[Dovecot] SASL + Postfix woes

Jerry jerry at seibercom.net
Mon Mar 18 14:48:59 EET 2013

Okay, I wasn't going to try and fix up the messed up mail server I was
given; however, I decided that I might as well try.


The system has a Postfix MTA and uses Dovecot for LDA and Cyrus-SASL
for SASL. That works fine.

I decided that I wanted to switch over to Dovecot for SASL. Dovecot is
presently using MySQL for its database.

I made the (I thought) necessary changes in Postfix and restarted it.
Big problem. SASL is now broken. I turned on logging in Dovecot to see
what was happening, but apparently nothing is happening. There are no
entries regarding Postfix attempting to negotiate an SASL request with

This is the "dovecot -n" output (yes, I know it is an old version):

# 1.2.17: /usr/local/etc/dovecot.conf
# OS: FreeBSD 8.3-STABLE amd64  ufs
log_path: /var/log/dovecot.log
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:/var/mail/vhost/seibercom.net/gerard
mail_plugins: expire
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
  postmaster_address: postmaster at seibercom.net
  mail_plugins: sieve
  sieve_global_path: /usr/local/etc/dovecot/sieve/gerard.sieve
  sendmail_path: /usr/sbin/sendmail
auth default:
  mechanisms: plain login digest-md5 cram-md5
  username_format: %Lu
  verbose: yes
  debug: yes
  debug_passwords: yes
    driver: sql
    args: /usr/local/etc/dovecot-sql.conf
    driver: sql
    args: /usr/local/etc/dovecot-sql.conf
    type: listen
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
  expire: Trash 2 Spam/* 2
  expire_dict: proxy::expire
  expire: mysql:/usr/local/etc/dovecot-dict-expire.conf

This is the "dovecot-sql.conf" file:

driver = mysql

connect = host=localhost dbname=Dovecot user=root password=xxxxxxxx

password_query = SELECT concat(userid, '@', domain) AS user, password \
  FROM users WHERE userid = '%n' AND domain = '%d'

user_query = SELECT uid, gid, home FROM users WHERE userid = '%n' AND domain = '%d'

This is the pertinent part of the postconf -fn output:

broken_sasl_auth_clients = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_password_maps
smtp_sasl_security_options = noanonymous
smtp_sasl_type = dovecot
smtpd_client_restrictions = reject_unauth_pipelining permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

I have tried using "dovecot" in place of "private/auth", but it doesn't make any difference.

This is the only output from the postfix maillog:

Mar 18 08:13:02 scorpio postfix/smtpd[65217]: connect from localhost[]
Mar 18 08:13:02 scorpio postfix/smtpd[65217]: warning: localhost[]: SASL CRAM-MD5 authentication failed: authentication failure
Mar 18 08:13:02 scorpio postfix/smtpd[65217]: lost connection after AUTH from localhost[]

Again, it doesn't appear that Postfix ever actually makes contact with
Dovecot. I am probably doing something extremely stupid, but I just
cannot figure out what it is.

Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
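
Added example (not part of the original post): a small Python check over the postconf lines quoted above, showing which SASL backend smtpd will actually use. It assumes Postfix's documented default of smtpd_sasl_type = cyrus and that Dovecot 1.x prints socket modes in decimal; the function names are illustrative.

```python
# Added example: lint "postconf -n" output for Dovecot SASL wiring in smtpd.
# POSTCONF holds lines copied from the post; everything else is illustrative.
POSTCONF = """\
smtp_sasl_auth_enable = yes
smtp_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
"""

# Assumption: Postfix built-in default when the parameter is not set in main.cf.
DEFAULTS = {"smtpd_sasl_type": "cyrus"}


def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    conf, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            conf[last] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            last = name.strip()
            conf[last] = value.strip()
    return conf


def lint(conf):
    """Return findings about the server-side (smtpd) SASL backend selection."""
    findings = []
    server_type = conf.get("smtpd_sasl_type", DEFAULTS["smtpd_sasl_type"])
    if conf.get("smtpd_sasl_auth_enable") == "yes" and server_type != "dovecot":
        findings.append(
            "smtpd_sasl_type is %r, so smtpd will not talk to the Dovecot "
            "auth socket at %r" % (server_type, conf.get("smtpd_sasl_path")))
    if conf.get("smtp_sasl_type") == "dovecot":
        findings.append(
            "smtp_sasl_type configures the Postfix SMTP client, not smtpd; "
            "it does not select the backend for incoming AUTH")
    return findings


def octal_mode(decimal_mode):
    """Convert a decimal socket mode from 'dovecot -n' (1.x) to octal text."""
    return "0%o" % decimal_mode


if __name__ == "__main__":
    for finding in lint(parse_postconf(POSTCONF)):
        print("WARN:", finding)
    print("client socket mode:", octal_mode(432), "master:", octal_mode(384))
```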
