postfix Error Plaintext authentication disabled

11 posts / 0 new
Last post
#1 Mon, 07/09/2007 - 19:34
MatthiasL

postfix Error Plaintext authentication disabled

After a fresh install of Debian etch i have a problem with postfix: the mailclient says: -ERR Plaintext authentication disabled.

i already checked for some options:

/etc/dovecot/dovecot.conf: mechanisms = plain

/etc/postfix/sasl/smtpd.conf: pwcheck_method: saslauthd mech_list: plain login

/etc/postfix/main.cf: smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous

But login to the mailaccounts still fail

Has anybody the answer?

Mon, 07/09/2007 - 20:12
MatthiasL

I checked the authentication with telnet

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.xx.yy ESMTP Postfix (Debian/GNU)
ehlo localhost
250-mail.xx.yy
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Hm, for me, it seems ok. But the server did not allow to authenticate.

Sun, 06/07/2009 - 07:13 (Reply to #2)
MatthiasL

This is my main.cf:

------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.xx.yy
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, $mydomain, debian4064m, localhost, Debian-40-etch-64-minimal
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
smtp_bind_address = x.y.z.w
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Sun, 06/07/2009 - 07:13 (Reply to #3)
MatthiasL

This is my main.cf:

------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.xx.yy
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, $mydomain, debian4064m, localhost, Debian-40-etch-64-minimal
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = Maildir/
smtp_bind_address = x.y.z.w
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Wed, 07/11/2007 - 01:33
Joe
Joe's picture

Howdy Mathias,

Actually this is a (stupid) default in the Dovecot configuration on Debian, which prevents it from working with PAM or shadow authentication, that we haven't corrected yet in the install script. In /etc/dovecot/dovecot.conf find the option labeled "disable_plaintext_auth = yes", uncomment it, and change the "yes" to "no".

It'll be fixed in the next version of virtualmin-base for Debian. Sorry for the inconvenience.

--

Check out the forum guidelines!

Sun, 10/12/2008 - 04:05
fuerst

FYI: Looks like it is not (yet) fixed in Virtualmin 3.62 (Pro) on Ubuntu 8.04. The option disable_plaintext_auth = yes was still there and commented out.

Sun, 10/12/2008 - 05:49 (Reply to #6)
andreychek

Indeed it is!

If you don't hear anything regarding that on the forums here, I might open up a bug in the bug tracker about that.

Thanks,
-Eric

Sun, 10/12/2008 - 10:28 (Reply to #7)
Joe
Joe's picture

<div class='quote'>FYI: Looks like it is not (yet) fixed in Virtualmin 3.62 (Pro) on Ubuntu 8.04. The option disable_plaintext_auth = yes was still there and commented out.</div>

The Virtualmin module version isn't relevant to this particular nuisance.

It's gotta happen in virtualmin-base, which hasn't seen an update lately (it takes so much more testing, and across a lot of platforms, that it's sort of painful to roll out). But thanks for the reminder. I'd forgotten that there was an outstanding issue with virtualmin-base.

--

Check out the forum guidelines!

Thu, 11/06/2008 - 09:47
stefen

My dovecot.conf has disable_plaintext_auth = no uncommented and I still have this error if I use a mail client (evolution or Tbird). I installed roundcubem and it seems to be OK for sending mail

any other thoughts?

Mon, 11/17/2008 - 19:52 (Reply to #9)
andreychek

First, you did restart Dovecot after uncommenting that, right?

If so, what distribution are you using -- and can you attach a copy of your dovecot.conf?

Thanks!
-Eric

Thu, 06/12/2014 - 11:23
jimdunn

Eric,

My Dovecot and Postfix are working fine, but I'm curious...

QUESTION: Should/can the disable_plaintext_auth be set to YES without a problem?

Thx!
Jim

---snip of dovecot conf.d 10-auth.conf---
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes
disable_plaintext_auth = no

Topic locked