2

I'm using Dovecot to get Imap access to my mail server (on Raspbian). I'm using system users and am able to successfully test logins (doveadm auth test ...). But I'm not able to get auth option via telnet:

sudo telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydomain.org ESMTP Postfix

sudo telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

I'm missing the [AUTH=PLAIN] status, which is mentioned in the wiki. I don't get any errors on systemctl status. I don't know what else to try! Can u help me?

Thanks!!

My dovecot config dovecot -n

# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.19.42-v7+ armv7l Debian 9.9 
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = yes
debug_log_path = /etc/dovecot/log/debug.txt
info_log_path = /etc/dovecot/log/info.txt
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext

passdb {
  driver = shadow
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap lmtp sieve

service auth-worker {
  name = auth-worker
}
service {
  unix_listener {
    group = postfix
    mode = 0660
    user = postfix
    path = /var/spool/postfix/private/auth
  }
  name = auth
}

service {
  inet_listener {
    port = 143
    name = imap
  }
  inet_listener {
    port = 993
    ssl = yes
    name = imaps
  }
  name = imap-login
}

service {
  unix_listener {
    group = postfix
    mode = 0600
    user = postfix
    path = /var/spool/postfix/private/dovecot-lmtp
  }
  name = lmtp
}

ssl_cert = /etc/letsencrypt/live/mail.mydomain.org/cert.pem
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol lmtp {
  mail_plugins = quota sieve
  postmaster_address = pi@mydomain.org
}
protocol lda {
  ...
}
protocol imap {
  ...
}
protocol sieve {
  ...
}

My Postfix /etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
myhostname = mail.mydomain.org
mydomain = mydomain.org
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
#relay_domains =
#home_mailbox = Maildir/
inet_protocols = ipv4, ipv6

# TLS
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.mydomain.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.mydomain.org/privkey.pem

# Authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain

# when mail location = maildir:~/.maildir
mailbox_transport = lmtp:unix:private/dovecot-lmtp
# Virtual user scenario
virtual_transport = lmtp:unix:private/dovecot-lmtp

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

My Postfix /etc/postfix/master.cf

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Netstat sudo netstat -tulpn | grep LISTEN:

tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN      7055/dovecot        
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      7055/dovecot        
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      6999/master         
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      7055/dovecot        
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      6999/master         
tcp6       0      0 :::443                  :::*                    LISTEN      657/apache2         
tcp6       0      0 :::4190                 :::*                    LISTEN      7055/dovecot        
tcp6       0      0 :::993                  :::*                    LISTEN      7055/dovecot        
tcp6       0      0 :::587                  :::*                    LISTEN      6999/master         
tcp6       0      0 :::143                  :::*                    LISTEN      7055/dovecot        
tcp6       0      0 :::80                   :::*                    LISTEN      657/apache2         
tcp6       0      0 :::25                   :::*                    LISTEN      6999/master

EDIT 1: I got this error for the command openssl s_client -connect localhost:imaps

write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 198 bytes
Verification: OK
---

But it turns out that I forgot < right before the ssl_cert and ssl_key path.

User Rebo
  • 123
  • 5

1 Answers1

1

Works as designed.

That is precisely the purpose of the smtpd_sasl_security_options=noplaintext in postfix and disable_plaintext_auth=yes in dovecot. These options prevent (offering) authentication via insecure channels. You can verify that your server offers authentication via secured channels by initiating a secure SMTP connection:

$ (echo EHLO localhost; sleep 1) | openssl s_client -starttls smtp -connect localhost:submission
..
220 example.com ESMTP Postfix
..
250-AUTH PLAIN LOGIN

Same thing for a secure IMAP connection:

$ sleep 1 | openssl s_client -connect localhost:imaps
..
* OK [CAPABILITY IMAP4rev1 .. AUTH=PLAIN AUTH=LOGIN]

There is absolutely nothing wrong with having plaintext auth disabled. Just configure all your mail clients to access mail via TLS. You might even want to disable plaintext IMAP to prevent mistakes.

anx
  • 6,875
  • 4
  • 22
  • 45