After a fresh install of Debian etch i have a problem with postfix: the mailclient says: -ERR Plaintext authentication disabled.

i already checked for some options:

/etc/dovecot/dovecot.conf:
mechanisms = plain

/etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login

/etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

But login to the mailaccounts still fail

Has anybody the answer?

I checked the authentication with telnet

$ telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
220 mail.xx.yy ESMTP Postfix (Debian/GNU)
ehlo localhost
250-mail.xx.yy
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Hm, for me, it seems ok. But the server did not allow to authenticate.

Howdy Mathias,

Actually this is a (stupid) default in the Dovecot configuration on Debian, which prevents it from working with PAM or shadow authentication, that we haven’t corrected yet in the install script. In /etc/dovecot/dovecot.conf find the option labeled “disable_plaintext_auth = yes”, uncomment it, and change the “yes” to “no”.

It’ll be fixed in the next version of virtualmin-base for Debian. Sorry for the inconvenience.

FYI: Looks like it is not (yet) fixed in Virtualmin 3.62 (Pro) on Ubuntu 8.04. The option disable_plaintext_auth = yes was still there and commented out.

Indeed it is!

If you don’t hear anything regarding that on the forums here, I might open up a bug in the bug tracker about that.

Thanks,
-Eric

The Virtualmin module version isn’t relevant to this particular nuisance.

It’s gotta happen in virtualmin-base, which hasn’t seen an update lately (it takes so much more testing, and across a lot of platforms, that it’s sort of painful to roll out). But thanks for the reminder. I’d forgotten that there was an outstanding issue with virtualmin-base.

My dovecot.conf has disable_plaintext_auth = no uncommented and I still have this error if I use a mail client (evolution or Tbird). I installed roundcubem and it seems to be OK for sending mail

any other thoughts?

First, you did restart Dovecot after uncommenting that, right?

If so, what distribution are you using – and can you attach a copy of your dovecot.conf?

Thanks!
-Eric

This is my main.cf:

See /usr/share/postfix/main.cf.dist for a commented, more complete version

Debian specific: Specifying a file name will cause the first

line of that file to be used as the name. The Debian default

is /etc/mailname.

#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

appending .domain is the MUA’s job.

append_dot_mydomain = no

Uncomment the next line to generate "delayed mail" warnings

#delay_warning_time = 4h

TLS parameters

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for

information on enabling SSL in the smtp client.

myhostname = mail.xx.yy
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, $mydomain, debian4064m, localhost, Debian-40-etch-64-minimal
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
smtp_bind_address = x.y.z.w
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

This is my main.cf:

See /usr/share/postfix/main.cf.dist for a commented, more complete version

Debian specific: Specifying a file name will cause the first

line of that file to be used as the name. The Debian default

is /etc/mailname.

#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

appending .domain is the MUA’s job.

append_dot_mydomain = no

Uncomment the next line to generate "delayed mail" warnings

#delay_warning_time = 4h

TLS parameters

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for

information on enabling SSL in the smtp client.

myhostname = mail.xx.yy
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, $mydomain, debian4064m, localhost, Debian-40-etch-64-minimal
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
smtp_bind_address = x.y.z.w
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Eric,

My Dovecot and Postfix are working fine, but I’m curious…

QUESTION: Should/can the disable_plaintext_auth be set to YES without a problem?

Thx!
Jim

—snip of dovecot conf.d 10-auth.conf—

Disable LOGIN command and all other plaintext authentications unless

SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP

matches the local IP (ie. you’re connecting from the same computer), the

connection is considered secure and plaintext authentication is allowed.

#disable_plaintext_auth = yes
disable_plaintext_auth = no