
#1 On 22/11/2020 at 08:27

LeMoussel

[SOLVED] SASL LOGIN authentication failed on Postfix

Hello

I have a dedicated server (at OVH, SMTP port 587) on which I installed Postfix, SMTP authentication, Dovecot SASL and IMAP/POP3.
Note: I followed the procedure described in this article: https://guide.ubuntu-fr.org/server/postfix.html

The problem is that I cannot log in over SMTP. I get the error Authentication failed.

telnet smtp.monserveur.fr 587

220 GARM-95G001 Sunday, November 22, 2020
EHLO  mail.example.fr
250-OVH SMTP PROXY Hello
250-SIZE 104857600
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-STARTTLS
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
BASE64(USER)
334 UGFzc3dvcmQ6
BASE64(MOTDEPASSE)
535 5.7.1 Authentication failed
QUIT
221  Service closing transmission channel

Yet Dovecot SASL does know the user:

netcat mail.monserveur.fr 110

+OK Dovecot (Ubuntu) ready.
user USER
+OK
pass MOTDEPASSE
+OK Logged in.
quit
+OK Logging out.

The difficulty is that there is no error message at all in the log files.

/etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.MON-NDD.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.MON-NDD.fr, localhost.vps.ovh.net, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

/etc/dovecot/conf.d/10-master.conf

#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service submission-login {
  inet_listener submission {
    #port = 587
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}

/etc/dovecot/conf.d/10-auth.conf

##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Last edited by LeMoussel (on 23/11/2020 at 07:23)

#2 On 22/11/2020 at 09:32

bruno

Re: [SOLVED] SASL LOGIN authentication failed on Postfix

Moderation: topic moved from the Security section to the Servers section.

--

telnet smtp.monserveur.fr 587

    220 GARM-95G001 Sunday, November 22, 2020
    EHLO  mail.example.fr
    250-OVH SMTP PROXY Hello

Are you quite sure it is your server that is answering? Apparently not…

Careful: for now your configuration is far from secure: dummy certificate, passwords possibly transmitted in cleartext, use of IMAP (port 110) instead of IMAPS, etc.

#3 On 22/11/2020 at 10:09

LeMoussel

Re: [SOLVED] SASL LOGIN authentication failed on Postfix

    Are you quite sure it is your server that is answering? Apparently not…

Indeed. `ping smtp.monserveur.fr` does not return my server's IP address.
There is something I am missing here!

    Careful: for now your configuration is far from secure: dummy certificate, passwords possibly transmitted in cleartext, use of IMAP (port 110) instead of IMAPS, etc.

Yes. I am just starting this configuration. I first wanted to confirm the SMTP login, which is not working.
Once this problem is solved I will tackle securing the configuration. I will probably need advice; I will open another topic on that point.

Last edited by LeMoussel (on 22/11/2020 at 10:20)

#4 On 22/11/2020 at 10:24

bruno

Re: [SOLVED] SASL LOGIN authentication failed on Postfix

LeMoussel wrote:

    Are you quite sure it is your server that is answering? Apparently not…
    Indeed. `ping smtp.monserveur.fr` does not return my server's IP address.
    There is something I am missing here!

Look in your OVH customer area under the DNS section. The smtp record must still be pointing at OVH's mail servers.
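The two checks the replies above boil down to, as an added example that is not code from the thread or from any of the projects involved: before debugging SASL on the server, confirm that the host answering on port 587 is really yours (the 220 greeting should carry the `myhostname` from main.cf, here `mail.MON-NDD.fr`, not an OVH proxy) and that the name the client connects to resolves to your server's address. The transcript is reconstructed from the session posted in the first message, the expected IP `203.0.113.10` is a placeholder documentation address, and the resolver is injectable so the script runs offline; it also flags the fact that `AUTH` was sent before `STARTTLS`, which is one of the cleartext-password concerns raised in post #2.

```python
"""Sanity checks on a captured SMTP submission session.

Added example, not code from the thread: before debugging SASL on the server,
confirm that the host answering on port 587 is really yours and note whether
credentials were sent before STARTTLS.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Transcript constructed from the session posted in the thread (hostnames are
# the placeholders the poster used; AUTH was issued without STARTTLS first).
CAPTURED_SESSION = """\
220 GARM-95G001 Sunday, November 22, 2020
EHLO  mail.example.fr
250-OVH SMTP PROXY Hello
250-SIZE 104857600
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-STARTTLS
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
"""

# Assumed values: myhostname from the poster's main.cf, and an RFC 5737
# documentation address standing in for the dedicated server's real IP.
EXPECTED_HOSTNAME = "mail.MON-NDD.fr"
EXPECTED_IP = "203.0.113.10"


def parse_session(transcript: str) -> Dict[str, object]:
    """Split a telnet transcript into the greeting banner, the EHLO capability
    lines, and a flag saying whether the client issued AUTH before STARTTLS."""
    banner: Optional[str] = None
    capabilities: List[str] = []
    tls_started = False
    auth_on_cleartext = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^\d{3}[ -]", line):
            # Server reply: 3-digit code, then '-' (more follows) or ' ' (last line).
            code, text = line[:3], line[4:]
            if code == "220" and banner is None:
                banner = text  # first 220 is the greeting; a later 220 acknowledges STARTTLS
            elif code == "250":
                capabilities.append(text)
            continue
        # Everything else is a client command.
        verb = line.split()[0].upper()
        if verb == "STARTTLS":
            tls_started = True
        elif verb == "AUTH" and not tls_started:
            auth_on_cleartext = True
    return {"banner": banner, "capabilities": capabilities,
            "auth_on_cleartext": auth_on_cleartext}


def banner_matches(banner: str, expected_hostname: str) -> bool:
    """With the default smtpd_banner ('$myhostname ESMTP ...') the first word of
    the 220 greeting is Postfix's myhostname; any other name means a different
    host (in the thread, an OVH proxy) accepted the connection."""
    parts = banner.split()
    return bool(parts) and parts[0].lower() == expected_hostname.lower()


def resolves_to(hostname: str, expected_ip: str,
                resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if the name the client connects to resolves to the expected address.
    The resolver is injectable so the check can be exercised without network."""
    try:
        return resolver(hostname) == expected_ip
    except OSError:
        return False


def check_session(transcript: str, expected_hostname: str, expected_ip: str,
                  connect_name: str = "smtp.monserveur.fr",
                  resolver: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Return human-readable findings; an empty list means the session reached
    the intended Postfix and credentials were only sent after STARTTLS."""
    parsed = parse_session(transcript)
    findings: List[str] = []
    banner = parsed["banner"] or ""
    if not banner_matches(banner, expected_hostname):
        findings.append(f"greeting '{banner}' is not from {expected_hostname}: "
                        "another host answered (check the DNS record first)")
    if not resolves_to(connect_name, expected_ip, resolver):
        findings.append(f"{connect_name} does not resolve to {expected_ip}")
    if parsed["auth_on_cleartext"]:
        findings.append("AUTH was sent before STARTTLS: credentials crossed the "
                        "network in cleartext (base64 is not encryption)")
    return findings


if __name__ == "__main__":
    # Offline demo with a stub resolver returning some other address, as the
    # poster's ping result implied.
    for finding in check_session(CAPTURED_SESSION, EXPECTED_HOSTNAME, EXPECTED_IP,
                                 resolver=lambda _name: "198.51.100.5"):
        print("-", finding)
```

Run against the captured session it reports all three findings; run on a transcript where the greeting names your Postfix, the name resolves to your server and `AUTH` follows `STARTTLS`, it returns an empty list, at which point a `535` really is a SASL problem on your side and the Postfix and Dovecot logs are the place to look.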

#5 On 22/11/2020 at 10:30

LeMoussel

Re: [SOLVED] SASL LOGIN authentication failed on Postfix

OK. Thanks. I am passing the information on to the server administrator.

Being new to this forum, which forum do you recommend for the topic on securing the Postfix configuration? This one?

#6 On 22/11/2020 at 10:32

bruno

Re: [SOLVED] SASL LOGIN authentication failed on Postfix

Yes, in this section, since it is a server configuration problem.
If you do not control the DNS records of your domain name, it is going to be complicated to set up a complete mail stack…

#7 On 23/11/2020 at 07:21

LeMoussel

Re: [SOLVED] SASL LOGIN authentication failed on Postfix

SMTP, in the DNS section, is now configured to point at the right server. OK
Topic solved.

@bruno Thank you for your help.

Note: I have created the topic Configuration sécurisée de gestion des courriels avec Postfix.