Virtual Users And Domains With Postfix, Courier And MySQL

Discussion in 'Server Operation' started by koi, Jan 25, 2007.

  1. koi

    koi New Member

    Hi, I use debian GNU/linux sarge 3.1 stable.
    I have followed step by step the tutorial: (without the quota stuff)

    At the end of the tutorial I have tried to do this:

    telnet localhost 25
    ehlo localhost
    mail from:<[email protected]>
    rcpt to:<[email protected]>

    And it works, I get no errors and I can see the e-mail in the right folder

    But I have problems:

    I have tried to use thunderbird from a pc in the same lan, and I can't send/receive e-mails: it asks me password, but it never authenticates me.
    I get this in mail logs: imaplogin: LOGIN FAILED, ip=[::ffff:]
    ( is the ip address of the pc I use to connect to the mail server (

    postconf -d | grep mail_version = 2.1.5

    What's wrong?

    Thanks in advance.
  2. koi

    koi New Member

    It was my fault, I had a problem here:

    But now I have another problem:

    warning: maildir access problem for UID/GID=5000/5000: create /home/vmail/..... permission denied.
  3. koi

    koi New Member

    Solved: chown -R vmail:vmail /home/vmail

    Now everything works, but in the /var/log/mail.warn

    I get this:

    postfix/smtpd[3306]: warning: SASL authentication failure: no secret in database

    postfix/smtpd[3306]: warning: unknown[]: SASL CRAM-MD5 authentication failed
  4. falko

    falko Super Moderator ISPConfig Developer

    Please compare your configuration files with those of the tutorial, especially /etc/pam.d/smtp and /etc/default/saslauthd.
  5. koi

    koi New Member

    Thanks for the answer. :)

    This time I have checked well :D

    But nothing, everything is like the tutorial

    But it's normal that everything is working?
    I mean: I can receive e-mails (asking me username and paswsord) and send e-mails too (asking me username and password)
    But I have those logs.
    It's normal?
    There something wrong?

  6. koi

    koi New Member

    So, in /etc/postfix/sasl/smtpd.conf

    i had:

    mech_list: plain login cram-md5 digest-md5

    instead of only

    mech_list: plain login

    I imagine it was the reason why everything was working even with the errors in the log, right?

    I have read this post:

    "I suggest that anyone using this setup replaces the /etc/postfix/sasl/smtpd.conf with the following:

    pwcheck_method: saslauthd
    #mech_list: plain login
    mech_list: digest-md5 cram-md5
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_user: mail_admin
    sql_passwd: mail_admin_password
    sql_database: mail
    sql_select: select password from users where email = '%u'

    That will disable authentication in the clear.
    I also suggest disabling pop3 and imap without ssl. There's no reason to use pop3 or imap without ssl.
    Disable them like so (this only disables the insecure versions, ssl is started/stopped through another script):

    /etc/init.d/courier-pop stop

    /etc/init.d/courier-imap stop

    Ensure they don't start on boot like so:
    update-rc.d -f courier-pop remove
    update-rc.d -f courier-imap remove
    At this point, you shouldn't have any of your login and passwords crossing the network in the clear for checking email. You will have logins and hashed passwords sent across the clear when sending email unless the client uses starttls.
    Anyone have a good pointer that only allows clients to auth *after* starttls and making auth required for relay?"

    Is it true?

    Is it working?

    Again, thanks in advance.
  7. falko

    falko Super Moderator ISPConfig Developer

    Try it. :)
  8. koi

    koi New Member
    Firts: if courier-imap is stopped, the connection to the server fails, so it isn't true the tip, right?

    Second: if I put CRAM-MD5 and digest-md, I'll return in the situation when i had problems, (well, "virtual" problems, :D I mean when I have plain login, CRAM-MD5 and digest-md5, and the system was complaining of CRAM-MD5 and digest-md5, but everything was working cause plain login was the one working, right?)

    So it's everything wrong on the tip?
  9. falko

    falko Super Moderator ISPConfig Developer

    You must use
    mech_list: plain login
    in /etc/postfix/sasl/smtpd.conf instead of
    mech_list: plain login cram-md5 digest-md5
  10. koi

    koi New Member

    yes, thanks, I know it, I was speaking of the tip.

    If I stop courier-imap i can't connect to the server, is it normal, right?
  11. koi

    koi New Member

    And why if I examine the server certificate it says:

    Common name localhost
    Organizzation Courier mail server
    Organizzation unit automatically-generated IMAP SSL key


    I have inserted my data, even in /etc/ssl/openssl.cnf! :eek:
  12. falko

    falko Super Moderator ISPConfig Developer


    Courier uses another certifiacate than Postfix does.
  13. koi

    koi New Member

    Is it possible to choose which certificate to use?
  14. koi

    koi New Member

    the default is imapd.pem and is autogenerated when installing the packet?
  15. falko

    falko Super Moderator ISPConfig Developer

  16. koi

    koi New Member

    thanks, yes to create the certificate first you have to edit imapd.cnf , then you have to run mkimapdcert :)

    Another thing:

    what is this line that sometimes is present in some how-to in postfix

    smtpd_tls_CAfile =

    Again, a super big thanks!!!!
  17. falko

    falko Super Moderator ISPConfig Developer

    Take a look here:
  18. koi

    koi New Member

    Some questions; what should I choose in the e-mail clients?
    I mean: in "server settings" (i am speaking of thunderbird, but the concept is general) I should choose "tls if available", "tls", or "ssl"? It works with all of these 3 choices. Why?
    In "smtp settings" I should choose "tls if available", "tls", or "ssl" ? The "ssl" choice doesn't work.

    I hope you can help.

    Thanks in advance.
  19. falko

    falko Super Moderator ISPConfig Developer

    I'd try "tls if available".
  20. koi

    koi New Member

    I want to say that i have followed your how-to based on debian sarge (the one of this thread, that is to say "Virtual Users And Domains With Postfix, Courier And MySQL (+ SMTP-AUTH, Quota, SpamAssassin, ClamAV)") and it works (well, it seems :D ) in debian etch too. I didn't use the part about quota, spamassassin and clamav, and a packet name (about courier support to mysql) now is named courier-authlib-mysql.

Share This Page