Score:0

SMTP authentication issues with Postfix Dovecot

Sam

I had bought a domain example.com and a VPS, and I used iRedMail to set up a mailserver.

Not wanting iRedMail to mess with my Nginx, I decided to install Nginx and Roundcube by myself. However, it says the SMTP server doesn't support auth. SMTP is all right.

[02-Oct-2021 23:40:16 +0000]: <5gl20r7b> PHP Error: SMTP server does not support authentication (POST /?_task=mail&_unlock=loading1633218016462&_framed=1&_action=send)
[02-Oct-2021 23:40:16 +0000]: <5gl20r7b> SMTP Error: Authentication failure:   in /var/www/mail/program/lib/Roundcube/rcube.php on line 1702 (POST /?_task=mail&_unlock=loading1633218016462&_framed=1&_action=send)

And postconf -n output.

root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailq_path = /usr/bin/mailq
message_size_limit = 15728640
mlmmj_destination_recipient_limit = 1
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = example.com
myhostname = example.com
mynetworks = 127.0.0.1 [::1]
myorigin = example.com
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = drop
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:12340
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

EDIT: Following some questions, I enabled:

postconf | grep smtp_sasl_auth_enable
smtp_sasl_auth_enable = yes

But using openssl s_client, I got:

503 5.5.1 Error: authentication not enabled

UPDATE:

After setting smtpd_sasl_auth_enable = yes I had a chance to input my password, but it says the password is wrong. I am using a password manager so the password should be correct. Besides, I can use the credentials to log in via IMAP.

535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6

EDIT: On /var/log/maillog, I saw this:

fatal: specify a password table via the `smtp_sasl_password_maps' configuration parameter

So I used:

postconf | grep smtp_sasl_password_maps
smtp_sasl_password_maps =

Maybe that's what's wrong. But it shouldn't be empty, as I used iRedMail, so what should it be?

anx
You may be offering encrypted&authenticated submission on a different port than the one roundcube is trying to submit mail to? Your postfix configuration & logs and/or the roundcube configuration would help diagnose this.
anx
Note that it is kind of odd to offer both IMAP and POP3 when you are going to access your mail via a webmail client. If enabling that was a mistake, disable pop3 in Dovecot.
anx
Are you setting up a *new* server? Are you aware that Ubuntu has a more recent LTS release 20.04, which should now almost always be the preferred version as it will still receive standard support when the older release no longer does?
Sam
This is a VPS, and the 'latest' server they provide was Ubuntu 18.04.
This is an issue between Roundcube and Postfix SMTP. I removed your Dovecot configuration from the question as the problem has nothing to do with it: Dovecot is not an SMTP server.
Nikita Kipriyanov
Since `openssl s_client` shows auth is not enabled, I am sure this is not related to Roundcube either. The problem is in Postfix. Enable debug for 127.0.0.1, restart it and read through huge logs for hints. // I *strongly* recommend running two distinct `smtpd` instances: one on port 25 without authentication and relaying (only to receive incoming mail from other servers), and another on the 587 "submission" port, with authentication and relaying (to receive mail submitted from mail clients, e.g. roundcube and relay it to other servers). The default `master.cf` has provisions for that.
Nikita Kipriyanov
I think this is a SASL library issue. Without a correctly instantiated library Postfix won't enable auth. But I have absolutely no experience with Dovecot SASL, I am always using Cyrus SASL. If you can consider switching to Cyrus SASL (you can still use Dovecot IMAP), I think I could be able to help.
sebix
What's dovecot's sasl configuration? Does postfix log anything about SASL?
anx
Typically, you set `smtpd_sasl_auth_enable` (note the `d` for *daemon*, as opposed to smtp in a client - such as outgoing - role) inside your master.cf file - only on specific services, not including the port 25 service to receive mail from other servers. Your `postconf -M` output would tell, and if you quoted the full command line of your s_client test, that would tell which one you are testing.
Sam
root@mail:~# doveconf | grep sasl
imapc_sasl_mechanisms =
Score:0
Sam

Finally I managed to set up my services. Here are a few points you should care about if you wish to set up yours.

Enable smtp_sasl_auth_enable and smtpd_sasl_auth_enable. I don't know why it is not enabled by default. Set smtp_sasl_password_maps, so it knows where to find the password. On Roundcube, set tls:// prefix, and if using a self-signed certificate, set in smtp options
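
An added example (not part of the original answer, and not Postfix or iRedMail code): a small Python check over `postconf -n` output that separates the server-side `smtpd_sasl_*` settings from the client-side `smtp_sasl_*` ones raised in the comments, and decodes the base64 text at the end of the 535 reply. The sample input is constructed from values quoted in the question; the function names are hypothetical, and the check sees only main.cf values, so per-service `-o` overrides in master.cf (visible with `postconf -M`) are not covered.

```python
import base64

# Constructed sample in `postconf -n` format, using values quoted in the question.
SAMPLE = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_tls_security_level = may
"""

def parse_postconf(text):
    """Parse 'name = value' lines into a dict; a value may be empty."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_sasl(params):
    """Return findings on server-side (smtpd_*) and client-side (smtp_*) SASL."""
    findings = []
    get = lambda key, default="": params.get(key, default)
    # smtpd_* governs the server that accepts AUTH from clients such as Roundcube.
    if get("smtpd_sasl_type") and get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: server will not offer AUTH")
    # smtp_* governs Postfix acting as a client that logs in to a relay host.
    if get("smtp_sasl_auth_enable", "no") == "yes" and not get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_auth_enable=yes with empty smtp_sasl_password_maps: "
                        "smtp client stops with the 'specify a password table' fatal")
    # Unless TLS is enforced, AUTH is also offered on plaintext sessions.
    if (get("smtpd_sasl_auth_enable", "no") == "yes"
            and get("smtpd_tls_auth_only", "no") != "yes"
            and get("smtpd_tls_security_level") != "encrypt"):
        findings.append("smtpd_tls_auth_only is not yes: credentials may be sent unencrypted")
    return findings

def decode_sasl_text(reply):
    """Decode the base64 token at the end of a 334 or 535 reply line."""
    token = reply.rsplit(None, 1)[-1]
    return base64.b64decode(token, validate=True).decode("ascii")

if __name__ == "__main__":
    for finding in audit_sasl(parse_postconf(SAMPLE)):
        print("-", finding)
    print(decode_sasl_text("535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6"))
```

The decoded token is the AUTH LOGIN password prompt, which shows the session reached the password step before the 535 was returned.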
