Patrick Ben Koetter wrote:
> * JP <post...@postfix.exjay.com>:
>> i'll guess the solution to my problem will be something simple and
>> obvious, because i know i ain't the first person to do this, but i've
>> been staring at it for days and can't see what's wrong.
>>
>> os x snow leopard server; postfix 2.5.5; dovecot 1.1.17apple0.5
>>
>> trying to get SMTP auth working via SASL.  using a plain password
>> scheme and plain auth scheme over SSL.  client is apple mail.
>> deliveries are working, and dovecot's pop3s and imaps are working
>> just fine.  but when i attempt to use smtp auth, postfix says
>>
>> SASL plain authentication failed
>> unable to lookup user record
>
> Your Postfix uses Dovecot SASL. Have you tried to authenticate using a telnet
> session, sending AUTH identity on command line?
>
> p...@rick
>
>
>> scoured months worth of list archives and didn't see anything
>> specific to this.  other eyes are appreciated!  thanks.
>>
>> # postconf -n
>> biff = no
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> content_filter = smtp-amavis:[127.0.0.1]:10024
>> daemon_directory = /usr/libexec/postfix
>> debug_peer_level = 2
>> enable_server_options = yes
>> header_checks = pcre:/etc/postfix/custom_header_checks
>> html_directory = /usr/share/doc/postfix/html
>> inet_interfaces = all
>> mail_owner = _postfix
>> mailbox_size_limit = 0
>> mailbox_transport = dovecot
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/share/man
>> message_size_limit = 10485760
>> mydomain = example.com
>> mydomain_fallback = localhost
>> mynetworks = 127.0.0.0/8,192.168.61.0/24
>> newaliases_path = /usr/bin/newaliases
>> queue_directory = /private/var/spool/postfix
>> readme_directory = /usr/share/doc/postfix
>> recipient_delimiter = +
>> relayhost =
>> sample_directory = /usr/share/doc/postfix/examples
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = _postdrop
>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject
>> smtpd_enforce_tls = no
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
>> smtpd_pw_server_security_options = plain, login cram-md5
>> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy reject
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_type = dovecot
>> smtpd_tls_CAfile = /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.chain.pem
>> smtpd_tls_cert_file = /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.cert.pem
>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>> smtpd_tls_key_file = /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.key.pem
>> smtpd_use_pw_server = yes
>> smtpd_use_tls = yes
>> unknown_local_recipient_reject_code = 550
>> virtual_alias_maps =
>> virtual_gid_maps = static:5000
>> virtual_mailbox_base = /etc/postfix/datastore
>> virtual_mailbox_domains = osx.example.com
>> virtual_mailbox_maps = hash:/etc/postfix/datausers
>> virtual_minimum_uid = 100
>> virtual_uid_maps = static:5000
>>
>>
>>
>>
>> # dovecotd -n
>> # 1.1.17apple0.5: /private/etc/dovecot/dovecot.conf
>> Warning: fd limit 256 is lower than what Dovecot can use under full load (more than 456). Either grow the limit or change login_max_processes_count and max_mail_processes settings
>> # OS: Darwin 10.2.0 i386  hfs
>> base_dir: /var/run/dovecot
>> syslog_facility: local6
>> protocols: pop3s imaps
>> ssl_cert_file: /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.cert.pem
>> ssl_key_file: /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.key.pem
>> ssl_cipher_list: ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL
>> disable_plaintext_auth: no
>> login_dir: /var/run/dovecot/login
>> login_executable(default): /usr/libexec/dovecot/imap-login
>> login_executable(imap): /usr/libexec/dovecot/imap-login
>> login_executable(pop3): /usr/libexec/dovecot/pop3-login
>> login_user: _dovecot
>> login_process_per_connection: no
>> max_mail_processes: 200
>> mail_max_userip_connections(default): 20
>> mail_max_userip_connections(imap): 20
>> mail_max_userip_connections(pop3): 10
>> verbose_proctitle: yes
>> first_valid_uid: 6
>> first_valid_gid: 6
>> mail_access_groups: mail
>> mail_location: maildir:/etc/postfix/datastore/%d/%n
>> mail_debug: yes
>> mail_executable(default): /usr/libexec/dovecot/imap
>> mail_executable(imap): /usr/libexec/dovecot/imap
>> mail_executable(pop3): /usr/libexec/dovecot/pop3
>> mail_process_sharing: full
>> mail_max_connections: 5
>> mail_plugins(default): quota imap_quota
>> mail_plugins(imap): quota imap_quota
>> mail_plugins(pop3): quota
>> mail_plugin_dir(default): /usr/lib/dovecot/imap
>> mail_plugin_dir(imap): /usr/lib/dovecot/imap
>> mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
>> auth default:
>>   verbose: yes
>>   debug: yes
>>   debug_passwords: yes
>>   passdb:
>>     driver: passwd-file
>>     args: username_format=%n /etc/postfix/datastore/%d-passwd
>>   userdb:
>>     driver: passwd-file
>>     args: username_format=%n /etc/postfix/datastore/%d-passwd
>>   socket:
>>     type: listen
>>     client:
>>       path: /var/spool/postfix/private/auth
>>       mode: 432
>>       user: postfix
>>       group: postfix
>> plugin:
>>   quota_warning: storage=100%% /usr/libexec/dovecot/quota-exceeded.sh
>>   quota: maildir:User quota
>>   sieve: /var/spool/imap/dovecot/sieve-scripts/%u/dovecot.sieve
>>
>>> Your Postfix uses Dovecot SASL. Have you tried to authenticate using a telnet
>>> session, sending AUTH identity on command line?
>>>
>> Escape character is '^]'.
>> 220 osx-106.example.com ESMTP Postfix
>> EHLO foobie.example.com
>> 250-osx-106.example.com
>> 250-PIPELINING
>> 250-SIZE 10485760
>> 250-VRFY
>> 250-ETRN
>> 250-AUTH LOGIN PLAIN CRAM-MD5
>> 250-STARTTLS
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> AUTH PLAIN 1a1dc91c907325c69271ddf0c944bc72blahblahblah
>> 535 Error: authentication failed
>
> Postfix and Dovecot both use the Dovecot authentication methods.
> Dovecot works, Postfix doesn't. Where's the difference?
>
> What happens if you try an IMAP "login" on command line and send the same
> credentials?
>
> If you send the same credentials and it succeeds, then something between
> Postfix and the Dovecot auth socket is probably wrong.
>
> If IMAP login fails too, then you probably send the wrong credentials during
> SMTP AUTH and you should find out what is sent during IMAP login.
>
> p...@rick

yes, the imap login works.  i agree that it is obviously something
between postfix and dovecot, and that's where i'm stuck.

my configuration is the same simple config that is well documented on
both the postfix and dovecot sites.

as it should be, the socket is

srw-rw----  1 _postfix  _postfix  0 Dec  4 08:51 /var/spool/postfix/private/auth

lsof shows the socket is open by dovecot-auth (which is running as root):

dovecot-a 63614           root    5u     unix 0x0888b990       0t0 /var/spool/postfix/private/auth

i haven't seen the socket opened by postfix. i'm assuming that that event is transient.

so both postfix and dovecot have read/write access to the socket.

the credentials sent are the same whether they're sent via a true mail client or via the command line. when sent via the command line, they're generated via

perl -MMIME::Base64 -e 'print encode_base64("\0username\0password");'

and i've verified they're correct via decode_base64

any other insight would be appreciated.  thanks.
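
An added example, not part of the thread and not code from Postfix or Dovecot: it decodes an AUTH PLAIN argument built like the perl one-liner above and expands `%n` and `%d` in the passwd-file `args` from the `dovecotd -n` output, showing which file and key a given login name maps to. The login `jdoe` and its password are constructed, and the variable expansion is a simplified model that handles only `%u`, `%n` and `%d`.

```python
import base64
import re

# Copied from the `dovecotd -n` output quoted in the thread.
PASSDB_FILE = "/etc/postfix/datastore/%d-passwd"
USERNAME_FORMAT = "%n"


def make_token(login, password):
    """Build the AUTH PLAIN argument the same way as the perl one-liner."""
    raw = b"\0" + login.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token):
    """Split a SASL PLAIN response (RFC 4616): authzid NUL authcid NUL passwd."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected 3 NUL-separated fields, got %d" % len(parts))
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def expand(template, login):
    """Expand %u, %n and %d for a login name. Assumption: a simplified model
    of Dovecot's variables; modifiers and other variables are not handled."""
    local, _, domain = login.partition("@")
    values = {"u": login, "n": local, "d": domain}
    return re.sub(r"%([und])", lambda m: values[m.group(1)], template)


def lookup_target(token):
    """Return (passwd-file path, key searched in that file) for one token."""
    _, authcid, _ = decode_plain(token)
    return expand(PASSDB_FILE, authcid), expand(USERNAME_FORMAT, authcid)


if __name__ == "__main__":
    # Constructed logins: the same account with and without its domain part.
    for login in ("jdoe@osx.example.com", "jdoe"):
        path, key = lookup_target(make_token(login, "constructed-pw"))
        print("%-22s file=%s key=%s" % (login, path, key))
```

Running it with the login name used for the working IMAP login and the one sent in AUTH PLAIN shows whether both resolve to the same passwd file.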


