Hello,
I am setting up an SMTP + IMAP server using postfix and Dovecot. I have been using the Arch Wiki guidelines for both packages, as well as further documentation in the Dovecot guide.
My requirements are very simple: some virtual mailboxes aliased to a single system user (which may grow but not more than a handful).
My /etc/postfix/virtual looks like this:
abuse@mydomain.net vmail
mail@mydomain.net vmail
alias1@mydomain.net vmail
alias2@mydomain.net vmail
mail@myotherdomain.net vmail
mail2@myotherdomain.net vmail
[...]
vmail exists as a user, has /var/spool/mail/vmail as a home folder, which is empty and owned by vmail.
Dovecot is set to use PAM for authentication. From doveconf:
userdb {
driver = passwd
args = blocking=no
}
passdb {
driver = pam
args = session=yes failure_show_msg=yes dovecot
}
Now, I get confused when I read the Dovecot PAM authentication section in the Arch Wiki. Must I set up LDAP or SSSD even for a very simple user DB? Both LDAP and SSSD seem overkill for what I'm trying to achieve.
Can I use PAM with the existing shadow file?
My /etc/pam.d/dovecot (I believe that's the pacman default):
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
password include system-auth
I am not able to log in to Dovecot with this setup:
$ doveadm auth login vmail
Password:
passdb: vmail auth failed
extra fields:
user=vmail
$ doveadm auth login mail@mydomain.net
Password:
passdb: mail@mydomain.net auth failed
extra fields:
user=mail@mydomain.net
Dovecot journal:
Sep 10 12:30:28 eolo auth[4870]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=vmail rhost= user=vmail
Any hints?
Thanks.
ERRATA:
I am indeed able to log in via doveadm, but not via email client (SMTP):
Sep 10 12:45:52 eolo auth[4960]: pam_faillock(dovecot:auth): User unknown
Sep 10 12:45:52 eolo auth[4960]: pam_unix(dovecot:auth): check pass; user unknown
Sep 10 12:45:52 eolo auth[4960]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mail@mydomain.net rhost=192.168.1.1
Last edited by gattu_marrudu (2025-09-10 12:51:46)
My doveconf (explicit values):
$ doveconf -N
# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21.1 (49005e73)
# OS: Linux 6.15.11-hardened1-1-hardened x86_64 btrfs
# Hostname: eolo
auth_mechanisms = plain
first_valid_uid = 8
mail_location = maildir:/var/spool/mail/%u/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = session=yes failure_show_msg=yes dovecot
driver = pam
name =
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
args = blocking=no
driver = passwd
name =
}
My postconf for main.cf:
$ postconf -nf
alias_database = $alias_maps
alias_maps = lmdb:/etc/postfix/aliases
command_directory = /usr/bin
compatibility_level = 3.10
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain,
smtp.$mydomain, imap.$mydomain
mydomain = mydomain.net
myhostname = mail.mydomain.net
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
relay_domains = $mydestination
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client
dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.net/fullchain.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.net/privkey.pem
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_config_file = ${config_directory}/openssl.cnf
tls_config_name = postfix
tls_eecdh_auto_curves =
tls_ffdhe_auto_groups =
unknown_local_recipient_reject_code = 550
virtual_alias_domains = mydomain.net myotherdomain.net
virtual_alias_maps = lmdb:/etc/postfix/virtual
virtual_transport = dovecot
postconf: warning: /etc/postfix/main.cf: support for parameter "smtpd_use_tls" will be removed; instead, specify "smtpd_tls_security_level"
master.cf:
$ postconf -Mf
smtp inet n - n - - smtpd
10025 inet n - n - - smtpd
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_auth_only=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_relay_restrictions=
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=lmdb:/etc/postfix/virtual
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
dovecot unix - n n - - pipe flags=DRhu
user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e
/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
It's a bit more tricky.
Dovecot should use the system users by default, without setting up anything at all. That should be the default config that comes with dovecot.
https://doc.dovecot.org/2.4.1/core/conf … asswd.html
If you want postfix to use that, you have to enable the SASL Backend in dovecot and make postfix use that
https://www.postfix.org/SASL_README.html#server_dovecot
I did it exactly that way and it works flawlessly. You do _not_ need to set up LDAP/SSSD or anything else.
Last edited by Vamp898 (2025-09-10 15:30:36)
In my default dovecot config (/usr/share/doc/dovecot/example-config/conf.d/auth-system.conf.ext), pam is the active passdb:
# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
passdb {
driver = pam
# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
# [cache_key=<key>] [<service name>]
#args = dovecot
}
I copied the file to /etc/dovecot/conf.d/ and left the PAM module as is which I believe is the default (see my first post above).
I also added the service auth section, now the config looks like this:
$ doveconf -n
# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21.1 (49005e73)
# OS: Linux 6.15.11-hardened1-1-hardened x86_64 btrfs
# Hostname: eolo
auth_mechanisms = plain login
first_valid_uid = 8
mail_location = maildir:/var/spool/mail/%u/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = " sieve"
}
protocol lda {
mail_plugins = " sieve"
}
I still can't log in, but now Dovecot doesn't log the failure, Postfix does:
Sep 10 16:08:43 eolo postfix/submission/smtpd[8504]: connect from router.mydomain.net[192.168.1.1]
Sep 10 16:08:43 eolo postfix/submission/smtpd[8504]: NOQUEUE: reject: RCPT from router.mydomain.local[192.168.1.1]: 554 5.7.1 <router.mydomain.local[192.168.1.1]>: Client host rejected: Access denied; from=<mail@mydomain.net> to=<mail@mydomain.net> proto=ESMTP helo=<[192.168.1.39]>
Sep 10 16:08:44 eolo postfix/submission/smtpd[8504]: NOQUEUE: lost connection after RCPT from router.mydomain.local[192.168.1.1]
Sep 10 16:08:44 eolo postfix/submission/smtpd[8504]: disconnect from router.mydomain.local[192.168.1.1] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5
So login neither works on Dovecot nor on Postfix?
But the daemon is up and running? And listening on the Network Port you want it to listen? What exactly does your IMAP Client say?
Login works locally on Dovecot:
$ doveadm auth login vmail
Password:
passdb: vmail auth succeeded
extra fields:
user=vmail
userdb extra fields:
vmail
system_groups_user=vmail
uid=1000
gid=1000
home=/var/spool/mail/vmail/
auth_mech=PLAIN
Thunderbird says:
Sending of the message failed.
An error occurred while sending mail. The mail server responded:
<router.mydomain.local[192.168.1.1]>: Client host rejected: Access denied.
Please check the message recipient "mail@mydomain.net" and try again.
I wonder if some Postfix sender restrictions are getting in the way (I also get incoming mail rejected), but it seems pretty default to me.
I think I narrowed down the source of the problem but I haven't found a solution yet.
Locally I can log into Dovecot with my Unix account (vmail) but it seems like Dovecot is expecting the full email as the user name, in fact I get
Sep 15 01:54:47 eolo auth[52500]: pam_faillock(dovecot:auth): User unknown
Sep 15 01:54:47 eolo auth[52500]: pam_unix(dovecot:auth): check pass; user unknown
Sep 15 01:54:47 eolo auth[52500]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mail@example.net rhost=192.168.1.1
The mapping between mail@example.net and vmail is set up in /etc/postfix/virtual. This is working as I can see incoming mail to that address land in the right mailbox in the filesystem.
How do I get Dovecot to get the user mapping from Postfix and use the Unix system passdb (currently /etc/shadow) for authentication?
Examples online describe more complex setups involving user databases, which is an oversized solution for me.
You can configure dovecot to strip away any domain part:
# /etc/dovecot/conf.d/10-auth-conf
auth_username_format = %Ln
You can configure dovecot to strip away any domain part:
# /etc/dovecot/conf.d/10-auth-conf
auth_username_format = %Ln
That would not log in `myalias@mydomain.tld` as `vmail` though, would it?
No.
Be aware that /etc/aliases and /etc/postfix/virtual are "just" mailbox mappings and have nothing to do with the authentication. You already configured dovecot for passdb/userdb authentication (you may check omitting the args) - the error has to be there somewhere.
I think my problem is that Dovecot is not able to map the virtual user to the real user. There is no instruction for it to look at /etc/postfix/virtual. How do I set up that?
I somehow missed it: Are you literally trying to authenticate with "myalias@mydomain.tld" as a username?
Why?
I somehow missed it: Are you literally trying to authenticate with "myalias@mydomain.tld" as a username?
Why?
I believe that's what my MUA is sending (of course, using actual email address in /etc/postfix/virtual).
When I try sending an email from the account I am setting up, I get this from Postfix:
Sep 15 12:53:01 eolo postfix/submission/smtpd[55029]: NOQUEUE: reject: RCPT from router.mydomain.local[192.168.1.1]: 554 5.7.1 <router.mydomain.local[192.168.1.1]>: Client host rejected: Access denied; from=<mail@example.net> to=<some-other-email@any.net> proto=ESMTP helo=<[192.168.1.39]>
When I try to access my SMTP mailbox, I get this from Dovecot:
Sep 15 12:57:04 eolo auth[55051]: pam_faillock(dovecot:auth): User unknown
Sep 15 12:57:04 eolo auth[55051]: pam_unix(dovecot:auth): check pass; user unknown
Sep 15 12:57:04 eolo auth[55051]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mail@example.net rhost=192.168.1.1
Sep 15 12:57:04 eolo auth[55051]: pam_faillock(dovecot:auth): User unknown
Sep 15 12:57:06 eolo dovecot[55022]: auth-worker(55051): conn unix:auth-worker (pid=55049,uid=76): auth-worker<3>: pam(mail@example.net,192.168.1.1,<NNxuidY+QqfAqAEB>): unknown user
"ruser" is the email address my MUA is logging in with.
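As an added illustration of the two answers above (this is not code from the thread or from either project), the script below decodes what a MUA actually sends in an AUTH PLAIN token, applies Dovecot's auth_username_format to it, and compares the result with the /etc/postfix/virtual mapping. The virtual table is a delivery mapping, not an authentication lookup, so the name PAM receives is the authcid the client sent (with %Ln, just its local part) and is never "vmail". The sample table and token are constructed; the password is a placeholder.

```python
import base64

# Constructed sample data (not from the thread's server): the virtual(5) table
# from the first post and a PLAIN token as a MUA such as Thunderbird sends it.
SAMPLE_VIRTUAL = """\
abuse@mydomain.net vmail
mail@mydomain.net vmail
mail@myotherdomain.net vmail
"""
SAMPLE_PASSWORD = "placeholder-password"  # constructed, not a real credential

def encode_sasl_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build an RFC 4616 PLAIN token: base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()

def decode_sasl_plain(token: str) -> dict:
    """Split a PLAIN token into its fields; authcid is the name PAM receives."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token must hold exactly three NUL-separated fields")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": password}

def apply_username_format(user: str, fmt: str = "%Lu") -> str:
    """Subset of Dovecot auth_username_format: %u full, %n local part, %d domain; L lowercases."""
    local, _, domain = user.partition("@")
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] != "%":
            out.append(fmt[i])
            i += 1
            continue
        i += 1
        lower = fmt[i:i + 1] == "L"
        if lower:
            i += 1
        val = {"u": user, "n": local, "d": domain, "%": "%"}.get(fmt[i:i + 1])
        if val is None:
            raise ValueError(f"unsupported variable in format {fmt!r}")
        i += 1
        out.append(val.lower() if lower else val)
    return "".join(out)

def parse_virtual(text: str) -> dict:
    """Parse postfix virtual(5) 'address destination' lines into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            address, destination = line.split(None, 1)
            table[address.lower()] = destination.strip()
    return table

def explain_login(token: str, virtual: dict, username_format: str = "%Lu") -> dict:
    """Name Dovecot/PAM will authenticate vs. the mailbox owner virtual(5) routes to."""
    sent = decode_sasl_plain(token)["authcid"]
    dovecot_user = apply_username_format(sent, username_format)
    owner = virtual.get(sent.lower())
    return {"sent": sent, "dovecot_user": dovecot_user, "mailbox_owner": owner,
            "matches_system_user": dovecot_user == owner}

if __name__ == "__main__":  # %Ln strips the domain but still does not yield "vmail"
    print(explain_login(encode_sasl_plain("mail@mydomain.net", SAMPLE_PASSWORD),
                        parse_virtual(SAMPLE_VIRTUAL), "%Ln"))
```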
OK, rethinking about your comment I tried to use `vmail` as a user name in my Thunderbird settings and I can authenticate into IMAP. Thanks!
I carried over the full-email login name from another server setup that used Postfixadmin with PGSql, probably more mapping was done there and I didn't realize that my new setup requires the actual user name.
SMTP is still not working: even if I change the user name to vmail, I still get "Client host rejected: Access denied" in Postfix.
Last edited by gattu_marrudu (2025-09-15 13:12:59)
Yep - SMTP is the real tricky part because you have to allow it without authentication.
"Client host rejected: Access denied" literally means: No configured or default smtpd_* restriction allows access from this IP address.
Just something to think about: You allow "permit_mynetworks" - but "mynetworks" is undefined/default. Is it possible that your client's IP address matches any of the spamhaus blacklists?
It may be worth mentioning my network setup: the mail server is running as an lxc in an address range of 10.0.3.0/24. The host is in an address range of 192.168.1.0/24 (the router to the WWW is 192.168.1.1). I just verified that my public IP is not in the spamhaus blacklist.
I added these two ranges to mynetworks in any case.
I also turned up login debugging and noticed two perplexing things:
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: resolve_clnt: `mail@example.net' -> `other@domain.tld' -> transp=`error' host=`5.1.1 User unknown in virtual alias table' rcpt=`other@domain.tld' flags= class=alias
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: ctable_locate: install entry key mail@example.net?other@domain.tld
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: extract_addr: in: <other@domain.tld>, result: other@domain.tld
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: >>> START Client host RESTRICTIONS <<<
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=permit_sasl_authenticated
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=permit_sasl_authenticated status=0
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=reject
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: NOQUEUE: reject: RCPT from router.mynet.local[192.168.1.1]: 554 5.7.1 <router.mynet.local[192.168.1.1]>: Client host rejected: Access denied; from=<mail@example.net> to=<other@domain.tld> proto=ESMTP helo=<[192.168.1.39]>
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: generic_checks: name=reject status=2
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: >>> END Client host RESTRICTIONS <<<
Sep 15 14:22:35 eolo postfix/submission/smtpd[55665]: > router.mynet.local[192.168.1.1]: 554 5.7.1 <router.mynet.local[192.168.1.1]>: Client host rejected: Access denied
1) The user is not found in the alias table, even though I set it up in /etc/postfix/virtual, created the local db with postalias, and referenced it in main.cf. Which alias is it referring to? The recipient? Obviously that wouldn't be in the alias table because it's a foreign address. Is this just a routine check to see if the recipient is in a local list and give it a preferential permit?
2) permit_sasl_authenticated status=0 doesn't sound right. Didn't I just authenticate as the sender with SASL via dovecot? I set up Dovecot as per https://www.postfix.org/SASL_README.html.
Last edited by gattu_marrudu (2025-09-16 01:30:51)
[removed for double posting - server glitch]
Last edited by gattu_marrudu (2025-09-15 20:59:16)
It looks like SMTP auth is working over telnet:
openssl s_client -connect mail.example.net:25 -starttls smtp
[SSL stuff...]
read R BLOCK
EHLO myclient.org
250-eolo.lxcnet.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
AUTH PLAIN base64ecodedpassword1234
235 2.7.0 Authentication successful
1) may be irrelevant because postfix tries to resolve the client IP by decoding the mail addresses
2) postfix clearly states that the SMTP connection to the submission port is unauthenticated. Where does that connection come from and why does it not authenticate - isn't it configured as such? (Your telnet session proves it's working) Be aware that this seems to be active:
smtpd_client_restrictions=permit_sasl_authenticated,reject
despite neither being configured by you nor the default (empty).
I am authenticating with Thunderbird with the PLAIN mechanism. I have tried both SMTP + STARTTLS (port 587) and SMTPS (port 465). I assume that logging in either way would be a proper SASL authentication? I see this line in the Dovecot log with no following errors:
Sep 16 12:04:15 eolo dovecot[56340]: imap-login: Login: user=<vmail>, method=PLAIN, rip=192.168.1.1, lip=10.0.3.10, mpid=60543, TLS, session=<************>
At the same time that I see the Postfix rejection errors.
The smtpd_client_restrictions policy is set in my master.cf:
submissions inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
#-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o milter_macro_daemon_name=ORIGINATING
# SASL authentication with dovecot
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
I copy/pasted this from the Postfix + Dovecot instructions. The Postfix SASL HOWTO doesn't mention anything about master.cf.
Make sure that under Thunderbird > Settings > Privacy... > Saved Passwords the "smtp://..." user/password combo for the mail host is correct (and identical to "imap://..").
O.K. - the settings are in "master.cf" - that explains the client restriction behavior.
Last edited by -thc (2025-09-16 13:18:58)