On 24/01/2021 15:42, Jeff Abrahamson wrote:
> I've set up a new dovecot+postfix instance with virtual (not system)
> users.
>
> [...]
Thanks to several responses here (many thanks!) and much further
hacking, I have moved further.
I now have two problems that I'm hitting my head on.  (I've posted my
config below.)
* Delivery has a permission error, but I don't see what is causing it.
* Authorisation on sending is failing.
1. Delivery
I send mail to jeff at mobilitains.fr, which I think should be an
authorised user.
Jan 24 17:19:02 nantes-m1 postfix/qmgr[8025]: 8640AA0C71:
from=<jeff at p27.eu>, size=4737, nrcpt=1 (queue active)
Jan 24 17:19:02 nantes-m1 dovecot:
lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error:
mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied
(euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/,
dir owned by 4000:4000 mode=0755)
Jan 24 17:19:02 nantes-m1 dovecot:
lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error:
mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied
(euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/,
dir owned by 4000:4000 mode=0755)
Jan 24 17:19:02 nantes-m1 dovecot:
lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>: Error: Mailbox INBOX:
Failed to autocreate mailbox: Internal error occurred. Refer to
server log for more information. [2021-01-24 17:19:02]
Jan 24 17:19:02 nantes-m1 dovecot:
lda(jeff)<10628><pbr+CgasDWCEKQAAvhw8tw>:
msgid=<45693641-2b61-815d-6129-feb9c4e3608a at p27.eu>: save failed to
open mailbox INBOX: Mailbox INBOX: Failed to autocreate mailbox:
Internal error occurred. Refer to server log for more information.
[2021-01-24 17:19:02]
Jan 24 17:19:02 nantes-m1 postfix/local[10626]: 8640AA0C71:
to=<jeff at nantes-m1.p27.eu>, orig_to=<jeff at mobilitains.fr>,
relay=local, delay=593, delays=593/0.01/0/0.02, dsn=4.3.0,
status=deferred (temporary failure. Command output: lda(jeff):
Error: net_connect_unix(/var/run/dovecot/stats-writer) failed:
Permission denied )
Now I know what the words mean: it wants to create the mail directory
where I've asked it to, in /var/mail/vmail/%d/%n/mail, and it's hitting
a permission error, because that directory is owned by vmail and that
bit of dovecot, apparently, doesn't have permission to read/write
there.  I can see that some dovecot processes run as vmail, others as
dovecot or dovenull, still others as root (!).  I'm unclear after much
reading of docs what I /should/ see here and what I should change.
[T] jeff at nantes-m1:postfix $ ps axfu | grep dovec
root         607  0.0  0.3   4612  3360 ?        Ss   10:12   0:00 /usr/sbin/dovecot -F
dovecot      637  0.0  0.1   4248  1072 ?        S    10:12   0:00  \_ dovecot/anvil
root        9852  0.0  0.2   4388  2940 ?        S    16:54   0:00  \_ dovecot/log
dovecot     9907  0.0  0.2   4396  2828 ?        S    16:54   0:00  \_ dovecot/stats
root        9908  0.0  0.4   5664  4188 ?        S    16:54   0:00  \_ dovecot/config
dovenull    9976  0.0  0.6   8476  6584 ?        S    16:58   0:00  \_ dovecot/imap-login
vmail       9978  0.0  0.5   6940  5572 ?        S    16:58   0:00  \_ dovecot/imap
dovenull   10023  0.0  0.6   8472  6584 ?        S    17:04   0:00  \_ dovecot/imap-login
vmail      10024  0.0  0.5   6884  5516 ?        S    17:04   0:00  \_ dovecot/imap
jeff       10952  0.0  0.0   8904   672 pts/1    S+   17:33   0:00  |           \_ grep --color=auto dovec
[T] jeff at nantes-m1:postfix $
2. Authorisation on sending
Using thunderbird I try to send an email from my workstation as
jeff at mobilitains.fr (myself, as this host sees it) to another user
(myself somewhere else).
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: connect
from 10.244.88.92.rev.sfr.net[92.88.244.10]
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: Anonymous
TLS connection established from
10.244.88.92.rev.sfr.net[92.88.244.10]: TLSv1 with cipher
ECDHE-RSA-AES128-SHA (128/128 bits)
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: warning:
SASL: Connect to private/auth failed: No such file or directory
Jan 24 17:35:42 nantes-m1 postfix/submission/smtpd[10971]: fatal: no
SASL authentication mechanisms
Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning: process
/usr/lib/postfix/sbin/smtpd pid 10971 exit status 1
Jan 24 17:35:43 nantes-m1 postfix/master[1634]: warning:
/usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
So I'm failing to connect, but the error about private/auth is quite
unclear to me.  I think what I've configured is that plaintext auth is
disabled unless on an SSL/TLS connection, and SSL/TLS connections are
required, so plaintext over SSL/TLS is the rule.  There's an error
related to smtpd startup, though I'm unclear what that means, since
postfix is running.  I think it means it can't run smtpd to send the
mail, but why and where configured is unclear to me.
[T] jeff at nantes-m1:conf.d $ cat 10-auth.conf | grep -vE '^#' | uniq
disable_plaintext_auth = yes
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_mechanisms = plain
!include auth-passwdfile.conf.ext
[T] jeff at nantes-m1:conf.d $
[T] jeff at nantes-m1:conf.d $ cat auth-passwdfile.conf.ext
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
#
# This is heavily modified from the ubuntu dovecot distribution file.
passdb {
  driver = passwd-file
  # args = scheme=CRYPT username_format=%u /etc/dovecot/users
  # args = username_format=%u scheme=ssha512 /etc/dovecot/passwd.db
  args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
  deny = no
  master = no
  pass = no
  skip = never
  result_failure = continue
  result_internalfail = continue
  result_success = return-ok
}
userdb {
    driver = static
    args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
}
[T] jeff at nantes-m1:conf.d $
My config:
[T] jeff at nantes-m1:~ $ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-64-generic x86_64 Ubuntu 20.04.1 LTS ext4
# Hostname: nantes-m1.p27.eu
auth_debug = yes
auth_verbose = yes
mail_home = /var/mail/vmail/%d/%n
mail_location = maildir:/var/mail/vmail/%d/%n/mail:LAYOUT=fs
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = username_format=%u scheme=blf-crypt /etc/dovecot/passwd.db
  driver = passwd-file
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/mail/vmail/sieve-after
  sieve_before = /var/mail/vmail/sieve-before
  sieve_dir = ~/sieve
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/letsencrypt/live/nantes-m1.p27.eu/fullchain.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=4000 gid=4000 home=/var/mail/vmail/%d/%n
  driver = static
}
verbose_ssl = yes
protocol lda {
  deliver_log_format = msgid=%m: %$
  mail_plugins = sieve
  postmaster_address = postmaster@{{ primary_domain }}
  quota_full_tempfail = yes
  rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  mail_max_userip_connections = 20
}
[T] jeff at nantes-m1:~ $
[T] jeff at nantes-m1:postfix $ postconf -Mf
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
...
--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
http://p27.eu/jeff/
http://transport-nantes.com/
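
Added example, not part of the original post and not Dovecot or Postfix code: a Python check that reads the two error lines and the settings quoted in the message above and reports where they disagree with each other. The function names, the regular expressions and the /var/spool/postfix queue directory are assumptions made for the illustration.

```python
import re

# Error text and settings copied from the post above (wrapped lines rejoined).
LDA_ERROR = ("mkdir(/var/mail/vmail//jeff/mail) failed: Permission denied "
             "(euid=1000(jeff) egid=1001(jeff) missing +w perm: /var/mail/vmail/, "
             "dir owned by 4000:4000 mode=0755)")
SASL_WARNING = "warning: SASL: Connect to private/auth failed: No such file or directory"
USERDB_ARGS = "uid=4000 gid=4000 home=/var/mail/vmail/%d/%n"
DOVECOT_LISTENERS = ["/var/spool/postfix/private/dovecot-auth"]
QUEUE_DIR = "/var/spool/postfix"  # assumption: Postfix default queue_directory

PERM_RE = re.compile(
    r"mkdir\((?P<path>[^)]+)\) failed: Permission denied "
    r"\(euid=(?P<euid>\d+)\(\w+\) egid=(?P<egid>\d+)\(\w+\) "
    r"missing \+w perm: (?P<dir>\S+), "
    r"dir owned by (?P<uid>\d+):(?P<gid>\d+) mode=(?P<mode>[0-7]+)\)")


def check_delivery(error, userdb_args):
    """Compare the identity the LDA ran as with the static userdb and the
    directory owner (approximation: supplementary groups are not considered)."""
    m = PERM_RE.search(error)
    if not m:
        return []
    want = dict(kv.split("=", 1) for kv in userdb_args.split())
    findings = []
    if m["euid"] != want["uid"]:
        findings.append(f"lda ran as uid {m['euid']}, userdb says {want['uid']}")
    mode = int(m["mode"], 8)
    owner_ok = m["euid"] == m["uid"] and mode & 0o200
    group_ok = m["egid"] == m["gid"] and mode & 0o020
    if not (owner_ok or group_ok or mode & 0o002):
        findings.append(f"{m['dir']} ({m['uid']}:{m['gid']} {m['mode']}) "
                        f"not writable by uid {m['euid']}")
    if "//" in m["path"]:
        findings.append("empty path component: %d expanded to nothing")
    return findings


def check_sasl_socket(warning, listeners, queue_dir=QUEUE_DIR):
    """Resolve the socket Postfix tried (relative paths are taken relative to
    the queue directory) and check that Dovecot has a listener there."""
    m = re.search(r"SASL: Connect to (\S+) failed", warning)
    if not m:
        return None
    wanted = m[1] if m[1].startswith("/") else f"{queue_dir}/{m[1]}"
    return None if wanted in listeners else (wanted, listeners)
```

On the quoted data, check_delivery reports three findings (uid 1000 instead of 4000, a parent directory that uid cannot write to, and an empty %d), and check_sasl_socket reports that Postfix looked for /var/spool/postfix/private/auth while the only Dovecot auth listener is /var/spool/postfix/private/dovecot-auth.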