Mail : échec authentification avec Dovecot

Tags: #<Tag:0x00007fc9df20d798> #<Tag:0x00007fc9df20d658> #<Tag:0x00007fc9df20d4f0> #<Tag:0x00007fc9df20d3d8>

Bonjour tout le monde,

Mon serveur mail fonctionnait très bien jusqu’à hier (jusqu’à un reboot) sous Debian 10/Buster, Postfix 3.4.5 / Dovecot 2.3.4.1 / MariaDB 10.3.15

Je n’arrive plus à me connecter en IMAP ni recevoir de mail.

Voici les logs /var/log/dovecot-debug.log quand je tente de me connecter avec Thunderbird :

Aug 13 12:32:53 auth: Debug: auth client connected (pid=4217)
Aug 13 12:32:53 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured=tls     session=****        lip=37.59.36.196        rip=91.168.148.99       lport=993       rport=60174     local_name=imap.ioutone.fr     ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256  ssl_cipher_bits=128     ssl_pfs=KxECDHE ssl_protocol=TLSv1.2
Aug 13 12:32:53 auth: Debug: client passdb out: CONT    1
Aug 13 12:32:53 auth: Debug: client in: CONT    1       **** (previous base64 data may contain sensitive data)
Aug 13 12:32:53 auth-worker(4123): Debug: sql(contact,91.168.148.99,<****>): query: SELECT email as user, password FROM virtual_users WHERE email='contact';
Aug 13 12:32:55 auth: Debug: client passdb out: FAIL    1       user=contact    original_user=contact@ioutone.fr
Aug 13 12:32:55 imap-login: Debug: Ignoring unknown passdb extra field: original_user
Aug 13 12:32:55 auth: Debug: client in: AUTH    2       LOGIN   service=imap    secured=tls     session==****        lip=37.59.36.196        rip=91.168.148.99       lport=993       rport=60174     local_name=imap.ioutone.fr     ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256  ssl_cipher_bits=128     ssl_pfs=KxECDHE ssl_protocol=TLSv1.2
Aug 13 12:32:59 auth: Debug: client passdb out: CONT    2       ****
Aug 13 12:32:59 auth: Debug: client in: CONT    2       **** (previous base64 data may contain sensitive data)
Aug 13 12:32:59 auth: Debug: client passdb out: CONT    2       ****
Aug 13 12:32:59 auth: Debug: client in: CONT    2       **** (previous base64 data may contain sensitive data)
Aug 13 12:32:59 auth-worker(4123): Debug: sql(contact,91.168.148.99,<****>): query: SELECT email as user, password FROM virtual_users WHERE email='contact';
Aug 13 12:33:01 auth: Debug: client passdb out: FAIL    2       user=contact    original_user=contact@ioutone.fr
Aug 13 12:33:01 imap-login: Debug: Ignoring unknown passdb extra field: original_user
Aug 13 12:33:01 auth: Debug: client in: AUTH    3       PLAIN   service=imap    secured=tls     session==****        lip=37.59.36.196        rip=91.168.148.99       lport=993       rport=60174     local_name=imap.ioutone.fr     ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256  ssl_cipher_bits=128     ssl_pfs=KxECDHE ssl_protocol=TLSv1.2    resp=**** (previous base64 data may contain sensitive data)
Aug 13 12:33:05 auth-worker(4123): Debug: sql(contact,91.168.148.99,<****>): query: SELECT email as user, password FROM virtual_users WHERE email='contact';
Aug 13 12:33:07 auth: Debug: client passdb out: FAIL    3       user=contact    original_user=contact@ioutone.fr
Aug 13 12:33:07 imap-login: Debug: Ignoring unknown passdb extra field: original_user

J’ai remplacé certaines valeurs sensibles par ****

Si je me connecte via RoundCube :
Aug 13 14:20:54 ns397413 roundcube: <3uvtcbqu> IMAP Error: Login failed for contact@ioutone.fr from 91.168.148.99. LOGIN: Authentication failed. in /home/roundcube/www/program/lib/Roundcube/rcube_imap.php on line 196 (POST /?_task=login&_action=login)

À la réception d’un mail :

