Postfix and SASL via Dovecot

Postfix and SASL via Dovecot

Erik Paulsen Skaalerud
Hello list.

I'm trying to figure out why my postfix+dovecot successfully
authenticates MS Outlook users when sending smtp, but fails when
Entourage 2004 (Mac) tries to authenticate (gives the error
"Authentication failed because Entourage doesn't support any of the
available authentication methods.")

The weird part: EHLO doesn't mention AUTH at all, but if I type "AUTH
LOGIN" it responds with "334 VXNlcm5hbWU6", AUTH PLAIN and AUTH
CRAM-MD5 also respond with similar challenges.

Anyone have the slightest idea of what's going on? Why isn't EHLO
mentioning authentication?
Sorry if this is something that should be brought to dovecot list, I
thought this was a better place to ask (since POP3/IMAP auth works
just fine).



I've included config files and outputs below:

## mail.log when Mac-clients try to authenticate
Sep  4 15:12:48 ext02 postfix/smtpd[27123]: connect from unknown[192.xx.xx.147]
Sep  4 15:12:48 ext02 postfix/smtpd[27123]: lost connection after EHLO
from unknown[192.xx.xx.147]
Sep  4 15:12:48 ext02 postfix/smtpd[27123]: disconnect from
unknown[192.xx.xx.147]

## output of EHLO
220 ext02.xx.no ESMTP Postfix
EHLO test.com
250-ext02.xx.no
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

## software versions
postfix 2.3.8-2+etch1
dovecot 1.0.rc15-2etch4

## output of postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 52428800
mydestination = ext02.xx.no, localhost.xx.no, localhost
myhostname = ext02.xx.no
mynetworks = 127.0.0.0/8, xx.xx.22.0/24, xx.xx.23.0/24
myorigin = /etc/mailname
recipient_delimiter = +
relayhost = softscan-relay.softcom.dk
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = reject_non_fqdn_recipient
reject_non_fqdn_sender        reject_unknown_recipient_domain
permit_mynetworks        permit_sasl_authenticated
reject_unauth_destination      check_client_access
cidr:/etc/postfix/allowed_clients
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:104
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 112400000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = virtual
virtual_uid_maps = static:101

## output of /etc/dovecot/dovecot.conf:
protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/vmail/%d/%n
mail_privileged_group = mail
first_valid_uid = 101
last_valid_uid = 101

protocol imap {
        imap_client_workarounds = outlook-idle
}

protocol pop3 {
        pop3_uidl_format = %08Xu%08Xv
        pop3_client_workarounds = outlook-no-nuls
}

auth_verbose = no
auth_debug = no
auth_debug_passwords = no

auth default {
        mechanisms = plain login cram-md5
        passdb sql {
                args = /etc/dovecot/dovecot-mysql.conf
                }
        userdb sql {
                args = /etc/dovecot/dovecot-mysql.conf
                }
        user = root
        socket listen {
                client {
                        path = /var/spool/postfix/private/auth
                        mode = 0660
                        user = postfix
                        group = postfix
                        }
                }
}



- Erik

Re: Postfix and SASL via Dovecot

Алексей Доморадов
> mynetworks = 127.0.0.0/8, xx.xx.22.0/24, xx.xx.23.0/24
> Sep  4 15:12:48 ext02 postfix/smtpd[27123]: connect from unknown[192.xx.xx.147]
Show the full IP address without xx.

Re: Postfix and SASL via Dovecot

Wietse Venema
In reply to this post by Erik Paulsen Skaalerud
Erik Paulsen Skaalerud:
> Anyone have the slightest idea of what's going on? Why isn't EHLO
> mentioning authentication?

This is why:

> smtpd_sasl_exceptions_networks = $mynetworks

Change things when you understand the consequences.

        Wietse

Re: Postfix and SASL via Dovecot

DJ Lucas-2
In reply to this post by Erik Paulsen Skaalerud
Erik Paulsen Skaalerud wrote:
> The weird part: EHLO doesn't mention AUTH at all, but if I type "AUTH
> LOGIN" it responds with "334 VXNlcm5hbWU6", AUTH PLAIN and AUTH
> CRAM-MD5 also respond with similar challenges.
>  
Interesting.  I have the same 'issue' on my home server; AUTH is not
advertised when using Dovecot SASL.  I never bothered with it because
everything just works.  Rereading the SASL readme, I gather that this is
not the expected response.

[root@postal ~]# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 postal.lucasit.com ESMTP Postfix
EHLO localhost
250-postal.lucasit.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
[root@postal ~]#

If it is, then no biggie.  I've attached (inline) the usual requests in
case anybody would like to take a look.  Maybe it is just dumb luck that
it works and I do actually have a broken config, however, AFAICT, it
works as expected.  FYI, this particular box is built strictly from
source (loosely following LFS).


[root@postal ~]# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.3.3/html
local_recipient_maps = $virtual_mailbox_maps,    $alias_maps,    
proxy:unix:passwd.byname
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $transport_maps,    localhost,    $myhostname,    
localhost.$mydomain,    $mydomain
myhostname = postal.lucasit.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README
recipient_bcc_maps = ldap:vfm
relayhost = smtp.charter.net
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_recipient_restrictions = reject_non_fqdn_sender,    
reject_unknown_recipient_domain,    reject_unauth_pipelining,    
reject_non_fqdn_recipient,    permit_mynetworks,    
permit_sasl_authenticated,    reject_unauth_destination,    
reject_rbl_client zen.spamhaus.org,    check_policy_service
unix:postgrey/socket,    regexp:/etc/postfix/envelope.regex,    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:accounts,    proxy:unix:passwd.byname
smtpd_sender_restrictions = permit_mynetworks,     check_sender_access
hash:/etc/postfix/blacklist,    check_client_access
hash:/etc/postfix/hosts_bypass,    
reject_unauthenticated_sender_login_mismatch,    permit
smtpd_tls_CApath = /etc/postfix/cacerts
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/mail.lucasit.com.crt
smtpd_tls_key_file = /etc/postfix/certs/mail.lucasit.com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = hash:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport,    ldap:transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:virtualforward,    ldap:aliases,    
ldap:accountsmap
virtual_gid_maps = static:35
virtual_mailbox_base = /srv/vmail/domains
virtual_mailbox_maps = ldap:accounts
virtual_minimum_uid = 35
virtual_uid_maps = static:35
[root@postal ~]#




[root@postal ~]# grep "^[^#]" /etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
    -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
<SNIP the extras for spam/virus filter, though I can post if needs be>



And a slightly modified log snippet sending myself a test message outbound.

Sep  6 00:04:31 postal postfix/smtpd[17675]: 0328681E08B:
client=unknown[192.168.143.229], sasl_method=PLAIN,
sasl_username=dj[_ATSYMBOL_]lucasit.com
Sep  6 00:04:31 postal postfix/cleanup[17678]: 0328681E08B: hold: header
Received: from [192.168.143.229] (unknown [192.168.143.229])??(using
TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client
certificate requested)??by postal.lucasit.com (Postfix) with ESMTP from
unknown[192.168.143.229]; from=<dj[_ATSYMBOL_]lucasit.com>
to=<dj[_ATSYMBOL_]linuxfromscratch.org> proto=ESMTP helo=<[192.168.143.229]>
Sep  6 00:04:31 postal postfix/cleanup[17678]: 0328681E08B:
message-id=<[hidden email]>
Sep  6 00:04:31 postal postfix/smtpd[17675]: disconnect from
unknown[192.168.143.229]

While I don't have failure logs handy right now, bad password or no auth
does fail.  If you'd like me to validate that statement, I'll be more
than happy to tomorrow when I have a bit more time.  I'm off, but
I'm always open to other suggestions on that config.

Thanks.

-- DJ Lucas



Re: Postfix and SASL via Dovecot

Wietse Venema
DJ Lucas:
> Erik Paulsen Skaalerud wrote:
> > The weird part: EHLO doesn't mention AUTH at all, but if I type "AUTH
> > LOGIN" it responds with "334 VXNlcm5hbWU6", AUTH PLAIN and AUTH
> > CRAM-MD5 also respond with similar challenges.
> >  
> Interesting.  I have the same 'issue' on my home server; AUTH is not
> advertised when using Dovecot SASL.  I never bothered with it because
> everything just works.  Rereading the SASL readme, I gather that this is
> not the expected response.

And where does this Postfix version come from? Some vendors
insist on making "improvements".

And what is the Postfix version?

        Wietse

Re: Postfix and SASL via Dovecot

Wietse Venema
In reply to this post by DJ Lucas-2
DJ Lucas:
> Erik Paulsen Skaalerud wrote:
> > The weird part: EHLO doesn't mention AUTH at all, but if I type "AUTH
> > LOGIN" it responds with "334 VXNlcm5hbWU6", AUTH PLAIN and AUTH
> > CRAM-MD5 also respond with similar challenges.
> >  
> Interesting.  I have the same 'issue' on my home server; AUTH is not
> advertised when using Dovecot SASL.  I never bothered with it because
> everything just works.  Rereading the SASL readme, I gather that this is
> not the expected response.

This is incorrect.

AUTH is not advertised because you have:

> smtpd_tls_auth_only = yes

If you change main.cf, understand the consequences.

        Wietse
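
The two answers above point at two different main.cf settings that both make smtpd withhold AUTH from the EHLO reply: smtpd_sasl_exceptions_networks (Erik's config, where the client sits inside $mynetworks) and smtpd_tls_auth_only (DJ's config, where AUTH only appears after STARTTLS). The script below is an added example for this thread, not code from Postfix or Dovecot: it models that decision for both configs and parses a raw EHLO reply so you can check what a server actually offers. The network 192.0.2.0/24 stands in for the masked xx.xx.22.0/24, the client addresses and keyword ordering are assumptions, and the mechanism list mirrors the one in Erik's dovecot.conf; Postfix's real logic lives in smtpd/smtpd.c.

```python
"""Why Postfix smtpd leaves AUTH out of its EHLO reply.

Added example for this thread; it is not code from Postfix or Dovecot.
It models the two conditions Wietse points at, smtpd_sasl_exceptions_networks
(Erik's config) and smtpd_tls_auth_only (DJ's config), and parses a raw EHLO
reply to see which mechanisms, if any, a server actually offers.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SmtpdConfig:
    """The main.cf settings that decide whether AUTH is advertised."""
    smtpd_sasl_auth_enable: bool = False
    smtpd_sasl_exceptions_networks: List[str] = field(default_factory=list)
    smtpd_tls_auth_only: bool = False
    smtpd_use_tls: bool = False                # whether STARTTLS is offered
    broken_sasl_auth_clients: bool = False     # also emit the old "AUTH=" form
    mechanisms: List[str] = field(default_factory=lambda: ["PLAIN", "LOGIN"])


def in_networks(addr: str, networks: List[str]) -> bool:
    """CIDR match of a client address against a main.cf network list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def why_no_auth(cfg: SmtpdConfig, client: str, tls_active: bool) -> Optional[str]:
    """Reason AUTH is withheld from this client, or None when it is offered.

    Checks are in the order a practitioner should look: is SASL on at all,
    is the client exempted by address, is TLS required before AUTH.
    """
    if not cfg.smtpd_sasl_auth_enable:
        return "smtpd_sasl_auth_enable = no"
    if in_networks(client, cfg.smtpd_sasl_exceptions_networks):
        return f"client {client} matches smtpd_sasl_exceptions_networks"
    if cfg.smtpd_tls_auth_only and not tls_active:
        return "smtpd_tls_auth_only = yes and the session is not yet under TLS"
    return None


def ehlo_keywords(cfg: SmtpdConfig, client: str, tls_active: bool) -> List[str]:
    """EHLO keywords in the order the thread's servers print them (assumed)."""
    kws = ["PIPELINING", "SIZE 52428800", "VRFY", "ETRN"]
    if cfg.smtpd_use_tls and not tls_active:
        kws.append("STARTTLS")                 # dropped once TLS is negotiated
    if why_no_auth(cfg, client, tls_active) is None:
        mechs = " ".join(cfg.mechanisms)
        kws.append("AUTH " + mechs)
        if cfg.broken_sasl_auth_clients:
            kws.append("AUTH=" + mechs)
    kws += ["ENHANCEDSTATUSCODES", "8BITMIME", "DSN"]
    return kws


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Map each EHLO keyword to its parameters from a raw multi-line reply."""
    ext: Dict[str, str] = {}
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    for line in lines[1:]:                     # first 250 line is the hostname
        body = line[4:].strip()                # strip "250-" or "250 "
        if body.upper().startswith("AUTH="):   # legacy form, keep it separate
            ext["AUTH="] = body[5:]
            continue
        keyword, _, params = body.partition(" ")
        if keyword:
            ext[keyword.upper()] = params
    return ext


def offered_mechanisms(reply: str) -> List[str]:
    """SASL mechanisms a client may use; empty when AUTH was not advertised."""
    return parse_ehlo(reply).get("AUTH", "").split()


# Constructed stand-ins for the two servers in the thread. The real networks
# were masked as xx.xx.22.0/24; 192.0.2.0/24 (TEST-NET-1) plays that role.
ERIK = SmtpdConfig(smtpd_sasl_auth_enable=True, smtpd_use_tls=True,
                   smtpd_sasl_exceptions_networks=["127.0.0.0/8", "192.0.2.0/24"],
                   mechanisms=["PLAIN", "LOGIN", "CRAM-MD5"])
DJ = SmtpdConfig(smtpd_sasl_auth_enable=True, smtpd_use_tls=True,
                 smtpd_tls_auth_only=True, broken_sasl_auth_clients=True)

# Erik's EHLO output from the thread, as the raw reply a client would see.
ERIK_EHLO = "\r\n".join([
    "250-ext02.xx.no", "250-PIPELINING", "250-SIZE 52428800", "250-VRFY",
    "250-ETRN", "250-STARTTLS", "250-ENHANCEDSTATUSCODES", "250-8BITMIME",
    "250 DSN"])


if __name__ == "__main__":
    for name, cfg, client in (("Erik", ERIK, "192.0.2.147"),
                              ("DJ", DJ, "192.168.143.229")):
        for tls in (False, True):
            reason = why_no_auth(cfg, client, tls) or "AUTH advertised"
            print(f"{name:4} tls={tls!s:5} {reason}")
    print("mechanisms in Erik's posted EHLO:", offered_mechanisms(ERIK_EHLO))
```

Two practical points fall out of the model. With smtpd_sasl_exceptions_networks = $mynetworks, no client inside mynetworks is ever offered AUTH, with or without TLS; those clients relay through permit_mynetworks instead, so a client that honours the advertised list (Entourage's error message is consistent with that) fails while one that sends AUTH blindly still gets a 334 challenge. With smtpd_tls_auth_only = yes, AUTH is only advertised after STARTTLS and a second EHLO, which is the setting to keep: it stops PLAIN and LOGIN credentials crossing the wire in cleartext, and a client that does not see AUTH before STARTTLS is behaving correctly.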