I've set up a new dovecot+postfix instance with virtual (not system) users.
I've a few questions, mostly about auth. I /think/ that postfix handles
auth by asking dovecot.
Users need to provide user + password to send (smtps) and receive
(imaps). I see where I've configured this for dovecot, which is
/etc/dovecot/passwd.db. That file contains lines like this:
jeff at mobilitains.fr:{BLF-CRYPT}$2y$05$c...
What concerns me is that I see occasional log items like this:
Jan 24 11:26:33 nantes-m1 postfix/smtpd[4597]: fatal: no SASL authentication mechanisms
(Also, I can't connect with thunderbird.)
But I think I've configured SASL auth, so I'm not sure what to look at /
how to debug this. I'm looking for suggestions how to approach this.
I do not see how postfix knows who is allowed to connect, however. Am I
correct that postfix delegates SASL to dovecot? This is the relevant
config, I think:
[T] jeff at nantes-m1:log $ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS
# Hostname: nantes-m1.p27.eu
auth_verbose = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
  driver = passwd-file
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/mail/vmail/sieve-after
  sieve_before = /var/mail/vmail/sieve-before
  sieve_dir = ~/sieve
}
protocols = " imap"
ssl = required
ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
  driver = static
}
protocol lda {
  deliver_log_format = msgid=%m: %$
  mail_plugins = sieve
  postmaster_address = postmaster@{{ primary_domain }}
  quota_full_tempfail = yes
  rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  mail_max_userip_connections = 20
}
[T] jeff at nantes-m1:log $
[T] jeff at nantes-m1:log $ postconf -n | grep -i sasl
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
[T] jeff at nantes-m1:log $ postconf -Mf
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
...
Many thanks for any pointers.
I'm also a bit confused on how to test it, really, short of connecting
with a regular email client (mutt, thunderbird, etc.). If there are
more appropriate tools that I've missed, I'm quite open to pointers.
--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
http://p27.eu/jeff/
http://transport-nantes.com/
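Added example, not part of the original post: with smtpd_sasl_type = dovecot, Postfix smtpd looks for Dovecot's auth socket at smtpd_sasl_path relative to the Postfix queue directory, so this check compares that path with the unix_listener entries of a `service auth` block in `doveconf -n` output. The function names, the default queue_dir and base_dir, and both sample configurations are assumptions constructed for the illustration.

```python
import posixpath
import re

def auth_listeners(doveconf_text):
    """Return unix_listener paths declared directly inside `service auth { }`."""
    paths, depth, in_auth = [], 0, False
    for raw in doveconf_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            if depth == 0 and re.fullmatch(r"service\s+auth\s*\{", line):
                in_auth = True
            elif in_auth and depth == 1:
                m = re.fullmatch(r"unix_listener\s+(\S+)\s*\{", line)
                if m:
                    paths.append(m.group(1))
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                in_auth = False
    return paths

def sasl_socket_matches(doveconf_text, smtpd_sasl_path,
                        queue_dir="/var/spool/postfix",   # assumed Postfix default
                        base_dir="/var/run/dovecot"):     # assumed Dovecot default
    """True if Dovecot listens where Postfix smtpd will look for the socket."""
    wanted = posixpath.normpath(posixpath.join(queue_dir, smtpd_sasl_path))
    have = {posixpath.normpath(posixpath.join(base_dir, p))
            for p in auth_listeners(doveconf_text)}
    return wanted in have

# Constructed sample: passdb only, no auth service listener for Postfix.
NO_LISTENER = """passdb {
  args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
  driver = passwd-file
}
"""
# Constructed sample: the same config plus a listener inside the Postfix queue dir.
WITH_LISTENER = NO_LISTENER + """service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
"""

if __name__ == "__main__":
    for name, conf in (("no listener", NO_LISTENER), ("with listener", WITH_LISTENER)):
        print(name, "->", sasl_socket_matches(conf, "private/auth"))
```

To run it against a live host, pass the text of `doveconf -n` and the value printed by `postconf -h smtpd_sasl_path`.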