
#1 2025-09-10 12:38:27

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Postfix + Dovecot, simple local user auth

Hello,
I am setting up an SMTP + IMAP server using Postfix and Dovecot. I have been using the Arch Wiki guidelines for both packages, as well as further documentation in the Dovecot guide.

My requirements are very simple: some virtual mailboxes aliased to a single system user (which may grow but not more than a handful).

My /etc/postfix/virtual looks like this:

abuse@mydomain.net				vmail
mail@mydomain.net					vmail
alias1@mydomain.net				vmail
alias2@mydomain.net				vmail
mail@myotherdomain.net				vmail
mail2@myotherdomain.net				vmail
[...]

vmail exists as a user, has /var/spool/mail/vmail as a home folder, which is empty and owned by vmail.

Dovecot is set to use PAM for authentication. From doveconf:

userdb {
  driver = passwd
  args = blocking=no
}
passdb {
  driver = pam
  args = session=yes failure_show_msg=yes dovecot
}

Now, I get confused when I read the Dovecot PAM authentication section in the Arch Wiki. Must I set up LDAP or SSSD even for a very simple user DB? Both LDAP and SSSD seem overkill for what I'm trying to achieve.

Can I use PAM with the existing shadow file?

My /etc/pam.d/dovecot (I believe that's the pacman default):

#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
password include system-auth

I am not able to log in to Dovecot with this setup:

$ doveadm auth login vmail
Password:
passdb: vmail auth failed
extra fields:
  user=vmail
$ doveadm auth login mail@mydomain.net
Password:
passdb: mail@mydomain.net auth failed
extra fields:
  user=mail@mydomain.net

Dovecot journal:


Sep 10 12:30:28 eolo auth[4870]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=vmail rhost=  user=vmail

Any hints?
Thanks.

ERRATA:

I am indeed able to log in via doveadm, but not via email client (SMTP):

Sep 10 12:45:52 eolo auth[4960]: pam_faillock(dovecot:auth): User unknown
Sep 10 12:45:52 eolo auth[4960]: pam_unix(dovecot:auth): check pass; user unknown
Sep 10 12:45:52 eolo auth[4960]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mail@mydomain.net rhost=192.168.1.1

Last edited by gattu_marrudu (2025-09-10 12:51:46)


#2 2025-09-10 13:44:50

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

My doveconf (explicit values):

$ doveconf -N
# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21.1 (49005e73)
# OS: Linux 6.15.11-hardened1-1-hardened x86_64  btrfs
# Hostname: eolo
auth_mechanisms = plain
first_valid_uid = 8
mail_location = maildir:/var/spool/mail/%u/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = session=yes failure_show_msg=yes dovecot
  driver = pam
  name = 
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = blocking=no
  driver = passwd
  name = 
}

My postconf for main.cf:

$ postconf -nf
alias_database = $alias_maps
alias_maps = lmdb:/etc/postfix/aliases
command_directory = /usr/bin
compatibility_level = 3.10
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain,
    smtp.$mydomain, imap.$mydomain
mydomain = mydomain.net
myhostname = mail.mydomain.net
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
relay_domains = $mydestination
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client
    dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
    dbl.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.net/fullchain.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.net/privkey.pem
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_config_file = ${config_directory}/openssl.cnf
tls_config_name = postfix
tls_eecdh_auto_curves =
tls_ffdhe_auto_groups =
unknown_local_recipient_reject_code = 550
virtual_alias_domains = mydomain.net myotherdomain.net
virtual_alias_maps = lmdb:/etc/postfix/virtual
virtual_transport = dovecot
postconf: warning: /etc/postfix/main.cf: support for parameter "smtpd_use_tls" will be removed; instead, specify "smtpd_tls_security_level"

master.cf:

$ postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
10025      inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_local_domain=$myhostname
    -o smtpd_relay_restrictions=
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_login_maps=lmdb:/etc/postfix/virtual
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
dovecot    unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e
    /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}


#3 2025-09-10 15:26:43

Vamp898
Member
Registered: 2009-01-03
Posts: 1,032

Re: Postfix + Dovecot, simple local user auth

It's a bit more tricky.

Dovecot should use the system users by default, without setting up anything at all. That should be the default config that comes with dovecot.

https://doc.dovecot.org/2.4.1/core/conf … asswd.html

If you want postfix to use that, you have to enable the SASL Backend in dovecot and make postfix use that

https://www.postfix.org/SASL_README.html#server_dovecot

I did it exactly that way and it works flawlessly. You do _not_ need to set up LDAP/SSSD or anything else.

Last edited by Vamp898 (2025-09-10 15:30:36)


#4 2025-09-10 16:19:31

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

In my default dovecot config (/usr/share/doc/dovecot/example-config/conf.d/auth-system.conf.ext), pam is the active passdb:

# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
passdb {
  driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  #args = dovecot
}

I copied the file to /etc/dovecot/conf.d/ and left the PAM module as is which I believe is the default (see my first post above).

I also added the service auth section, now the config looks like this:

$ doveconf -n
# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21.1 (49005e73)
# OS: Linux 6.15.11-hardened1-1-hardened x86_64  btrfs
# Hostname: eolo
auth_mechanisms = plain login
first_valid_uid = 8
mail_location = maildir:/var/spool/mail/%u/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}

I still can't log in, but now Dovecot doesn't log the failure, Postfix does:

Sep 10 16:08:43 eolo postfix/submission/smtpd[8504]: connect from router.mydomain.net[192.168.1.1]
Sep 10 16:08:43 eolo postfix/submission/smtpd[8504]: NOQUEUE: reject: RCPT from router.mydomain.local[192.168.1.1]: 554 5.7.1 <router.mydomain.local[192.168.1.1]>: Client host rejected: Access denied; from=<mail@mydomain.net> to=<mail@mydomain.net> proto=ESMTP helo=<[192.168.1.39]>
Sep 10 16:08:44 eolo postfix/submission/smtpd[8504]: NOQUEUE: lost connection after RCPT from router.mydomain.local[192.168.1.1]
Sep 10 16:08:44 eolo postfix/submission/smtpd[8504]: disconnect from router.mydomain.local[192.168.1.1] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5


#5 2025-09-10 16:22:34

Vamp898
Member
Registered: 2009-01-03
Posts: 1,032

Re: Postfix + Dovecot, simple local user auth

So login neither works on Dovecot nor on Postfix?

But the daemon is up and running? And listening on the Network Port you want it to listen? What exactly does your IMAP Client say?


#6 2025-09-10 17:01:53

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

Login works locally on Dovecot:

 $ doveadm auth login vmail
Password: 
passdb: vmail auth succeeded
extra fields:
  user=vmail
  
userdb extra fields:
  vmail
  system_groups_user=vmail
  uid=1000
  gid=1000
  home=/var/spool/mail/vmail/
  auth_mech=PLAIN

Thunderbird says:

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
<router.mydomain.local[192.168.1.1]>: Client host rejected: Access denied.
Please check the message recipient "mail@mydomain.net" and try again.

I wonder if some Postfix sender restrictions are getting in the way (I also get incoming mail rejected), but it seems pretty default to me.


#7 2025-09-15 02:13:45

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

I think I narrowed down the source of the problem but I haven't found a solution yet.

Locally I can log into Dovecot with my Unix account (vmail) but it seems like Dovecot is expecting the full email as the user name, in fact I get

Sep 15 01:54:47 eolo auth[52500]: pam_faillock(dovecot:auth): User unknown
Sep 15 01:54:47 eolo auth[52500]: pam_unix(dovecot:auth): check pass; user unknown
Sep 15 01:54:47 eolo auth[52500]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mail@example.net rhost=192.168.1.1

The mapping between mail@example.net and vmail is set up in /etc/postfix/virtual. This is working as I can see incoming mail to that address land in the right mailbox in the filesystem.

How do I get Dovecot to get the user mapping from Postfix and use the Unix system passdb (currently /etc/shadow) for authentication?

Examples online describe more complex setups involving user databases, which is an oversized solution for me.


#8 2025-09-15 05:28:33

-thc
Member
Registered: 2017-03-15
Posts: 1,059

Re: Postfix + Dovecot, simple local user auth

You can configure dovecot to strip away any domain part:

# /etc/dovecot/conf.d/10-auth.conf

auth_username_format = %Ln


#9 2025-09-15 12:06:00

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

-thc wrote:

You can configure dovecot to strip away any domain part:

# /etc/dovecot/conf.d/10-auth.conf

auth_username_format = %Ln

That would not log in `myalias@mydomain.tld` as `vmail` though, would it?


#10 2025-09-15 12:26:52

-thc
Member
Registered: 2017-03-15
Posts: 1,059

Re: Postfix + Dovecot, simple local user auth

No.

Be aware that /etc/aliases and /etc/postfix/virtual are "just" mailbox mappings and have nothing to do with the authentication. You already configured dovecot for passdb/userdb authentication (you may check omitting the args) - the error has to be there somewhere.


#11 2025-09-15 12:34:08

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

I think my problem is that Dovecot is not able to map the virtual user to the real user. There is no instruction for it to look at /etc/postfix/virtual. How do I set up that?


#12 2025-09-15 12:44:08

-thc
Member
Registered: 2017-03-15
Posts: 1,059

Re: Postfix + Dovecot, simple local user auth

I somehow missed it: Are you literally trying to authenticate with "myalias@mydomain.tld" as a username?
Why?


#13 2025-09-15 13:00:53

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

-thc wrote:

I somehow missed it: Are you literally trying to authenticate with "myalias@mydomain.tld" as a username?
Why?

I believe that's what my MUA is sending (of course, using actual email address in /etc/postfix/virtual).

When I try sending an email from the account I am setting up, I get this from Postfix:

Sep 15 12:53:01 eolo postfix/submission/smtpd[55029]: NOQUEUE: reject: RCPT from router.mydomain.local[192.168.1.1]: 554 5.7.1 <router.mydomain.local[192.168.1.1]>: Client host rejected: Access denied; from=<mail@example.net> to=<some-other-email@any.net> proto=ESMTP helo=<[192.168.1.39]>

When I try to access my SMTP mailbox, I get this from Dovecot:

Sep 15 12:57:04 eolo auth[55051]: pam_faillock(dovecot:auth): User unknown
Sep 15 12:57:04 eolo auth[55051]: pam_unix(dovecot:auth): check pass; user unknown
Sep 15 12:57:04 eolo auth[55051]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mail@example.net rhost=192.168.1.1
Sep 15 12:57:04 eolo auth[55051]: pam_faillock(dovecot:auth): User unknown
Sep 15 12:57:06 eolo dovecot[55022]: auth-worker(55051): conn unix:auth-worker (pid=55049,uid=76): auth-worker<3>: pam(mail@example.net,192.168.1.1,<NNxuidY+QqfAqAEB>): unknown user

"ruser" is the email address my MUA is logging in with.


#14 2025-09-15 13:09:41

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

OK, rethinking your comment, I tried to use `vmail` as the user name in my Thunderbird settings and I can authenticate into IMAP. Thanks!

I carried over the full-email login name from another server setup that used Postfixadmin with PGSql, probably more mapping was done there and I didn't realize that my new setup requires the actual user name.

SMTP is still not working: even if I change the user name to vmail, I still get "Client host rejected: Access denied" in Postfix.

Last edited by gattu_marrudu (2025-09-15 13:12:59)


#15 2025-09-15 15:05:26

-thc
Member
Registered: 2017-03-15
Posts: 1,059

Re: Postfix + Dovecot, simple local user auth

Yep - SMTP is the real tricky part because you have to allow it without authentication.

"Client host rejected: Access denied" literally means: No configured or default smtpd_* restriction allows access from this IP address.

Just something to think about: You allow "permit_mynetworks" - but "mynetworks" is undefined/default. Is it possible that your client's IP address matches any of the spamhaus blacklists?


#16 2025-09-15 16:01:44

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

It may be worth mentioning my network setup: the mail server is running as an lxc in an address range of 10.0.3.0/24. The host is in an address range of 192.168.1.0/24 (the router to the WWW is 192.168.1.1). I just verified that my public IP is not in the spamhaus blacklist.

I added these two ranges to mynetworks in any case.

I also turned up login debugging and noticed two perplexing things:

Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: resolve_clnt: `mail@example.net' -> `other@domain.tld' -> transp=`error' host=`5.1.1 User unknown in virtual alias table' rcpt=`other@domain.tld' flags= class=alias
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: ctable_locate: install entry key mail@example.net?other@domain.tld
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: extract_addr: in: <other@domain.tld>, result: other@domain.tld
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: >>> START Client host RESTRICTIONS <<<
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=permit_sasl_authenticated
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=permit_sasl_authenticated status=0
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=reject
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: NOQUEUE: reject: RCPT from router.mynet.local[192.168.1.1]: 554 5.7.1 <router.mynet.local[192.168.1.1]>: Client host rejected: Access denied; from=<mail@example.net> to=<other@domain.tld> proto=ESMTP helo=<[192.168.1.39]>
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=reject status=2
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: >>> END Client host RESTRICTIONS <<<
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: > router.mynet.local[192.168.1.1]: 554 5.7.1 <router.mynet.local[192.168.1.1]>: Client host rejected: Access denied

1) The user is not found in the alias table, even though I set it up in /etc/postfix/virtual, created the local db with postalias, and referenced it in main.cf. Which alias is it referring to? The recipient? Obviously that wouldn't be in the alias table because it's a foreign address. Is this just a routine check to see if the recipient is in a local list and give it a preferential permit?
2) permit_sasl_authenticated status=0 doesn't sound right. Didn't I just authenticate as the sender with SASL via dovecot? I set up Dovecot as per https://www.postfix.org/SASL_README.html.

Last edited by gattu_marrudu (2025-09-16 01:30:51)


#17 2025-09-15 16:04:11

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

[removed for double posting - server glitch]

Last edited by gattu_marrudu (2025-09-15 20:59:16)


#18 2025-09-15 21:01:02

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

It looks like SMTP auth is working over telnet:

openssl s_client -connect mail.example.net:25 -starttls smtp
[SSL stuff...]
read R BLOCK
EHLO myclient.org
250-eolo.lxcnet.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
AUTH PLAIN base64ecodedpassword1234
235 2.7.0 Authentication successful

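Added example (not part of the thread, and not code from Postfix or Dovecot): what the `AUTH PLAIN <token>` line in the session above actually carries, and why the name inside it decides whether Dovecot's PAM passdb finds a user. The token is the RFC 4616 PLAIN message, `authzid NUL authcid NUL password`, base64-encoded; base64 is encoding, not encryption, which is why the thread's `smtpd_tls_auth_only=yes` and the `encrypt` submission port matter. The `authcid` field is the name Dovecot hands to PAM and `userdb passwd`, so `mail@mydomain.net` (posts #13 and #14) never matches a system account while `vmail` does. The `/etc/passwd` excerpt is constructed for the example; only the `vmail` line mirrors the uid/gid/home shown in the `doveadm auth login vmail` output earlier in the thread. The password check itself is not simulated (no `/etc/shadow` here); the example covers the name-resolution step that fails with "user unknown".

```python
import base64
from typing import Optional


def build_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Encode a SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL password,
    then base64. authcid is the name the server's passdb looks up; authzid is normally empty.
    The result is reversible by anyone on the wire, hence TLS before AUTH."""
    for part in (authzid, authcid, password):
        if "\0" in part:
            raise ValueError("NUL is the field separator and may not appear in a field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(token: str) -> tuple:
    """Decode what the server receives after 'AUTH PLAIN <token>' -> (authzid, authcid, password)."""
    raw = base64.b64decode(token, validate=True)  # raises ValueError on malformed base64
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly three NUL-separated fields")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def pam_login_name(authcid: str, username_format: str = "%Lu") -> str:
    """Apply Dovecot's auth_username_format before the passdb lookup.
    %u = whole login name, %n = local part before '@'; a leading L lowercases.
    Only the two formats relevant to the thread are modelled: %Lu (Dovecot's default)
    and %Ln (the domain-stripping form suggested in post #8)."""
    if username_format == "%Lu":
        return authcid.lower()
    if username_format == "%Ln":
        return authcid.split("@", 1)[0].lower()
    raise ValueError(f"format {username_format!r} is not modelled in this example")


# Constructed /etc/passwd excerpt (placeholders, except the vmail entry, which matches the
# uid/gid/home reported by `doveadm auth login vmail` in the thread).
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
postfix:x:73:73::/var/spool/postfix:/usr/bin/nologin
vmail:x:1000:1000::/var/spool/mail/vmail:/usr/bin/nologin
"""


def lookup_passwd(name: str, passwd_text: str = SAMPLE_PASSWD) -> Optional[dict]:
    """What pam_unix and `userdb passwd` do with the login name: an exact match on the
    first field of a passwd entry. No aliasing, no /etc/postfix/virtual involved."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == name:
            return {"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
                    "home": fields[5], "shell": fields[6]}
    return None


def authenticate_like_dovecot(token: str, username_format: str = "%Lu") -> Optional[dict]:
    """Token -> authcid -> auth_username_format -> passwd lookup. None means the same
    'unknown user' that pam_unix logs in the thread."""
    _, authcid, _ = parse_plain(token)
    return lookup_passwd(pam_login_name(authcid, username_format))


if __name__ == "__main__":
    for login in ("vmail", "mail@mydomain.net"):
        token = build_plain(login, "s3cret")
        print(f"AUTH PLAIN {token}  ->  {parse_plain(token)}")
        print("  %Lu lookup:", authenticate_like_dovecot(token))
        print("  %Ln lookup:", authenticate_like_dovecot(token, "%Ln"))
```

Running it shows that `%Ln` turns `mail@mydomain.net` into `mail`, which is still not a system account: the domain-stripping setting only helps when the local part of the address is itself the Unix user name.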

#19 2025-09-16 05:37:13

-thc
Member
Registered: 2017-03-15
Posts: 1,059

Re: Postfix + Dovecot, simple local user auth

1) may be irrelevant because postfix tries to resolve the client IP by decoding the mail addresses

2) postfix clearly states that the SMTP connection to the submission port is unauthenticated. Where does that connection come from and why does it not authenticate - isn't it configured as such? (Your telnet session proves it's working) Be aware that this seems to be active:

smtpd_client_restrictions=permit_sasl_authenticated,reject

despite neither being configured by you nor the default (empty).

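Added example (not part of the thread, and not Postfix code): a small parser for the `smtpd` debug lines quoted in post #16, written to make the point in post #19 mechanical. Each entry in an `smtpd_*_restrictions` list returns one of three codes in Postfix's `smtpd_check.c`: 0 (DUNNO, no decision, try the next restriction), 1 (OK, permit) and 2 (REJECT). `permit_sasl_authenticated` returns OK only when the session has completed SASL AUTH, so `status=0` on that line means the client never authenticated on this connection and the list fell through to the final `reject`. The sample log is the block from post #16; the parser would work the same on any `smtpd` output produced with `debug_peer_level` / `-v` logging.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Return codes of one smtpd restriction (Postfix smtpd/smtpd_check.c):
# 0 = DUNNO (no decision, evaluate the next one), 1 = OK (permit), 2 = REJECT.
STATUS = {0: "DUNNO", 1: "OK", 2: "REJECT"}

SECTION_START = re.compile(r">>> START (?P<name>.+?) RESTRICTIONS <<<")
SECTION_END = re.compile(r">>> END (?P<name>.+?) RESTRICTIONS <<<")
CHECK_RESULT = re.compile(r"generic_checks: name=(?P<name>\S+) status=(?P<status>\d+)")
REJECT_LINE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.+?); "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)


@dataclass
class RestrictionRun:
    """One evaluated restriction list (e.g. 'Client host'), in evaluation order."""
    section: str
    results: list = field(default_factory=list)   # [(restriction_name, status_int), ...]
    reject: Optional[dict] = None                 # parsed NOQUEUE line, if one was logged

    def sasl_authenticated(self) -> Optional[bool]:
        """True/False when permit_sasl_authenticated was evaluated, None when it was not in the list."""
        for name, status in self.results:
            if name == "permit_sasl_authenticated":
                return status == 1
        return None

    def decided_by(self) -> Optional[tuple]:
        """First restriction that returned OK or REJECT; DUNNO results fall through."""
        for name, status in self.results:
            if status in (1, 2):
                return name, STATUS[status]
        return None


def parse_smtpd_debug(lines) -> list:
    """Group generic_checks/NOQUEUE lines into one RestrictionRun per START/END section."""
    runs, current = [], None
    for line in lines:
        if m := SECTION_START.search(line):
            current = RestrictionRun(section=m["name"])
            runs.append(current)
        elif current is None:
            continue                      # resolve_clnt, ctable_locate, etc. outside a section
        elif m := CHECK_RESULT.search(line):
            current.results.append((m["name"], int(m["status"])))
        elif m := REJECT_LINE.search(line):
            current.reject = m.groupdict()   # logged before the 'status=2' line, so attach it now
        elif SECTION_END.search(line):
            current = None
    return runs


def explain(run: RestrictionRun) -> str:
    auth = run.sasl_authenticated()
    parts = [f"{run.section} restrictions"]
    if auth is True:
        parts.append("session was SASL-authenticated")
    elif auth is False:
        parts.append("session was NOT SASL-authenticated (permit_sasl_authenticated -> DUNNO)")
    else:
        parts.append("permit_sasl_authenticated not evaluated")
    if verdict := run.decided_by():
        parts.append(f"decided by {verdict[0]} -> {verdict[1]}")
    if run.reject:
        parts.append(f"{run.reject['code']} {run.reject['dsn']} for "
                     f"{run.reject['from']} -> {run.reject['to']}")
    return "; ".join(parts)


# Sample input: the debug excerpt quoted in post #16 of the thread.
SAMPLE_LOG = """\
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: resolve_clnt: `mail@example.net' -> `other@domain.tld' -> transp=`error' host=`5.1.1 User unknown in virtual alias table' rcpt=`other@domain.tld' flags= class=alias
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: ctable_locate: install entry key mail@example.net?other@domain.tld
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: extract_addr: in: <other@domain.tld>, result: other@domain.tld
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: >>> START Client host RESTRICTIONS <<<
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=permit_sasl_authenticated
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=permit_sasl_authenticated status=0
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=reject
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: NOQUEUE: reject: RCPT from router.mynet.local[192.168.1.1]: 554 5.7.1 <router.mynet.local[192.168.1.1]>: Client host rejected: Access denied; from=<mail@example.net> to=<other@domain.tld> proto=ESMTP helo=<[192.168.1.39]>
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=reject status=2
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: >>> END Client host RESTRICTIONS <<<
"""

if __name__ == "__main__":
    for run in parse_smtpd_debug(SAMPLE_LOG.splitlines()):
        print(explain(run))
```

The `resolve_clnt` line about the virtual alias table is outside any restriction section and is ignored, which matches the observation that it is unrelated to the rejection: the only decision recorded is `reject` in the client-host list, reached because `permit_sasl_authenticated` had nothing to permit.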

#20 2025-09-16 12:25:14

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

I am authenticating with Thunderbird with PLAIN mechanism. I have tried both SMTP + STARTTLS (port 587) and SMTPS (port 465). I assume that logging in either way would be a proper SASL authentication? I see this line in the Dovecot with no following errors:

Sep 16 12:04:15 eolo dovecot[56340]: imap-login: Login: user=<vmail>, method=PLAIN, rip=192.168.1.1, lip=10.0.3.10, mpid=60543, TLS, session=<************>

At the same time that I see the Postfix rejection errors.

The smtpd_client_restrictions policy is set in my master.cf:

submissions     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  #-o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o milter_macro_daemon_name=ORIGINATING
  # SASL authentication with dovecot
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

I copy/pasted this from the Postfix + Dovecot instructions. The Postfix SASL HOWTO doesn't mention anything about master.cf.


#21 2025-09-16 13:18:25

-thc
Member
Registered: 2017-03-15
Posts: 1,059

Re: Postfix + Dovecot, simple local user auth

Make sure that under Thunderbird > Settings > Privacy... > Saved Passwords the "smtp://..." user/password combo for the mail host is correct (and identical to "imap://..").

O.K. - the settings are in "master.cf" - that explains the client restriction behavior.

Last edited by -thc (2025-09-16 13:18:58)


#22 2025-10-26 04:32:08

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

Hi again. Getting back to this problem, which I partly solved, meaning that I am able to send emails, but they are never received.

I tried to send emails to another domain that I use daily, and also to a disposable GuerrillaMail address.

The SMTP auth process seems to go fine, but then it fails with

Oct 26 04:14:20 eolo postfix/smtp[2919]: connect to mail.guerrillamail.com[178.162.170.166]:25: Connection timed out
Oct 26 04:14:20 eolo postfix/smtp[2919]: E35271B12FD: to=<vq2zvm+aykqyahbqhzgo@sharklasers.com>, relay=none, delay=30, delays=0.03/0.01/30/0, dsn=4.4.1, status=deferred (connect to mail.guerrillamail.com[178.162.170.166]:25: Connection timed out)

Why would it be trying to connect to port 25 on the recipient's address?


#23 2025-10-26 06:26:58

-thc
Member
Registered: 2017-03-15
Posts: 1,059

Re: Postfix + Dovecot, simple local user auth

You seem to lack a basic understanding of a complete SMTP transport chain when delivering an email from a client to a recipient's mailbox.

If your client (Thunderbird) sends an outgoing email to "guerrillamail.com" - it follows its configuration (Account settings > Outgoing server) to deliver the email to your own SMTP (postfix) server. Now your server holds that email in its queue and looks at it. Postfix issues an MX DNS lookup to determine where to send this email:

[thc@box ~]$ drill guerrillamail.com -t MX 
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6551
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; guerrillamail.com.	IN	MX

;; ANSWER SECTION:
guerrillamail.com.	300	IN	MX	0 mail.guerrillamail.com.

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 79 msec
;; SERVER: 127.0.0.53
;; WHEN: Sun Oct 26 07:05:11 2025
;; MSG SIZE  rcvd: 56

The server responsible for handling the emails for "guerrillamail.com" is "mail.guerrillamail.com". Postfix (in your current configuration) now tries to establish a direct SMTP connection to "mail.guerrillamail.com" - which from "mail.guerrillamail.com"'s side looks like "some random dude on the internet tries to send me an email". Depending on the configuration of "mail.guerrillamail.com" this will most likely be denied.

Postfix needs to send outgoing emails to an account of an established (and probably commercial) email provider which in turn can relay this message to the mail server of "guerrillamail.com".

You have to set up a postfix "relayhost" via something like this:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_creds
smtp_sasl_security_options = noanonymous
relayhost = mail.myprovider.net

The (postmap hashed) file sasl_creds holds a valid email account for "mail.myprovider.net".

Last edited by -thc (2025-10-26 11:00:26)

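Added example (not part of the thread, and not Postfix code) for the relayhost setup described above, covering the two details a practitioner gets wrong most often. First, how Postfix reads the `relayhost` value: a bare `host` or `host:port` means an MX lookup on that name and, with no port, port 25, exactly the port the later posts find blocked; `[host]` suppresses the MX lookup and `[host]:587` or `[host]:submission` pins the submission port. Second, the `smtp_sasl_password_maps` source file: its key must equal the `relayhost` value character for character (brackets and port included) or the lookup misses and Postfix relays without AUTH, and the file holds a plaintext provider password, so it is created with mode 0600 from the first byte rather than chmod'ed afterwards. Host names, account and password in `demo()` are placeholders. After writing the file, run `postmap` with the map type your build supports (`postconf -m` lists them; this host uses `lmdb:` for its other maps) and keep both the source file and the generated map at mode 0600, as SASL_README recommends.

```python
import os
import stat
import tempfile
from pathlib import Path

# Service names Postfix users commonly write after the colon; anything else must be numeric.
SERVICES = {"smtp": 25, "submission": 587, "submissions": 465}


def relayhost_target(relayhost: str) -> tuple:
    """Interpret a relayhost/nexthop value the way Postfix does -> (host, port, mx_lookup).
    'host' / 'host:port'      -> MX lookup on host, then connect to the MX hosts
    '[host]' / '[host]:port'  -> no MX lookup, connect to host itself
    The port defaults to 25 (the 'smtp' service) when none is given."""
    spec = relayhost.strip()
    if spec.startswith("["):
        host, _, port_part = spec[1:].partition("]")
        port_part = port_part.lstrip(":")
        mx_lookup = False
    else:
        host, _, port_part = spec.partition(":")
        mx_lookup = True
    if not host:
        raise ValueError(f"no host in relayhost value {relayhost!r}")
    if not port_part:
        port = 25
    elif port_part in SERVICES:
        port = SERVICES[port_part]
    else:
        port = int(port_part)
    return host, port, mx_lookup


def sasl_passwd_entry(relayhost: str, user: str, password: str) -> str:
    """One line of the smtp_sasl_password_maps source: '<relayhost> <user>:<password>'.
    The key must match main.cf's relayhost exactly; Postfix splits the value at the first colon."""
    if any(c.isspace() for c in relayhost + user) or "\n" in password:
        raise ValueError("whitespace would break the key/value split")
    if ":" in user:
        raise ValueError("Postfix splits user:password at the first colon")
    return f"{relayhost} {user}:{password}\n"


def write_sasl_passwd(path, entries: list) -> Path:
    """Create the credential file owner-only (O_CREAT with 0600, independent of umask)
    so the relay password is never readable by other local users, not even briefly."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.writelines(entries)
    os.chmod(path, 0o600)  # the file may have pre-existed with looser bits
    return Path(path)


def audit_sasl_passwd(path) -> list:
    """Return findings for a sasl_passwd source file; an empty list means no problems found."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.S_IMODE(mode):04o} is accessible to group/other; chmod 600")
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip() or line.startswith("#"):
                continue
            key, _, cred = line.rstrip("\n").partition(" ")
            if not key or ":" not in cred:
                findings.append(f"{path}:{lineno}: expected '<relayhost> <user>:<password>'")
                continue
            host, port, mx_lookup = relayhost_target(key)
            if mx_lookup:
                findings.append(f"{path}:{lineno}: {key!r} has no [brackets]: Postfix will do an MX "
                                f"lookup on {host} and connect to port {port}")
    return findings


def demo() -> tuple:
    """Write one correct and one sloppy file into a temp dir and audit both (placeholder values)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_sasl_passwd(Path(tmp) / "sasl_passwd",
                                 [sasl_passwd_entry("[mail.myprovider.net]:587",
                                                    "me@myprovider.net", "s3cret")])
        bad = Path(tmp) / "sasl_passwd.bad"
        bad.write_text("mail.myprovider.net me@myprovider.net:s3cret\n")
        os.chmod(bad, 0o644)  # world-readable, and a bare host name as the key
        return audit_sasl_passwd(good), audit_sasl_passwd(bad)


if __name__ == "__main__":
    for spec in ("mail.myprovider.net", "[mail.myprovider.net]:587", "[mail.myprovider.net]:submission"):
        print(f"{spec:35} -> {relayhost_target(spec)}")
    good_findings, bad_findings = demo()
    print("good file:", good_findings or "no findings")
    print("bad file:", *bad_findings, sep="\n  ")
```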

#24 2025-10-26 23:21:31

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

Thanks for the explanation, thc.

I think I am having a firewall problem with my router, that is blocking all outbound traffic on port 25 and is unrelated to my mail server. I'll get back to you once I resolve that.


#25 2025-10-27 15:52:31

gattu_marrudu
Member
Registered: 2008-03-29
Posts: 84

Re: Postfix + Dovecot, simple local user auth

I did some more digging to no avail. I still can't get access to the recipient's port 25 from any machine on my network, even after resetting my router configuration, disabling the local firewall, and explicitly allowing outgoing traffic on 25.

The recipient I am testing on is a cloud server I manage, and I can reach port 25 internally. I can't even reach port 25 on gmail-smtp-in.l.google.com from my local mail server, but I can from my cloud server.

I logged into my router (OpenWRT) and tried to scan my mail server's ports straight from WAN:

# nmap mail.mydomain.tld 
[....]
Not shown: 993 closed tcp ports (reset)
PORT      STATE    SERVICE
25/tcp    filtered smtp
80/tcp    open     http
443/tcp   open     https
465/tcp   open     smtps
587/tcp   open     submission
993/tcp   open     imaps
10025/tcp open     unknown

The same scan from another cloud server shows port 25 as open. At this point I am at a loss as to what could be blocking the port. Could the ISP be the culprit? I am on Verizon USA.

Sorry if this is taking us farther away from the original post; I can open a different ticket if it's getting off topic.
