After a fresh install of Debian etch I have a problem with postfix: the mail client says: -ERR Plaintext authentication disabled.
I already checked some options:
/etc/dovecot/dovecot.conf:
mechanisms = plain
/etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login
/etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
But login to the mail accounts still fails.
Does anybody have the answer?
I checked the authentication with telnet
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.xx.yy ESMTP Postfix (Debian/GNU)
ehlo localhost
250-mail.xx.yy
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Hm, for me, it seems OK. But the server did not allow me to authenticate.
Joe
July 11, 2007, 6:33am
3
Howdy Mathias,
Actually this is a (stupid) default in the Dovecot configuration on Debian, which prevents it from working with PAM or shadow authentication, that we haven’t corrected yet in the install script. In /etc/dovecot/dovecot.conf find the option labeled “disable_plaintext_auth = yes”, uncomment it, and change the “yes” to “no”.
It’ll be fixed in the next version of virtualmin-base for Debian. Sorry for the inconvenience.
fuerst
October 12, 2008, 9:05am
4
FYI: Looks like it is not (yet) fixed in Virtualmin 3.62 (Pro) on Ubuntu 8.04. The option disable_plaintext_auth = yes was still there and commented out.
Eric
October 12, 2008, 10:49am
5
Indeed it is!
If you don’t hear anything regarding that on the forums here, I might open up a bug in the bug tracker about that.
Thanks,
-Eric
Joe
October 12, 2008, 3:28pm
6
FYI: Looks like it is not (yet) fixed in Virtualmin 3.62 (Pro) on Ubuntu 8.04. The option disable_plaintext_auth = yes was still there and commented out.
The Virtualmin module version isn’t relevant to this particular nuisance.
It’s gotta happen in virtualmin-base, which hasn’t seen an update lately (it takes so much more testing, and across a lot of platforms, that it’s sort of painful to roll out). But thanks for the reminder. I’d forgotten that there was an outstanding issue with virtualmin-base.
stefen
November 6, 2008, 3:47pm
7
My dovecot.conf has disable_plaintext_auth = no uncommented and I still have this error if I use a mail client (Evolution or Tbird). I installed Roundcube and it seems to be OK for sending mail.
Any other thoughts?
Eric
November 18, 2008, 1:52am
8
First, you did restart Dovecot after uncommenting that, right?
If so, what distribution are you using – and can you attach a copy of your dovecot.conf?
Thanks!
-Eric
This is my main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.xx.yy
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, $mydomain, debian4064m, localhost, Debian-40-etch-64-minimal
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
smtp_bind_address = x.y.z.w
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
Eric,
My Dovecot and Postfix are working fine, but I’m curious…
QUESTION: Should/can the disable_plaintext_auth be set to YES without a problem?
Thx!
Jim
—snip of dovecot conf.d 10-auth.conf—
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes
disable_plaintext_auth = no
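Added example, not part of any post in this thread and not Virtualmin's own code: a small audit that checks the settings discussed above for places where a password can cross the network unencrypted, run on the values as posted and on a hardened variant. It assumes Dovecot 2.x (where `ssl = required` exists) and Postfix's `smtpd_tls_auth_only`; the function names and the sample strings are constructed for illustration.

```python
import re

PLAINTEXT_MECHS = {"plain", "login"}

def parse_settings(text):
    """Parse 'key = value' lines as used by main.cf and dovecot.conf; skip '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().lower()
    return settings

def audit(dovecot_text, postfix_text):
    """Return findings where a password could cross the network unencrypted."""
    dovecot, postfix = parse_settings(dovecot_text), parse_settings(postfix_text)
    findings = []
    # A missing disable_plaintext_auth means Dovecot's default ("yes") applies.
    if dovecot.get("disable_plaintext_auth", "yes") == "no" and dovecot.get("ssl") != "required":
        findings.append("dovecot: plaintext auth accepted without TLS")
    # Postfix offers AUTH before STARTTLS unless smtpd_tls_auth_only is set.
    if postfix.get("smtpd_sasl_auth_enable") == "yes" and postfix.get("smtpd_tls_auth_only") != "yes":
        findings.append("postfix: AUTH offered before STARTTLS")
    return findings

def cleartext_auth_mechs(ehlo_reply):
    """Plaintext SASL mechanisms advertised in an EHLO reply captured before STARTTLS."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(word.lower() for word in m.group(1).split())
    return sorted(mechs & PLAINTEXT_MECHS)

# Constructed samples: settings as posted in the thread, then a hardened variant.
DOVECOT_AS_POSTED = "#disable_plaintext_auth = yes\ndisable_plaintext_auth = no\n"
POSTFIX_AS_POSTED = "smtpd_use_tls=yes\nsmtpd_sasl_auth_enable = yes\n"
DOVECOT_HARDENED = "ssl = required\ndisable_plaintext_auth = yes\n"
POSTFIX_HARDENED = POSTFIX_AS_POSTED + "smtpd_tls_auth_only = yes\n"
EHLO_AS_POSTED = "250-STARTTLS\n250-AUTH LOGIN PLAIN\n250-AUTH=LOGIN PLAIN\n250 DSN\n"

if __name__ == "__main__":
    print(audit(DOVECOT_AS_POSTED, POSTFIX_AS_POSTED))
    print(audit(DOVECOT_HARDENED, POSTFIX_HARDENED))
    print(cleartext_auth_mechs(EHLO_AS_POSTED))
```

With the hardened settings, mail clients must be configured for STARTTLS or SSL/TLS before they log in; as the 10-auth.conf comment says, Dovecot still treats connections from the local IP as secure.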