Froxlor Forum

Can't login email user from the internet


knagpateaculos

Question

Hello!

 

Thanks for reading this! Probably my question is a n00b one, so sorry for that :rolleyes:. I can't make a successful login connection to the dovecot/postfix on my server. I followed all the instructions on the froxlor server configuration page and added some tweaks trying to find the problem. Login from telnet localhost 143 is ok as a PLAIN login, but I'm aiming for a LOGIN connection from the outside rather than plaintext due to security reasons (plaintext is my last option at the moment, with some SSL certificates).

mail.log

dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=79.157.45.6, lip=serverip, session=<xUogUBVTogBPnS0G>
dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=79.157.45.6, lip=serverip, session=<rUnFUBVTtwBPnS0G>

telnet localhost 143

Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
1 login pedidos@mundooliva.es 'password'
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA] Logged in
2 logout
* BYE Logging out
2 OK Logout completed.
Connection closed by foreign host.

mail.log showing that successful login

dovecot: imap-login: Login: user=<pedidos@mundooliva.es>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=5150, secured, session=<t4qffBVTfAB/AAAB>
dovecot: imap(pedidos@mundooliva.es): Disconnected: Logged out in=8 out=401

doveconf -n

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-042stab123.1 x86_64 Debian 8.8 
auth_mechanisms = plain login
mail_access_groups = vmail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/sieve/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@Servidor
protocols = imap pop3 lmtp imap sieve pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-client {
    mode = 0660
    user = mail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lda {
  mail_plugins = " quota sieve"
}
protocol imap {
  mail_plugins = " quota imap_quota"
}

postconf -n

alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = no
inet_protocols = ipv4
local_transport = local
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 52428800
mydomain = euve255689.serverpri24.net
myhostname = $mydomain
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unknown_helo_hostname, reject_unknown_recipient_domain, reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:2000

Mails are coming in and stored under their folder correctly:


/var/customers/mail/mundooliva/mundooliva.es/pedidos/Maildir/new# ls -l
total 24
-rw------- 1 vmail vmail 2491 Jun 26 17:44 1498499044.M209464P14253.euve255689,S=2491,W=2542
-rw------- 1 vmail vmail 2505 Jun 26 17:49 1498499344.M386198P14642.euve255689,S=2505,W=2556
-rw------- 1 vmail vmail 2497 Jun 26 18:31 1498501861.M552489P18392.euve255689,S=2497,W=2548
-rw------- 1 vmail vmail 2499 Jun 26 18:39 1498502344.M150024P18861.euve255689,S=2499,W=2566
-rw------- 1 vmail vmail 2502 Jun 26 18:44 1498502644.M362721P19260.euve255689,S=2502,W=2553
-rw------- 1 vmail vmail 1263 Jun 28 12:39 1498653540.M276837P3671.euve255689,S=1263,W=1296
/var/customers/mail/mundooliva/mundooliva.es/pedidos/Maildir/new#

What am I missing? Sorry again if I forgot basic rules for posting this.

Thanks!


5 answers to this question

Hi d00p,

I didn't post the 10-auth.conf, sorry for that, but I've already added that option:


##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = no

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Is it mandatory to have "ssl = (required or yes)" if I disable the plain text auth?

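An added example, not from this thread: a small Python model of the rule quoted in 10-auth.conf above (plaintext mechanisms are allowed only on TLS connections or "secured" ones, where the remote IP equals the local IP), applied to the mail.log lines from the first post. With the posted settings (ssl = no, disable_plaintext_auth = no) Dovecot offers a remote client AUTH=PLAIN/AUTH=LOGIN and no STARTTLS, so a "no auth attempts" disconnect means the client decided not to send credentials rather than being refused by the server. The verdict strings, the config dict and the treatment of ssl = required as implying disable_plaintext_auth = yes are this example's own assumptions.

```python
import re

# Constructed sample: the two kinds of imap-login lines from the mail.log excerpts above.
SAMPLE_LOG = """\
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=79.157.45.6, lip=serverip, session=<xUogUBVTogBPnS0G>
dovecot: imap-login: Login: user=<pedidos@mundooliva.es>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=5150, secured, session=<t4qffBVTfAB/AAAB>
"""
# Settings as shown in the posted doveconf -n / 10-auth.conf (dict layout is assumed).
POSTED_CONFIG = {"ssl": "no", "disable_plaintext_auth": "no", "auth_mechanisms": "plain login"}

LINE_RE = re.compile(
    r"imap-login: (?P<event>Login|Disconnected)(?: \((?P<reason>[^)]*)\))?: "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)")

def plaintext_auth_allowed(cfg, rip, lip, tls=False):
    """Rule quoted in 10-auth.conf: plaintext mechanisms are refused unless the
    connection is TLS or 'secured' (remote IP equals local IP, e.g. localhost).
    ssl=required is modelled here as implying disable_plaintext_auth=yes."""
    secured = tls or rip == lip
    restricted = cfg["disable_plaintext_auth"] == "yes" or cfg["ssl"] == "required"
    return secured or not restricted

def capabilities(cfg, rip, lip, tls=False):
    """Pre-auth capabilities imap-login advertises to this connection."""
    caps = []
    if cfg["ssl"] != "no" and not tls:   # ssl=no means no STARTTLS (and no imaps)
        caps.append("STARTTLS")
    if plaintext_auth_allowed(cfg, rip, lip, tls):
        caps += ["AUTH=" + m.upper() for m in cfg["auth_mechanisms"].split()]
    else:
        caps.append("LOGINDISABLED")     # client must negotiate TLS first
    return caps

def triage(cfg, log_text):
    """Per imap-login line: what the client was offered, and whether the server
    refused it or the client simply never sent credentials."""
    findings = []
    for m in LINE_RE.finditer(log_text):
        rip, lip = m["rip"], m["lip"]
        if m["event"] == "Login":
            verdict = "login-ok-local" if rip == lip else "login-ok-remote"
        elif (m["reason"] or "").startswith("no auth attempts"):
            # Dovecot never saw LOGIN/AUTHENTICATE: the client gave up, it was not refused
            verdict = "client-sent-no-credentials"
        else:
            verdict = "other-disconnect"
        findings.append({"user": m["user"], "rip": rip, "lip": lip,
                         "caps": capabilities(cfg, rip, lip), "verdict": verdict})
    return findings
```

Run triage(POSTED_CONFIG, SAMPLE_LOG) to see the remote line flagged as a client-side give-up with only AUTH=PLAIN/AUTH=LOGIN on offer, and compare with a config that sets ssl = yes and disable_plaintext_auth = yes, where a non-TLS remote client is shown STARTTLS plus LOGINDISABLED instead.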

Distributor ID: Debian
Description:    Debian GNU/Linux 8.8 (jessie)
Release:        8.8

Codename:       jessie

dovecot --version
2.2.13

postconf -d | grep mail_version
mail_version = 2.11.3

Yes, of course! But I'm not immune to making mistakes or skipping one of the template's steps. I'm checking again step by step, all services from Webserver to System.


Archived

This topic is now archived and is closed to further replies.