Hello list.
I'm trying to figure out why my postfix+dovecot successfully authenticates MS Outlook users when sending SMTP, but fails when Entourage 2004 (Mac) tries to authenticate (it gives the error "Authentication failed because Entourage doesn't support any of the available authentication methods.")

The weird part: EHLO doesn't mention AUTH at all, but if I type "AUTH LOGIN" it responds with "334 VXNlcm5hbWU6"; AUTH PLAIN and AUTH CRAM-MD5 also respond with similar challenges.

Anyone have the slightest idea of what's going on? Why isn't EHLO mentioning authentication?

Sorry if this is something that should be brought to the dovecot list, I thought this was a better place to ask (since POP3/IMAP auth works just fine). I've included config files and outputs below:

## mail.log when Mac-clients try to authenticate

Sep 4 15:12:48 ext02 postfix/smtpd[27123]: connect from unknown[192.xx.xx.147]
Sep 4 15:12:48 ext02 postfix/smtpd[27123]: lost connection after EHLO from unknown[192.xx.xx.147]
Sep 4 15:12:48 ext02 postfix/smtpd[27123]: disconnect from unknown[192.xx.xx.147]

## output of EHLO

220 ext02.xx.no ESMTP Postfix
EHLO test.com
250-ext02.xx.no
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

## software versions

postfix 2.3.8-2+etch1
dovecot 1.0.rc15-2etch4

## output of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 52428800
mydestination = ext02.xx.no, localhost.xx.no, localhost
myhostname = ext02.xx.no
mynetworks = 127.0.0.0/8, xx.xx.22.0/24, xx.xx.23.0/24
myorigin = /etc/mailname
recipient_delimiter = +
relayhost = softscan-relay.softcom.dk
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_client_access cidr:/etc/postfix/allowed_clients
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:104
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 112400000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = virtual
virtual_uid_maps = static:101

## output of /etc/dovecot/dovecot.conf:

protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/vmail/%d/%n
mail_privileged_group = mail
first_valid_uid = 101
last_valid_uid = 101
protocol imap {
  imap_client_workarounds = outlook-idle
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = outlook-no-nuls
}
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
auth default {
  mechanisms = plain login cram-md5
  passdb sql {
    args = /etc/dovecot/dovecot-mysql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-mysql.conf
  }
  user = root
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

- Erik
> mynetworks = 127.0.0.0/8, xx.xx.22.0/24, xx.xx.23.0/24
> Sep 4 15:12:48 ext02 postfix/smtpd[27123]: connect from unknown[192.xx.xx.147]

Show a full IP address, without the xx.
Erik Paulsen Skaalerud:
> Anyone have the slightest idea of what's going on? Why isn't EHLO
> mentioning authentication?

This is why:

> smtpd_sasl_exceptions_networks = $mynetworks

Change things when you understand the consequences.

	Wietse
Erik Paulsen Skaalerud wrote:
> The weird part: EHLO doesn't mention AUTH at all, but if I type "AUTH
> LOGIN" it responds with "334 VXNlcm5hbWU6"; AUTH PLAIN and AUTH
> CRAM-MD5 also respond with similar challenges.

Interesting. I have the same 'issue' on my home server; AUTH is not advertised when using Dovecot SASL. I never bothered with it because everything just works. Rereading the SASL readme, I gather that this is not the expected response.

[root@postal ~]# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 postal.lucasit.com ESMTP Postfix
EHLO localhost
250-postal.lucasit.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
[root@postal ~]#

If it is, then no biggie. I've attached (inline) the usual requests in case anybody would like to take a look. Maybe it is just dumb luck that it works and I do actually have a broken config; however, AFAICT, it works as expected. FYI, this particular box is built strictly from source (loosely following LFS).

[root@postal ~]# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.3.3/html
local_recipient_maps = $virtual_mailbox_maps, $alias_maps, proxy:unix:passwd.byname
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $transport_maps, localhost, $myhostname, localhost.$mydomain, $mydomain
myhostname = postal.lucasit.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README
recipient_bcc_maps = ldap:vfm
relayhost = smtp.charter.net
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_non_fqdn_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_policy_service unix:postgrey/socket, regexp:/etc/postfix/envelope.regex, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:accounts, proxy:unix:passwd.byname
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/blacklist, check_client_access hash:/etc/postfix/hosts_bypass, reject_unauthenticated_sender_login_mismatch, permit
smtpd_tls_CApath = /etc/postfix/cacerts
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/mail.lucasit.com.crt
smtpd_tls_key_file = /etc/postfix/certs/mail.lucasit.com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = hash:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport, ldap:transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:virtualforward, ldap:aliases, ldap:accountsmap
virtual_gid_maps = static:35
virtual_mailbox_base = /srv/vmail/domains
virtual_mailbox_maps = ldap:accounts
virtual_minimum_uid = 35
virtual_uid_maps = static:35
[root@postal ~]#

[root@postal ~]# grep "^[^#]" /etc/postfix/master.cf
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
pickup     fifo  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       fifo  n       -       -       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
retry      unix  -       -       -       -       -       error
discard    unix  -       -       -       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       -       -       -       lmtp
anvil      unix  -       -       -       -       1       anvil
scache     unix  -       -       -       -       1       scache
<SNIP the extras for spam/virus filter, though I can post if needs be>

And a slightly modified log snippet sending myself a test message outbound.

Sep 6 00:04:31 postal postfix/smtpd[17675]: 0328681E08B: client=unknown[192.168.143.229], sasl_method=PLAIN, sasl_username=dj@lucasit.com
Sep 6 00:04:31 postal postfix/cleanup[17678]: 0328681E08B: hold: header Received: from [192.168.143.229] (unknown [192.168.143.229])??(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by postal.lucasit.com (Postfix) with ESMTP from unknown[192.168.143.229]; from=<dj@lucasit.com> to=<dj@linuxfromscratch.org> proto=ESMTP helo=<[192.168.143.229]>
Sep 6 00:04:31 postal postfix/cleanup[17678]: 0328681E08B: message-id=<[hidden email]>
Sep 6 00:04:31 postal postfix/smtpd[17675]: disconnect from unknown[192.168.143.229]

While I don't have failure logs handy right now, a bad password or no auth does fail. If you'd like me to validate that statement, I'll be more than happy to tomorrow when I have a bit more time. I'm off, but I'm always open to other suggestions on that config.

Thanks.

-- 
DJ Lucas
DJ Lucas:
> Erik Paulsen Skaalerud wrote:
> > The weird part: EHLO doesn't mention AUTH at all, but if I type "AUTH
> > LOGIN" it responds with "334 VXNlcm5hbWU6"; AUTH PLAIN and AUTH
> > CRAM-MD5 also respond with similar challenges.
>
> Interesting. I have the same 'issue' on my home server; AUTH is not
> advertised when using Dovecot SASL. I never bothered with it because
> everything just works. Rereading the SASL readme, I gather that this is
> not the expected response.

And where does this Postfix version come from? Some vendors insist on making "improvements".

And what is the Postfix version?

	Wietse
DJ Lucas:
> Erik Paulsen Skaalerud wrote:
> > The weird part: EHLO doesn't mention AUTH at all, but if I type "AUTH
> > LOGIN" it responds with "334 VXNlcm5hbWU6"; AUTH PLAIN and AUTH
> > CRAM-MD5 also respond with similar challenges.
>
> Interesting. I have the same 'issue' on my home server; AUTH is not
> advertised when using Dovecot SASL. I never bothered with it because
> everything just works. Rereading the SASL readme, I gather that this is
> not the expected response.

This is incorrect. AUTH is not advertised because you have:

> smtpd_tls_auth_only = yes

If you change main.cf, understand the consequences.

	Wietse
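The two causes named in this thread (Erik's `smtpd_sasl_exceptions_networks = $mynetworks`, DJ's `smtpd_tls_auth_only = yes` probed over plaintext telnet) are easy to confuse because both produce an EHLO reply with no AUTH line. The script below is an added example, not code from the thread, Postfix or Dovecot: it parses an EHLO reply to see which mechanisms are actually offered, models the documented suppression rules for the three main.cf parameters so a session can be explained from its client IP and TLS state, and includes a live probe that re-reads the EHLO features after STARTTLS, which is what a plain telnet test never shows. The host names, IP addresses and EHLO replies are constructed for the example; the rule model covers only the parameters discussed here and is not a reimplementation of smtpd.

```python
"""Added example: why a Postfix smtpd may omit AUTH from its EHLO reply.

Constructed sample data and a rule model for the main.cf parameters named
in the thread; not Postfix or Dovecot code.
"""
import ipaddress
import smtplib
import ssl

# Constructed EHLO replies shaped like the ones quoted in the thread.
EHLO_NO_AUTH = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)
EHLO_WITH_AUTH = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 DSN\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Map each advertised ESMTP keyword to its parameter list."""
    features = {}
    for line in reply.splitlines()[1:]:      # first line is only the server name
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword, *params = line[4:].split()  # drop the "250-" / "250 " prefix
        features[keyword.upper()] = params
    return features


def advertised_auth_mechanisms(reply: str):
    """Return the advertised SASL mechanisms, or None when AUTH is absent."""
    return parse_ehlo(reply).get("AUTH")


def auth_suppressed_by(client_ip: str, tls_active: bool, *,
                       smtpd_sasl_auth_enable: bool = True,
                       smtpd_sasl_exceptions_networks=(),
                       smtpd_tls_auth_only: bool = False):
    """Name the main.cf parameter that hides AUTH for this session, or None.

    Order: SASL disabled entirely; TLS required before AUTH but the session
    is still plaintext; client address listed in the exception networks.
    """
    if not smtpd_sasl_auth_enable:
        return "smtpd_sasl_auth_enable"
    if smtpd_tls_auth_only and not tls_active:
        return "smtpd_tls_auth_only"
    ip = ipaddress.ip_address(client_ip)
    for net in smtpd_sasl_exceptions_networks:
        if ip in ipaddress.ip_network(net, strict=False):
            return "smtpd_sasl_exceptions_networks"
    return None


def probe(host: str, port: int = 587, *, verify_tls: bool = True):
    """Live check (needs network): AUTH parameters before and after STARTTLS.

    Returns (pre_tls, post_tls); each is the AUTH parameter string or None.
    verify_tls=False is only for a self-signed test cert such as Debian's
    ssl-cert-snakeoil.pem; keep verification on against a real server.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        pre = smtp.esmtp_features.get("auth")
        post = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()                       # features must be re-read after TLS
            post = smtp.esmtp_features.get("auth")
    return (pre.strip() if pre else None, post.strip() if post else None)


if __name__ == "__main__":
    # Erik's situation: LAN client, $mynetworks listed as the exception networks.
    print(auth_suppressed_by("192.0.2.147", False,
                             smtpd_sasl_exceptions_networks=["127.0.0.0/8", "192.0.2.0/24"]))
    # DJ's situation: plaintext telnet to a server with smtpd_tls_auth_only = yes.
    print(auth_suppressed_by("127.0.0.1", False, smtpd_tls_auth_only=True))
    print(advertised_auth_mechanisms(EHLO_WITH_AUTH))
```

Run `probe("mail.example.net", 587)` against your own server to see the pre- and post-STARTTLS feature sets side by side; if AUTH appears only in the second, `smtpd_tls_auth_only` is doing its job and a client that refuses STARTTLS will never see it. If it appears in neither from a LAN host but does from outside, look at `smtpd_sasl_exceptions_networks`.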