Postfix/Dovecot Why am I getting authentication not enabled?

altiris
Posts: 334
Joined: 2013/05/31 01:27:50

Postfix/Dovecot Why am I getting authentication not enabled?

Post by altiris » 2015/06/15 18:47:42

I've read the Postfix and Dovecot documentation all over, I have re-read the ones I used as guides to set this up, and I have tried as much as I can, but every time I try checking if PLAIN AUTH login is working over SASL using the telnet localhost 25 command I keep getting "503 5.5.1 Error: authentication not enabled". I don't know what to do! I am stuck and am asking for some assistance. I will post my config files, as well as the documentation I have looked at to help set this up.

/etc/postfix/main.cf

Code:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = MYCOMPUTER.MYDOMAIN
mydomain = MYDOMAIN
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.10.0/24, 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
 
  
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
# SMTP AUTH through Dovecot's auth socket; smtpd_sasl_path is relative to
# queue_directory, so this is /var/spool/postfix/private/auth
smtpd_sasl_local_domain =
smtpd_client_restrictions = sleep 5
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_authenticated_header = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client dnsbl-1.uceprotect.net, permit
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, reject_unknown_sender_domain,
# Opportunistic STARTTLS on port 25; with smtpd_tls_auth_only = yes the AUTH
# extension is announced and accepted only after STARTTLS has completed
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.MYDOMAIN.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.MYDOMAIN.crt
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 0
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
content_filter=amavisfeed:[127.0.0.1]:10024
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554
/etc/postfix/master.cf

Code:

amavisfeed unix    -       -       n        -      2     lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
	-o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
/etc/dovecot/dovecot.conf

Code:

protocols = imap pop3 lmtp
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = root
}
# These come after the !include above, so they override conf.d/10-ssl.conf
ssl_cert = </etc/pki/tls/certs/mail.MYDOMAIN.crt
ssl_key = </etc/pki/tls/private/mail.MYDOMAIN.key
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
userdb {
  driver = passwd
}
/etc/dovecot/conf.d/10-auth.conf

Code:

disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
/etc/dovecot/conf.d/10-master.conf (not sure if I am to uncomment the port number)

Code:

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }
  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}
service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = 256M
  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}
service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    mode = 0600
    user = postfix
    group = postfix
  }
  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}
  # Auth process is run as this user.
  #user = $default_internal_user
}
service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
}
service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user = 
    #group = 
  }
}
/etc/dovecot/conf.d/10-ssl.conf

Code:

ssl = yes
ssl_cert = </etc/pki/tls/certs/mail.MYDOMAIN.crt
ssl_key = </etc/pki/tls/private/mail.MYDOMAIN.key
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
References
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
http://www.unixmen.com/install-postfix- ... entos-6-4/ (I did not follow all of these steps such as disabling seliux or setting up squirrelmail...thats about it that I didnt follow)
http://wiki.centos.org/HowTos/postfix_sasl

altiris
Posts: 334
Joined: 2013/05/31 01:27:50

Re: Postfix/Dovecot Why am I getting authentication not enab

Post by altiris » 2015/06/16 16:04:50

Anyone have any ideas? Also, apparently I am sending the password and username fields in plaintext, because I have "disable_plaintext_auth = yes" and I am supposed to use SHA-256 or something and store it in a database? I never heard of this.

altiris
Posts: 334
Joined: 2013/05/31 01:27:50

Re: Postfix/Dovecot Why am I getting authentication not enab

Post by altiris » 2015/06/17 19:34:36

Alright, so I decided to just start from scratch and here is what I have noticed. I have configured Postfix and Dovecot with as much as the unixmen link (which I linked in the OP) states to configure. I have then followed this http://www.postfix.org/SASL_README.html ... asl_enable to add the rest of the options. I noticed that when I only have

Code:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
then, when doing telnet localhost 25, I have these two fields in the output:

250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN

However, as soon as I add smtpd_tls_auth_only = yes, those two AUTH lines no longer appear in the output. Also, if I add smtpd_sasl_security_options = noanonymous, noplaintext and then do a telnet localhost 25, the connection is force-closed and I do not get a 220 myhostname.mydomain.com greeting like I normally do. So it seems like TLS isn't being correctly enabled?
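
The two telnet observations above (no AUTH lines once smtpd_tls_auth_only = yes is set, and "503 5.5.1 Error: authentication not enabled" when AUTH PLAIN is tried anyway, as in the OP) are what a plaintext session is supposed to see: Postfix advertises and accepts AUTH only after STARTTLS, so a test that types AUTH straight into port 25 can never succeed with that setting. The script below is an added example, not code from the thread. It parses EHLO replies the way a client does, shows that a SASL PLAIN credential is only base64 (encoding, not encryption, which is why it belongs inside TLS), and, when run against a live server, reports which mechanisms are offered before and after STARTTLS. The hostname mail.example.test, both EHLO transcripts and the alice/s3cret credentials are constructed; the live probe assumes a self-signed certificate and disables verification for that reason only.

```python
"""Where does AUTH appear: before or after STARTTLS?

Added example (not code from the thread). Parses EHLO replies like an SMTP
client, shows that a SASL PLAIN credential is only base64, and can probe a
live server to list the mechanisms offered before and after STARTTLS.
"""
import base64
import smtplib
import ssl

# Constructed EHLO replies (not captured from the poster's server). The first
# is what a plaintext session sees when smtpd_tls_auth_only = yes; the second
# is the same server after STARTTLS, including the "AUTH=" line emitted when
# broken_sasl_auth_clients = yes.
EHLO_BEFORE_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 8BITMIME\r\n"
)
EHLO_AFTER_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply.

    The first line is the greeting, not an extension. "AUTH=PLAIN LOGIN" is
    folded into AUTH so callers get a single mechanism list.
    """
    features = {}
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("not a 250 reply line: %r" % line)
        body = line[4:].strip()               # drop "250-" / "250 "
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        parts = body.split()
        if not parts:
            continue
        params = features.setdefault(parts[0].upper(), [])
        for p in parts[1:]:
            if p.upper() not in params:
                params.append(p.upper())
    return features


def auth_mechanisms(reply):
    """SASL mechanisms advertised in this EHLO reply; empty if AUTH is absent."""
    return set(parse_ehlo(reply).get("AUTH", []))


def auth_plain_token(user, password, authzid=""):
    """SASL PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Inverse of auth_plain_token. PLAIN is encoding, not encryption, which is
    why Postfix should only offer it inside TLS (smtpd_tls_auth_only/noplaintext)."""
    authzid, user, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, user, password


def _offered(smtp):
    """Mechanisms smtplib collected from the last EHLO, normalising the AUTH= form."""
    return {m.lstrip("=").upper() for m in smtp.esmtp_features.get("auth", "").split()}


def probe(host="localhost", port=25):
    """Live check: (mechs before STARTTLS, mechs after STARTTLS or None).

    Assumes a self-signed certificate, so verification is disabled for the
    probe only; a real client must verify the server certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("probe.example.test")
        before = _offered(smtp)
        if not smtp.has_extn("starttls"):
            return before, None
        smtp.starttls(context=ctx)
        smtp.ehlo("probe.example.test")
        return before, _offered(smtp)


if __name__ == "__main__":
    before, after = probe()
    print("AUTH before STARTTLS:", sorted(before) or "(none)")
    print("AUTH after STARTTLS: ", "no STARTTLS" if after is None else sorted(after))
```

Run it on the mail host itself (python3 probe.py) for port 25, and again with port=587 for the submission service; an empty set before STARTTLS and {LOGIN, PLAIN} after it is the expected result for smtpd_tls_auth_only = yes, and the same check by hand is openssl s_client -starttls smtp -connect localhost:25 followed by EHLO.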

nicodemus
Posts: 22
Joined: 2014/07/14 18:20:01

Re: Postfix/Dovecot Why am I getting authentication not enab

Post by nicodemus » 2015/06/18 18:31:05

I just posted a link in your other post (about creating a PEM file) that I used to configure SMTP-AUTH/TLS successfully. It doesn't go as far as Dovecot (my next challenge) but you might want to take a look. I know it might mean you have to start from scratch again, but I guess that's part of the learning process. I think I've rebuilt mine about 6 times already!

altiris
Posts: 334
Joined: 2013/05/31 01:27:50

Re: Postfix/Dovecot Why am I getting authentication not enab

Post by altiris » 2015/06/23 20:32:54

nicodemus wrote:I just posted a link in your other post (about creating a PEM file) that I used to configure SMTP-AUTH/TLS successfully. It doesn't go as far as Dovecot (my next challenge) but you might want to take a look. I know it might mean you have to start from scratch again, but I guess that's part of the learning process. I think I've rebuilt mine about 6 times already!
Ahh, thanks. I had already configured them a few days after making the OP, the way the Postfix documentation says to do it; it looks incredibly similar to the post you gave me, so I should be good to go. Maybe you can help me out, but I have re-done my configuration, at least with Postfix, and I still cannot get it to work. Trying to do telnet localhost 25 returns that it's connected, but the 220 FQDN line does not appear.

I found this random guide http://www.adomas.org/2006/08/postfix-dovecot/ and it talks about configuring and having saslauthd running. I didn't think I needed this because I thought this was for Cyrus SASL, but the guy in the guide is also configuring Dovecot, so I guess I do need it. I only added the START=yes line to /etc/sysconfig/saslauthd. I also followed what he said and made an smtpd.conf file in /etc/postfix/saslauthd, and I also had to make that directory... seems weird. Still, even after all of this, same problem. Do I really need to do all of this saslauthd stuff?

Here are my new main.cf and master.cf files

Code:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = necc-data.domain.com
mydomain = domain.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.10.0/24, 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
 
  
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
# SMTP AUTH through Dovecot (socket is $queue_directory/private/auth)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# noplaintext here also applies to TLS sessions, because the next line copies
# the same options into the TLS-session setting
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_sender_login_mismatch, permit
smtpd_sasl_local_domain = $mydomain
smtp_sasl_mechanism_filter = plain, login
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = yes
smtp_tls_CAfile = /etc/pki/CA/cacert.pem
smtpd_tls_CAfile = /etc/pki/CA/cacert.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/necc-data-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/necc-data-key.pem
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# server-side cache in its own file, separate from the smtp client cache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom

Code:

amavisfeed unix    -       -       n        -      2     smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=192.168.10.0/24,127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
smtp      inet  n       -       n       -       -       smtpd
# Submission (587): TLS mandatory, then only SASL-authenticated clients may relay
submission inet n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
Does this look about right? I'm more concerned with master.cf, as I have less experience with that. Do I need to add more parameters in the submission category, or not, because they are already in main.cf?
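
On the main.cf versus submission question: every smtpd process reads main.cf, and a -o line in master.cf replaces one parameter for that service only, so a mistake in main.cf also reaches port 587 unless the submission entry overrides it. The checker below is an added example, not code from the thread or from Postfix. It parses main.cf syntax, expands $parameter references for the parameters it reads, and flags the two things in the posted main.cf that decide whether AUTH can ever work: noplaintext inherited by smtpd_sasl_tls_security_options removes PLAIN and LOGIN even after STARTTLS (a Dovecot backend that offers only plain and login then has no mechanism left, and Postfix's smtpd treats an empty mechanism list as fatal, logging "no SASL authentication mechanisms" to the mail log, which is the place to look when a connection drops), and a misspelled restriction name, which Postfix reports as an unknown smtpd restriction when the restriction list is evaluated. The sample configuration is constructed, modelled on this post; the corrected variant is the SASL_README policy of smtpd_sasl_security_options = noanonymous, noplaintext together with smtpd_sasl_tls_security_options = noanonymous.

```python
"""Static check of the main.cf parameters that decide whether smtpd ever offers
AUTH. Added example, not code from the thread or from Postfix."""
import re

# Restriction names Postfix accepts in smtpd_*_restrictions (subset). A token
# shaped like a restriction name that is not listed is reported as a typo.
KNOWN_RESTRICTIONS = set("""
permit reject defer defer_if_permit defer_if_reject warn_if_reject sleep
permit_mynetworks permit_sasl_authenticated permit_auth_destination
permit_inet_interfaces reject_unauth_destination reject_unauth_pipelining
reject_unknown_sender_domain reject_unknown_recipient_domain
reject_unknown_client_hostname reject_unknown_helo_hostname
reject_invalid_helo_hostname reject_invalid_hostname reject_non_fqdn_sender
reject_non_fqdn_recipient reject_non_fqdn_helo_hostname reject_rbl_client
reject_rhsbl_client reject_rhsbl_sender reject_sender_login_mismatch
reject_plaintext_session check_client_access check_recipient_access
check_sender_access check_helo_access check_policy_service
""".split())

# Postfix built-in defaults for the parameters read below.
DEFAULTS = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "no",
    "smtpd_tls_security_level": "",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
}


def parse_main_cf(text):
    """main.cf syntax: 'name = value'; a line starting with whitespace continues
    the previous value; lines starting with '#' are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % raw)
        current = name.strip()
        params[current] = value.strip()
    return params


def setting(params, name, depth=0):
    """Value of a parameter with $name / ${name} references expanded."""
    if depth > 10:
        raise ValueError("parameter expansion loop at " + name)
    value = params.get(name, DEFAULTS.get(name, ""))
    return re.sub(r"\$\{?([A-Za-z0-9_]+)\}?",
                  lambda m: setting(params, m.group(1), depth + 1), value)


def words(value):
    return [w for w in re.split(r"[,\s]+", value) if w]


def check_sasl_tls(params):
    """Return a list of (level, message); level is 'error' or 'info'."""
    out = []
    yes = lambda name: setting(params, name).lower() == "yes"
    if not yes("smtpd_sasl_auth_enable"):
        out.append(("error", "smtpd_sasl_auth_enable is not yes: AUTH never offered"))
    if yes("smtpd_tls_auth_only"):
        out.append(("info", "smtpd_tls_auth_only = yes: AUTH is announced only after "
                    "STARTTLS; plaintext AUTH on port 25 gets 503 authentication not enabled"))
    if "noplaintext" in words(setting(params, "smtpd_sasl_tls_security_options")):
        out.append(("error", "noplaintext also applies to TLS sessions: PLAIN and LOGIN "
                    "are filtered, so a Dovecot backend offering only plain/login "
                    "leaves no mechanism at all"))
    for name in ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                 "smtpd_sender_restrictions", "smtpd_recipient_restrictions"):
        for tok in words(setting(params, name)):
            if re.match(r"(permit|reject|check|defer)_", tok) \
                    and tok not in KNOWN_RESTRICTIONS:
                out.append(("error", "%s: unknown restriction %r" % (name, tok)))
    return out


def errors(params):
    return [msg for level, msg in check_sasl_tls(params) if level == "error"]


# Constructed sample modelled on the settings in this post, with a misspelled
# restriction kept deliberately so that check has something to report.
BROKEN_MAIN_CF = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destiantion, reject_sender_login_mismatch, permit
"""

# The SASL_README policy: no plaintext mechanisms on unencrypted sessions,
# PLAIN/LOGIN allowed once TLS is up, and the restriction name spelled right.
FIXED_MAIN_CF = BROKEN_MAIN_CF.replace(
    "= $smtpd_sasl_security_options", "= noanonymous").replace("destiantion", "destination")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print("== " + label)
        for level, msg in check_sasl_tls(parse_main_cf(text)):
            print("  [%s] %s" % (level, msg))
```

To run it against the real file, feed open("/etc/postfix/main.cf").read() to parse_main_cf; postconf -n prints the same effective values and is the quicker check once the file parses, and the master.cf -o overrides for submission still have to be read separately.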

nicodemus
Posts: 22
Joined: 2014/07/14 18:20:01

Re: Postfix/Dovecot Why am I getting authentication not enab

Post by nicodemus » 2015/06/24 12:42:49

Sorry, I can't help as I haven't really gone as far as submission or Dovecot (yet).

I'm using Cyrus SASL and when I run rpm -qa | grep sasl, it returns:

Code:

cyrus-sasl-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64
Everything has worked (so far) so I'm expecting some major challenges in due course!

When I telnet in (from localhost or another host on the LAN), it takes several seconds for the 220 response to appear, then I can initiate the conversation with <EHLO ...> and all the expected 250 responses come back. I have no idea why there's such a delay in the initial 220 response coming back as everything else is almost instant.

If you're not getting the 220 reply, could your firewall or SELinux be interfering? Maybe disable them temporarily and try again or look at the logs. I suppose it's a long shot, but that would be my first guess. As I implied, I haven't gone with any other configurations yet so don't know if anything else that you've done might be interfering.

altiris
Posts: 334
Joined: 2013/05/31 01:27:50

Re: Postfix/Dovecot Why am I getting authentication not enab

Post by altiris » 2015/06/26 04:13:02

nicodemus wrote:Sorry, I can't help as I haven't really gone as far as submission or Dovecot (yet).

I'm using Cyrus SASL and when I run rpm -qa | grep sasl, it returns:

Code:

cyrus-sasl-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64
Everything has worked (so far) so I'm expecting some major challenges in due course!

When I telnet in (from localhost or another host on the LAN), it takes several seconds for the 220 response to appear, then I can initiate the conversation with <EHLO ...> and all the expected 250 responses come back. I have no idea why there's such a delay in the initial 220 response coming back as everything else is almost instant.

If you're not getting the 220 reply, could your firewall or SELinux be interfering? Maybe disable them temporarily and try again or look at the logs. I suppose it's a long shot, but that would be my first guess. As I implied, I haven't gone with any other configurations yet so don't know if anything else that you've done might be interfering.
Alright, well, thanks. I would offer some help, but I am in this situation and have never touched Cyrus. For anyone else, I've gone through debugging this by whitelisting the options: as soon as I have smtpd_sasl_auth_enable = yes uncommented, doing telnet localhost 25 no longer returns a 220; however, doing telnet localhost 587 does give me back a 220 response.
