Postfix upgrade breaks emails accounts from Mac OS X

Postfix upgrade breaks emails accounts from Mac OS X

Olivier Nicole-2
Hi,

I apologize if that has already been posted, but I could not find any
reference.

I recently upgraded my postfix server from 2.11.6 to 3.2.3_1.

Postfix server runs on a FreeBSD OS. The upgrade was seamless for all
the users except the users connecting from a Mac:

- a Mac that never used the Mail app could connect immediately to
  postfix SMTP, using any mail account

- a Mac that previously used Mail app could connect to account that we
  never used before, but could not connect to pre-existing accounts

- furthermore, if you create a new Mac user, he can use any email
  account.

In the second case above, if I remove the previous email account on the
Mac and recreate it, then it works.

Is that a known problem? Is there a fix?

Thanks in advance,

Olivier
--

Re: Postfix upgrade breaks emails accounts from Mac OS X

Viktor Dukhovni


> On Feb 1, 2018, at 11:31 PM, Olivier <[hidden email]> wrote:
>
> I apologize if that has already been posted, but I could not find any
> reference.
>
> I recently upgraded my postfix server from 2.11.6 to 3.2.3_1.
>
> Postfix server runs on a FreeBSD OS. The upgrade was seamless for all
> the users except the users connecting from a Mac:
>
> - a Mac that never used the Mail app could connect immediately to
>  postfix SMTP, using any mail account
>
> - a Mac that previously used Mail app could connect to account that we
>  never used before, but could not connect to pre-existing accounts
>
> - furthermore, if you create a new Mac user, he can use any email
>  account.
>
> In the second case above, if I remove the previous email account on the
> Mac and recreate it, then it works.
>
> Is that a known problem? Is there a fix?

Users read their mail via IMAP, and Postfix is not an IMAP server.
Perhaps your certificate changed and was pinned to the IMAP account
on the client.  Or some SASL issue, or other IMAP settings.  Look
in the IMAP logs.

--
        Viktor.


Re: Postfix upgrade breaks emails accounts from Mac OS X

Olivier Nicole-2
Viktor Dukhovni <[hidden email]> writes:

>> On Feb 1, 2018, at 11:31 PM, Olivier <[hidden email]> wrote:
>>
>> I apologize if that has already been posted, but I could not find any
>> reference.
>>
>> I recently upgraded my postfix server from 2.11.6 to 3.2.3_1.
>>
>> Postfix server runs on a FreeBSD OS. The upgrade was seamless for all
>> the users except the users connecting from a Mac:
>>
>> - a Mac that never used the Mail app could connect immediately to
>>  postfix SMTP, using any mail account
>>
>> - a Mac that previously used Mail app could connect to account that we
>>  never used before, but could not connect to pre-existing accounts
>>
>> - furthermore, if you create a new Mac user, he can use any email
>>  account.
>>
>> In the second case above, if I remove the previous email account on the
>> Mac and recreate it, then it works.
>>
>> Is that a known problem? Is there a fix?
>
> Users read their mail via IMAP, and Postfix is not an IMAP server.
> Perhaps your certificate changed and was pinned to the IMAP account
> on the client.  Or some SASL issue, or other IMAP settings.  Look
> in the IMAP logs.

I apologize for being ambiguous. It is a problem of authentication to
SMTP (they have no problem with IMAP). And the certificate has not
changed (same machine, same name, same file); and cyrus saslauthd has
not changed either.

Best regards,

Olivier

--

Re: Postfix upgrade breaks emails accounts from Mac OS X

Viktor Dukhovni


> On Feb 2, 2018, at 12:03 AM, Olivier <[hidden email]> wrote:
>
> I apologize for being ambiguous. It is a problem of authentication to
> SMTP (they have no problem with IMAP). And the certificate has not
> changed (same machine, same name, same file); and cyrus saslauthd has
> not changed either.

And you're also not posting the relevant logs because you'll get more
"inspired" suggestions if everyone has to guess the cause?  Right? :-)

You've also not explained what you mean by deleting and recreating the
account.

The only random guess that comes to mind is your SASL library may now
claim to support OAUTH, but really does not.  Apple's Mail.app tends
to be fond of that particular SASL mechanism.  Of course without logs
that's just crazy wild speculation.

--
        Viktor.


Re: Postfix upgrade breaks emails accounts from Mac OS X

Olivier Nicole-2
Viktor Dukhovni <[hidden email]> writes:

>> On Feb 2, 2018, at 12:03 AM, Olivier <[hidden email]> wrote:
>>
>> I apologize for being ambiguous. It is a problem of authentication to
>> SMTP (they have no problem with IMAP). And the certificate has not
>> changed (same machine, same name, same file); and cyrus saslauthd has
>> not changed either.
>
> And you're also not posting the relevant logs because you'll get more
> "inspired" suggestions if everyone has to guess the cause?  Right? :-)

The logs are below.

> You've also not explained what you mean by deleting and recreating the
> account.

I am not a Mac user, but from the Mail app, select Files/Account and
remove the account that makes problem and recreate it the same.

> The only random guess that comes to mind is your SASL library may now
> claim to support OAUTH, but really does not.  Apple's Mail.app tends
> to be fond of that particular SASL mechanism.  Of course without logs
> that's just crazy wild speculation.

Thank you,

Olivier

A failing connection: SMTP authentication:
Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: connect from unknown[118.174.201.202]
Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: Anonymous TLS connection established from unknown[118.174.201.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 29 16:44:59 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:05 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:11 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed: Connection lost to authentication server
Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: disconnect from unknown[118.174.201.202] ehlo=2 starttls=1 auth=0/4 quit=1 commands=4/8


A successful SMTP authentication with same credentials but from a
different Mac:

Jan 30 17:52:38 fbsd63 postfix/smtpd[15674]: connect from Mac-4.desktops.cs.ait.ac.th[192.41.170.243]
Jan 30 17:52:38 fbsd63 postfix/smtpd[15674]: Anonymous TLS connection established from mac-4.desktops.cs.ait.ac.th[192.41.170.243]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

--

Re: Postfix upgrade breaks emails accounts from Mac OS X

Viktor Dukhovni


> On Feb 2, 2018, at 12:39 AM, Olivier <[hidden email]> wrote:
>
>> You've also not explained what you mean by deleting and recreating the
>> account.
>
> I am not a Mac user, but from the Mail app, select Files/Account and
> remove the account that makes problem and recreate it the same.

Right, so this is a client-side change, which helps the Mac forget
whatever wrong settings it had before.  Perhaps an incorrect SASL
setting, or an incorrect port number.

>> The only random guess that comes to mind is your SASL library may now
>> claim to support OAUTH, but really does not.  Apple's Mail.app tends
>> to be fond of that particular SASL mechanism.  Of course without logs
>> that's just crazy wild speculation.
>
> Thank you,
>
> Olivier
>
> A failing connection: SMTP authentication:
> Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: connect from unknown[118.174.201.202]
> Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: Anonymous TLS connection established from unknown[118.174.201.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jan 29 16:44:59 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
> Jan 29 16:45:05 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
> Jan 29 16:45:11 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
> Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed: Connection lost to authentication server
> Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: disconnect from unknown[118.174.201.202] ehlo=2 starttls=1 auth=0/4 quit=1 commands=4/8

Is this the submission service on port 587, or inbound mail on
port 25?

> A successful SMTP authentication with same credentials but from a
> different Mac:
>
> Jan 30 17:52:38 fbsd63 postfix/smtpd[15674]: connect from Mac-4.desktops.cs.ait.ac.th[192.41.170.243]
> Jan 30 17:52:38 fbsd63 postfix/smtpd[15674]: Anonymous TLS connection established from mac-4.desktops.cs.ait.ac.th[192.41.170.243]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Ditto, and you don't show the rest of the session, where we'd see an actual login mechanism...

--
        Viktor.


Re: Postfix upgrade breaks emails accounts from Mac OS X

@lbutlr
In reply to this post by Olivier Nicole-2
On 1 Feb 2018, at 21:31, Olivier <[hidden email]> wrote:
> Is that a known problem? Is there a fix?

It is not. I have a postfix 3.2 install and primarily use Macs to access it. Works fine on new and old accounts.

However, this sounds like a dovecot issue, not a postfix issue. And you didn't provide any logs for the "can't use old accounts" events, so it's hard to say.

Or maybe you are using something other than dovecot, in which case use dovecot.

Ah, I see reading ahead that you are using cyrus.

I found cyrus to be poorly documented and fragile, and switched to dovecot on recommendations on this list. I've been pleased with it.

In all likelihood, the settings for authentication need to be updated on the Macs. Generally the Mac does a good job of setting the accounts up correctly, but it will not change the settings when your server changes.

Check the port number and the authentication method and make sure they match a working account.

<https://www.dropbox.com/s/85xy4tc24i5twqr/Screenshot%202018-02-03%2010.06.26.png?dl=0>

(That is for macOS High Sierra v10.13, earlier versions may look different)

I suspect either the port is wrong or the Authentication method is wrong, or both are wrong.


--
'You know me,' said Rincewind. 'Just when I'm getting a grip on
something Fate comes along and jumps on my fingers.' --Interesting Times


Re: Postfix upgrade breaks emails accounts from Mac OS X

@lbutlr
In reply to this post by Olivier Nicole-2
On 1 Feb 2018, at 22:39, Olivier <[hidden email]> wrote:
> A failing connection: SMTP authentication:
> Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: connect from unknown[118.174.201.202]


> A successful SMTP authentication
>
> Jan 30 17:52:38 fbsd63 postfix/smtpd[15674]: connect from Mac-4.desktops.cs.ait.ac.th[192.41.170.243]

Is it also possible that the 'unknown' status of the first connection is part of the problem?


--
Footnote on the High Energy Magic building: It was here that the thaum,
hitherto believed to be the smallest possible particle of magic, was
successfully demonstrated to be made up of resons (lit: 'Thing-ies) or
reality fragments. Currently research indicates that each reson is
itself made up of a combination of at least five 'flavours', known as
'up', 'down', 'sideways', 'sex appeal' and 'peppermint'.


Re: Postfix upgrade breaks emails accounts from Mac OS X

Karol Augustin
In reply to this post by @lbutlr
On 2018-02-03 17:09, @lbutlr wrote:

> On 1 Feb 2018, at 21:31, Olivier <[hidden email]> wrote:
>> Is that a known problem? Is there a fix?
>
> It is not. I have a postfix 3.2 install and primarily use Macs to access
> it. Works fine on new and old accounts.
>
> However, this sounds like a dovecot issue, not a postfix issue. And
> you didn't provide any logs for the "can't use old accounts" events,
> so it's hard to say.
>
> Or maybe you are using something other than dovecot, in which case use dovecot.
>
> Ah, I see reading ahead that you are using cyrus.
>
> I found cyrus to be poorly documented and fragile, and switched to
> dovecot on recommendations on this list. I've been pleased with it.
>
> In all likelihood, the settings for authentication need to be updated
> on the Macs. Generally the Mac does a good job of setting the accounts
> up correctly, but it will not change the settings when your server
> changes.
>
> Check the port number and the authentication method and make sure they
> match a working account.
>
> <https://www.dropbox.com/s/85xy4tc24i5twqr/Screenshot%202018-02-03%2010.06.26.png?dl=0>
>
> (That is for macOS High Sierra v10.13, earlier versions may look different)
>
> I suspect either the port is wrong or the Authentication method is
> wrong, or both are wrong.


I have few people connecting using Macs. I had a similar issue when I
upgraded libssl to 1.1.0f-4 all of them couldn't connect as they are
still using TLS 1.0. I had to temporarily downgrade to 1.1.0f-3 until
the problem was fixed in 1.1.0g-1. The problem was that developers
decided to disable TLS1.0, which impacted a lot of things.

My point is: are you sure that you upgraded just postfix or maybe you
hit the same issue by running apt-get upgrade or similar?

I don't know what version of Mac is still using TLS1.0 as I can't stand
Macs and avoid them at all cost. I also don't know if using TLS1.0 is
account sticky which would be ridiculous.


k.

--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

Re: Postfix upgrade breaks emails accounts from Mac OS X

Viktor Dukhovni


> On Feb 3, 2018, at 1:21 PM, Karol Augustin <[hidden email]> wrote:
>
> I have few people connecting using Macs. I had a similar issue when I
> upgraded libssl to 1.1.0f-4 all of them couldn't connect as they are
> still using TLS 1.0. I had to temporarily downgrade to 1.1.0f-3 until
> the problem was fixed in 1.1.0g-1. The problem was that developers
> decided to disable TLS1.0, which impacted a lot of things.

This is not consistent with the OP's logs for the failed session:

Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: connect from unknown[118.174.201.202]
Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: Anonymous TLS connection established from unknown[118.174.201.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 29 16:44:59 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:05 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:11 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed: Connection lost to authentication server

TLS is set up just fine.  What's failing is SASL.  Perhaps there are
different authentication settings on port 587 than on 25, and remaking
the email account has the effect of switching the submission port?

Other factors to consider:

   http://www.postfix.org/postconf.5.html#smtpd_sasl_local_domain
   http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options

--
        Viktor.


Re: Postfix upgrade breaks emails accounts from Mac OS X

Olivier Nicole-2
In reply to this post by @lbutlr
"@lbutlr" <[hidden email]> writes:

> On 1 Feb 2018, at 22:39, Olivier <[hidden email]> wrote:
>> A failing connection: SMTP authentication:
>> Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: connect from unknown[118.174.201.202]
>
>
>> A successful SMTP authentication
>>
>> Jan 30 17:52:38 fbsd63 postfix/smtpd[15674]: connect from Mac-4.desktops.cs.ait.ac.th[192.41.170.243]
>
> Is it also possible that the 'unknown' status of the first connection
> is part of the problem?

No, we had the same problem when connecting with an IP that has a
properly defined rev DNS.

Thank you,

Olivier

--

Re: Postfix upgrade breaks emails accounts from Mac OS X

Olivier Nicole-2
In reply to this post by @lbutlr
"@lbutlr" <[hidden email]> writes:

> On 1 Feb 2018, at 21:31, Olivier <[hidden email]> wrote:
>> Is that a known problem? Is there a fix?
>
> It is not. I have a postfix 3.2 install and primarily use Macs to access it. Works fine on new and old accounts.
>
> However, this sounds like a dovecot issue, not a postfix issue. And you didn't provide any logs for the "can't use old accounts" events, so it's hard to say.
>
> Or maybe you are using something other than dovecot, in which case use dovecot.
>
> Ah, I see reading ahead that you are using cyrus.
>
> I found cyrus to be poorly documented and fragile, and switched to
> dovecot on recommendations on this list. I've been pleased with it.

OK, I will keep that in mind for a future upgrade :) Now I prefer to
limit my changes to a minimum, so I can work out the problem one step at a
time.

> In all likelihood, the settings for authentication need to be updated on the Macs. Generally the Mac does a good job of setting the accounts up correctly, but it will not change the settings when your server changes.
>
> Check the port number and the authentication method and make sure they match a working account.
>
> <https://www.dropbox.com/s/85xy4tc24i5twqr/Screenshot%202018-02-03%2010.06.26.png?dl=0>

I checked that is what I have. Port 25 because I use port 25 and plain
password (over TLS).

Thank you,

Olivier

>
> (That is for macOS High Sierra v10.13, earlier versions may look different)
>
> I suspect either the port is wrong or the Authentication method is wrong, or both are wrong.

--

Re: Postfix upgrade breaks emails accounts from Mac OS X

Olivier Nicole-2
In reply to this post by Viktor Dukhovni
Viktor Dukhovni <[hidden email]> writes:

>> On Feb 2, 2018, at 12:39 AM, Olivier <[hidden email]> wrote:
>>
>>> You've also not explained what you mean by deleting and recreating the
>>> account.
>>
>> I am not a Mac user, but from the Mail app, select Files/Account and
>> remove the account that makes problem and recreate it the same.
>
> Right, so this is a client-side change, which helps the Mac forget
> whatever wrong settings it had before.  Perhaps an incorrect SASL
> setting, or an incorrect port number.
>
>>> The only random guess that comes to mind is your SASL library may now
>>> claim to support OAUTH, but really does not.  Apple's Mail.app tends
>>> to be fond of that particular SASL mechanism.  Of course without logs
>>> that's just crazy wild speculation.
>>
>> Thank you,
>>
>> Olivier
>>
>> A failing connection: SMTP authentication:
>> Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: connect from unknown[118.174.201.202]
>> Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: Anonymous TLS connection established from unknown[118.174.201.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>> Jan 29 16:44:59 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
>> Jan 29 16:45:05 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
>> Jan 29 16:45:11 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
>> Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed: Connection lost to authentication server
>> Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: disconnect from unknown[118.174.201.202] ehlo=2 starttls=1 auth=0/4 quit=1 commands=4/8
>
> Is this the submission service on port 587, or inbound mail on
> port 25?

Port 25 used for submission.

>> A successful SMTP authentication with same credentials but from a
>> different Mac:
>>
>> Jan 30 17:52:38 fbsd63 postfix/smtpd[15674]: connect from Mac-4.desktops.cs.ait.ac.th[192.41.170.243]
>> Jan 30 17:52:38 fbsd63 postfix/smtpd[15674]: Anonymous TLS connection established from mac-4.desktops.cs.ait.ac.th[192.41.170.243]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> Ditto, and you don't show the rest of the session, where we'd see an
> actual login mechanism...

Feb  6 12:59:22 fbsd63 postfix/smtpd[67160]: connect from Mac-4.desktops.cs.ait.ac.th[192.41.170.149]
Feb  6 12:59:22 fbsd63 postfix/smtpd[67160]: NOQUEUE: filter: RCPT from Mac-4.desktops.cs.ait.ac.th[192.41.170.149]: <Mac-4.desktops.cs.ait.ac.th[192.41.170.149]>: Client host triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mac-4.desktops.cs.ait.ac.th>
Feb  6 12:59:22 fbsd63 postfix/smtpd[67160]: 4488C61F81: client=Mac-4.desktops.cs.ait.ac.th[192.41.170.149], sasl_method=PLAIN, sasl_username=pensri
Feb  6 13:00:22 fbsd63 postfix/smtpd[67160]: disconnect from Mac-4.desktops.cs.ait.ac.th[192.41.170.149] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8

Thank you,

Olivier
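
Added example, not part of any message in the thread: a Python script that groups `postfix/smtpd` lines by process id into sessions and reports the SASL outcome of each, so the failed and successful sessions posted above can be compared side by side. The first ten log lines are copied from the thread; the last three (host `internal.example`, pid 70001) are constructed to show a session whose AUTH fails while mail is still accepted.

```python
import re

# Lines copied from the thread: the failing session (pid 93113) and the later
# successful one (pid 67160, with its long NOQUEUE filter line left out).
THREAD_LOG = """\
Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: connect from unknown[118.174.201.202]
Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: Anonymous TLS connection established from unknown[118.174.201.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 29 16:44:59 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:05 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:11 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed: Connection lost to authentication server
Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: disconnect from unknown[118.174.201.202] ehlo=2 starttls=1 auth=0/4 quit=1 commands=4/8
Feb  6 12:59:22 fbsd63 postfix/smtpd[67160]: connect from Mac-4.desktops.cs.ait.ac.th[192.41.170.149]
Feb  6 12:59:22 fbsd63 postfix/smtpd[67160]: 4488C61F81: client=Mac-4.desktops.cs.ait.ac.th[192.41.170.149], sasl_method=PLAIN, sasl_username=pensri
Feb  6 13:00:22 fbsd63 postfix/smtpd[67160]: disconnect from Mac-4.desktops.cs.ait.ac.th[192.41.170.149] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

# Constructed lines (hypothetical host and pid): AUTH fails, mail is accepted anyway.
CONSTRUCTED_LOG = """\
Feb  6 14:00:00 fbsd63 postfix/smtpd[70001]: connect from internal.example[192.0.2.10]
Feb  6 14:00:01 fbsd63 postfix/smtpd[70001]: warning: internal.example[192.0.2.10]: SASL PLAIN authentication failed:
Feb  6 14:00:02 fbsd63 postfix/smtpd[70001]: disconnect from internal.example[192.0.2.10] ehlo=1 auth=0/1 mail=1 rcpt=1 data=1 quit=1 commands=5/6
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ postfix/smtpd\[(\d+)\]: (.*)$")
TLS = re.compile(r"TLS connection established from .*?: (\S+) with cipher (\S+)")
FAIL = re.compile(r"SASL (\S+) authentication failed:\s*(.*)$")
LOGIN = re.compile(r"sasl_method=([^,\s]+), sasl_username=(\S+)")
COUNT = re.compile(r"\b(\w+)=(\d+)(?:/(\d+))?")


def sessions(log_text):
    """Group smtpd lines into sessions; one pid serves many connections in turn."""
    open_by_pid, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, pid, msg = m.groups()
        if msg.startswith("connect from "):
            open_by_pid[pid] = {"pid": pid, "start": when, "client": msg[13:],
                                "tls": None, "failures": [], "login": None, "counts": {}}
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue  # line belongs to a session whose start is not in this excerpt
        if msg.startswith("disconnect from "):
            # "auth=0/4": 0 of 4 AUTH commands succeeded; "auth=1": 1 of 1.
            for name, ok, total in COUNT.findall(msg):
                s["counts"][name] = (int(ok), int(total or ok))
            done.append(open_by_pid.pop(pid))
        elif TLS.search(msg):
            s["tls"] = TLS.search(msg).group(1)
        elif FAIL.search(msg):
            s["failures"].append(FAIL.search(msg).groups())  # (mechanism, reason)
        elif LOGIN.search(msg):
            s["login"] = LOGIN.search(msg).groups()          # (mechanism, username)
    return done + list(open_by_pid.values())


def verdict(s):
    """Classify a session from the command counters on its disconnect line."""
    auth = s["counts"].get("auth")
    mail_ok = s["counts"].get("mail", (0, 0))[0] > 0
    if auth is None:
        return "mail-without-auth" if mail_ok else "no-auth-attempt"
    if auth[0] > 0:
        return "authenticated"
    return "auth-failed-but-mail-accepted" if mail_ok else "auth-failed"


if __name__ == "__main__":
    for s in sessions(THREAD_LOG + CONSTRUCTED_LOG):
        reasons = sorted({r for _, r in s["failures"] if r}) or ["-"]
        print(s["start"], s["client"], s["tls"] or "-", s["counts"].get("auth"),
              s["login"], verdict(s), "; ".join(reasons))
```

The `name=ok/total` counters on the disconnect line are only logged by Postfix 3.x, so a 2.11 log yields sessions with empty counters.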


--

Re: Postfix upgrade breaks emails accounts from Mac OS X

Olivier Nicole-2
In reply to this post by Viktor Dukhovni
Viktor Dukhovni <[hidden email]> writes:

>> On Feb 3, 2018, at 1:21 PM, Karol Augustin <[hidden email]> wrote:
>>
>> I have few people connecting using Macs. I had a similar issue when I
>> upgraded libssl to 1.1.0f-4 all of them couldn't connect as they are
>> still using TLS 1.0. I had to temporarily downgrade to 1.1.0f-3 until
>> the problem was fixed in 1.1.0g-1. The problem was that developers
>> decided to disable TLS1.0, which impacted a lot of things.
>
> This is not consistent with the OP's logs for the failed session:
>
> Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: connect from unknown[118.174.201.202]
> Jan 29 16:44:57 fbsd63 postfix/smtpd[93113]: Anonymous TLS connection established from unknown[118.174.201.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jan 29 16:44:59 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
> Jan 29 16:45:05 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
> Jan 29 16:45:11 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed:
> Jan 29 16:45:21 fbsd63 postfix/smtpd[93113]: warning: unknown[118.174.201.202]: SASL PLAIN authentication failed: Connection lost to authentication server
>
> TLS is set up just fine.  What's failing is SASL.  Perhaps there are
> different authentication settings on port 587 than on 25, and remaking
> the email account has the effect of switching the submission port?
>
> Other factors to consider:
>
>    http://www.postfix.org/postconf.5.html#smtpd_sasl_local_domain
>    http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options

Both are left to the default (empty) on the old and new server.

Thank you,

Olivier

--

Re: Postfix upgrade breaks emails accounts from Mac OS X

Viktor Dukhovni


> On Feb 6, 2018, at 1:26 AM, Olivier <[hidden email]> wrote:
>
>> TLS is set up just fine.  What's failing is SASL.  Perhaps there are
>> different authentication settings on port 587 than on 25, and remaking
>> the email account has the effect of switching the submission port?
>>
>> Other factors to consider:
>>
>>  http://www.postfix.org/postconf.5.html#smtpd_sasl_local_domain
>>  http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options
>
> Both are left to the default (empty) on the old and new server.

If recreating the account on the client side resolves the issue, and
successful authentication is PLAIN, but what was failing before the
account reset was also PLAIN, then the only conclusion is that the
client settings were wrong.  Whether the incorrect setting was the
username, the password, the port, ... hard to say.  What is clear
is that there's no Postfix issue, since merely recreating the login
on the MUA end is sufficient.

Good luck.

--
--
        Viktor.


Re: Postfix upgrade breaks emails accounts from Mac OS X

Olivier Nicole-2
Viktor Dukhovni <[hidden email]> writes:

>> On Feb 6, 2018, at 1:26 AM, Olivier <[hidden email]> wrote:
>>
>>> TLS is set up just fine.  What's failing is SASL.  Perhaps there are
>>> different authentication settings on port 587 than on 25, and remaking
>>> the email account has the effect of switching the submission port?
>>>
>>> Other factors to consider:
>>>
>>>  http://www.postfix.org/postconf.5.html#smtpd_sasl_local_domain
>>>  http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options
>>
>> Both are left to the default (empty) on the old and new server.
>
> If recreating the account on the client side resolves the issue, and
> successful authentication is PLAIN, but what was failing before the
> account reset was also PLAIN, then the only conclusion is that the
> client settings were wrong.  Whether the incorrect setting was the
> username, the password, the port, ... hard to say.  What is clear
> is that there's no Postfix issue, since merely recreating the login
> on the MUA end is sufficient.

Thank you for the help.

The problem was not postfix but a combination of cyrus-sasl and ldap: a
user LDAP entry needs an objectClass of shadowAccount to be working,
not all my users had it (especially the older ones).

Combined with that was the fact that, when doing the test internally, the
authentication could be bypassed by postfix if it did not succeed, so I
was reading false results.

I apologize for the noise.

Olivier
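
Added example, not part of the thread: the last message traces the failures to LDAP user entries that lack the `shadowAccount` objectClass. One way to find such entries is to audit an LDIF export of the directory, as the Python script below does on a constructed sample. The DNs, uids and the `dc=example,dc=org` suffix are hypothetical, and treating every entry that has a `uid` as a user account is an assumption.

```python
import base64

# Constructed LDIF export; DNs, uids and the dc=example,dc=org suffix are hypothetical.
SAMPLE_LDIF = """\
version: 1

# older account, created without shadowAccount
dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice

dn: uid=carol,ou=People,dc=example,
 dc=org
objectclass:: c2hhZG93QWNjb3VudA==
objectClass: posixAccount
uid: carol

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People
"""


def parse_ldif(text):
    """Return one {lowercased-attribute-name: [values]} dict per LDIF record."""
    lines, in_comment = [], False
    for line in text.splitlines():
        if line.startswith(" "):            # folded continuation of the previous line
            if not in_comment and lines:
                lines[-1] += line[1:]
            continue
        in_comment = line.startswith("#")
        if not in_comment:
            lines.append(line)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(name.strip().lower(), []).append(value)
    return entries


def users_missing_class(text, required="shadowAccount"):
    """DNs of entries that have a uid but lack the required objectClass."""
    missing = []
    for entry in parse_ldif(text):
        # Attribute names and objectClass values compare case-insensitively.
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "uid" in entry and required.lower() not in classes:
            missing.append(entry["dn"][0])
    return missing


if __name__ == "__main__":
    for dn in users_missing_class(SAMPLE_LDIF):
        print("missing shadowAccount:", dn)
```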

--