Discussion:
No AUTH PLAIN with dovecot 2.0.19
Michael Wechner
2014-09-29 12:53:38 UTC
Hi

I have installed the package dovecot-postfix on Ubuntu 12.04 LTS:

dovecot --version: 2.0.19
postconf -d | grep version: 2.9.6

and receiving email works very well, but relaying email does not work.

I think the problem is that after STARTTLS the authentication is not
being executed

250-AUTH PLAIN
250-AUTH=PLAIN

which means using telnet returns

telnet mx2.wyona.com 587
Trying 50.116.54.197...
Connected to node3.wyona.com.
Escape character is '^]'.
220 node3.members.linode.com ESMTP Postfix (Ubuntu)
EHLO letscallitevil.com
250-node3.members.linode.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So far I have used dovecot version 1.2.9, which works very well, but the
configuration

/etc/dovecot/dovecot.conf

seems to be very different in the case of dovecot version 2.0.19.

I have checked all kinds of tutorials for several days now, like for example

https://help.ubuntu.com/10.04/serverguide/postfix.html

but nothing helped.

Any pointers or help is very much appreciated.

Thanks

Michael
Reindl Harald
2014-09-29 13:01:08 UTC
Post by Michael Wechner
dovecot --version: 2.0.19
postconf -d | grep version: 2.9.6
and receiving email works very well, but relaying email does not work.
I think the problem is that after STARTTLS the authentication is not
being executed
250-AUTH PLAIN
250-AUTH=PLAIN
which means using telnet returns
telnet is worthless because AUTH is likely announced *after STARTTLS*
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
Post by Michael Wechner
telnet mx2.wyona.com 587
Trying 50.116.54.197...
Connected to node3.wyona.com.
Escape character is '^]'.
220 node3.members.linode.com ESMTP Postfix (Ubuntu)
oh my god, another server in the linode-zombie network
that's a bad neighbourhood and you should avoid a PTR
ending with "members.linode.com", which is generic
and blocked here because I have never seen any legit
mail from Linode, but 24 hours a day attacks or
spam delivery attempts

http://www.mxpolice.com/email-security/importance-of-ptr-records-for-reliable-mail-delivery/
Post by Michael Wechner
EHLO letscallitevil.com
250-node3.members.linode.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Reindl Harald
2014-09-29 13:07:20 UTC
Post by Reindl Harald
Post by Michael Wechner
which means using telnet returns
telnet is worthless because AUTH is likely announced *after STARTTLS*
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
Post by Michael Wechner
telnet mx2.wyona.com 587
Trying 50.116.54.197...
Connected to node3.wyona.com.
Escape character is '^]'.
220 node3.members.linode.com ESMTP Postfix (Ubuntu)
oh my god, another server in the linode-zombie network
that's a bad neighbourhood and you should avoid a PTR
ending with "members.linode.com", which is generic
and blocked here because I have never seen any legit
mail from Linode, but 24 hours a day attacks or
spam delivery attempts
http://www.mxpolice.com/email-security/importance-of-ptr-records-for-reliable-mail-delivery/
erratum, with "node" at the beginning: lucky
/^li[0-9]{1,3}[\.\-][0-9]{1,3}\.members\.linode\.com$/ REJECT Generic DNS-Reverse-Lookup
Post by Reindl Harald
Post by Michael Wechner
EHLO letscallitevil.com
250-node3.members.linode.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Michael Wechner
2014-09-29 13:21:41 UTC
Hi Harald

Thanks very much for your quick reply. Please see my answers inline below
Post by Reindl Harald
Post by Michael Wechner
dovecot --version: 2.0.19
postconf -d | grep version: 2.9.6
and receiving email works very well, but relaying email does not work.
I think the problem is that after STARTTLS the authentication is not
being executed
250-AUTH PLAIN
250-AUTH=PLAIN
which means using telnet returns
telnet is worthless because AUTH is likely announced *after STARTTLS*
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
right, but when querying mail.wyona.com, for example, I can see AUTH

telnet mail.wyona.com 587
Trying 195.226.6.75...
Connected to mx1.wyona.com.
Escape character is '^]'.
220 mail.wyona.com ESMTP Postfix (Ubuntu)
EHLO wyona.com
250-mail.wyona.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

or also when using ngrep

T 195.226.6.75:587 -> 10.10.1.102:58990 [AP]
250-mail.wyona.com..250-PIPELINING..250-SIZE
10240000..250-VRFY..250-ETRN..250-STARTTLS..250-AUTH
PLAIN..250-AUTH=PLAIN..250-ENHANCEDSTATUSCODES.
.250-8BITMIME..250 DSN..

hence I would expect to see it for the new version of postfix and
dovecot too, or do I misunderstand something?
Post by Reindl Harald
Post by Michael Wechner
telnet mx2.wyona.com 587
Trying 50.116.54.197...
Connected to node3.wyona.com.
Escape character is '^]'.
220 node3.members.linode.com ESMTP Postfix (Ubuntu)
oh my god, another server in the linode-zombie network
that's a bad neighbourhood and you should avoid a PTR
ending with "members.linode.com", which is generic
and blocked here because I have never seen any legit
mail from Linode, but 24 hours a day attacks or
spam delivery attempts
http://www.mxpolice.com/email-security/importance-of-ptr-records-for-reliable-mail-delivery/

thanks for pointing this out. I have set it now according to

https://www.linode.com/docs/networking/dns/adding-dns-records/

and it should work within the next 24 hours (at least that's what linode
says).

Thanks

Michael
Reindl Harald
2014-09-29 13:30:12 UTC
Post by Michael Wechner
Hi Harald
Thanks very much for your quick reply. Please see my answers inline below
Post by Reindl Harald
telnet is worthless because AUTH is likely announced *after STARTTLS*
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
right, but when querying mail.wyona.com, for example, I can see AUTH
depends on the server's configuration
Post by Michael Wechner
hence I would expect to see it for the new version of postfix
and dovecot too, or do I misunderstand something?
yes, you did not read http://www.postfix.org/postconf.5.html#smtp_sasl_security_options

if the server is configured in a way that it offers AUTH only
over an encrypted channel (recommended) then you need to
use STARTTLS before you see the capability, and for that
telnet is just the wrong tool

Michael Wechner
2014-09-29 13:51:41 UTC
Post by Reindl Harald
Post by Michael Wechner
Hi Harald
Thanks very much for your quick reply. Please see my answers inline below
Post by Reindl Harald
telnet is worthless because AUTH is likely announced *after STARTTLS*
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
right, but when querying mail.wyona.com, for example, I can see AUTH
depends on the server's configuration
Post by Michael Wechner
hence I would expect to see it for the new version of postfix
and dovecot too, or do I misunderstand something?
yes, you did not read
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
Post by Reindl Harald
if the server is configured in a way that it offers AUTH only
over an encrypted channel (recommended) then you need to
use STARTTLS before you see the capability, and for that
telnet is just the wrong tool
the new server config reads (postfix mail_version = 2.7.0):

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain

and the old server config reads:

smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_rbl_client multi.uribl.com,
reject_rbl_client bl.spamcop.net,
reject_rbl_client opm.blitzed.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl.njabl.org

which means both configs are using

smtpd_sasl_security_options = noanonymous


But also when I am not using telnet, but Thunderbird for example, with
the new server I never receive a dialog to enter a password as I do with
the old server. This is the reason why I started to have the idea that
no authentication is being requested in the first place (and hence the
relay was rejected).

Thanks

Michael
Reindl Harald
2014-09-29 14:00:59 UTC
Post by Reindl Harald
Post by Reindl Harald
Post by Michael Wechner
Hi Harald
Thanks very much for your quick reply. Please see my answers inline below
Post by Reindl Harald
telnet is worthless because AUTH is likely announced *after STARTTLS*
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
right, but when querying mail.wyona.com, for example, I can see
AUTH
Post by Reindl Harald
depends on the server's configuration
Post by Michael Wechner
hence I would expect to see it for the new version of postfix
and dovecot too, or do I misunderstand something?
yes, you did not read
http://www.postfix.org/postconf.5.html#smtp_sasl_security_options
Post by Reindl Harald
if the server is configured in a way that it offers AUTH only
over an encrypted channel (recommended) then you need to
use STARTTLS before you see the capability, and for that
telnet is just the wrong tool
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
* check postfix master.cf for chroot - only an explicit "n" disables it
* check the configuration of private/dovecot-auth (permissions and so on)
* look at your logs carefully
____________________________________________________________________

this is my part of dovecot.conf:

service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
____________________________________________________________________

this is my part of postfix's main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
____________________________________________________________________

well, both have been unchanged for a very long time and survived
a lot of dist-upgrades (Fedora) as well as Dovecot/Postfix upgrades
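
The three checks Harald lists (master.cf chroot, the socket path, the socket's permissions) as an added example, not code from any post in this thread. The main.cf lines are the ones quoted above for the new server and for Harald's setup, and the unix_listener block is Harald's; the master.cf excerpt, the queue_directory of /var/spool/postfix and Dovecot's base_dir of /var/run/dovecot are assumptions (stock values of that era). Running the new server's smtpd_sasl_path against Harald's listener only illustrates what a mismatch looks like; the thread never shows the new server's Dovecot side.

```python
"""Cross-check the Postfix and Dovecot sides of the SASL auth socket.

Added example for this thread, not code from any of the posts. Config text
marked 'as quoted' comes from the thread; MASTER_CF, queue_directory and
base_dir are assumptions (stock Postfix/Dovecot values of that era).
"""
import os
import re

# Constructed master.cf excerpt: the chroot column is '-' (= default) for
# both services, as in the stock files of that era.
MASTER_CF = """# service type  private unpriv  chroot  wakeup  maxproc command
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""

# main.cf lines as quoted: the new server, then Harald's.
MAIN_CF_NEW_SERVER = """smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
"""
MAIN_CF_HARALD = """smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
"""

# Dovecot listener as quoted from Harald's dovecot.conf.
DOVECOT_CONF_HARALD = """service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
"""


def smtpd_chrooted(master_cf, service="smtp", default="y"):
    """Chroot column of an inet service. '-' means the default, which is 'y'
    on the Postfix 2.x in this thread (only an explicit 'n' disables it);
    Postfix 3.0 changed the default to 'n', so pass default='n' there."""
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.startswith("#") or raw[0].isspace():
            continue  # blank, comment, or '-o' continuation line
        f = raw.split()  # service type private unpriv chroot wakeup maxproc command
        if len(f) >= 8 and f[0] == service and f[1] == "inet":
            return default == "y" if f[4] == "-" else f[4] == "y"
    raise ValueError(f"service {service!r} not found in master.cf")


def postfix_socket_path(queue_directory, smtpd_sasl_path, chrooted):
    """Host-side path smtpd connects to. Relative names live under
    $queue_directory; an absolute name is literal for an unchrooted smtpd but
    is resolved inside the jail (again under $queue_directory) when chrooted."""
    if not smtpd_sasl_path.startswith("/"):
        return os.path.join(queue_directory, smtpd_sasl_path)
    if chrooted:
        return os.path.join(queue_directory, smtpd_sasl_path.lstrip("/"))
    return smtpd_sasl_path


def dovecot_listeners(dovecot_conf, base_dir="/var/run/dovecot"):
    """{host path: {mode/user/group}} per unix_listener block; relative
    listener names are under Dovecot's base_dir (assumed default)."""
    listeners = {}
    for m in re.finditer(r"unix_listener\s+(\S+)\s*\{([^}]*)\}", dovecot_conf):
        path = m.group(1)
        if not path.startswith("/"):
            path = os.path.join(base_dir, path)
        listeners[path] = dict(re.findall(r"(\w+)\s*=\s*(\S+)", m.group(2)))
    return listeners


def wiring_problems(master_cf, main_cf, dovecot_conf, queue_directory="/var/spool/postfix"):
    """Findings as strings; an empty list means both sides agree."""
    settings = dict(re.findall(r"^\s*(\w+)\s*=\s*(.+?)\s*$", main_cf, re.M))
    sasl_path = settings.get("smtpd_sasl_path", "smtpd")  # Postfix default
    chrooted = smtpd_chrooted(master_cf)
    problems = []
    if chrooted and sasl_path.startswith("/"):
        problems.append("smtpd is chrooted but smtpd_sasl_path is absolute; "
                        "use a path relative to the queue directory")
    expected = postfix_socket_path(queue_directory, sasl_path, chrooted)
    listeners = dovecot_listeners(dovecot_conf)
    if expected not in listeners:
        problems.append(f"Postfix will connect to {expected} but Dovecot only "
                        f"listens on {sorted(listeners) or 'nothing'}")
        return problems
    opts = listeners[expected]
    mode = int(opts.get("mode", "0600"), 8)
    # connect() on a UNIX socket needs write permission for the postfix user.
    need = 0o200 if opts.get("user") == "postfix" else 0o020 if opts.get("group") == "postfix" else 0o002
    if not mode & need:
        problems.append(f"{expected}: mode {opts.get('mode')} with user={opts.get('user')} "
                        f"group={opts.get('group')} gives postfix no write access")
    return problems


if __name__ == "__main__":
    for label, cf in (("new server", MAIN_CF_NEW_SERVER), ("Harald", MAIN_CF_HARALD)):
        print(label, "->", wiring_problems(MASTER_CF, cf, DOVECOT_CONF_HARALD) or "OK")
```

On a live box, feed it `postconf -M` (master.cf), `postconf -n` and `doveconf -n` output instead of the constants; the one thing it cannot read from config is whether the socket actually exists, which `ls -l /var/spool/postfix/private/` shows.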

Michael Wechner
2014-09-29 18:45:05 UTC
thanks very much for your configuration. It seems that with dovecot 2.0.19
the configuration has changed quite a bit
and things have been split into several files
(http://wiki2.dovecot.org/QuickConfiguration)

sudo grep -rl postfix /etc/dovecot/*
/etc/dovecot/conf.d/10-master.conf
/etc/dovecot/conf.d/01-mail-stack-delivery.conf

and included inside dovecot.conf (!include conf.d/*.conf)

I finally found that auth_debug is inside

/etc/dovecot/conf.d/10-logging.conf

I will turn on the logging and hopefully better understand what is
happening.

Thanks

Michael
Reindl Harald
2014-09-29 18:59:57 UTC
Post by Michael Wechner
thanks very much for your configuration. It seems with dovecot 2.0.19
the configuration has changed quite a bit
and things have been splitted into several files
it's your choice to have one dovecot.conf containing
all settings, which is independent of the version

frankly, my self-built RPM deletes all config files
before the %files section so as to have no orphaned / unused
crap on the production machines, and the one and only
configuration is "dovecot.conf"

Michael Wechner
2014-09-30 09:11:02 UTC
yes, that makes sense. I have now also done

doveconf -n > /etc/dovecot/dovecot.conf

but I still do not know why the configuration does not work.

I have now downgraded to

Postfix 2.7.0
Dovecot 1.2.9

also using apt-get install dovecot-postfix

but it also did not work with this older version and the corresponding
"default" configuration.

But I have now copied the old configuration to this "new" setup and it
works now.
So I would argue there must be something wrong with the "default"
configuration when using the
package dovecot-postfix. I will try to find out and send a note in case
I do.

Thanks

Michael
Steffen Kaiser
2014-09-30 06:24:38 UTC
Post by Reindl Harald
Post by Michael Wechner
hence I would expect to see it for the new version of postfix
and dovecot too, or do I misunderstand something?
if the server is configured in a way that it offers AUTH only
over an encrypted channel (recommended) then you need to
use STARTTLS before you see the capability, and for that
telnet is just the wrong tool
To test STARTTLS try this:

a) gnutls-cli -p 587 --starttls smtp
STARTTLS
^D

The ^D lets gnutls perform the SSL handshake, then you can type again.

b) openssl s_client -connect smtp:587 -starttls smtp

--
Steffen Kaiser
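
The comparison Steffen's gnutls-cli/openssl commands let you do by hand, as an added example that is not code from any post in this thread: read the EHLO reply before and after STARTTLS instead of only the cleartext reply that telnet shows. The pre-TLS reply is the transcript quoted in Michael's first post; the post-TLS reply is constructed on the assumption that the server offers AUTH only on an encrypted channel (smtpd_tls_auth_only = yes). probe_submission() runs the same comparison against a live host; the EHLO name probe.example.invalid is a placeholder.

```python
"""Show AUTH before vs. after STARTTLS on a submission port.

Added example for this thread, not code from any of the posts. The pre-TLS
reply is the EHLO transcript quoted in the thread; the post-TLS reply is
constructed for a server assumed to run with smtpd_tls_auth_only = yes.
"""
import re
import smtplib
import ssl

# EHLO reply as quoted from the telnet session in the thread (before STARTTLS).
EHLO_BEFORE_TLS = """250-node3.members.linode.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed: the second EHLO, sent after STARTTLS succeeded. STARTTLS is
# no longer listed (already negotiated) and AUTH appears, both in the RFC
# form and in the 'AUTH=' form that broken_sasl_auth_clients = yes adds.
EHLO_AFTER_TLS = """250-node3.members.linode.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply: str) -> dict:
    """Map EHLO keywords to their parameter words, e.g. {'SIZE': ['10240000']}.

    The first 250 line is the server name and carries no capability.
    """
    features = {}
    lines = [ln[4:] for ln in reply.splitlines() if re.match(r"250[ -]", ln)]
    for line in lines[1:]:
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9-]*)[ =]?(.*)$", line.strip())
        if not m:
            continue
        keyword, params = m.group(1).upper(), m.group(2).split()
        if keyword == "AUTH":
            # 'AUTH PLAIN' and 'AUTH=PLAIN' both list mechanisms; merge them.
            seen = features.get("AUTH", [])
            features["AUTH"] = seen + [p for p in params if p not in seen]
        else:
            features[keyword] = params
    return features


def auth_mechanisms(features: dict) -> set:
    return set(features.get("AUTH", []))


def auth_only_after_tls(before: str, after: str) -> bool:
    """True when AUTH is withheld on the cleartext channel and offered after
    STARTTLS, which is the behaviour you want for PLAIN and LOGIN."""
    return (not auth_mechanisms(parse_ehlo(before))
            and bool(auth_mechanisms(parse_ehlo(after))))


def probe_submission(host: str, port: int = 587, timeout: float = 10.0):
    """Live version of the same comparison: (mechs before TLS, mechs after TLS).

    The default SSL context verifies the server certificate, so a bad
    certificate surfaces as an error instead of being silently accepted.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("probe.example.invalid")
        before = {m.lstrip("=") for m in s.esmtp_features.get("auth", "").split()}
        if not s.has_extn("starttls"):
            return before, set()
        s.starttls(context=ctx)
        s.ehlo("probe.example.invalid")
        after = {m.lstrip("=") for m in s.esmtp_features.get("auth", "").split()}
    return before, after


if __name__ == "__main__":
    import sys
    before, after = probe_submission(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    print("AUTH before STARTTLS:", sorted(before) or "none")
    print("AUTH after  STARTTLS:", sorted(after) or "none")
```

Reading the live result: a non-empty first set means the server accepts PLAIN or LOGIN passwords in the clear on that port; empty before and non-empty after is the intended configuration; empty on both sides after a successful STARTTLS means AUTH is really missing server-side, which is a Postfix/Dovecot SASL wiring problem rather than the telnet artefact discussed above.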
Michael Wechner
2014-09-30 09:01:39 UTC
Hi Steffen

Thanks very much for the hint. I will give it a try later today.

Michael
Robert Schetterer
2014-09-29 14:09:32 UTC
Post by Michael Wechner
Hi
dovecot --version: 2.0.19
postconf -d | grep version: 2.9.6
and receiving email works very well, but relaying email does not work.
I think the problem is that after STARTTLS the authentication is not
being executed
250-AUTH PLAIN
250-AUTH=PLAIN
which means using telnet returns
telnet mx2.wyona.com 587
Trying 50.116.54.197...
Connected to node3.wyona.com.
Escape character is '^]'.
220 node3.members.linode.com ESMTP Postfix (Ubuntu)
EHLO letscallitevil.com
250-node3.members.linode.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
So far I have used dovecot version 1.2.9, which works very well, but the
configuration
/etc/dovecot/dovecot.conf
seems to be very different in the case of dovecot version 2.0.19.
I have checked all kinds of tutorials for several days now, like for example
https://help.ubuntu.com/10.04/serverguide/postfix.html
but nothing helped.
Any pointers or help is very much appreciated.
Thanks
Michael
However you might fix that problem, it would be better to go to Trusty,
which has a more recent version

http://packages.ubuntu.com/trusty/dovecot-core

2.2.9


Best Regards
Kind regards, Robert Schetterer
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Michael Wechner
2014-09-29 18:47:00 UTC
Hi Robert

Thank you for your hint!

Michael