Re: dovecot sasl with postfix, smtp auth not available

Mon, 24 Apr 2023 04:01:26 -0700 

Hi Badli,

thanks for the information.

A few hints:
If possible, please avoid using HTML mails.
And for outputs like 'postconf -n': please use an attached text file if your MUA (OL) isn't able to transfer them in a proper way. 


I would suggest the following changes:



1. postconf -n

[...]

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
As Benny already wrote: delete them from your main.cf as port 25 should not be used for authentication. 




2. postconf -M

[...]

smtps inet n - - - -        smtpd

[...]

-o smtpd_client_restrictions= permit_sasl_authenticated, reject


-------------------------------^


-o milter_macro_daemon_name= ORIGINATING


------------------------------^
In master.cf: please take care that you don't specify whitespaces around the '=', at least if you're using the short form shown above.
Some more examples, where you should check and change the master.cf regarding this: 


submission inet n - - - -    smtpd

[...]

-o smtpd _sasl_security_options= noanonymous
-o smtpd_client_restrictions= permit_sasl_authenticated, reject
-o smtpd_sender_login_maps= hash:/etc/postfix/virtual
-o smtpd_sender_restrictions= reject_sender_login_mismatch
-o smtpd_recipient_restrictions= reject_non_fqdn_recipient ...




Regarding the authentication part(s) itself:
The configuration of the submission port seems correct to me and authentication should work. You can test it this way: 

openssl s_client -connect www.zystro.xyz:587 -starttls smtp
For the smtps port you should add at least the following to the existing configuration of your master.cf: 


smtps inet n - - - -      smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING


      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous


You can test it this way:

openssl s_client -connect www.zystro.xyz:465
After connecting successfully (to 465 & 587), in both cases using 'ehlo foo' you should see entries like these: 

[...]
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
[...]


If not, we need the logs. ;-)

HTH and regards,
Markus



_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

Reply via email to