 15:35:56 +0300, Timo Sirainen <tss at iki.fi> wrote:
> Oh, one guess: Do you store passwords in CRAM-MD5 or plaintext format?
> If not, maybe your clients are trying to use CRAM-MD5 and it's failing
> because of that? Logs would show that anyway.

All passwords are hashed in the MySQL database. They were in plain text on
the old system. Could this be the problem?

r.
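
Why the storage format matters for CRAM-MD5, shown as an added example that is not part of the original thread: with PLAIN/LOGIN the server receives the password and can check it against a one-way hash, while CRAM-MD5 (RFC 2195) needs the shared secret itself on the server side. The PBKDF2 hash, user name, password and challenge are constructed stand-ins; the thread does not say which hash scheme the database uses.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client side (RFC 2195): base64("user " + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for a one-way stored hash (assumed scheme; the thread names none)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def verify_plain(stored_hash: bytes, salt: bytes, presented_password: str) -> bool:
    """PLAIN/LOGIN: the password arrives in the exchange, so hash it and compare."""
    return hmac.compare_digest(stored_hash, hash_password(presented_password, salt))


def verify_cram_md5(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """CRAM-MD5: the server must key HMAC-MD5 with the same secret the client used."""
    _user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    user, password = "user@domain.tld", "correct horse"
    salt = b"constructed-salt"
    challenge = b"<1896.697170952@mail.domain.tld>"
    stored_hash = hash_password(password, salt)
    response = cram_md5_response(user, password, challenge)
    return {
        # Hashed store is enough for PLAIN/LOGIN.
        "plain_vs_hashed_store": verify_plain(stored_hash, salt, password),
        # CRAM-MD5 verifies when the server holds the plaintext secret.
        "cram_vs_plaintext_store": verify_cram_md5(password.encode(), challenge, response),
        # With only a one-way hash the server cannot rebuild the client's HMAC.
        "cram_vs_hashed_store": verify_cram_md5(stored_hash, challenge, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```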

On 1 Sep 2008, at 13:34, Timo Sirainen wrote:
> On Mon, 2008-09-01 at 13:29 +0100, Rodti MacLeary wrote:
>> In this install Postfix passes SASL authentication to Dovecot. For most
>> clients using SSL this works fine, but as soon as SSL is off it fails.
>> This is despite having disable_plaintext_auth set to 'no'. Furthermore it
>> appears that some clients w/SSL are also failing. Outlook being the major
>> culprit. I'm completely stumped.
>
> Dovecot's disable_plaintext_auth setting doesn't affect Postfix.

Not sure which of the following actually fixed it, but added
'broken_sasl_auth_clients = yes' to my Postfix main.cf and changed my
dovecot.conf 'mechanisms' to 'login plain' instead of 'plain login'. Now
all is well.

Thanks to everyone for their help, particularly Roger for his offlist
advice on installing 1.1.3.

r.