Aug 13 12:49:33 ns397413 postfix/qmgr[31414]: ABE35FF7A9: from=<tonelune@gmail.com>, size=3448, nrcpt=1 (queue active)
Aug 13 12:49:33 ns397413 postfix/smtpd[8217]: disconnect from mail-wr1-f51.google.com[209.85.221.51] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Aug 13 12:49:33 ns397413 postfix/lmtp[8227]: ABE35FF7A9: to=<contact@ioutone.fr>, relay=ns397413.ip-37-59-36.eu[private/dovecot-lmtp], delay=0.14, delays=0.09/0/0/0.04, dsn=5.1.1, status=bounced (host ns397413.ip-37-59-36.eu[private/dovecot-lmtp] said: 550 5.1.1 <contact@ioutone.fr> User doesn't exist: contact@ioutone.fr (in reply to RCPT TO command))
Aug 13 12:49:33 ns397413 postfix/cleanup[8226]: CCFAC1003B0: message-id=<20190813104933.CCFAC1003B0@ns397413.ip-37-59-36.eu>
Aug 13 12:49:33 ns397413 postfix/bounce[8230]: ABE35FF7A9: sender non-delivery notification: CCFAC1003B0
Aug 13 12:49:33 ns397413 postfix/qmgr[31414]: CCFAC1003B0: from=<>, size=5692, nrcpt=1 (queue active)
Aug 13 12:49:33 ns397413 postfix/qmgr[31414]: ABE35FF7A9: removed
Aug 13 12:49:34 ns397413 postfix/smtp[8231]: CCFAC1003B0: to=<tonelune@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=0.51, delays=0.04/0/0.17/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK  1565693374 g6si767027wmk.121 - gsmtp)
Aug 13 12:49:34 ns397413 postfix/qmgr[31414]: CCFAC1003B0: removed

Je fonctionne en multidomaine avec des bases de données

Ma configuration Dovecot :

# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.9.182-xxxx-std-ipv6-64 x86_64  ext4
# Hostname: ns397413.ip-37-59-36.eu
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
postmaster_address = postmaster@%d
protocols = imap lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.ioutone.fr/fullchain.pem
ssl_dh = </etc/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/mail.ioutone.fr/privkey.pem
ssl_min_protocol = TLSv1.2
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}

Et côté Postfix :

alias_database = hash:/etc/aliases,hash:/etc/mail/sympa/aliases
alias_maps = hash:/etc/aliases,hash:/etc/mail/sympa/aliases
append_dot_mydomain = no
biff = no
inet_interfaces = all
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = ioutone.fr
myhostname = ns397413.ip-37-59-36.eu
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12301
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination
relayhost =
smtp_tls_CAfile = /etc/letsencrypt/live/mail.ioutone.fr/chain.pem
smtp_tls_cert_file = /etc/letsencrypt/live/mail.ioutone.fr/cert.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.ioutone.fr/privkey.pem
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_milters = inet:localhost:12301
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.ioutone.fr/chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ioutone.fr/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.ioutone.fr/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
sympa_destination_recipient_limit = 1
sympabounce_destination_recipient_limit = 1
transport_maps = regexp:/etc/postfix/sympa_transport.cf,hash:/etc/postfix/transport
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual,regexp:/etc/mail/sympa_virtual_regexp
virtual_mailbox_domains = mysql:/etc/postfix/db/virtual-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/db/virtual-users.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

Je n’arrive pas à trouver le problème après de longues recherches infructueuses …
Ça faut quelques années que je bidouille ce serveur, j’ai toujours réussi à me dépatouiller jusque là, mais là je sèche sur un soucis qui n’a pourtant pas l’air très complexe à résoudre …

Je m’en réfère donc à votre expertise !
Si vous avez besoin d’autres éléments, n’hésitez pas à me demander.
D’avance, merci beaucoup pour votre aide.

Bonjour,

J’ai l’impression que c’est un bête problème de nom d’utilisateur avec ou sans le nom de domaine (toto ou bien toto@example.com)
Il faut essayer de modifier la configuration de dovecot pour conserver le nom de domaine :
auth_username_format = %Lu
ou modifier la requête SQL pour être sûr que user contient l’adresse mail complète et pas le seul nom d’utilisateur.

C’était bien ça !
Le pire c’est que c’est déjà un paramètre qui m’avait déjà posé soucis dans le passé.

Sujet résolu, merci Bruno et bravo la communauté de prendre le temps même pour des notions élémentaires.

C’est fou le nombre d’heures de sommeil qu’on est prêt à sacrifier pour une mauvaise lettre.