Serhiy Kolesnyk
2011-Jul-29 22:58 UTC
[Dovecot] Dovecot 2.0.x + Sendmail 8.14.4 SMTP AUTH not working
Hello!
After moving from Centos 5.6 to Centos 6, I figured that Sendmail
minor version was updated from 8.13.x to 8.14 and Dovecto from 1.2 to
2.0.x
In previous configuration SMTP auth worked fine (no SASAUTHD
neccessary) for virtual users table. Dovecot was authenticating
virtual users virtual checking dovecot.passwd file. I'm not sure how
Sendmail was processing SMTP AUTH for virtual users connecting via
email clients since there was no obvious connection to Dovecot
authentication. But SMTP AUTH was working and virtual users could send
email via SSL.
Now after this recent upgrade I looked into Dovecot conf changes and
updated it according. POP/IMAP are working and Sendmail does deliver
incoming mail to the mbox folders.
What stopped working is SMTP AUTH.
Here's maillog excerpt of authentication process:
Jul 29 23:46:11 one2action sendmail[2865]: AUTH: available
mech=CRAM-MD5 DIGEST-MD5 LOGIN GSSAPI PLAIN, allowed mech=LOGIN PLAIN
Jul 29 23:46:11 one2action sendmail[2865]: STARTTLS=server,
get_verify: 0 get_peer: 0x0
Jul 29 23:46:11 one2action sendmail[2865]: STARTTLS=server,
relay=136-31-132-95.pool.ukrtel.net [95.132.31.136],
version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Jul 29 23:46:11 one2action sendmail[2865]: STARTTLS=server,
cert-subject=, cert-issuer=, verifymsg=ok
Jul 29 23:46:11 one2action sendmail[2865]: AUTH: available
mech=CRAM-MD5 DIGEST-MD5 LOGIN GSSAPI PLAIN, allowed mech=LOGIN PLAIN
Jul 29 23:46:11 one2action sendmail[2865]: p6TMkB95002865: --- 220
one2action.com ESMTP Sendmail 8.14.4/8.14.4; Fri, 29 Jul 2011 23:46:11
+0100
Jul 29 23:46:11 one2action sendmail[2865]: STARTTLS=read, info: fds=8/4, err=2
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: <-- EHLO astronaut
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: ---
250-one2action.com Hello 136-31-132-95.pool.ukrtel.net
[95.132.31.136], pleased to meet you
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: ---
250-ENHANCEDSTATUSCODES
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 250-PIPELINING
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 250-8BITMIME
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 250-SIZE
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 250-DSN
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 250-ETRN
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: ---
250-AUTH LOGIN PLAIN
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 250-DELIVERBY
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 250 HELP
Jul 29 23:46:12 one2action sendmail[2865]: STARTTLS=read, info: fds=8/4, err=2
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: <-- AUTH LOGIN
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 334 VXNlcm5hbWU6
Jul 29 23:46:12 one2action sendmail[2865]: STARTTLS=read, info: fds=8/4, err=2
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 334 UGFzc3dvcmQ6
Jul 29 23:46:12 one2action sendmail[2865]: STARTTLS=read, info: fds=8/4, err=2
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 535
5.7.0 authentication failed
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: AUTH
failure (LOGIN): generic failure (-1) SASL(-1): generic failure:
checkpass failed, relay=136-31-132-95.pool.ukrtel.net [95.132.31.136]
Jul 29 23:46:12 one2action sendmail[2865]: STARTTLS=read, info: fds=8/4, err=2
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: --- 421
4.4.1 one2action.com Lost input channel from
136-31-132-95.pool.ukrtel.net [95.132.31.136]
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865: lost input
channel from 136-31-132-95.pool.ukrtel.net [95.132.31.136] to TLSMTA
after auth
Jul 29 23:46:12 one2action sendmail[2865]: p6TMkB95002865:
136-31-132-95.pool.ukrtel.net [95.132.31.136] did not issue
MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Here's dovecot -n
# dovecot -n
# 2.0.beta6 (3156315704ef): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.39.1-linode34 i686 CentOS Linux release 6.0 (Final)
auth_cache_negative_ttl = 3600 s
auth_debug_passwords = yes
auth_mechanisms = plain login DIGEST-MD5 cram-md5
auth_worker_max_count = 3
default_client_limit = 10
default_process_limit = 5
disable_plaintext_auth = no
listen = *
log_path = /var/log/dovecot.log
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
args = scheme=MD5-CRYPT username_format=%u /etc/dovecot/dovecot.passwd
driver = passwd-file
}
passdb {
args = dovecot
driver = pam
}
passdb {
args = /etc/passwd
driver = passwd-file
}
protocols = imap pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = smmsp
mode = 0666
user = smmsp
}
unix_listener dovecot-auth {
group = smmsp
mode = 0666
user = smmsp
}
}
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3s {
port = 995
ssl = yes
}
}
ssl_cert = </etc/pki/tls/certs/sendmail.pem
ssl_cipher_list = TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH
ssl_key = </etc/pki/tls/certs/sendmail.pem
userdb {
args = username_format=%u /etc/dovecot/dovecot.passwd
driver = passwd-file
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
postmaster_address = postmaster at example.com
}
protocol imap {
imap_client_workarounds = delay-newmail
}
protocol pop3 {
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
}
As I understand Sendmail now can't find Dovecot authentication via
userdb and that's why a client isn't authenticated. Please help.
Alexander Dalloz
2011-Jul-30 22:21 UTC
[Dovecot] Dovecot 2.0.x + Sendmail 8.14.4 SMTP AUTH not working
Am 30.07.2011 00:58, schrieb Serhiy Kolesnyk:> As I understand Sendmail now can't find Dovecot authentication via > userdb and that's why a client isn't authenticated. Please help.Sendmail has never worked against dovecot's sasl implementation. To use SMTP AUTH with Sendmail you will have to use Cyrus-SASL. Check your previous setup in detail. Alexander