Solved Dovecot Postfix MySQL Authentication Issues

I am in a situation where I have to wipe my remote server and reinstall. It's been a while since I built a server and I am not as sharp as I used to be.
I am running FreeBSD 12.1, well at least the server is... I am getting constant authentication errors like

Code:
Dec 28 22:10:18 triggerfish dovecot[21809]: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<jason@example.com>, method=PLAIN, rip=73.150.178.106, lip=x.x.x.x, TLS, session=<QFSvEM+aA8lJlrJq>
Dec 28 22:10:19 triggerfish dovecot[21809]: imap-login: Aborted login (client didn't finish SASL auth, waited 4 secs): user=<>, method=LOGIN, rip=73.150.178.106, lip=x.x.x.x, TLS, session=<FNjXEM+aBMlJlrJq>
Dec 28 22:10:19 triggerfish dovecot[21809]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=73.150.178.106, lip=x,x,x,x, TLS: Connection closed, session=<pNccEc+aBslJlrJq>
Dec 28 22:10:24 triggerfish dovecot[21809]: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<jason@example.com>, method=LOGIN, rip=73.150.178.106, lip=x,x,x,x, TLS, session=<hukLEc+aBclJlrJq>

Results of postconf -n are:

Code:
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 25600000
meta_directory = /usr/local/libexec/postfix
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_recipient_maps = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client rhsbl.sorbs.net, reject_rbl_client db.wpbl.info, reject_rbl_client cbl.abuseat.org, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client query.bondedsender.org permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unlisted_sender, permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/ssl/more/server.crt
smtpd_tls_key_file = /usr/local/etc/ssl/more/server.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/mysql-virtual-domains-maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

Not sure if I need to post main.cf.

I have been beating my head against the screen for a week and thought I'd try here. Probably some stupid typo or stupid action on my part. Feel free to slap me around.
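As an added example (mine, not from the thread or from Dovecot), here is a small Python triage script for the imap-login lines quoted above. It parses each event, groups it by remote IP and separates "auth failed" (the password database rejected the credentials) from unfinished SASL exchanges and no-attempt connects, because those point at different causes. The sample log is the poster's four lines; the diagnosis strings are my own heuristics.

```python
import re
from collections import defaultdict

# Constructed sample: the four imap-login lines quoted in the post above
# (lip values are kept as the poster masked them).
SAMPLE_LOG = """\
Dec 28 22:10:18 triggerfish dovecot[21809]: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<jason@example.com>, method=PLAIN, rip=73.150.178.106, lip=x.x.x.x, TLS, session=<QFSvEM+aA8lJlrJq>
Dec 28 22:10:19 triggerfish dovecot[21809]: imap-login: Aborted login (client didn't finish SASL auth, waited 4 secs): user=<>, method=LOGIN, rip=73.150.178.106, lip=x.x.x.x, TLS, session=<FNjXEM+aBMlJlrJq>
Dec 28 22:10:19 triggerfish dovecot[21809]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=73.150.178.106, lip=x,x,x,x, TLS: Connection closed, session=<pNccEc+aBslJlrJq>
Dec 28 22:10:24 triggerfish dovecot[21809]: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<jason@example.com>, method=LOGIN, rip=73.150.178.106, lip=x,x,x,x, TLS, session=<hukLEc+aBclJlrJq>
"""

# Syslog prefix, then "<service>-login: <event> (<reason>): key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ dovecot\[\d+\]: "
    r"(?P<service>\w+-login): (?P<event>Aborted login|Disconnected) "
    r"\((?P<reason>[^)]*)\): (?P<fields>.*)$"
)
# key=value pairs; values are either <...> (may contain commas) or comma-free
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")


def classify(reason):
    if reason.startswith("auth failed"):
        return "auth_failed"        # passdb rejected the credentials
    if reason.startswith("client didn't finish SASL auth"):
        return "sasl_incomplete"    # client gave up mid-exchange (mechanism/TLS mismatch)
    if reason.startswith("no auth attempts"):
        return "no_auth"            # connected and left without trying (probe, capability check)
    return "other"


def parse_line(line):
    """Return one event dict for an imap-login/pop3-login line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    reason = m.group("reason")
    n = re.search(r"(\d+) attempts", reason)
    return {
        "ts": m.group("ts"),
        "service": m.group("service"),
        "kind": classify(reason),
        "attempts": int(n.group(1)) if n else 0,
        "user": fields.get("user", "").strip("<>"),
        "method": fields.get("method", "").upper(),
        "rip": fields.get("rip", ""),
        "tls": re.search(r"\bTLS\b", m.group("fields")) is not None,
    }


def summarize(log_text):
    """Group events by remote IP: counts per kind, users and mechanisms seen."""
    per_ip = defaultdict(lambda: {"auth_failed": 0, "sasl_incomplete": 0,
                                  "no_auth": 0, "other": 0, "plaintext_no_tls": 0,
                                  "users": set(), "methods": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip[ev["rip"]]
        s[ev["kind"]] += 1
        if ev["user"]:
            s["users"].add(ev["user"])
        if ev["method"]:
            s["methods"].add(ev["method"])
        if ev["method"] in ("PLAIN", "LOGIN") and not ev["tls"]:
            s["plaintext_no_tls"] += 1      # password went over the wire unprotected
    return dict(per_ip)


def findings(summary):
    """Heuristic readings of the per-IP summary (my rules, not Dovecot's)."""
    out = []
    for ip, s in sorted(summary.items()):
        if s["auth_failed"] and s["users"] and s["methods"] >= {"PLAIN", "LOGIN"}:
            out.append(f"{ip}: named user rejected via both PLAIN and LOGIN; "
                       "mechanism negotiation works, check the passdb (SQL query, password scheme)")
        if s["sasl_incomplete"]:
            out.append(f"{ip}: {s['sasl_incomplete']} unfinished SASL exchange(s); "
                       "client and server mechanism lists may not overlap")
        if s["plaintext_no_tls"]:
            out.append(f"{ip}: plaintext mechanism used on a non-TLS connection; "
                       "check disable_plaintext_auth and the ssl settings")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

The distinction matters for the question asked: "auth failed" for the same user over both PLAIN and LOGIN means the mechanism negotiation succeeded and the passdb (here the MySQL query and the password scheme it returns) is what rejects the login. `doveadm auth test user@example.com` exercises the passdb directly without a client in between, and `auth_verbose = yes` / `auth_debug = yes` in the Dovecot configuration make the log say which passdb step failed.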
 
Note, imap-login is a Dovecot issue, and not a Postfix one, and you want to troubleshoot your Dovecot settings.

Depending on how old your old setup was, an issue might be that you had Dovecot 1.x on there, and this is not available anymore. Nowadays we use Dovecot 2.x. If this is the case, you have to do some reading on how to translate a variety of 1.x settings to the corresponding 2.x ones.

Another obstacle is which authentication protocol should be used. In this respect you are mostly limited by the abilities on the clients' side. I figure the most common secure denominator is CRAM-MD5. This is understood by Thunderbird, Outlook, Androids, and all Apple mail clients (iOS and macOS). HTTP-Digest-MD5 is worse, while the much superior protocols CRAM-SHA256 or CRAM-SHA512 are still not widely adopted. It was only less than a year ago that it became available in security/cyrus-sasl. So, one problem might be that the clients don't speak the authentication protocol which Dovecot expects. Here you would start troubleshooting by finding out what authentication method is set on the client side, and what protocols are offered by Dovecot.

Final note. Many people seem to believe that clear text authentication over TLS is safe. It is not. Organizations do have DPI firewalls, and the admins may capture clear text passwords.

Last note. I consider MySQL overkill for less than, let's say, a few hundred users. In case you figure MySQL is not of paramount importance for your use case, perhaps you might want to read my blog post about a mail service employing the latest Postfix and the latest Dovecot on the latest FreeBSD, but having the credentials in files and not in a database.

Home Mail Server with TLS and non-Plaintext Authentication
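To make the "what is set on the client, what does Dovecot offer" step concrete, here is an added Python example (mine, not from the reply or from Dovecot). It reads the mechanisms out of an IMAP CAPABILITY line before and after STARTTLS and decides whether a client configured for a given mechanism can authenticate at all. The two capability lines are constructed; that Thunderbird's "Normal password" means PLAIN/LOGIN and "Encrypted password" means CRAM-MD5 is a general fact, everything else is assumption.

```python
import re

# Constructed IMAP greeting and post-STARTTLS capability lines (not captured
# from the poster's server). Before STARTTLS a sensibly configured Dovecot
# hides PLAIN/LOGIN and advertises LOGINDISABLED.
PRE_TLS = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ "
           "STARTTLS AUTH=CRAM-MD5 LOGINDISABLED] Dovecot ready.")
POST_TLS = ("* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ "
            "AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5")

# Mechanisms that transmit the password itself (or a trivially decodable form)
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Thunderbird's setting names; other clients use different wording (assumption)
CLIENT_SETTING_TO_MECH = {"normal password": "PLAIN", "encrypted password": "CRAM-MD5"}


def capabilities(line):
    """Capability tokens from a greeting ([CAPABILITY ...]) or a '* CAPABILITY' reply."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)$", line)
    return set(m.group(1).split()) if m else set()


def auth_mechanisms(caps):
    """The SASL mechanisms advertised as AUTH=<name>."""
    return {c[5:].upper() for c in caps if c.upper().startswith("AUTH=")}


def assess(pre_tls_line, post_tls_line, client_mech, client_uses_starttls=True):
    """Can a client configured for client_mech authenticate against this server?"""
    pre, post = capabilities(pre_tls_line), capabilities(post_tls_line)
    client_mech = CLIENT_SETTING_TO_MECH.get(client_mech.lower(), client_mech).upper()
    offered = auth_mechanisms(post if client_uses_starttls else pre)
    result = {
        "offered": sorted(offered),
        "starttls_advertised": "STARTTLS" in pre,
        # server-side weakness: a password-revealing path usable before TLS
        "plaintext_before_tls": bool(auth_mechanisms(pre) & PLAINTEXT_MECHS)
                                or "LOGINDISABLED" not in pre,
    }
    if client_mech in offered:
        result["can_auth"], result["reason"] = True, f"{client_mech} is offered"
    elif (not client_uses_starttls and "STARTTLS" in pre
          and client_mech in auth_mechanisms(post)):
        result["can_auth"], result["reason"] = False, (
            f"{client_mech} is only offered after STARTTLS and the client does not use TLS")
    else:
        result["can_auth"], result["reason"] = False, (
            f"{client_mech} not offered; server offers {sorted(offered) or 'nothing'}")
    return result


if __name__ == "__main__":
    for mech, tls in (("CRAM-MD5", True), ("normal password", False), ("SCRAM-SHA-1", True)):
        r = assess(PRE_TLS, POST_TLS, mech, tls)
        print(f"{mech:16} starttls={tls!s:5} -> {r['can_auth']}: {r['reason']}")
```

The server-side list comes from `doveconf auth_mechanisms`; the client-side mechanism is whatever the account settings call it, which is why the small translation table is there. Offering CRAM-MD5 also constrains the password database: the server must hold the password in plain text or in the CRAM-MD5 scheme, so a passdb full of salted crypt hashes cannot serve it, and a mismatch there shows up as "auth failed" even though the mechanism negotiation succeeded.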
 
Thanks. I have pretty much screwed this up beyond hope. Although a smaller server, I was hosting 5 domains before I got hacked. I liked to use Postfixadmin so my sites could control their own email; it's been probably 5 years since I built a server and it seems like I just don't have it anymore. Let me restore to an earlier point and see.
 
If you don't have the configuration files, then that's what the problem is. Postfix can't read them to configure how to access MySQL (which may or may not be configured properly either) in order to know:
  • user maildirs (virtual_mailbox_maps)
  • valid domains for the server (virtual_mailbox_domains)
  • valid email addresses (virtual_alias_maps)
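To show what those three maps look like and what Postfix actually sends to MySQL for one lookup, here is an added Python example (mine, not from the reply, Postfix or Postfixadmin). It parses a mysql_table(5) map file, checks that the required parameters are present, and expands the query placeholders for a lookup key the way the manual page describes. The map contents, table and column names are constructed assumptions in the Postfixadmin style; the quoting is a simplification of what Postfix does.

```python
import re

# Constructed example of a Postfix mysql_table(5) map file in the layout a
# Postfixadmin-style schema uses; table/column names and credentials are
# assumptions, not taken from the poster's server.
MAILBOX_MAP_CF = """\
# mysql-virtual-mailbox-maps.cf (example)
hosts = unix:/var/run/mysql/mysql.sock
user = postfix
password = CHANGE_ME
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username = '%s' AND active = '1'
"""

REQUIRED = ("hosts", "user", "password", "dbname", "query")


def parse_cf(text):
    """Parse the 'name = value' lines of a mysql_table(5) file."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def validate_cf(cfg):
    """Problems a failing or over-matching lookup is usually traced to."""
    problems = [f"missing parameter: {k}" for k in REQUIRED if k not in cfg]
    query = cfg.get("query", "")
    if query and not re.search(r"%[sud1-9]", query):
        problems.append("query has no %s/%u/%d placeholder; every key would match the same rows")
    return problems


def sql_quote(value):
    # Postfix escapes the key before substitution; simplified here to \ and '
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand_query(query, key):
    """Expand %s, %u, %d, %[1-9] and %% for one lookup key as mysql_table(5)
    describes. Returns None when Postfix would suppress the query (a domain
    placeholder used with a key that has no domain part)."""
    local, at, domain = key.partition("@")
    components = domain.split(".") if at else []
    out, i = [], 0
    while i < len(query):
        ch = query[i]
        if ch != "%" or i + 1 >= len(query):
            out.append(ch)
            i += 1
            continue
        spec = query[i + 1]
        i += 2
        if spec == "%":
            out.append("%")
        elif spec == "s":                      # the whole key
            out.append(sql_quote(key))
        elif spec == "u":                      # local part, or whole key without '@'
            out.append(sql_quote(local if at else key))
        elif spec == "d":                      # domain part; suppressed without '@'
            if not at:
                return None
            out.append(sql_quote(domain))
        elif spec in "123456789":              # %1 = most significant domain label
            n = int(spec)
            if not at or n > len(components):
                return None
            out.append(sql_quote(components[-n]))
        else:
            raise ValueError(f"unknown placeholder %{spec}")
    return "".join(out)


if __name__ == "__main__":
    cfg = parse_cf(MAILBOX_MAP_CF)
    print("problems:", validate_cf(cfg) or "none")
    print("lookup SQL:", expand_query(cfg["query"], "jason@example.com"))
```

On the server itself the equivalent check is `postmap -q jason@example.com mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf`, repeated for the domains and alias maps with a domain and an alias address as keys; an empty result for a value that should exist means the query or the database contents are wrong. The imap-login failures quoted at the top are decided by Dovecot's own passdb query, which is configured separately from these Postfix maps even when it reads the same tables.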
 